2025-07-10 21:42:33 +02:00
|
|
|
{
|
|
|
|
|
config,
|
|
|
|
|
lib,
|
|
|
|
|
pkgs,
|
2025-07-11 00:38:31 +02:00
|
|
|
modulesPath,
|
2025-07-10 21:42:33 +02:00
|
|
|
...
|
|
|
|
|
}:
|
|
|
|
|
let
|
|
|
|
|
cfg = config.khscodes.services.nginx;
|
2025-07-11 00:38:31 +02:00
|
|
|
locationOptions = import "${modulesPath}/services/web-servers/nginx/location-options.nix" {
|
|
|
|
|
inherit lib config;
|
|
|
|
|
};
|
2025-07-10 21:42:33 +02:00
|
|
|
vhostOption = lib.khscodes.mkSubmodule {
|
|
|
|
|
description = "nginx vhost";
|
|
|
|
|
options = {
|
2025-07-11 00:38:31 +02:00
|
|
|
acme = lib.mkOption {
|
|
|
|
|
description = "If a simple certificate for the virtual host name itself is not desired auto configured, then set this option. If set to a string it will be used as `useAcmeHost` from NixOS nginx service configuration. Otherwise set to the acme submodule and configure the desired certificate that way";
|
|
|
|
|
type = lib.types.nullOr (
|
|
|
|
|
lib.types.oneOf [
|
|
|
|
|
lib.types.str
|
|
|
|
|
(lib.types.mkSubmodule {
|
|
|
|
|
description = "acme certificate";
|
|
|
|
|
options = {
|
|
|
|
|
domains = lib.mkOption {
|
|
|
|
|
type = lib.types.listOf lib.types.str;
|
|
|
|
|
description = "Domain names the certificate should be requested for, should include the virtual host itself";
|
|
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
})
|
|
|
|
|
]
|
|
|
|
|
);
|
|
|
|
|
default = null;
|
|
|
|
|
};
|
|
|
|
|
globalRedirect = lib.mkOption {
|
2025-07-10 21:42:33 +02:00
|
|
|
type = lib.types.nullOr lib.types.str;
|
2025-07-11 00:38:31 +02:00
|
|
|
default = null;
|
|
|
|
|
description = "If set, all requests for this host are redirected (defaults to 301, configurable with redirectCode) to the given hostname.";
|
|
|
|
|
};
|
|
|
|
|
redirectCode = lib.mkOption {
|
|
|
|
|
type = lib.types.int;
|
|
|
|
|
default = 301;
|
|
|
|
|
description = "HTTP status used by globalRedirect and forceSSL. Possible usecases include temporary (302, 307) redirects, keeping the request method and body (307, 308), or explicitly resetting the method to GET (303). See https://developer.mozilla.org/en-US/docs/Web/HTTP/Redirections.";
|
|
|
|
|
};
|
|
|
|
|
extraConfig = lib.mkOption {
|
|
|
|
|
type = lib.types.lines;
|
|
|
|
|
description = "Extra configuration to inject into the generated nginx config";
|
|
|
|
|
default = '''';
|
|
|
|
|
};
|
|
|
|
|
locations = lib.mkOption {
|
|
|
|
|
type = lib.types.attrsOf (
|
|
|
|
|
lib.khscodes.mkSubmodule {
|
|
|
|
|
description = "nginx virtual host location";
|
|
|
|
|
options = locationOptions;
|
|
|
|
|
}
|
|
|
|
|
);
|
|
|
|
|
default = { };
|
2025-07-10 21:42:33 +02:00
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
};
|
2025-07-11 00:38:31 +02:00
|
|
|
dns01Enabled = config.khscodes.security.acme.dns01Enabled;
|
|
|
|
|
useAcmeConfiguration = lib.attrsets.foldlAttrs (
|
|
|
|
|
acc: name: item:
|
|
|
|
|
acc || (item.acme != null && !lib.attrsets.isAttrs item.acme)
|
|
|
|
|
) false cfg.virtualHosts;
|
2025-07-10 21:42:33 +02:00
|
|
|
in
|
|
|
|
|
{
|
|
|
|
|
options.khscodes.services.nginx = {
|
|
|
|
|
enable = lib.mkEnableOption "Enables nginx";
|
|
|
|
|
virtualHosts = lib.mkOption {
|
|
|
|
|
type = lib.types.attrsOf vhostOption;
|
|
|
|
|
description = "Virtual hosts settings";
|
|
|
|
|
default = { };
|
|
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
config = lib.mkIf cfg.enable {
|
2025-07-11 00:38:31 +02:00
|
|
|
assertions = [
|
|
|
|
|
{
|
|
|
|
|
assertion = !useAcmeConfiguration || dns01Enabled;
|
|
|
|
|
message = "Cannot use `config.khscodes.services.nginx.virtualHosts.<name>.acme = {}` without setting config.khscodes.security.acme.dns01Enabled";
|
|
|
|
|
}
|
|
|
|
|
];
|
2025-07-10 21:42:33 +02:00
|
|
|
khscodes.security.acme.enable = true;
|
2025-07-11 00:38:31 +02:00
|
|
|
security.dhparams.enable = true;
|
|
|
|
|
security.dhparams.params."nginx".bits = 4096;
|
2025-07-10 21:42:33 +02:00
|
|
|
services.nginx = {
|
|
|
|
|
enable = true;
|
|
|
|
|
package = lib.mkDefault pkgs.nginxStable;
|
|
|
|
|
sslDhparam = lib.mkDefault "${config.security.dhparams.params."nginx".path}";
|
|
|
|
|
recommendedTlsSettings = lib.mkDefault true;
|
|
|
|
|
recommendedGzipSettings = lib.mkDefault true;
|
|
|
|
|
recommendedOptimisation = lib.mkDefault true;
|
|
|
|
|
recommendedZstdSettings = lib.mkDefault true;
|
|
|
|
|
recommendedProxySettings = lib.mkDefault true;
|
2025-07-11 00:38:31 +02:00
|
|
|
virtualHosts = lib.attrsets.mapAttrs (name: value: {
|
|
|
|
|
inherit (value)
|
|
|
|
|
extraConfig
|
|
|
|
|
locations
|
|
|
|
|
globalRedirect
|
|
|
|
|
redirectCode
|
|
|
|
|
;
|
|
|
|
|
forceSSL = true;
|
|
|
|
|
enableACME = value.acme == null && !dns01Enabled;
|
|
|
|
|
useACMEHost =
|
|
|
|
|
if lib.strings.isString value.acme then
|
|
|
|
|
value.acme
|
|
|
|
|
else if lib.attrsets.isAttrs value.acme || dns01Enabled then
|
|
|
|
|
name
|
|
|
|
|
else
|
|
|
|
|
null;
|
|
|
|
|
}) cfg.virtualHosts;
|
2025-07-10 21:42:33 +02:00
|
|
|
};
|
2025-07-11 00:38:31 +02:00
|
|
|
networking.firewall.allowedTCPPorts = [
|
|
|
|
|
80
|
|
|
|
|
443
|
|
|
|
|
];
|
|
|
|
|
networking.firewall.allowedUDPPorts = [ 443 ];
|
|
|
|
|
users.users.nginx.extraGroups = lib.lists.optional dns01Enabled "acme";
|
|
|
|
|
security.acme.certs = lib.mkIf dns01Enabled (
|
|
|
|
|
lib.attrsets.foldlAttrs (
|
|
|
|
|
acc: name: value:
|
|
|
|
|
(
|
|
|
|
|
acc
|
|
|
|
|
// (lib.attrsets.optionalAttrs (lib.attrsets.isAttrs value.acme || dns01Enabled) {
|
|
|
|
|
"${name}" =
|
|
|
|
|
if value.acme == null then
|
|
|
|
|
{
|
|
|
|
|
domain = name;
|
|
|
|
|
reloadServices = [ "nginx" ];
|
|
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
{
|
|
|
|
|
domain = lib.lists.head value.acme.domains;
|
|
|
|
|
extraDomainNames = lib.lists.tail value.acme.domains;
|
|
|
|
|
reloadServices = [ "nginx" ];
|
|
|
|
|
};
|
|
|
|
|
})
|
|
|
|
|
)
|
|
|
|
|
) { } cfg.virtualHosts
|
|
|
|
|
);
|
2025-07-10 21:42:33 +02:00
|
|
|
};
|
|
|
|
|
}
|
