nix-server/modules/services/nginx-conf.nix


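# NixOS module: enable an OpenResty-based nginx with a pinned Lua library
# path, Cloudflare real-IP handling and a baseline set of security headers.
{ config, lib, pkgs, options, ... }:
with lib;
let
  cfg = config.modules.services.nginx-config;
in {
  options.modules.services.nginx-config = {
    enable = mkEnableOption "enable and configure nginx. you know what nginx is.";

    # nginx binary to run; defaults to OpenResty so the lua_* directives in
    # commonHttpConfig are understood.
    package = mkOption {
      type = types.package;
      default = pkgs.openresty;
      description = "The nginx package to use; must support the lua_package_path directive.";
    };

    # Directory of site-local Lua modules placed first on lua_package_path.
    # The type has to admit null: with plain `types.path` an unset option
    # fails the type check before the assertion below ever gets evaluated.
    defaultLuaPackagePath = mkOption {
      type = types.nullOr types.path;
      default = null;
      description = "Directory of site-local Lua modules put first on lua_package_path. Must be set when this module is enabled.";
    };
  };

  config = mkIf cfg.enable {
    assertions = [
      { assertion = cfg.defaultLuaPackagePath != null;
        # NixOS reads `message` from assertion entries; the former `description`
        # key was never looked at, so a failing assertion reported a missing
        # attribute instead of this text.
        message = "The defaultLuaPackagePath property *must* be explicitly specified.";
      }
    ];

    security.acme = {
      acceptTerms = true;
      defaults.email = "reidlab325@gmail.com";
      # uncomment me for staging!
      # defaults.server = "https://acme-staging-v02.api.letsencrypt.org/directory";
    };

    services.nginx = {
      enable = true;
      package = cfg.package;
      recommendedTlsSettings = true;
      recommendedOptimisation = true;
      recommendedGzipSettings = true;
      recommendedProxySettings = true;
      # TODO: clean this up oh my god like everything here :sob: im vomiting shaking and crying looking at this.
      commonHttpConfig = let
        # lua: third-party OpenResty libraries, pinned by tag and content hash.
        lua-resty-template = pkgs.fetchFromGitHub {
          owner = "bungle";
          repo = "lua-resty-template";
          rev = "v2.0";
          sha256 = "1gpyjq3ms5ib8xiz6k9z97cjifx9zp1dyjkr58b2s034xksy2vb1";
        };
        lua-resty-redis = pkgs.fetchFromGitHub {
          owner = "openresty";
          repo = "lua-resty-redis";
          rev = "v0.29";
          sha256 = "089ishx4482ybfsv10ig8h3cpsdw6rvgy0w874h1c7m1gk2fd7r9";
        };
        lua-resty-websocket = pkgs.fetchFromGitHub {
          owner = "openresty";
          repo = "lua-resty-websocket";
          rev = "v0.10";
          sha256 = "0zpprfi5qc3066ab7g7nyr18jwlk3n8y0006maj4nlx38rl24vfh";
        };

        # cloudflare: one set_real_ip_from line per listed range, so the
        # CF-Connecting-IP header is only honoured for connections that
        # actually arrive from Cloudflare.
        realIpsFromList = lib.strings.concatMapStringsSep "\n" (x: "set_real_ip_from ${x};");
        # Drop empty lines (e.g. a trailing newline in the fetched file) so no
        # malformed `set_real_ip_from ;` directive is ever emitted.
        fileToList = x: filter (l: l != "") (lib.strings.splitString "\n" (builtins.readFile x));
        # The hashes pin a snapshot of the published lists; when Cloudflare
        # changes a range the fetch fails and the hash has to be refreshed.
        cfipv4 = fileToList (pkgs.fetchurl {
          url = "https://www.cloudflare.com/ips-v4";
          sha256 = "0ywy9sg7spafi3gm9q5wb59lbiq0swvf0q3iazl0maq1pj1nsb7h";
        });
        cfipv6 = fileToList (pkgs.fetchurl {
          url = "https://www.cloudflare.com/ips-v6";
          sha256 = "1ad09hijignj6zlqvdjxv7rjj8567z357zfavv201b9vx3ikk7cy";
        });
      in ''
        # Site-local modules first, then the pinned libraries. Entries are
        # separated by a single ";"; only the trailing ";;" appends the
        # interpreter default path.
        lua_package_path "${toString cfg.defaultLuaPackagePath}/?.lua;${lua-resty-template}/lib/?.lua;${lua-resty-redis}/lib/?.lua;${lua-resty-websocket}/lib/?.lua;;";

        # NOTE: add_header is only inherited by a server/location block that
        # declares no add_header of its own. A vhost that adds a header in its
        # extraConfig silently loses every header set here.
        map $scheme $hsts_header {
          https "max-age=31536000; includeSubdomains; preload";
        }
        add_header Strict-Transport-Security $hsts_header;
        # Enable CSP for your services.
        # add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
        # ^ this above breaks forgejo/gitea so
        add_header 'Referrer-Policy' 'origin-when-cross-origin';
        add_header X-Content-Type-Options nosniff;
        # Legacy header: current browsers ignore it and OWASP now recommends
        # the value 0; kept for older clients.
        add_header X-XSS-Protection "1; mode=block";
        # This might create errors: only cookies whose Path is exactly "/" are
        # rewritten, and SameSite=strict breaks cross-site login flows
        # (e.g. OAuth callbacks) for upstreams that rely on them.
        proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
        ${realIpsFromList cfipv4}
        ${realIpsFromList cfipv6}
        real_ip_header CF-Connecting-IP;
      '';

      # Catch-all for requests whose Host matches no vhost (direct IP access,
      # bogus domains): close the connection without a response (444).
      # `default` makes this the default_server explicitly instead of relying
      # on the attribute ordering of virtualHosts; `rejectSSL` refuses the TLS
      # handshake on 443 so another vhost's certificate is never served for an
      # unknown SNI name.
      virtualHosts."_" = {
        default = true;
        rejectSSL = true;
        locations."/".return = "444";
      };
    };

    networking.firewall.allowedTCPPorts = [ 443 80 ];
    # UDP 443 is only needed once HTTP/3 (QUIC) is enabled; nothing listens on
    # UDP 80, so it is no longer opened.
    networking.firewall.allowedUDPPorts = [ 443 ];
  };
}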