223 lines
7.7 KiB
Nix
223 lines
7.7 KiB
Nix
{
|
|
config,
|
|
lib,
|
|
pkgs,
|
|
modulesPath,
|
|
...
|
|
}:
|
|
let
|
|
cfg = config.khscodes.services.nginx;
|
|
locationOptions = import "${modulesPath}/services/web-servers/nginx/location-options.nix" {
|
|
inherit lib config;
|
|
};
|
|
vhostOption = lib.khscodes.mkSubmodule {
|
|
description = "nginx vhost";
|
|
options = {
|
|
acme = lib.mkOption {
|
|
description = "If a simple certificate for the virtual host name itself is not desired auto configured, then set this option. If set to a string it will be used as `useAcmeHost` from NixOS nginx service configuration. Otherwise set to the acme submodule and configure the desired certificate that way";
|
|
type = lib.types.nullOr (
|
|
lib.types.oneOf [
|
|
lib.types.str
|
|
(lib.khscodes.mkSubmodule {
|
|
description = "acme certificate";
|
|
options = {
|
|
domains = lib.mkOption {
|
|
type = lib.types.listOf lib.types.str;
|
|
description = "Domain names the certificate should be requested for, should include the virtual host itself";
|
|
};
|
|
};
|
|
})
|
|
]
|
|
);
|
|
default = null;
|
|
};
|
|
globalRedirect = lib.mkOption {
|
|
type = lib.types.nullOr lib.types.str;
|
|
default = null;
|
|
description = "If set, all requests for this host are redirected (defaults to 301, configurable with redirectCode) to the given hostname.";
|
|
};
|
|
redirectCode = lib.mkOption {
|
|
type = lib.types.int;
|
|
default = 301;
|
|
description = "HTTP status used by globalRedirect and forceSSL. Possible usecases include temporary (302, 307) redirects, keeping the request method and body (307, 308), or explicitly resetting the method to GET (303). See https://developer.mozilla.org/en-US/docs/Web/HTTP/Redirections.";
|
|
};
|
|
mtls = lib.mkOption {
|
|
type = lib.types.nullOr (
|
|
lib.khscodes.mkSubmodule {
|
|
options = {
|
|
verify = lib.mkOption {
|
|
type = lib.types.enum [
|
|
"optional"
|
|
"on"
|
|
];
|
|
default = "on";
|
|
};
|
|
certificate = lib.mkOption {
|
|
type = lib.types.str;
|
|
description = "Path to the certificate to verify client certificates against";
|
|
};
|
|
};
|
|
description = "Nginx MTLS settings";
|
|
}
|
|
);
|
|
default = null;
|
|
};
|
|
extraConfig = lib.mkOption {
|
|
type = lib.types.lines;
|
|
description = "Extra configuration to inject into the generated nginx config";
|
|
default = '''';
|
|
};
|
|
locations = lib.mkOption {
|
|
type = lib.types.attrsOf (
|
|
lib.khscodes.mkSubmodule {
|
|
description = "nginx virtual host location";
|
|
options = locationOptions.options;
|
|
}
|
|
);
|
|
default = { };
|
|
};
|
|
};
|
|
};
|
|
dns01Enabled = config.khscodes.security.acme.dns01Enabled;
|
|
useAcmeConfiguration = lib.attrsets.foldlAttrs (
|
|
acc: name: item:
|
|
acc || (item.acme != null && !lib.attrsets.isAttrs item.acme)
|
|
) false cfg.virtualHosts;
|
|
modernSslAppendedHttpConfig =
|
|
if cfg.sslConfiguration == "modern" then
|
|
''
|
|
ssl_ecdh_curve X25519:prime256v1:secp384r1;
|
|
''
|
|
else
|
|
'''';
|
|
in
|
|
{
|
|
options.khscodes.services.nginx = {
|
|
enable = lib.mkEnableOption "Enables nginx";
|
|
sslConfiguration = lib.mkOption {
|
|
type = lib.types.enum [
|
|
"modern"
|
|
"intermediate"
|
|
];
|
|
description = ''
|
|
Which sort of ssl configuration following https://ssl-config.mozilla.org/#server=nginx&version=1.28.0&config=modern&openssl=3.4.1&guideline=5.7 as a baseline to generate.
|
|
The generated config is not guarenteed to follow this template specifically. In general, modern is preferred, intermediate should only be used if there's a specific reason to do so.
|
|
Do note that intermediate requires generating dhparams of large size, which can take hours to complete.
|
|
|
|
TODO: Look into OCSP stapling.
|
|
'';
|
|
default = "modern";
|
|
};
|
|
virtualHosts = lib.mkOption {
|
|
type = lib.types.attrsOf vhostOption;
|
|
description = "Virtual hosts settings";
|
|
default = { };
|
|
};
|
|
};
|
|
config = lib.mkIf cfg.enable {
|
|
assertions = [
|
|
{
|
|
assertion = !useAcmeConfiguration || dns01Enabled;
|
|
message = "Cannot use `config.khscodes.services.nginx.virtualHosts.<name>.acme = {}` without setting config.khscodes.security.acme.dns01Enabled";
|
|
}
|
|
];
|
|
khscodes.networking.aliases = lib.attrsets.attrNames cfg.virtualHosts;
|
|
khscodes.security.acme.enable = true;
|
|
security.dhparams.enable = lib.mkIf (cfg.sslConfiguration == "intermediate") {
|
|
enable = true;
|
|
params."nginx" = {
|
|
bits = 4096;
|
|
};
|
|
};
|
|
services.nginx = {
|
|
enable = true;
|
|
package = lib.mkDefault pkgs.nginxStable;
|
|
sslDhparam = lib.mkIf (
|
|
cfg.sslConfiguration == "intermediate"
|
|
) "${config.security.dhparams.params."nginx".path}"; # DHParams only used when using the ciphers of intermediate
|
|
sslProtocols = lib.mkIf (cfg.sslConfiguration == "modern") "TLSv1.3"; # The default matches intermediate
|
|
sslCiphers = lib.mkIf (cfg.sslConfiguration == "modern") null;
|
|
recommendedTlsSettings = lib.mkDefault true;
|
|
recommendedGzipSettings = lib.mkDefault true;
|
|
recommendedOptimisation = lib.mkDefault true;
|
|
recommendedZstdSettings = lib.mkDefault true;
|
|
recommendedProxySettings = lib.mkDefault true;
|
|
appendHttpConfig = ''
|
|
map $scheme $hsts_header {
|
|
https "max-age=63072000; preload";
|
|
}
|
|
add_header Strict-Transport-Security $hsts_header;
|
|
|
|
add_header X-Frame-Options DENY;
|
|
add_header X-Content-Type-Options nosniff;
|
|
|
|
${modernSslAppendedHttpConfig}
|
|
'';
|
|
virtualHosts = lib.attrsets.mapAttrs (
|
|
name: value:
|
|
let
|
|
mtls =
|
|
if value.mtls != null then
|
|
''
|
|
ssl_client_certificate ${value.mtls.certificate};
|
|
ssl_verify_client ${value.mtls.verify};
|
|
''
|
|
else
|
|
'''';
|
|
extraConfig = ''
|
|
${mtls}
|
|
${value.extraConfig}
|
|
'';
|
|
in
|
|
{
|
|
inherit (value)
|
|
locations
|
|
globalRedirect
|
|
redirectCode
|
|
;
|
|
inherit extraConfig;
|
|
forceSSL = true;
|
|
enableACME = value.acme == null && !dns01Enabled;
|
|
useACMEHost =
|
|
if lib.strings.isString value.acme then
|
|
value.acme
|
|
else if lib.attrsets.isAttrs value.acme || dns01Enabled then
|
|
name
|
|
else
|
|
null;
|
|
}
|
|
) cfg.virtualHosts;
|
|
};
|
|
networking.firewall.allowedTCPPorts = [
|
|
80
|
|
443
|
|
];
|
|
networking.firewall.allowedUDPPorts = [ 443 ];
|
|
users.users.nginx.extraGroups = lib.lists.optional dns01Enabled "acme";
|
|
security.acme.certs = lib.mkIf dns01Enabled (
|
|
lib.attrsets.foldlAttrs (
|
|
acc: name: value:
|
|
(
|
|
acc
|
|
// (lib.attrsets.optionalAttrs
|
|
(lib.attrsets.isAttrs value.acme || (dns01Enabled && !lib.strings.isString value.acme))
|
|
{
|
|
"${name}" =
|
|
if value.acme == null then
|
|
{
|
|
domain = name;
|
|
reloadServices = [ "nginx" ];
|
|
}
|
|
else
|
|
{
|
|
domain = lib.lists.head value.acme.domains;
|
|
extraDomainNames = lib.lists.tail value.acme.domains;
|
|
reloadServices = [ "nginx" ];
|
|
};
|
|
}
|
|
)
|
|
)
|
|
) { } cfg.virtualHosts
|
|
);
|
|
};
|
|
}
|