tlaternet-server/configuration/nginx/default.nix

{
  flake-inputs,
  pkgs,
  lib,
  ...
}:
{
  imports = [
    ./logging.nix
    ./ssl.nix
  ];

  options.services.nginx.domain = lib.mkOption {
    type = lib.types.str;
    description = "The base domain name to append to virtual domain names";
  };

  config = {
    services.nginx = {
      enable = true;
      recommendedTlsSettings = true;
      recommendedOptimisation = true;
      recommendedGzipSettings = true;
      recommendedProxySettings = true;
      clientMaxBodySize = "10G";
      statusPage = true; # For metrics, should be accessible only from localhost
    };

    serviceTests =
      let
        testHostConfig =
          { config, ... }:
          {
            _module.args = { inherit flake-inputs; };
            imports = [
              ./.
              ../../modules/serviceTests/mocks.nix
              flake-inputs.sops-nix.nixosModules.sops
            ];

            services.nginx = {
              domain = "testHost";

              virtualHosts."${config.services.nginx.domain}" = {
                useACMEHost = "tlater.net";
                forceSSL = true;
                enableHSTS = true;
                locations."/".return = "200 ok";
              };
            };
          };
      in
      {
        hstsIsSet = pkgs.testers.runNixOSTest {
          name = "assert-hsts";
          nodes = {
            testHost = testHostConfig;

            client =
              { pkgs, ... }:
              {
                environment.systemPackages = [ pkgs.curl ];
              };
          };

          testScript = ''
            start_all()

            testHost.wait_for_unit("nginx")
            testHost.succeed("systemctl start network-online.target")
            testHost.wait_for_unit("network-online.target")

            client.succeed("curl http://testHost")
          '';
        };
      };
  };
}