treewide: Refactor nginx config #109

Manually merged
tlater merged 1 commit from tlater/refactor-nginx into master 2024-04-13 04:08:38 +01:00
8 changed files with 68 additions and 41 deletions


@ -212,9 +212,9 @@ in {
]; ];
forceSSL = true; forceSSL = true;
enableHSTS = true;
extraConfig = '' extraConfig = ''
merge_slashes off; merge_slashes off;
access_log /var/log/nginx/${domain}/access.log upstream_time;
''; '';
locations = { locations = {


@ -25,10 +25,7 @@ in {
in { in {
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
extraConfig = '' enableHSTS = true;
add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
access_log /var/log/nginx/${domain}/access.log upstream_time;
'';
locations."/" = { locations."/" = {
proxyWebsockets = true; proxyWebsockets = true;


@ -42,10 +42,7 @@ in {
in { in {
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
extraConfig = '' enableHSTS = true;
add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
access_log /var/log/nginx/${domain}/access.log upstream_time;
'';
locations."/".proxyPass = "http://${httpAddress}:${toString httpPort}"; locations."/".proxyPass = "http://${httpAddress}:${toString httpPort}";
locations."/metrics" = { locations."/metrics" = {


@ -39,10 +39,7 @@ in {
services.nginx.virtualHosts."${domain}" = { services.nginx.virtualHosts."${domain}" = {
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
extraConfig = '' enableHSTS = true;
add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
access_log /var/log/nginx/${domain}/access.log upstream_time;
'';
locations."/".proxyPass = "http://localhost:${toString config.services.grafana.settings.server.http_port}"; locations."/".proxyPass = "http://localhost:${toString config.services.grafana.settings.server.http_port}";
}; };
} }


@ -46,9 +46,7 @@ in {
services.nginx.virtualHosts."${hostName}" = { services.nginx.virtualHosts."${hostName}" = {
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
extraConfig = '' # The upstream module already adds HSTS
access_log /var/log/nginx/${hostName}/access.log upstream_time;
'';
}; };
# Block repeated failed login attempts # Block repeated failed login attempts


@ -17,10 +17,7 @@ in {
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
extraConfig = '' enableHSTS = true;
add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
access_log /var/log/nginx/${domain}/access.log upstream_time;
'';
locations."/".proxyPass = "http://${addr}:${toString port}"; locations."/".proxyPass = "http://${addr}:${toString port}";
}; };


@ -1,23 +1,5 @@
{ {
pkgs, imports = [
config, ./nginxExtensions.nix
lib, ];
...
}: {
options.services.nginx.domain = lib.mkOption {
type = lib.types.str;
description = "The base domain name to append to virtual domain names";
};
config = {
# Don't attempt to run acme if the domain name is not tlater.net
systemd.services = let
confirm = ''[[ "tlater.net" = ${config.services.nginx.domain} ]]'';
in
lib.mapAttrs' (cert: _:
lib.nameValuePair "acme-${cert}" {
serviceConfig.ExecCondition = ''${pkgs.runtimeShell} -c '${confirm}' '';
})
config.security.acme.certs;
};
} }


@ -0,0 +1,59 @@
{
config,
pkgs,
lib,
...
}: {
options = {
services.nginx.domain = lib.mkOption {
type = lib.types.str;
description = "The base domain name to append to virtual domain names";
};
services.nginx.virtualHosts = let
extraVirtualHostOptions = {
name,
config,
...
}: {
options = {
enableHSTS = lib.mkEnableOption "Enable HSTS";
addAccessLog = lib.mkOption {
type = lib.types.bool;
default = true;
description = ''
Add special logging to `/var/log/nginx/''${serverName}`
'';
};
};
config = {
extraConfig = lib.concatStringsSep "\n" [
(lib.optionalString config.enableHSTS ''
add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
'')
(lib.optionalString config.addAccessLog ''
access_log /var/log/nginx/${name}/access.log upstream_time;
'')
];
};
};
in
lib.mkOption {
type = lib.types.attrsOf (lib.types.submodule extraVirtualHostOptions);
};
};
config = {
# Don't attempt to run acme if the domain name is not tlater.net
systemd.services = let
confirm = ''[[ "tlater.net" = ${config.services.nginx.domain} ]]'';
in
lib.mapAttrs' (cert: _:
lib.nameValuePair "acme-${cert}" {
serviceConfig.ExecCondition = ''${pkgs.runtimeShell} -c '${confirm}' '';
})
config.security.acme.certs;
};
}
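Review bot: `lib.mkEnableOption "Enable HSTS"` in the new submodule produces the option description "Whether to enable Enable HSTS.", since mkEnableOption already prefixes "Whether to enable"; it should read `enableHSTS = lib.mkEnableOption "HSTS";`. The `addAccessLog` description also promises `/var/log/nginx/''${serverName}` while the directive below it writes to `/var/log/nginx/${name}/access.log`, where `name` is the virtualHosts attribute key rather than the host's serverName, so the description should say `''${name}` (or the directive should use the host's serverName) to keep the documented path and the real one in agreement. Worth a comment next to the HSTS `add_header` line as well: nginx does not inherit server-level `add_header` directives into any location block that declares its own `add_header`, so a host with header-setting locations silently loses the Strict-Transport-Security header unless it is repeated there — `# NOTE: add_header is not inherited into locations that set their own headers; repeat it there.` Minor: when both options are false the `concatStringsSep "\n"` still emits a lone newline into extraConfig, which is harmless but could be avoided with `lib.concatStrings`.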