61 lines
2 KiB
Nix
61 lines
2 KiB
Nix
{ lib, config, pkgs, ... }:
|
|
{
|
|
# set default options for virtualHosts
|
|
options = with lib; {
|
|
services.nginx.virtualHosts = mkOption {
|
|
type = types.attrsOf (types.submodule
|
|
({ name, ... }: {
|
|
enableACME = true;
|
|
forceSSL = true;
|
|
# split up nginx access logs per vhost
|
|
extraConfig = ''
|
|
access_log /var/log/nginx/${name}_access.log;
|
|
error_log /var/log/nginx/${name}_error.log;
|
|
'';
|
|
})
|
|
);
|
|
};
|
|
};
|
|
|
|
config = {
|
|
networking.firewall.allowedTCPPorts = [ 80 443 ];
|
|
networking.firewall.allowedUDPPorts = [ 443 ];
|
|
services.nginx = {
|
|
enable = true;
|
|
package = pkgs.nginxQuic;
|
|
additionalModules = [ pkgs.nginxModules.pam ];
|
|
recommendedProxySettings = true;
|
|
recommendedGzipSettings = true;
|
|
recommendedOptimisation = true;
|
|
recommendedTlsSettings = true;
|
|
|
|
# appendHttpConfig = ''
|
|
# map $remote_addr $remote_addr_anon {
|
|
# ~(?P<ip>\d+\.\d+\.\d+)\. $ip.0;
|
|
# ~(?P<ip>[^:]+:[^:]+): $ip::;
|
|
# # IP addresses to not anonymize
|
|
# 127.0.0.1 $remote_addr;
|
|
# ::1 $remote_addr;
|
|
# default 0.0.0.0;
|
|
# }
|
|
# log_format anon_ip '$remote_addr_anon - $remote_user [$time_local] "$request" '
|
|
# '$status $body_bytes_sent "$http_referer" '
|
|
# '"$http_user_agent" "$http_x_forwarded_for"';
|
|
|
|
# access_log /var/log/nginx/access.log anon_ip;
|
|
# '';
|
|
};
|
|
security.acme = {
|
|
acceptTerms = true;
|
|
defaults = {
|
|
#server = "https://acme-staging-v02.api.letsencrypt.org/directory";
|
|
email = "root@${config.networking.domain}";
|
|
};
|
|
};
|
|
security.pam.services.nginx.text = ''
|
|
auth required ${pkgs.nss_pam_ldapd}/lib/security/pam_ldap.so
|
|
account required ${pkgs.nss_pam_ldapd}/lib/security/pam_ldap.so
|
|
'';
|
|
};
|
|
}
|