treewide: Refactor nginx config

2024-04-13 04:34:53 +02:00 · 2024-04-13 04:34:53 +02:00 · 0d43b5177d
commit 0d43b5177d
parent 7bb27d9bee
8 changed files with 68 additions and 41 deletions
--- a/modules/default.nix
+++ b/modules/default.nix
@ -1,23 +1,5 @@
 {
-  pkgs,
-  config,
-  lib,
-  ...
-}: {
-  options.services.nginx.domain = lib.mkOption {
-    type = lib.types.str;
-    description = "The base domain name to append to virtual domain names";
-  };
-
-  config = {
-    # Don't attempt to run acme if the domain name is not tlater.net
-    systemd.services = let
-      confirm = ''[[ "tlater.net" = ${config.services.nginx.domain} ]]'';
-    in
-      lib.mapAttrs' (cert: _:
-        lib.nameValuePair "acme-${cert}" {
-          serviceConfig.ExecCondition = ''${pkgs.runtimeShell} -c '${confirm}' '';
-        })
-      config.security.acme.certs;
-  };
+  imports = [
+    ./nginxExtensions.nix
+  ];
 }
--- a/modules/nginxExtensions.nix
+++ b/modules/nginxExtensions.nix
@ -0,0 +1,59 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}: {
+  options = {
+    services.nginx.domain = lib.mkOption {
+      type = lib.types.str;
+      description = "The base domain name to append to virtual domain names";
+    };
+
+    services.nginx.virtualHosts = let
+      extraVirtualHostOptions = {
+        name,
+        config,
+        ...
+      }: {
+        options = {
+          enableHSTS = lib.mkEnableOption "Enable HSTS";
+
+          addAccessLog = lib.mkOption {
+            type = lib.types.bool;
+            default = true;
+            description = ''
+              Add special logging to `/var/log/nginx/''${serverName}`
+            '';
+          };
+        };
+
+        config = {
+          extraConfig = lib.concatStringsSep "\n" [
+            (lib.optionalString config.enableHSTS ''
+              add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
+            '')
+            (lib.optionalString config.addAccessLog ''
+              access_log /var/log/nginx/${name}/access.log upstream_time;
+            '')
+          ];
+        };
+      };
+    in
+      lib.mkOption {
+        type = lib.types.attrsOf (lib.types.submodule extraVirtualHostOptions);
+      };
+  };
+
+  config = {
+    # Don't attempt to run acme if the domain name is not tlater.net
+    systemd.services = let
+      confirm = ''[[ "tlater.net" = ${config.services.nginx.domain} ]]'';
+    in
+      lib.mapAttrs' (cert: _:
+        lib.nameValuePair "acme-${cert}" {
+          serviceConfig.ExecCondition = ''${pkgs.runtimeShell} -c '${confirm}' '';
+        })
+      config.security.acme.certs;
+  };
+}