Add modular service configuration with SearXNG and Nginx

- Create modules/ directory with reusable NixOS modules - Add system module for main user configuration - Add podman module for rootless container support - Add nginx module with automatic Let's Encrypt SSL - Add searxng module with Anubis AI firewall protection - Configure SearXNG at search.ashisgreat.xyz - Enable nginx reverse proxy with HTTPS Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-17 19:47:43 +01:00 · 2026-03-17 19:47:43 +01:00 · 24d01ac630
commit 24d01ac630
parent 5dcb85e56d
7 changed files with 469 additions and 1 deletions
--- a/modules/nginx.nix
+++ b/modules/nginx.nix
@ -0,0 +1,93 @@
+# Nginx Reverse Proxy Module
+# Provides: Nginx with automatic Let's Encrypt certificates
+#
+# Usage:
+#   myModules.nginx = {
+#     enable = true;
+#     email = "your@email.com";
+#     domains = {
+#       "search.example.com" = {
+#         port = 8888;
+#       };
+#     };
+#   };
+
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+let
+  cfg = config.myModules.nginx;
+in
+{
+  options.myModules.nginx = {
+    enable = lib.mkEnableOption "Nginx reverse proxy with Let's Encrypt";
+
+    email = lib.mkOption {
+      type = lib.types.str;
+      example = "admin@example.com";
+      description = "Email address for Let's Encrypt registration";
+    };
+
+    domains = lib.mkOption {
+      type = lib.types.attrsOf (lib.types.submodule {
+        options = {
+          port = lib.mkOption {
+            type = lib.types.port;
+            description = "Local port to proxy to";
+          };
+          extraConfig = lib.mkOption {
+            type = lib.types.lines;
+            default = "";
+            description = "Extra Nginx config for this location";
+          };
+        };
+      });
+      default = { };
+      description = "Domains to configure with their proxy targets";
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    # Open HTTP/HTTPS ports
+    networking.firewall.allowedTCPPorts = [ 80 443 ];
+
+    # ACME (Let's Encrypt) configuration
+    security.acme = {
+      acceptTerms = true;
+      defaults.email = cfg.email;
+      certs = lib.mapAttrs' (domain: opts: {
+        name = domain;
+        value = { };
+      }) cfg.domains;
+    };
+
+    # Nginx configuration
+    services.nginx = {
+      enable = true;
+      recommendedGzipSettings = true;
+      recommendedOptimisation = true;
+      recommendedProxySettings = true;
+      recommendedTlsSettings = true;
+
+      virtualHosts = lib.mapAttrs' (domain: opts: {
+        name = domain;
+        value = {
+          enableACME = true;
+          forceSSL = true;
+
+          locations."/" = {
+            proxyPass = "http://127.0.0.1:${toString opts.port}";
+            extraConfig = opts.extraConfig;
+          };
+        };
+      }) cfg.domains;
+    };
+
+    # Ensure nginx user can access ACME certs
+    users.users.nginx.extraGroups = [ "acme" ];
+  };
+}