modules/nixos: add nginx

- set worker_processes / worker_cpu_affinity to auto, enable pcre_jit - enable ktls - set a default virtualHost for a 404 and use it for reuseport - set enableACME, forceSSL by default, disable for localhost - set robots header and file
2024-07-08 09:36:56 +10:00 · 2024-07-08 09:36:56 +10:00 · 01c2beb7b4
commit 01c2beb7b4
parent cf8fc93213
10 changed files with 60 additions and 21 deletions
--- a/modules/nixos/nginx.nix
+++ b/modules/nixos/nginx.nix
@ -0,0 +1,53 @@
+{
+  config,
+  inputs,
+  lib,
+  pkgs,
+  ...
+}:
+{
+  options.services.nginx.virtualHosts = lib.mkOption {
+    type = lib.types.attrsOf (
+      lib.types.submodule {
+        config = {
+          enableACME = lib.mkDefault true;
+          forceSSL = lib.mkDefault true;
+          kTLS = true;
+
+          extraConfig = ''
+            add_header X-Robots-Tag "none, noarchive, nosnippet";
+          '';
+
+          locations."= /robots.txt".alias = pkgs.writeText "robots.txt" ''
+            User-agent: *
+            Disallow: /
+          '';
+        };
+      }
+    );
+  };
+
+  imports = [ inputs.srvos.nixosModules.mixins-nginx ];
+
+  config = {
+    services.nginx = {
+      appendConfig = ''
+        pcre_jit on;
+        worker_processes auto;
+        worker_cpu_affinity auto;
+      '';
+
+      virtualHosts."${config.networking.hostName}.nix-community.org" = {
+        default = true;
+        locations."/".return = "404";
+        reuseport = true; # should only be set for one virtualHost
+      };
+
+      # localhost is used by the nginx status page
+      virtualHosts.localhost = {
+        enableACME = false;
+        forceSSL = false;
+      };
+    };
+  };
+}