infra/config/services/nginx.nix

{
  config,
  pkgs,
  ...
}: let
  snakeoilCert = pkgs.runCommand "nginx-snakeoil-cert" {buildInputs = [pkgs.openssl];} ''
    mkdir "$out"
    openssl req -newkey rsa:4096 -x509 -sha256 -days 36500 -subj '/CN=Snakeoil CA' -nodes -out "$out/cert.pem" -keyout "$out/cert.key"
  '';
in {
  services.nginx = {
    enable = true;
    package = pkgs.nginxMainline;
    additionalModules = [pkgs.nginxModules.geoip2];

    recommendedGzipSettings = true;
    recommendedOptimisation = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;

    commonHttpConfig = let
      geoipDir = config.services.geoipupdate.settings.DatabaseDirectory;
    in
      # nginx
      ''
        geoip2 ${geoipDir}/GeoLite2-Country.mmdb {
          auto_reload 5m;
          $geoip2_metadata_country_build metadata build_epoch;
          $geoip2_data_country_code country iso_code;
          $geoip2_data_country_name country names en;
        }

        geoip2 ${geoipDir}/GeoLite2-City.mmdb {
          auto_reload 5m;
          $geoip2_data_city_name city names en;
        }

        log_format combined_geoip '$remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" rt=$request_time uct="$upstream_connect_time" uht="$upstream_header_time" urt="$upstream_response_time" "$geoip2_data_country_name" "$geoip2_data_city_name"';
        access_log /var/log/nginx/access.log combined_geoip;
      '';

    # https://github.com/NixOS/nixpkgs/issues/180980#issuecomment-1179723811
    virtualHosts = {
      "defaultDummy404" = {
        default = true;
        serverName = "_";
        locations."/".extraConfig = "return 444;";
        locations."/.well-known/acme-challenge".root = "/var/lib/acme/acme-challenge";
      };
      "defaultDummy404ssl" = {
        default = true;
        serverName = "_";
        locations."/".extraConfig = "return 444;";
        locations."/.well-known/acme-challenge".root = "/var/lib/acme/acme-challenge";
        # Dummy SSL config
        onlySSL = true;
        sslCertificate = "${snakeoilCert}/cert.pem";
        sslCertificateKey = "${snakeoilCert}/cert.key";
      };
    };
  };

  networking.firewall.allowedTCPPorts = [80 443];

  # allow nginx to access Acme secrets
  users.users.nginx.extraGroups = ["acme"];
}