WIP: treewide: Refactor nginx config

This commit is contained in:
Tristan Daniël Maat 2024-04-13 04:34:53 +02:00
parent 7bb27d9bee
commit 64363c3962
Signed by: tlater
GPG key ID: 49670FD774E43268
8 changed files with 68 additions and 41 deletions

View file

@ -212,9 +212,9 @@ in {
];
forceSSL = true;
enableHSTS = true;
extraConfig = ''
merge_slashes off;
access_log /var/log/nginx/${domain}/access.log upstream_time;
'';
locations = {

View file

@ -25,10 +25,7 @@ in {
in {
forceSSL = true;
enableACME = true;
extraConfig = ''
add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
access_log /var/log/nginx/${domain}/access.log upstream_time;
'';
enableHSTS = true;
locations."/" = {
proxyWebsockets = true;

View file

@ -42,10 +42,7 @@ in {
in {
forceSSL = true;
enableACME = true;
extraConfig = ''
add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
access_log /var/log/nginx/${domain}/access.log upstream_time;
'';
enableHSTS = true;
locations."/".proxyPass = "http://${httpAddress}:${toString httpPort}";
locations."/metrics" = {

View file

@ -39,10 +39,7 @@ in {
services.nginx.virtualHosts."${domain}" = {
forceSSL = true;
enableACME = true;
extraConfig = ''
add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
access_log /var/log/nginx/${domain}/access.log upstream_time;
'';
enableHSTS = true;
locations."/".proxyPass = "http://localhost:${toString config.services.grafana.settings.server.http_port}";
};
}

View file

@ -46,9 +46,7 @@ in {
services.nginx.virtualHosts."${hostName}" = {
forceSSL = true;
enableACME = true;
extraConfig = ''
access_log /var/log/nginx/${hostName}/access.log upstream_time;
'';
# The upstream module already adds HSTS
};
# Block repeated failed login attempts

View file

@ -17,10 +17,7 @@ in {
forceSSL = true;
enableACME = true;
extraConfig = ''
add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
access_log /var/log/nginx/${domain}/access.log upstream_time;
'';
enableHSTS = true;
locations."/".proxyPass = "http://${addr}:${toString port}";
};

View file

@ -1,23 +1,5 @@
{
pkgs,
config,
lib,
...
}: {
options.services.nginx.domain = lib.mkOption {
type = lib.types.str;
description = "The base domain name to append to virtual domain names";
};
config = {
# Don't attempt to run acme if the domain name is not tlater.net
systemd.services = let
confirm = ''[[ "tlater.net" = ${config.services.nginx.domain} ]]'';
in
lib.mapAttrs' (cert: _:
lib.nameValuePair "acme-${cert}" {
serviceConfig.ExecCondition = ''${pkgs.runtimeShell} -c '${confirm}' '';
})
config.security.acme.certs;
};
imports = [
./nginxExtensions.nix
];
}

View file

@ -0,0 +1,59 @@
{
config,
pkgs,
lib,
...
}: {
options = {
services.nginx.domain = lib.mkOption {
type = lib.types.str;
description = "The base domain name to append to virtual domain names";
};
services.nginx.virtualHosts = let
extraVirtualHostOptions = {
name,
config,
...
}: {
options = {
enableHSTS = lib.mkEnableOption "Enable HSTS";
addAccessLog = lib.mkOption {
type = lib.types.bool;
default = true;
description = ''
Add special logging to `/var/log/nginx/''${serverName}`
'';
};
};
config = {
extraConfig = lib.concatStringsSep "\n" [
(lib.optionalString config.enableHSTS ''
add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
'')
(lib.optionalString config.addAccessLog ''
access_log /var/log/nginx/${name}/access.log upstream_time;
'')
];
};
};
in
lib.mkOption {
type = lib.types.attrsOf (lib.types.submodule extraVirtualHostOptions);
};
};
config = {
# Don't attempt to run acme if the domain name is not tlater.net
systemd.services = let
confirm = ''[[ "tlater.net" = ${config.services.nginx.domain} ]]'';
in
lib.mapAttrs' (cert: _:
lib.nameValuePair "acme-${cert}" {
serviceConfig.ExecCondition = ''${pkgs.runtimeShell} -c '${confirm}' '';
})
config.security.acme.certs;
};
}