{ config, lib, pkgs, this, ... }: with lib; let cfg = config.nixfiles.modules.nginx; in { options.nixfiles.modules.nginx = { enable = mkEnableOption "Nginx"; upstreams = mkOption { description = "Defines a group of servers to use as proxy target."; type = with types; anything; default = null; }; virtualHosts = mkOption { description = "Attrset of virtual hosts."; type = with types; anything; default = null; }; }; config = mkIf cfg.enable { services = { nginx = { enable = true; enableReload = true; package = pkgs.nginxMainline; statusPage = true; serverTokens = false; recommendedGzipSettings = true; recommendedOptimisation = true; recommendedProxySettings = true; recommendedTlsSettings = true; commonHttpConfig = concatStrings [ '' add_header X-Robots-Tag "noindex, nofollow, noarchive, nosnippet"; '' (optionalString (hasAttr "wireguard" this) (with config.nixfiles.modules.wireguard; '' geo $internal { default 0; 127.0.0.1/32 1; ::1/128 1; ${ipv4.subnet} 1; ${ipv6.subnet} 1; } '')) ]; inherit (cfg) upstreams; virtualHosts = { default = { default = true; rejectSSL = true; locations."/".return = "444"; }; } // (mkIf (cfg.virtualHosts != null) (mapAttrs (_: attr: mkMerge [ attr (mkIf config.nixfiles.modules.acme.enable { enableACME = true; forceSSL = true; }) ]) cfg.virtualHosts)); }; fail2ban.jails = { nginx-http-auth = '' enabled = true ''; nginx-botsearch = '' enabled = true ''; }; prometheus.exporters.nginx = { enable = true; listenAddress = mkDefault this.wireguard.ipv4.address; port = mkDefault 9113; }; }; networking.firewall.allowedTCPPorts = [80 443]; }; }