WIP: treewide: Refactor nginx config
This commit is contained in:
parent
7bb27d9bee
commit
64363c3962
|
@ -212,9 +212,9 @@ in {
|
|||
];
|
||||
|
||||
forceSSL = true;
|
||||
enableHSTS = true;
|
||||
extraConfig = ''
|
||||
merge_slashes off;
|
||||
access_log /var/log/nginx/${domain}/access.log upstream_time;
|
||||
'';
|
||||
|
||||
locations = {
|
||||
|
|
|
@ -25,10 +25,7 @@ in {
|
|||
in {
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
extraConfig = ''
|
||||
add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
|
||||
access_log /var/log/nginx/${domain}/access.log upstream_time;
|
||||
'';
|
||||
enableHSTS = true;
|
||||
|
||||
locations."/" = {
|
||||
proxyWebsockets = true;
|
||||
|
|
|
@ -42,10 +42,7 @@ in {
|
|||
in {
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
extraConfig = ''
|
||||
add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
|
||||
access_log /var/log/nginx/${domain}/access.log upstream_time;
|
||||
'';
|
||||
enableHSTS = true;
|
||||
|
||||
locations."/".proxyPass = "http://${httpAddress}:${toString httpPort}";
|
||||
locations."/metrics" = {
|
||||
|
|
|
@ -39,10 +39,7 @@ in {
|
|||
services.nginx.virtualHosts."${domain}" = {
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
extraConfig = ''
|
||||
add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
|
||||
access_log /var/log/nginx/${domain}/access.log upstream_time;
|
||||
'';
|
||||
enableHSTS = true;
|
||||
locations."/".proxyPass = "http://localhost:${toString config.services.grafana.settings.server.http_port}";
|
||||
};
|
||||
}
|
||||
|
|
|
@ -46,9 +46,7 @@ in {
|
|||
services.nginx.virtualHosts."${hostName}" = {
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
extraConfig = ''
|
||||
access_log /var/log/nginx/${hostName}/access.log upstream_time;
|
||||
'';
|
||||
# The upstream module already adds HSTS
|
||||
};
|
||||
|
||||
# Block repeated failed login attempts
|
||||
|
|
|
@ -17,10 +17,7 @@ in {
|
|||
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
extraConfig = ''
|
||||
add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
|
||||
access_log /var/log/nginx/${domain}/access.log upstream_time;
|
||||
'';
|
||||
enableHSTS = true;
|
||||
|
||||
locations."/".proxyPass = "http://${addr}:${toString port}";
|
||||
};
|
||||
|
|
|
@ -1,23 +1,5 @@
|
|||
{
|
||||
pkgs,
|
||||
config,
|
||||
lib,
|
||||
...
|
||||
}: {
|
||||
options.services.nginx.domain = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
description = "The base domain name to append to virtual domain names";
|
||||
};
|
||||
|
||||
config = {
|
||||
# Don't attempt to run acme if the domain name is not tlater.net
|
||||
systemd.services = let
|
||||
confirm = ''[[ "tlater.net" = ${config.services.nginx.domain} ]]'';
|
||||
in
|
||||
lib.mapAttrs' (cert: _:
|
||||
lib.nameValuePair "acme-${cert}" {
|
||||
serviceConfig.ExecCondition = ''${pkgs.runtimeShell} -c '${confirm}' '';
|
||||
})
|
||||
config.security.acme.certs;
|
||||
};
|
||||
imports = [
|
||||
./nginxExtensions.nix
|
||||
];
|
||||
}
|
||||
|
|
59
modules/nginxExtensions.nix
Normal file
59
modules/nginxExtensions.nix
Normal file
|
@ -0,0 +1,59 @@
|
|||
{
|
||||
config,
|
||||
pkgs,
|
||||
lib,
|
||||
...
|
||||
}: {
|
||||
options = {
|
||||
services.nginx.domain = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
description = "The base domain name to append to virtual domain names";
|
||||
};
|
||||
|
||||
services.nginx.virtualHosts = let
|
||||
extraVirtualHostOptions = {
|
||||
name,
|
||||
config,
|
||||
...
|
||||
}: {
|
||||
options = {
|
||||
enableHSTS = lib.mkEnableOption "Enable HSTS";
|
||||
|
||||
addAccessLog = lib.mkOption {
|
||||
type = lib.types.bool;
|
||||
default = true;
|
||||
description = ''
|
||||
Add special logging to `/var/log/nginx/''${serverName}`
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
config = {
|
||||
extraConfig = lib.concatStringsSep "\n" [
|
||||
(lib.optionalString config.enableHSTS ''
|
||||
add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
|
||||
'')
|
||||
(lib.optionalString config.addAccessLog ''
|
||||
access_log /var/log/nginx/${name}/access.log upstream_time;
|
||||
'')
|
||||
];
|
||||
};
|
||||
};
|
||||
in
|
||||
lib.mkOption {
|
||||
type = lib.types.attrsOf (lib.types.submodule extraVirtualHostOptions);
|
||||
};
|
||||
};
|
||||
|
||||
config = {
|
||||
# Don't attempt to run acme if the domain name is not tlater.net
|
||||
systemd.services = let
|
||||
confirm = ''[[ "tlater.net" = ${config.services.nginx.domain} ]]'';
|
||||
in
|
||||
lib.mapAttrs' (cert: _:
|
||||
lib.nameValuePair "acme-${cert}" {
|
||||
serviceConfig.ExecCondition = ''${pkgs.runtimeShell} -c '${confirm}' '';
|
||||
})
|
||||
config.security.acme.certs;
|
||||
};
|
||||
}
|
Loading…
Reference in a new issue