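{ config, lib, pkgs, this, ... }:

# NixOS module: an opinionated nginx setup (hardened defaults, ACME for every
# vhost when the acme module is on, fail2ban jails, a prometheus exporter) plus
# a small library of reusable config snippets exposed as the `libNginx`
# module argument.
with lib;

let
  cfg = config.nixfiles.modules.nginx;

  # `$internal` is defined at the http level so the `internalOnly` snippet
  # below can be used by any vhost. Loopback is always trusted; the WireGuard
  # subnets are added only on hosts that carry a `wireguard` attribute. The
  # block is emitted unconditionally because the snippet references
  # `$internal` unconditionally — on a host without WireGuard the variable
  # used to be undefined, so nginx rejected any config that used the snippet.
  internalGeo = ''
    geo $internal {
      default 0;
      127.0.0.1/32 1;
      ::1/128 1;
      ${optionalString (hasAttr "wireguard" this) (
        with config.nixfiles.modules.wireguard; ''
          ${ipv4.subnet} 1;
          ${ipv6.subnet} 1;
        ''
      )}
    }
  '';
in
{
  options.nixfiles.modules.nginx = {
    enable = mkEnableOption "Nginx";

    upstreams = mkOption {
      description = "Defines a group of servers to use as proxy target.";
      type = with types; anything;
      default = null;
    };

    virtualHosts = mkOption {
      description = "Attrset of virtual hosts.";
      type = with types; anything;
      default = null;
    };
  };

  config = mkIf cfg.enable {
    # Reusable nginx snippets for other modules (`libNginx.config.<name>`).
    _module.args.libNginx.config = {
      # Restrict a location to clients matched by the `geo $internal` block
      # (loopback and, when present, the WireGuard subnets). `access_log off`
      # also suppresses logging of the rejected (403) requests, so probes
      # against such locations leave no trace in the access log.
      internalOnly = ''
        if ($internal != 1) {
          return 403;
        }
        access_log off;
      '';

      # Inject `text` (a list of strings) right before the closing </head>
      # tag of proxied HTML responses.
      # NOTE(review): the `</head>` pattern/replacement was lost in the
      # extracted copy of this file (HTML tag stripped) and has been
      # reconstructed from the function name — confirm against the original.
      # `text` is spliced into the nginx config unescaped; a single quote in
      # it breaks the directive.
      appendHead = text: ''
        sub_filter '</head>' '${lib.concatStrings text}</head>';
        sub_filter_once on;
      '';

      # Pass upstream responses through unbuffered (streaming / SSE targets).
      noProxyBuffering = ''
        proxy_buffering off;
        proxy_cache off;
      '';
    };

    services = {
      nginx = {
        enable = true;
        enableReload = true;
        package = pkgs.nginxMainline;
        # stub_status endpoint; NixOS serves it on its `localhost` vhost and
        # the prometheus exporter below scrapes it.
        statusPage = true;
        # Hide the nginx version in the Server header and error pages.
        serverTokens = false;

        # All `recommended*` settings are overridable per host via mkDefault.
        recommendedBrotliSettings = lib.mkDefault true;
        recommendedGzipSettings = lib.mkDefault true;
        recommendedOptimisation = lib.mkDefault true;
        recommendedProxySettings = lib.mkDefault true;
        recommendedTlsSettings = lib.mkDefault true;
        recommendedZstdSettings = lib.mkDefault true;

        # Access log goes to the journal via syslog rather than a file.
        # The X-Robots-Tag header is set at the http level; nginx inherits
        # `add_header` into server/location blocks only when that block
        # declares no `add_header` of its own, so a vhost that adds any header
        # silently drops this one and must repeat it.
        commonHttpConfig = concatStrings [
          ''
            access_log syslog:server=unix:/dev/log;
            add_header X-Robots-Tag "noindex, nofollow, noarchive, nosnippet";
          ''
          internalGeo
        ];

        # NOTE(review): `cfg.upstreams` defaults to null and is passed through
        # unchanged; confirm the NixOS `services.nginx.upstreams` type accepts
        # that when no upstreams are configured.
        inherit (cfg) upstreams;

        # Catch-all default server: refuses TLS for unknown hostnames and
        # closes the connection without a response (444) for plain HTTP.
        # `mkMerge` is required here: combining the attrset with a `mkIf`
        # value via `//` yields an attrset carrying `_type = "if"`, which the
        # module system evaluates as a whole conditional — discarding the
        # `default` vhost (and everything else) when the condition is false.
        virtualHosts = mkMerge [
          {
            default = {
              default = true;
              rejectSSL = true;
              locations."/".return = "444";
            };
          }
          (mkIf (cfg.virtualHosts != null) (
            mapAttrs (
              _: attr:
              mkMerge [
                attr
                # Every configured vhost gets a certificate and an HTTPS
                # redirect when the acme module is enabled (overridable per
                # host, since both are mkDefault).
                (mkIf config.nixfiles.modules.acme.enable {
                  enableACME = mkDefault true;
                  forceSSL = mkDefault true;
                })
              ]
            ) cfg.virtualHosts
          ))
        ];

        # Use the host-generated DH parameters enabled below.
        sslDhparam = config.security.dhparams.params.nginx.path;
      };

      # fail2ban's bundled nginx filters (failed HTTP auth, bot path scans).
      # NOTE(review): access logging is sent to syslog above; confirm the
      # jails' logpath/backend actually sees nginx's output, otherwise they
      # never ban anything.
      fail2ban.jails = {
        nginx-http-auth.enabled = true;
        nginx-botsearch.enabled = true;
      };

      # Metrics are bound to the WireGuard address only, never 0.0.0.0.
      # NOTE(review): unlike the geo block this access is not guarded by
      # `hasAttr "wireguard" this`; on a host without WireGuard evaluation
      # fails here, which is preferable to the exporter falling back to
      # listening on all interfaces.
      prometheus.exporters.nginx = {
        enable = true;
        listenAddress = mkDefault this.wireguard.ipv4.address;
        port = mkDefault 9113;
      };
    };

    security.dhparams = {
      enable = true;
      params.nginx = { };
    };

    # HTTP/HTTPS are opened on every interface whenever this module is enabled.
    networking.firewall.allowedTCPPorts = [ 80 443 ];
  };
}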