# NixOS module: opt-in nginx front end, switched on with
# `modules.services.nginx.enable`.
{ config, lib, ... }:
let
  inherit (lib) mkEnableOption mkIf;

  cfg = config.modules.services.nginx;

  # Fallback server for any request whose Host header / SNI name matches none
  # of the virtual hosts declared elsewhere.
  catchAll = {
    # Mark this vhost as nginx's default server.
    default = true;
    # Refuse the TLS handshake for unknown names instead of answering with
    # some other vhost's certificate.
    rejectSSL = true;
    # 444 is nginx-specific: close the connection without sending a response,
    # so unknown hosts get no page, redirect or error body over plain HTTP.
    extraConfig = ''
      return 444;
    '';
  };
in
{
  options.modules.services.nginx.enable = mkEnableOption "nginx proxy";

  config = mkIf cfg.enable {
    # Project-local ACME module (not defined in this file); nginx always
    # pulls it in.
    modules.services.acme.enable = true;

    services.nginx = {
      enable = true;

      # Reload instead of restart on configuration changes; avoids the
      # 3~5s downtime an update would otherwise cause.
      enableReload = true;

      # Defaults maintained by nixpkgs. The concrete TLS protocol and cipher
      # choices come from the pinned nixpkgs revision, not from this file.
      recommendedGzipSettings = true;
      recommendedOptimisation = true;
      recommendedProxySettings = true;
      recommendedTlsSettings = true;

      virtualHosts = {
        "_" = catchAll;
      };
    };

    # NOTE(review): presumably lets nginx read the certificates and private
    # keys issued by the ACME module. Confirm that the group has read-only
    # access and that nothing else writable is shared through it.
    users.extraUsers.nginx.extraGroups = [ "acme" ];
  };
}