nixos-vps/modules/nginx.nix

# Nginx Reverse Proxy Module
# Provides: Nginx with automatic Let's Encrypt certificates
#
# Usage:
#   myModules.nginx = {
#     enable = true;
#     email = "your@email.com";
#     domains = {
#       "search.example.com" = {
#         port = 8888;
#       };
#     };
#   };

{
  config,
  lib,
  pkgs,
  ...
}:

let
  cfg = config.myModules.nginx;
in
{
  options.myModules.nginx = {
    enable = lib.mkEnableOption "Nginx reverse proxy with Let's Encrypt";

    email = lib.mkOption {
      type = lib.types.str;
      example = "admin@example.com";
      description = "Email address for Let's Encrypt registration";
    };

    domains = lib.mkOption {
      type = lib.types.attrsOf (lib.types.submodule {
        options = {
          port = lib.mkOption {
            type = lib.types.port;
            description = "Local port to proxy to";
          };
          extraConfig = lib.mkOption {
            type = lib.types.lines;
            default = "";
            description = "Extra Nginx config for this location";
          };
          extraLocations = lib.mkOption {
            type = lib.types.attrsOf (lib.types.submodule {
              options = {
                proxyPass = lib.mkOption {
                  type = lib.types.str;
                  description = "Proxy target URL";
                };
                extraConfig = lib.mkOption {
                  type = lib.types.lines;
                  default = "";
                  description = "Extra Nginx config for this location";
                };
              };
            });
            default = { };
            description = "Additional location blocks to add to this virtual host";
          };
        };
      });
      default = { };
      description = "Domains to configure with their proxy targets";
    };
  };

  config = lib.mkIf cfg.enable {
    # Open HTTP/HTTPS ports
    networking.firewall.allowedTCPPorts = [ 80 443 ];

    # ACME (Let's Encrypt) configuration
    security.acme = {
      acceptTerms = true;
      defaults.email = cfg.email;
      certs = lib.mapAttrs' (domain: opts: {
        name = domain;
        value = { };
      }) cfg.domains;
    };

    # Nginx configuration
    services.nginx = {
      enable = true;
      recommendedGzipSettings = true;
      recommendedOptimisation = true;
      recommendedProxySettings = true;
      recommendedTlsSettings = true;

      virtualHosts = lib.mapAttrs' (domain: opts: {
        name = domain;
        value = {
          enableACME = true;
          forceSSL = true;

          locations = {
            "/" = {
              proxyPass = "http://127.0.0.1:${toString opts.port}";
              extraConfig = opts.extraConfig;
            };
          } // lib.mapAttrs' (locPath: locOpts: {
            name = locPath;
            value = {
              proxyPass = locOpts.proxyPass;
              extraConfig = locOpts.extraConfig;
            };
          }) opts.extraLocations;
        };
      }) cfg.domains;
    };

    # Ensure nginx user can access ACME certs
    users.users.nginx.extraGroups = [ "acme" ];
  };
}