treewide: Refactor nginx config #109
|
@ -212,9 +212,9 @@ in {
|
||||||
];
|
];
|
||||||
|
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
|
enableHSTS = true;
|
||||||
extraConfig = ''
|
extraConfig = ''
|
||||||
merge_slashes off;
|
merge_slashes off;
|
||||||
access_log /var/log/nginx/${domain}/access.log upstream_time;
|
|
||||||
'';
|
'';
|
||||||
|
|
||||||
locations = {
|
locations = {
|
||||||
|
|
|
@ -25,10 +25,7 @@ in {
|
||||||
in {
|
in {
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
enableACME = true;
|
enableACME = true;
|
||||||
extraConfig = ''
|
enableHSTS = true;
|
||||||
add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
|
|
||||||
access_log /var/log/nginx/${domain}/access.log upstream_time;
|
|
||||||
'';
|
|
||||||
|
|
||||||
locations."/" = {
|
locations."/" = {
|
||||||
proxyWebsockets = true;
|
proxyWebsockets = true;
|
||||||
|
|
|
@ -42,10 +42,7 @@ in {
|
||||||
in {
|
in {
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
enableACME = true;
|
enableACME = true;
|
||||||
extraConfig = ''
|
enableHSTS = true;
|
||||||
add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
|
|
||||||
access_log /var/log/nginx/${domain}/access.log upstream_time;
|
|
||||||
'';
|
|
||||||
|
|
||||||
locations."/".proxyPass = "http://${httpAddress}:${toString httpPort}";
|
locations."/".proxyPass = "http://${httpAddress}:${toString httpPort}";
|
||||||
locations."/metrics" = {
|
locations."/metrics" = {
|
||||||
|
|
|
@ -39,10 +39,7 @@ in {
|
||||||
services.nginx.virtualHosts."${domain}" = {
|
services.nginx.virtualHosts."${domain}" = {
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
enableACME = true;
|
enableACME = true;
|
||||||
extraConfig = ''
|
enableHSTS = true;
|
||||||
add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
|
|
||||||
access_log /var/log/nginx/${domain}/access.log upstream_time;
|
|
||||||
'';
|
|
||||||
locations."/".proxyPass = "http://localhost:${toString config.services.grafana.settings.server.http_port}";
|
locations."/".proxyPass = "http://localhost:${toString config.services.grafana.settings.server.http_port}";
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
@ -46,9 +46,7 @@ in {
|
||||||
services.nginx.virtualHosts."${hostName}" = {
|
services.nginx.virtualHosts."${hostName}" = {
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
enableACME = true;
|
enableACME = true;
|
||||||
extraConfig = ''
|
# The upstream module already adds HSTS
|
||||||
access_log /var/log/nginx/${hostName}/access.log upstream_time;
|
|
||||||
'';
|
|
||||||
};
|
};
|
||||||
|
|
||||||
# Block repeated failed login attempts
|
# Block repeated failed login attempts
|
||||||
|
|
|
@ -17,10 +17,7 @@ in {
|
||||||
|
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
enableACME = true;
|
enableACME = true;
|
||||||
extraConfig = ''
|
enableHSTS = true;
|
||||||
add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
|
|
||||||
access_log /var/log/nginx/${domain}/access.log upstream_time;
|
|
||||||
'';
|
|
||||||
|
|
||||||
locations."/".proxyPass = "http://${addr}:${toString port}";
|
locations."/".proxyPass = "http://${addr}:${toString port}";
|
||||||
};
|
};
|
||||||
|
|
|
@ -1,23 +1,5 @@
|
||||||
{
|
{
|
||||||
pkgs,
|
imports = [
|
||||||
config,
|
./nginxExtensions.nix
|
||||||
lib,
|
];
|
||||||
...
|
|
||||||
}: {
|
|
||||||
options.services.nginx.domain = lib.mkOption {
|
|
||||||
type = lib.types.str;
|
|
||||||
description = "The base domain name to append to virtual domain names";
|
|
||||||
};
|
|
||||||
|
|
||||||
config = {
|
|
||||||
# Don't attempt to run acme if the domain name is not tlater.net
|
|
||||||
systemd.services = let
|
|
||||||
confirm = ''[[ "tlater.net" = ${config.services.nginx.domain} ]]'';
|
|
||||||
in
|
|
||||||
lib.mapAttrs' (cert: _:
|
|
||||||
lib.nameValuePair "acme-${cert}" {
|
|
||||||
serviceConfig.ExecCondition = ''${pkgs.runtimeShell} -c '${confirm}' '';
|
|
||||||
})
|
|
||||||
config.security.acme.certs;
|
|
||||||
};
|
|
||||||
}
|
}
|
||||||
|
|
59
modules/nginxExtensions.nix
Normal file
59
modules/nginxExtensions.nix
Normal file
|
@ -0,0 +1,59 @@
|
||||||
|
{
|
||||||
|
config,
|
||||||
|
pkgs,
|
||||||
|
lib,
|
||||||
|
...
|
||||||
|
}: {
|
||||||
|
options = {
|
||||||
|
services.nginx.domain = lib.mkOption {
|
||||||
|
type = lib.types.str;
|
||||||
|
description = "The base domain name to append to virtual domain names";
|
||||||
|
};
|
||||||
|
|
||||||
|
services.nginx.virtualHosts = let
|
||||||
|
extraVirtualHostOptions = {
|
||||||
|
name,
|
||||||
|
config,
|
||||||
|
...
|
||||||
|
}: {
|
||||||
|
options = {
|
||||||
|
enableHSTS = lib.mkEnableOption "Enable HSTS";
|
||||||
|
|
||||||
|
addAccessLog = lib.mkOption {
|
||||||
|
type = lib.types.bool;
|
||||||
|
default = true;
|
||||||
|
description = ''
|
||||||
|
Add special logging to `/var/log/nginx/''${serverName}`
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
config = {
|
||||||
|
extraConfig = lib.concatStringsSep "\n" [
|
||||||
|
(lib.optionalString config.enableHSTS ''
|
||||||
|
add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
|
||||||
|
'')
|
||||||
|
(lib.optionalString config.addAccessLog ''
|
||||||
|
access_log /var/log/nginx/${name}/access.log upstream_time;
|
||||||
|
'')
|
||||||
|
];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
in
|
||||||
|
lib.mkOption {
|
||||||
|
type = lib.types.attrsOf (lib.types.submodule extraVirtualHostOptions);
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
config = {
|
||||||
|
# Don't attempt to run acme if the domain name is not tlater.net
|
||||||
|
systemd.services = let
|
||||||
|
confirm = ''[[ "tlater.net" = ${config.services.nginx.domain} ]]'';
|
||||||
|
in
|
||||||
|
lib.mapAttrs' (cert: _:
|
||||||
|
lib.nameValuePair "acme-${cert}" {
|
||||||
|
serviceConfig.ExecCondition = ''${pkgs.runtimeShell} -c '${confirm}' '';
|
||||||
|
})
|
||||||
|
config.security.acme.certs;
|
||||||
|
};
|
||||||
|
}
|
Loading…
Reference in a new issue