{ config, lib, pkgs, this, ... }: with lib; let cfg = config.nixfiles.modules.nginx; in { options.nixfiles.modules.nginx = { enable = mkEnableOption "Nginx"; upstreams = mkOption { description = "Defines a group of servers to use as proxy target."; type = with types; anything; default = null; }; virtualHosts = mkOption { description = "Attrset of virtual hosts."; type = with types; anything; default = null; }; }; config = mkIf cfg.enable { _module.args.libNginx.config = { internalOnly = '' if ($internal != 1) { return 403; } access_log off; ''; appendHead = text: '' sub_filter '' '${lib.concatStrings text}'; sub_filter_once on; ''; noProxyBuffering = '' proxy_buffering off; proxy_cache off; ''; }; services = { nginx = { enable = true; enableReload = true; package = pkgs.nginxMainline; statusPage = true; serverTokens = false; recommendedGzipSettings = true; recommendedOptimisation = true; recommendedProxySettings = true; recommendedTlsSettings = true; commonHttpConfig = concatStrings [ '' add_header X-Robots-Tag "noindex, nofollow, noarchive, nosnippet"; '' (optionalString (hasAttr "wireguard" this) ( with config.nixfiles.modules.wireguard; '' geo $internal { default 0; 127.0.0.1/32 1; ::1/128 1; ${ipv4.subnet} 1; ${ipv6.subnet} 1; } '' )) ]; inherit (cfg) upstreams; virtualHosts = { default = { default = true; rejectSSL = true; locations."/".return = "444"; }; } // (mkIf (cfg.virtualHosts != null) ( mapAttrs ( _: attr: mkMerge [ attr (mkIf config.nixfiles.modules.acme.enable { enableACME = mkDefault true; forceSSL = mkDefault true; }) ] ) cfg.virtualHosts )); }; fail2ban.jails = { nginx-http-auth.enabled = true; nginx-botsearch.enabled = true; }; prometheus.exporters.nginx = { enable = true; listenAddress = mkDefault this.wireguard.ipv4.address; port = mkDefault 9113; }; }; networking.firewall.allowedTCPPorts = [ 80 443 ]; }; }