# Nginx Reverse Proxy Module # Provides: Nginx with automatic Let's Encrypt certificates, security headers, and rate limiting # # Usage: # myModules.nginx = { # enable = true; # email = "your@email.com"; # domains = { # "search.example.com" = { # port = 8888; # }; # }; # }; { config, lib, pkgs, ... }: let cfg = config.myModules.nginx; in { options.myModules.nginx = { enable = lib.mkEnableOption "Nginx reverse proxy with Let's Encrypt"; email = lib.mkOption { type = lib.types.str; example = "admin@example.com"; description = "Email address for Let's Encrypt registration"; }; rateLimit = { enable = lib.mkEnableOption "Nginx rate limiting"; zone = lib.mkOption { type = lib.types.str; default = "10m"; description = "Size of the shared memory zone for rate limiting"; }; requests = lib.mkOption { type = lib.types.int; default = 10; description = "Number of requests allowed per second (burst applies on top)"; }; burst = lib.mkOption { type = lib.types.int; default = 20; description = "Maximum burst of requests allowed beyond the rate"; }; }; domains = lib.mkOption { type = lib.types.attrsOf (lib.types.submodule { options = { port = lib.mkOption { type = lib.types.port; description = "Local port to proxy to"; }; extraConfig = lib.mkOption { type = lib.types.lines; default = ""; description = "Extra Nginx config for this location"; }; contentSecurityPolicy = lib.mkOption { type = lib.types.nullOr lib.types.str; default = "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self'; connect-src 'self'; frame-ancestors 'self'"; description = "Content-Security-Policy header value. Set to null to omit."; }; internalOnly = lib.mkOption { type = lib.types.bool; default = false; description = "Restrict access to Tailscale network and localhost only"; }; rateLimit = { enable = lib.mkOption { type = lib.types.nullOr lib.types.bool; default = null; description = "Enable rate limiting for this vhost. Defaults to global rateLimit.enable."; }; requests = lib.mkOption { type = lib.types.nullOr lib.types.int; default = null; description = "Requests per second for this vhost. Defaults to global rateLimit.requests."; }; burst = lib.mkOption { type = lib.types.nullOr lib.types.int; default = null; description = "Burst size for this vhost. Defaults to global rateLimit.burst."; }; }; extraLocations = lib.mkOption { type = lib.types.attrsOf (lib.types.submodule { options = { proxyPass = lib.mkOption { type = lib.types.str; description = "Proxy target URL"; }; extraConfig = lib.mkOption { type = lib.types.lines; default = ""; description = "Extra Nginx config for this location"; }; }; }); default = { }; description = "Additional location blocks to add to this virtual host"; }; }; }); default = { }; description = "Domains to configure with their proxy targets"; }; }; config = lib.mkIf cfg.enable { # Open HTTP/HTTPS ports networking.firewall.allowedTCPPorts = [ 80 443 ]; # ACME (Let's Encrypt) configuration security.acme = { acceptTerms = true; defaults.email = cfg.email; certs = lib.mapAttrs' (domain: opts: { name = domain; value = { }; }) cfg.domains; }; # Nginx configuration services.nginx = { enable = true; recommendedGzipSettings = true; recommendedOptimisation = true; recommendedProxySettings = true; recommendedTlsSettings = true; # Rate limiting zones (one per domain for per-domain limits) commonHttpConfig = lib.optionalString cfg.rateLimit.enable '' # Global rate limiting zone limit_req_zone $binary_remote_addr zone=global:10m rate=${toString cfg.rateLimit.requests}r/s; # Limit connection flooding limit_conn_zone $binary_remote_addr zone=connlimit:10m; ''; virtualHosts = lib.mapAttrs' (domain: opts: { name = domain; value = { enableACME = true; forceSSL = true; # Security headers applied per-vhost extraConfig = '' ${lib.optionalString opts.internalOnly '' # Restrict access to Tailscale network allow 100.64.0.0/10; allow 127.0.0.0/8; deny all; ''} # Strict Transport Security — 6 months, include subdomains, preload-ready add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" always; # Prevent MIME type sniffing add_header X-Content-Type-Options "nosniff" always; # Restrict browser features add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always; # Cross-origin isolation add_header Cross-Origin-Resource-Policy "same-origin" always; add_header Cross-Origin-Opener-Policy "same-origin" always; # Content Security Policy (configurable per-domain) '' + lib.optionalString (opts.contentSecurityPolicy != null) '' add_header Content-Security-Policy "${opts.contentSecurityPolicy}" always; ''; locations = { "/" = { proxyPass = "http://127.0.0.1:${toString opts.port}"; extraConfig = opts.extraConfig + lib.optionalString (if opts.rateLimit.enable != null then opts.rateLimit.enable else cfg.rateLimit.enable) '' # Rate limiting limit_req zone=global burst=${toString (if opts.rateLimit.burst != null then opts.rateLimit.burst else cfg.rateLimit.burst)} nodelay; limit_conn connlimit 30; limit_req_status 429; ''; }; } // lib.mapAttrs' (locPath: locOpts: { name = locPath; value = { proxyPass = locOpts.proxyPass; extraConfig = locOpts.extraConfig; }; }) opts.extraLocations; }; }) cfg.domains; }; # Ensure nginx user can access ACME certs users.users.nginx.extraGroups = [ "acme" ]; }; }