From e6ed60548397627bf10f561f9438201dbba0a36e Mon Sep 17 00:00:00 2001
From: Azat Bahawi
Date: Sun, 21 Apr 2024 02:15:42 +0300
Subject: 2024-04-21
---
 modules/nginx.nix | 122 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 122 insertions(+)
 create mode 100644 modules/nginx.nix
(limited to 'modules/nginx.nix')
diff --git a/modules/nginx.nix b/modules/nginx.nix
new file mode 100644
index 0000000..ed34237
--- /dev/null
+++ b/modules/nginx.nix
@@ -0,0 +1,122 @@
+{
+ config,
+ lib,
+ pkgs,
+ this,
+ ...
+}:
+with lib;
+let
+ cfg = config.nixfiles.modules.nginx;
+in
+{
+ options.nixfiles.modules.nginx = {
+ enable = mkEnableOption "Nginx";
+
+ upstreams = mkOption {
+ description = "Defines a group of servers to use as proxy target.";
+ type = with types; anything;
+ default = null;
+ };
+
+ virtualHosts = mkOption {
+ description = "Attrset of virtual hosts.";
+ type = with types; anything;
+ default = null;
+ };
+ };
+
+ config = mkIf cfg.enable {
+ _module.args.libNginx.config = {
+ internalOnly = ''
+ if ($internal != 1) {
+ return 403;
+ }
+ access_log off;
+ '';
+ appendHead = text: ''
+ sub_filter '' '${lib.concatStrings text}';
+ sub_filter_once on;
+ '';
+ noProxyBuffering = ''
+ proxy_buffering off;
+ proxy_cache off;
+ '';
+ };
+
+ services = {
+ nginx = {
+ enable = true;
+ enableReload = true;
+
+ package = pkgs.nginxMainline;
+
+ statusPage = true;
+
+ serverTokens = false;
+
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ recommendedProxySettings = true;
+ recommendedTlsSettings = true;
+
+ commonHttpConfig = concatStrings [
+ ''
+ add_header X-Robots-Tag "noindex, nofollow, noarchive, nosnippet";
+ ''
+ (optionalString (hasAttr "wireguard" this) (
+ with config.nixfiles.modules.wireguard;
+ ''
+ geo $internal {
+ default 0;
+ 127.0.0.1/32 1;
+ ::1/128 1;
+ ${ipv4.subnet} 1;
+ ${ipv6.subnet} 1;
+ }
+ ''
+ ))
+ ];
+
+ inherit (cfg) upstreams;
+
+ virtualHosts =
+ {
+ default = {
+ default = true;
+ rejectSSL = true;
+ locations."/".return = "444";
+ };
+ }
+ // (mkIf (cfg.virtualHosts != null) (
+ mapAttrs (
+ _: attr:
+ mkMerge [
+ attr
+ (mkIf config.nixfiles.modules.acme.enable {
+ enableACME = mkDefault true;
+ forceSSL = mkDefault true;
+ })
+ ]
+ ) cfg.virtualHosts
+ ));
+ };
+
+ fail2ban.jails = {
+ nginx-http-auth.enabled = true;
+ nginx-botsearch.enabled = true;
+ };
+
+ prometheus.exporters.nginx = {
+ enable = true;
+ listenAddress = mkDefault this.wireguard.ipv4.address;
+ port = mkDefault 9113;
+ };
+ };
+
+ networking.firewall.allowedTCPPorts = [
+ 80
+ 443
+ ];
+ };
+}
-- cgit v1.2.3
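Review bot: The `//` in `virtualHosts = { default = …; } // (mkIf (cfg.virtualHosts != null) (…))` does not merge the two sides: `mkIf` returns a plain attrset (`_type = "if"`, `condition`, `content`), so the update operator copies those three keys next to `default`, and the module system then discharges the whole value as a conditional and keeps only `content` (or nothing when `cfg.virtualHosts` is null). The catch-all `default` server (`rejectSSL`, `return 444`) is therefore silently lost, and nginx falls back to the first server block it sees as its default, so requests with an unknown or missing Host header are answered by a real site. Use the module-system merge instead: `virtualHosts = mkMerge [`, drop the `//` so the line reads `(mkIf (cfg.virtualHosts != null) (`, and close with `)) ];` (or keep `//` with `optionalAttrs (cfg.virtualHosts != null) (mapAttrs … cfg.virtualHosts)`). Separately, `listenAddress = mkDefault this.wireguard.ipv4.address;` in `prometheus.exporters.nginx` is unguarded while `commonHttpConfig` checks `hasAttr "wireguard" this`, so on a host without that attribute the unconditionally enabled exporter fails evaluation; guard it the same way or use a loopback fallback, e.g. `listenAddress = mkDefault (this.wireguard.ipv4.address or "127.0.0.1");`.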