{ config, pkgs, ... }:
let
  # Self-signed placeholder certificate for the catch-all TLS vhost below.
  # It is built with runCommand, so both cert.pem and cert.key end up in the
  # world-readable Nix store: the key is public by construction and must only
  # back a vhost that serves nothing (here: `return 444`), never a real site.
  placeholderTls = pkgs.runCommand "nginx-snakeoil-cert" { buildInputs = [ pkgs.openssl ]; } ''
    mkdir "$out"
    openssl req -newkey rsa:4096 -x509 -sha256 -days 36500 -subj '/CN=Snakeoil CA' -nodes -out "$out/cert.pem" -keyout "$out/cert.key"
  '';

  # MaxMind database directory maintained by services.geoipupdate; the geoip2
  # module below reads its .mmdb files from here.
  geoipDir = config.services.geoipupdate.settings.DatabaseDirectory;

  # Shared body of the two catch-all vhosts. `default = true` plus the "_"
  # serverName makes this the fallback for any request whose Host header
  # matches no other vhost; "/" answers with 444 (nginx closes the connection
  # without a response), while the ACME HTTP-01 challenge path is still
  # served from the acme state directory.
  catchAllHost = {
    default = true;
    serverName = "_";
    locations = {
      "/".extraConfig = "return 444;";
      "/.well-known/acme-challenge".root = "/var/lib/acme/acme-challenge";
    };
  };
in
{
  services.nginx = {
    enable = true;
    package = pkgs.nginxMainline;
    additionalModules = [ pkgs.nginxModules.geoip2 ];
    recommendedGzipSettings = true;
    recommendedOptimisation = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;

    # GeoIP enrichment of the access log. Country/city names derived from the
    # client address are written to every access-log line, so the log carries
    # more per-visitor detail than the stock `combined` format.
    # $geoip2_metadata_country_build is declared but not referenced by the
    # combined_geoip format below.
    commonHttpConfig =
      # nginx
      ''
        geoip2 ${geoipDir}/GeoLite2-Country.mmdb {
          auto_reload 5m;
          $geoip2_metadata_country_build metadata build_epoch;
          $geoip2_data_country_code country iso_code;
          $geoip2_data_country_name country names en;
        }
        geoip2 ${geoipDir}/GeoLite2-City.mmdb {
          auto_reload 5m;
          $geoip2_data_city_name city names en;
        }
        log_format combined_geoip '$remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" rt=$request_time uct="$upstream_connect_time" uht="$upstream_header_time" urt="$upstream_response_time" "$geoip2_data_country_name" "$geoip2_data_city_name"';
        access_log /var/log/nginx/access.log combined_geoip;
      '';

    # Two separate defaults, one plain and one TLS-only; see
    # https://github.com/NixOS/nixpkgs/issues/180980#issuecomment-1179723811
    virtualHosts = {
      defaultDummy404 = catchAllHost;

      # Same catch-all behaviour on 443. The placeholder key pair is only
      # there so nginx has *something* to present during the handshake before
      # closing the connection.
      defaultDummy404ssl = catchAllHost // {
        onlySSL = true;
        sslCertificate = "${placeholderTls}/cert.pem";
        sslCertificateKey = "${placeholderTls}/cert.key";
      };
    };
  };

  networking.firewall.allowedTCPPorts = [ 80 443 ];

  # The acme-challenge root above lives under /var/lib/acme, which is owned by
  # the acme group; nginx needs membership to read it.
  users.users.nginx.extraGroups = [ "acme" ];
}