treewide: Refactor nginx config

2024-04-13 04:34:53 +02:00 · 2024-04-13 04:34:53 +02:00 · 0d43b5177d
commit 0d43b5177d
parent 7bb27d9bee
8 changed files with 68 additions and 41 deletions
--- a/configuration/services/conduit.nix
+++ b/configuration/services/conduit.nix
@ -212,9 +212,9 @@ in {
    ];

    forceSSL = true;
+    enableHSTS = true;
    extraConfig = ''
      merge_slashes off;
-      access_log /var/log/nginx/${domain}/access.log upstream_time;
    '';

    locations = {
--- a/configuration/services/foundryvtt.nix
+++ b/configuration/services/foundryvtt.nix
@ -25,10 +25,7 @@ in {
  in {
    forceSSL = true;
    enableACME = true;
-    extraConfig = ''
-      add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
-      access_log /var/log/nginx/${domain}/access.log upstream_time;
-    '';
+    enableHSTS = true;

    locations."/" = {
      proxyWebsockets = true;
--- a/configuration/services/gitea.nix
+++ b/configuration/services/gitea.nix
@ -42,10 +42,7 @@ in {
  in {
    forceSSL = true;
    enableACME = true;
-    extraConfig = ''
-      add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
-      access_log /var/log/nginx/${domain}/access.log upstream_time;
-    '';
+    enableHSTS = true;

    locations."/".proxyPass = "http://${httpAddress}:${toString httpPort}";
    locations."/metrics" = {
--- a/configuration/services/metrics/grafana.nix
+++ b/configuration/services/metrics/grafana.nix
@ -39,10 +39,7 @@ in {
  services.nginx.virtualHosts."${domain}" = {
    forceSSL = true;
    enableACME = true;
-    extraConfig = ''
-      add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
-      access_log /var/log/nginx/${domain}/access.log upstream_time;
-    '';
+    enableHSTS = true;
    locations."/".proxyPass = "http://localhost:${toString config.services.grafana.settings.server.http_port}";
  };
 }
--- a/configuration/services/nextcloud.nix
+++ b/configuration/services/nextcloud.nix
@ -46,9 +46,7 @@ in {
  services.nginx.virtualHosts."${hostName}" = {
    forceSSL = true;
    enableACME = true;
-    extraConfig = ''
-      access_log /var/log/nginx/${hostName}/access.log upstream_time;
-    '';
+    # The upstream module already adds HSTS
  };

  # Block repeated failed login attempts
--- a/configuration/services/webserver.nix
+++ b/configuration/services/webserver.nix
@ -17,10 +17,7 @@ in {

    forceSSL = true;
    enableACME = true;
-    extraConfig = ''
-      add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
-      access_log /var/log/nginx/${domain}/access.log upstream_time;
-    '';
+    enableHSTS = true;

    locations."/".proxyPass = "http://${addr}:${toString port}";
  };