{ config, pkgs, lib, ... }: { options = { services.nginx.domain = lib.mkOption { type = lib.types.str; description = "The base domain name to append to virtual domain names"; }; services.nginx.virtualHosts = let extraLocationOptions = {config, ...}: { options = { enableAuthorization = lib.mkEnableOption "Enable authorization via authelia"; }; config = { recommendedProxySettings = lib.mkIf config.enableAuthorization false; extraConfig = lib.concatStringsSep "\n" [ (lib.optionalString config.enableAuthorization '' proxy_set_header Host $host; proxy_set_header X-Original-URL $scheme://$http_host$request_uri; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Host $http_host; proxy_set_header X-Forwarded-URI $request_uri; proxy_set_header X-Forwarded-Ssl on; proxy_set_header X-Forwarded-For $remote_addr; proxy_set_header X-Real-IP $remote_addr; proxy_redirect http:// $scheme://; proxy_cache_bypass $cookie_session; proxy_no_cache $cookie_session; real_ip_header X-Forwarded-For; real_ip_recursive on; '') (lib.optionalString config.enableAuthorization '' auth_request /internal/authelia/authz; auth_request_set $user $upstream_http_remote_user; auth_request_set $groups $upstream_http_remote_groups; auth_request_set $name $upstream_http_remote_name; auth_request_set $email $upstream_http_remote_email; proxy_set_header Remote-User $user; proxy_set_header Remote-Groups $groups; proxy_set_header Remote-Email $email; proxy_set_header Remote-Name $name; auth_request_set $redirection_url $upstream_http_location; error_page 401 =302 $redirection_url; '') ]; }; }; extraVirtualHostOptions = {name, config, ...}: { options = { enableAuthorization = lib.mkEnableOption "Enable authorization via authelia"; enableHSTS = lib.mkEnableOption "Enable HSTS"; addAccessLog = lib.mkOption { type = lib.types.bool; default = true; description = '' Add special logging to `/var/log/nginx/''${serverName}` ''; }; locations = lib.mkOption { type = lib.types.attrsOf (lib.types.submodule extraLocationOptions); }; }; config = { extraConfig = lib.concatStringsSep "\n" [ (lib.optionalString config.enableHSTS '' add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always; '') (lib.optionalString config.addAccessLog '' access_log /var/log/nginx/${name}/access.log upstream_time; '') ]; locations = lib.mkIf config.enableAuthorization { "/".enableAuthorization = true; "/internal/authelia/authz" = { proxyPass = "http://127.0.0.1:9091/api/authz/auth-request"; recommendedProxySettings = false; extraConfig = '' internal; proxy_set_header X-Original-Method $request_method; proxy_set_header X-Original-URL $scheme://$http_host$request_uri; proxy_set_header X-Forwarded-For $remote_addr; proxy_set_header Content-Length ""; proxy_set_header Connection ""; proxy_pass_request_body off; proxy_next_upstream error timeout invalid_header http_500 http_502 http_503; proxy_redirect http:// $scheme://; proxy_http_version 1.1; proxy_cache_bypass $cookie_session; proxy_no_cache $cookie_session; proxy_buffers 4 32k; client_body_buffer_size 128k; ''; }; }; }; }; in lib.mkOption { type = lib.types.attrsOf (lib.types.submodule extraVirtualHostOptions); }; }; config = { # Don't attempt to run acme if the domain name is not tlater.net systemd.services = let confirm = ''[[ "tlater.net" = ${config.services.nginx.domain} ]]''; in lib.mapAttrs' (cert: _: lib.nameValuePair "acme-${cert}" { serviceConfig.ExecCondition = ''${pkgs.runtimeShell} -c '${confirm}' ''; }) config.security.acme.certs; }; }