chore: move nginx module to extra-modules

2025-10-10 23:00:39 +02:00 · 2023-12-25 21:49:36 +01:00 · 2023-12-25 21:49:36 +01:00 · 06a68e0b62
commit 06a68e0b62
parent d10cd74dc6
5 changed files with 8 additions and 107 deletions
--- a/flake.lock
+++ b/flake.lock
@ -405,11 +405,11 @@
        "pre-commit-hooks": "pre-commit-hooks_3"
      },
      "locked": {
-        "lastModified": 1703523999,
-        "narHash": "sha256-pKuYDvGYo6ufevbylNo6P6qjwrUHk0ENpFXrP7KU/wY=",
+        "lastModified": 1703537346,
+        "narHash": "sha256-uHS8w7HzkPyPh4K2L0U13A0IUeSI9yugYXgK8xz+CyA=",
        "owner": "oddlama",
        "repo": "nixos-extra-modules",
-        "rev": "bc948ad1abed5eef3f8a10f5b44dc5bcd94d725a",
+        "rev": "4daf3ffd02f7cfb1c9a3c8c95bec21dd078ab26f",
        "type": "github"
      },
      "original": {
@ -1137,11 +1137,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1703185304,
-        "narHash": "sha256-CKsV786NBB8fuls4vyKGTfOz9bkpAn2lh8PKL8YLZ+M=",
+        "lastModified": 1703435563,
+        "narHash": "sha256-BDnoVc9Kvc9wo9lt8GC0kkqwLedP7lnBBdh1UHl4cPw=",
        "owner": "nix-community",
        "repo": "nixvim",
-        "rev": "43d20e833267ffd026af692060fb344960930fe1",
+        "rev": "c11158c73e9a488d803356127a54af8101fc0051",
        "type": "github"
      },
      "original": {
--- a/hosts/sentinel/default.nix
+++ b/hosts/sentinel/default.nix
@ -15,6 +15,7 @@
  boot.mode = "bios";
  users.groups.acme.members = ["nginx"];
  services.nginx.enable = true;
+  services.nginx.recommendedSetup = true;

  meta.promtail = {
    enable = true;
--- a/hosts/zackbiene/default.nix
+++ b/hosts/zackbiene/default.nix
@ -27,6 +27,7 @@ in {
  boot.mode = "efi";
  users.groups.acme.members = ["nginx"];
  services.nginx.enable = true;
+  services.nginx.recommendedSetup = true;

  security.acme = {
    acceptTerms = true;
--- a/modules/default.nix
+++ b/modules/default.nix
@ -33,7 +33,6 @@
    ./distributed-config.nix
    ./kanidm.nix
    ./meta.nix
-    ./nginx.nix
    ./oauth2-proxy.nix
    ./promtail.nix
    ./provided-domains.nix
--- a/modules/nginx.nix
+++ b/modules/nginx.nix
@ -1,100 +0,0 @@
-{
-  config,
-  lib,
-  ...
-}: let
-  inherit
-    (lib)
-    mkBefore
-    mkIf
-    mkOption
-    types
-    ;
-in {
-  options.services.nginx.virtualHosts = mkOption {
-    type = types.attrsOf (types.submodule {
-      options.locations = mkOption {
-        type = types.attrsOf (types.submodule ({config, ...}: {
-          options = {
-            recommendedSecurityHeaders = mkOption {
-              type = types.bool;
-              default = true;
-              description = "Whether to add additional security headers to this location.";
-            };
-
-            X-Frame-Options = mkOption {
-              type = types.str;
-              default = "DENY";
-              description = "The value to use for X-Frame-Options";
-            };
-          };
-          config = mkIf config.recommendedSecurityHeaders {
-            extraConfig = mkBefore ''
-              # Enable HTTP Strict Transport Security (HSTS)
-              add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
-
-              # Minimize information leaked to other domains
-              add_header Referrer-Policy "origin-when-cross-origin";
-
-              add_header X-XSS-Protection "1; mode=block";
-              add_header X-Frame-Options "${config.X-Frame-Options}";
-              add_header X-Content-Type-Options "nosniff";
-            '';
-          };
-        }));
-      };
-    });
-  };
-
-  config = mkIf config.services.nginx.enable {
-    age.secrets."dhparams.pem" = {
-      generator.script = "dhparams";
-      mode = "440";
-      group = "nginx";
-    };
-
-    # Sensible defaults for nginx
-    services.nginx = {
-      recommendedBrotliSettings = true;
-      recommendedGzipSettings = true;
-      recommendedOptimisation = true;
-      recommendedProxySettings = true;
-      recommendedTlsSettings = true;
-
-      # SSL config
-      sslCiphers = "EECDH+AESGCM:EDH+AESGCM:!aNULL";
-      sslDhparam = config.age.secrets."dhparams.pem".path;
-      commonHttpConfig = ''
-        log_format json_combined escape=json '{'
-          '"time": $msec,'
-          '"remote_addr":"$remote_addr",'
-          '"status":$status,'
-          '"method":"$request_method",'
-          '"host":"$host",'
-          '"uri":"$request_uri",'
-          '"request_size":$request_length,'
-          '"response_size":$body_bytes_sent,'
-          '"response_time":$request_time,'
-          '"referrer":"$http_referer",'
-          '"user_agent":"$http_user_agent"'
-        '}';
-        error_log syslog:server=unix:/dev/log,nohostname;
-        access_log syslog:server=unix:/dev/log,nohostname json_combined;
-        ssl_ecdh_curve secp384r1;
-      '';
-
-      # Default host that rejects everything.
-      # This is selected when no matching host is found for a request.
-      virtualHosts.dummy = {
-        listenAddresses = ["127.0.0.1" "[::1]"];
-        default = true;
-        rejectSSL = true;
-        locations."/".extraConfig = ''
-          deny all;
-        '';
-      };
-    };
-
-    networking.firewall.allowedTCPPorts = [80 443];
-  };
-}