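{ config
, pkgs
, lib
, ...
}: {
  options = {
    # Base domain that virtual host names are appended to.  It is also the
    # value the ACME guard in `config` below compares against.
    services.nginx.domain = lib.mkOption {
      type = lib.types.str;
      description = "The base domain name to append to virtual domain names";
    };

    # Extra per-virtual-host options, merged into the existing
    # `services.nginx.virtualHosts` submodule type.
    services.nginx.virtualHosts =
      let
        extraVirtualHostOptions =
          { name
          , config
          , ...
          }: {
            options = {
              # mkEnableOption prepends "Whether to enable", so the argument
              # is the bare feature name (the old text rendered as
              # "Whether to enable Enable HSTS").
              enableHSTS = lib.mkEnableOption "HSTS (Strict-Transport-Security header)";

              addAccessLog = lib.mkOption {
                type = lib.types.bool;
                default = true;
                description = ''
                  Add special logging to `/var/log/nginx/''${name}`, where
                  `name` is the virtual host's attribute name.
                '';
              };
            };

            config = {
              extraConfig = lib.concatStringsSep "\n" [
                # `always` emits the header on error responses as well;
                # max-age=15552000 is 180 days.
                (lib.optionalString config.enableHSTS ''
                  add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
                '')
                # NOTE(review): the `upstream_time` log format and the
                # /var/log/nginx/<name> directory are not provided by this
                # module — confirm they are defined elsewhere.
                (lib.optionalString config.addAccessLog ''
                  access_log /var/log/nginx/${name}/access.log upstream_time;
                '')
              ];
            };
          };
      in
      lib.mkOption {
        type = lib.types.attrsOf (lib.types.submodule extraVirtualHostOptions);
      };
  };

  config = {
    # Don't attempt to run acme if the domain name is not tlater.net
    systemd.services =
      let
        # A standalone script replaces the previous
        # `runtimeShell -c '[[ "tlater.net" = ${domain} ]]'` form, which had
        # two quoting problems: an unquoted right-hand side of `=` inside
        # `[[ ]]` is matched as a glob pattern (a domain of `*` would match
        # anything), and a domain containing a single quote or a `%` (a
        # systemd specifier in Exec*= lines) would break the command.
        # escapeShellArg makes the domain a literal string.  A non-zero
        # exit status makes systemd skip the unit without marking it failed.
        confirm = pkgs.writeShellScript "acme-domain-check" ''
          [[ "tlater.net" = ${lib.escapeShellArg config.services.nginx.domain} ]]
        '';
      in
      lib.mapAttrs'
        (cert: _:
          lib.nameValuePair "acme-${cert}" {
            serviceConfig.ExecCondition = confirm;
          })
        config.security.acme.certs;
  };
}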