treewide: Refactor nginx config

2024-04-13 04:34:53 +02:00 · 2024-04-13 04:34:53 +02:00 · 0d43b5177d
parent 7bb27d9bee
commit 0d43b5177d
8 changed files with 68 additions and 41 deletions
--- a/configuration/services/conduit.nix
+++ b/configuration/services/conduit.nix
@ -212,9 +212,9 @@ in {
    ];

    forceSSL = true;
+    enableHSTS = true;
    extraConfig = ''
      merge_slashes off;
-      access_log /var/log/nginx/${domain}/access.log upstream_time;
    '';

    locations = {
--- a/configuration/services/foundryvtt.nix
+++ b/configuration/services/foundryvtt.nix
@ -25,10 +25,7 @@ in {
  in {
    forceSSL = true;
    enableACME = true;
-    extraConfig = ''
-      add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
-      access_log /var/log/nginx/${domain}/access.log upstream_time;
-    '';
+    enableHSTS = true;

    locations."/" = {
      proxyWebsockets = true;
--- a/configuration/services/gitea.nix
+++ b/configuration/services/gitea.nix
@ -42,10 +42,7 @@ in {
  in {
    forceSSL = true;
    enableACME = true;
-    extraConfig = ''
-      add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
-      access_log /var/log/nginx/${domain}/access.log upstream_time;
-    '';
+    enableHSTS = true;

    locations."/".proxyPass = "http://${httpAddress}:${toString httpPort}";
    locations."/metrics" = {
--- a/configuration/services/metrics/grafana.nix
+++ b/configuration/services/metrics/grafana.nix
@ -39,10 +39,7 @@ in {
  services.nginx.virtualHosts."${domain}" = {
    forceSSL = true;
    enableACME = true;
-    extraConfig = ''
-      add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
-      access_log /var/log/nginx/${domain}/access.log upstream_time;
-    '';
+    enableHSTS = true;
    locations."/".proxyPass = "http://localhost:${toString config.services.grafana.settings.server.http_port}";
  };
 }
--- a/configuration/services/nextcloud.nix
+++ b/configuration/services/nextcloud.nix
@ -46,9 +46,7 @@ in {
  services.nginx.virtualHosts."${hostName}" = {
    forceSSL = true;
    enableACME = true;
-    extraConfig = ''
-      access_log /var/log/nginx/${hostName}/access.log upstream_time;
-    '';
+    # The upstream module already adds HSTS
  };

  # Block repeated failed login attempts
--- a/configuration/services/webserver.nix
+++ b/configuration/services/webserver.nix
@ -17,10 +17,7 @@ in {

    forceSSL = true;
    enableACME = true;
-    extraConfig = ''
-      add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
-      access_log /var/log/nginx/${domain}/access.log upstream_time;
-    '';
+    enableHSTS = true;

    locations."/".proxyPass = "http://${addr}:${toString port}";
  };
--- a/modules/default.nix
+++ b/modules/default.nix
@ -1,23 +1,5 @@
 {
-  pkgs,
-  config,
-  lib,
-  ...
-}: {
-  options.services.nginx.domain = lib.mkOption {
-    type = lib.types.str;
-    description = "The base domain name to append to virtual domain names";
-  };
-
-  config = {
-    # Don't attempt to run acme if the domain name is not tlater.net
-    systemd.services = let
-      confirm = ''[[ "tlater.net" = ${config.services.nginx.domain} ]]'';
-    in
-      lib.mapAttrs' (cert: _:
-        lib.nameValuePair "acme-${cert}" {
-          serviceConfig.ExecCondition = ''${pkgs.runtimeShell} -c '${confirm}' '';
-        })
-      config.security.acme.certs;
-  };
+  imports = [
+    ./nginxExtensions.nix
+  ];
 }
--- a/modules/nginxExtensions.nix
+++ b/modules/nginxExtensions.nix
@ -0,0 +1,59 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}: {
+  options = {
+    services.nginx.domain = lib.mkOption {
+      type = lib.types.str;
+      description = "The base domain name to append to virtual domain names";
+    };
+
+    services.nginx.virtualHosts = let
+      extraVirtualHostOptions = {
+        name,
+        config,
+        ...
+      }: {
+        options = {
+          enableHSTS = lib.mkEnableOption "Enable HSTS";
+
+          addAccessLog = lib.mkOption {
+            type = lib.types.bool;
+            default = true;
+            description = ''
+              Add special logging to `/var/log/nginx/''${serverName}`
+            '';
+          };
+        };
+
+        config = {
+          extraConfig = lib.concatStringsSep "\n" [
+            (lib.optionalString config.enableHSTS ''
+              add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
+            '')
+            (lib.optionalString config.addAccessLog ''
+              access_log /var/log/nginx/${name}/access.log upstream_time;
+            '')
+          ];
+        };
+      };
+    in
+      lib.mkOption {
+        type = lib.types.attrsOf (lib.types.submodule extraVirtualHostOptions);
+      };
+  };
+
+  config = {
+    # Don't attempt to run acme if the domain name is not tlater.net
+    systemd.services = let
+      confirm = ''[[ "tlater.net" = ${config.services.nginx.domain} ]]'';
+    in
+      lib.mapAttrs' (cert: _:
+        lib.nameValuePair "acme-${cert}" {
+          serviceConfig.ExecCondition = ''${pkgs.runtimeShell} -c '${confirm}' '';
+        })
+      config.security.acme.certs;
+  };
+}