{ lib, config, pkgs, ... }:
{
# set default options for virtualHosts
options = with lib; {
services.nginx.virtualHosts = mkOption {
type = types.attrsOf (types.submodule
({ name, ... }: {
enableACME = true;
forceSSL = true;
# split up nginx access logs per vhost
extraConfig = ''
access_log /var/log/nginx/${name}_access.log;
error_log /var/log/nginx/${name}_error.log;
'';
})
);
};
};
config = {
networking.firewall.allowedTCPPorts = [ 80 443 ];
networking.firewall.allowedUDPPorts = [ 443 ];
services.nginx = {
enable = true;
package = pkgs.nginxQuic;
additionalModules = [ pkgs.nginxModules.pam ];
recommendedProxySettings = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedTlsSettings = true;
# appendHttpConfig = ''
# map $remote_addr $remote_addr_anon {
# ~(?P<ip>\d+\.\d+\.\d+)\. $ip.0;
# ~(?P<ip>[^:]+:[^:]+): $ip::;
# # IP addresses to not anonymize
# 127.0.0.1 $remote_addr;
# ::1 $remote_addr;
# default 0.0.0.0;
# }
# log_format anon_ip '$remote_addr_anon - $remote_user [$time_local] "$request" '
# '$status $body_bytes_sent "$http_referer" '
# '"$http_user_agent" "$http_x_forwarded_for"';
# access_log /var/log/nginx/access.log anon_ip;
# '';
};
security.acme = {
acceptTerms = true;
defaults = {
#server = "https://acme-staging-v02.api.letsencrypt.org/directory";
email = "root@${config.networking.domain}";
};
};
security.pam.services.nginx.text = ''
auth required ${pkgs.nss_pam_ldapd}/lib/security/pam_ldap.so
account required ${pkgs.nss_pam_ldapd}/lib/security/pam_ldap.so
'';
};
}