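# Local web-server module: nginx with a deny-all catch-all virtual host,
# ACME certificates for the names listed in `ownedCerts`, and fail2ban
# jails that watch the nginx log files.
{ config, lib, ... }:
with lib;
let
  cfg = config.local.web;
  inherit (config.local) domains;
in
{
  options.local.web = {
    enable = mkEnableOption "web server";

    defaultACMEHost = mkOption {
      type = types.str;
      description = ''
        ACME host whose certificate the catch-all default virtual host
        presents (`useACMEHost`), so TLS handshakes for unknown names are
        still completed with a valid certificate before the 403 is returned.
      '';
    };

    ownedCerts = mkOption {
      type = types.listOf types.str;
      default = [ ];
      description = ''
        Names (keys of `config.local.domains`) for which this host requests
        ACME certificates and enables the matching `local.certs` entries.
        The certificate for a name is requested for `domains.<name>.main`.
      '';
    };
  };

  config = mkIf cfg.enable {
    services = {
      fail2ban.jails = {
        # https://discourse.nixos.org/t/fail2ban-with-nginx-and-authelia/31419
        nginx-botsearch.settings = {
          # Use the log files instead of journalctl
          # TODO: Move everything to systemd?
          backend = "pyinotify";
          logpath = "/var/log/nginx/*.log";
          # Empty on purpose: this jail is file-based, so no journal filter applies.
          journalmatch = "";
        };
        nginx-bad-request.settings = {
          backend = "pyinotify";
          logpath = "/var/log/nginx/*.log";
          journalmatch = "";
          maxretry = 10;
        };
      };

      nginx = {
        enable = true;
        recommendedGzipSettings = true;
        recommendedOptimisation = true;
        recommendedProxySettings = true;
        recommendedTlsSettings = true;
        # Error log written to a file under /var/log/nginx so the fail2ban
        # jails above can watch it (the access log is assumed to land in the
        # same directory — confirm against the nginx module defaults).
        logError = "/var/log/nginx/error.log";
        # DH parameters generated by security.dhparams (declared below).
        sslDhparam = config.security.dhparams.params.nginx.path;
        clientMaxBodySize = "42M";
        mapHashBucketSize = 128;

        # Catch-all vhost: a request whose Host header matches no other
        # virtual host gets 403 instead of being served by an arbitrary site.
        virtualHosts.default = {
          default = true;
          addSSL = true;
          useACMEHost = cfg.defaultACMEHost;
          locations."/".extraConfig = ''
            return 403;
          '';
        };
      };
    };

    # Enable the local certificate entry for every owned name.
    local.certs = genAttrs cfg.ownedCerts (_: { enable = true; });

    networking.firewall.allowedTCPPorts = [ 80 443 ];

    security = {
      acme.certs = listToAttrs (map (name: {
        name = domains.${name}.main;
        value = {
          # Key material must be readable by the nginx group that serves it;
          # mkDefault lets a per-host override pick a different group.
          group = mkDefault config.services.nginx.group;
          reloadServices = [ "nginx.service" ];
        };
      }) cfg.ownedCerts);

      # Parameters referenced by services.nginx.sslDhparam above.
      dhparams.params.nginx = { };
    };
  };
}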