infra/config/services/nginx.nix

{ config, pkgs, ... }:
let
  snakeoilCert = pkgs.runCommand "nginx-snakeoil-cert" { buildInputs = [ pkgs.openssl ]; } ''
    mkdir "$out"
    openssl req -newkey rsa:4096 -x509 -sha256 -days 36500 -subj '/CN=Snakeoil CA' -nodes -out "$out/cert.pem" -keyout "$out/cert.key"
  '';
in
{
  services.nginx = {
    enable = true;
    package = pkgs.nginxMainline;

    recommendedBrotliSettings = true;
    recommendedGzipSettings = true;
    recommendedOptimisation = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;
    recommendedZstdSettings = true;

    # https://github.com/NixOS/nixpkgs/issues/180980#issuecomment-1179723811
    virtualHosts = {
      "defaultDummy404" = {
        default = true;
        serverName = "_";
        locations."/".extraConfig = "return 444;";
        locations."/.well-known/acme-challenge".root = "/var/lib/acme/acme-challenge";
      };
      "defaultDummy404ssl" = {
        default = true;
        serverName = "_";
        locations."/".extraConfig = "return 444;";
        locations."/.well-known/acme-challenge".root = "/var/lib/acme/acme-challenge";
        # Dummy SSL config
        onlySSL = true;
        sslCertificate = "${snakeoilCert}/cert.pem";
        sslCertificateKey = "${snakeoilCert}/cert.key";
      };
    };

    sslDhparam = config.security.dhparams.params.nginx.path;
  };

  security.dhparams = {
    enable = true;
    params.nginx = { };
  };

  networking.firewall.allowedTCPPorts = [
    80
    443
  ];

  # allow nginx to access Acme secrets
  users.users.nginx.extraGroups = [ "acme" ];
}
style: format with nixfmt-rfc-style 2024-09-18 16:10:20 +02:00			`{ config, pkgs, ... }:`
			`let`
			`snakeoilCert = pkgs.runCommand "nginx-snakeoil-cert" { buildInputs = [ pkgs.openssl ]; } ''`
feat: add S3, configure NextCloud for it 2024-09-03 11:15:46 +02:00			`mkdir "$out"`
			`openssl req -newkey rsa:4096 -x509 -sha256 -days 36500 -subj '/CN=Snakeoil CA' -nodes -out "$out/cert.pem" -keyout "$out/cert.key"`
			`'';`
style: format with nixfmt-rfc-style 2024-09-18 16:10:20 +02:00			`in`
			`{`
feat: init 2023-05-06 06:49:46 +02:00			`services.nginx = {`
			`enable = true;`
			`package = pkgs.nginxMainline;`

feat: harden nginx 2024-09-13 18:46:44 +02:00			`recommendedBrotliSettings = true;`
feat: init 2023-05-06 06:49:46 +02:00			`recommendedGzipSettings = true;`
			`recommendedOptimisation = true;`
			`recommendedProxySettings = true;`
			`recommendedTlsSettings = true;`
feat: harden nginx 2024-09-13 18:46:44 +02:00			`recommendedZstdSettings = true;`
feat: init 2023-05-06 06:49:46 +02:00
			`# https://github.com/NixOS/nixpkgs/issues/180980#issuecomment-1179723811`
			`virtualHosts = {`
			`"defaultDummy404" = {`
			`default = true;`
			`serverName = "_";`
feat: add S3, configure NextCloud for it 2024-09-03 11:15:46 +02:00			`locations."/".extraConfig = "return 444;";`
feat: init 2023-05-06 06:49:46 +02:00			`locations."/.well-known/acme-challenge".root = "/var/lib/acme/acme-challenge";`
			`};`
feat: add S3, configure NextCloud for it 2024-09-03 11:15:46 +02:00			`"defaultDummy404ssl" = {`
feat: init 2023-05-06 06:49:46 +02:00			`default = true;`
			`serverName = "_";`
feat: add S3, configure NextCloud for it 2024-09-03 11:15:46 +02:00			`locations."/".extraConfig = "return 444;";`
feat: init 2023-05-06 06:49:46 +02:00			`locations."/.well-known/acme-challenge".root = "/var/lib/acme/acme-challenge";`
			`# Dummy SSL config`
			`onlySSL = true;`
			`sslCertificate = "${snakeoilCert}/cert.pem";`
			`sslCertificateKey = "${snakeoilCert}/cert.key";`
			`};`
			`};`
feat: harden nginx 2024-09-13 18:46:44 +02:00
			`sslDhparam = config.security.dhparams.params.nginx.path;`
			`};`

			`security.dhparams = {`
			`enable = true;`
style: format with nixfmt-rfc-style 2024-09-18 16:10:20 +02:00			`params.nginx = { };`
feat: init 2023-05-06 06:49:46 +02:00			`};`
feat: add S3, configure NextCloud for it 2024-09-03 11:15:46 +02:00
style: format with nixfmt-rfc-style 2024-09-18 16:10:20 +02:00			`networking.firewall.allowedTCPPorts = [`
			`80`
			`443`
			`];`
feat: add S3, configure NextCloud for it 2024-09-03 11:15:46 +02:00
			`# allow nginx to access Acme secrets`
style: format with nixfmt-rfc-style 2024-09-18 16:10:20 +02:00			`users.users.nginx.extraGroups = [ "acme" ];`
feat: init 2023-05-06 06:49:46 +02:00			`}`