Diffstat (limited to 'sys/web/nginx.nix')
| -rw-r--r-- | sys/web/nginx.nix | 94 |
1 files changed, 94 insertions, 0 deletions
diff --git a/sys/web/nginx.nix b/sys/web/nginx.nix
new file mode 100644
index 0000000..a054289
--- /dev/null
+++ b/sys/web/nginx.nix
@@ -0,0 +1,94 @@
+{
+ config,
+ lib,
+ ...
+}:
+with lib; let
+ cfg = config.local.web;
+ inherit (config.local) domains;
+in {
+ options.local.web = {
+ enable = mkEnableOption "web server";
+
+ defaultACMEHost = mkOption {
+ type = types.str;
+ };
+
+ ownedCerts = mkOption {
+ type = with lib.types; listOf str;
+ default = [];
+ };
+ };
+
+ config = mkIf cfg.enable {
+ services = {
+ fail2ban.jails = {
+ # https://discourse.nixos.org/t/fail2ban-with-nginx-and-authelia/31419
+ nginx-botsearch.settings = {
+ # Usar log en vez de journalctl
+ # TODO: Pasar todo a systemd?
+ backend = "pyinotify";
+ logpath = "/var/log/nginx/*.log";
+ journalmatch = "";
+ };
+
+ nginx-bad-request.settings = {
+ backend = "pyinotify";
+ logpath = "/var/log/nginx/*.log";
+ journalmatch = "";
+
+ maxretry = 10;
+ };
+ };
+
+ nginx = {
+ enable = true;
+
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ recommendedProxySettings = true;
+ recommendedTlsSettings = true;
+
+ logError = "/var/log/nginx/error.log";
+ sslDhparam = config.security.dhparams.params.nginx.path;
+ clientMaxBodySize = "42M";
+
+ mapHashBucketSize = 128;
+
+ virtualHosts.default = {
+ default = true;
+
+ addSSL = true;
+ useACMEHost = cfg.defaultACMEHost;
+
+ locations."/".extraConfig = ''
+ return 403;
+ '';
+ };
+ };
+ };
+
+ local.certs = listToAttrs (map
+ (name: {
+ inherit name;
+ value.enable = true;
+ })
+ cfg.ownedCerts);
+
+ networking.firewall.allowedTCPPorts = [80 443];
+
+ security = {
+ acme.certs = listToAttrs (map
+ (name: {
+ name = domains.${name}.main;
+ value = {
+ group = mkDefault config.services.nginx.group;
+ reloadServices = ["nginx.service"];
+ };
+ })
+ cfg.ownedCerts);
+
+ dhparams.params.nginx = {};
+ };
+ };
+} |
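Review bot: The catch-all `virtualHosts.default` completes the TLS handshake with the `cfg.defaultACMEHost` certificate before answering 403, so any client that connects by bare IP or with an unknown SNI can read the real hostnames from the certificate's subject and SANs. If the intent is only to refuse unmatched requests, replacing `addSSL = true;` and `useACMEHost = cfg.defaultACMEHost;` with `rejectSSL = true;` makes nginx reject the handshake (`ssl_reject_handshake`) without presenting a certificate, while plain HTTP on port 80 still gets the 403. Worth confirming that the deployed nginx version supports that directive and that nothing relies on the default vhost serving a valid certificate. `defaultACMEHost` would then no longer be read in this file; if it stays, a `description` on it and on `ownedCerts` would help, for example `description = "ACME certificate name served by the catch-all virtual host";`.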
