prevent hostless access

modules/services/nginx-conf.nix

@@ -107,6 +107,14 @@ in {
         ${realIpsFromList cfipv6}
         real_ip_header CF-Connecting-IP;
       '';
+
+      # prevent leaking domain through direct ip access or no host
+      # generally a good idea to keep this
+      virtualHosts."_"= {
+        default = true;
+        rejectSSL = true;
+        locations."/".return = 444;
+      };
     };
 
     networking.firewall.allowedTCPPorts = [ 443 80 ];