penal-colony/nixos-vps
2
0
Fork 1
Code Issues Pull requests 1 Projects Releases Packages Wiki Activity Actions
nixos-vps/modules/nginx.nix
ashisgreat22 6b64254eab .
2026-03-22 01:45:51 +00:00

201 lines
6.7 KiB
Nix
Raw Blame History

# Nginx Reverse Proxy Module
# Provides: Nginx with automatic Let's Encrypt certificates, security headers, and rate limiting
{
config,
lib,
pkgs,
...
}:
let
cfg = config.myModules.nginx;
in
{
options.myModules.nginx = {
enable = lib.mkEnableOption "Nginx reverse proxy with Let's Encrypt";
email = lib.mkOption {
type = lib.types.str;
example = "admin@example.com";
description = "Email address for Let's Encrypt registration";
};
rateLimit = {
enable = lib.mkEnableOption "Nginx rate limiting";
zone = lib.mkOption {
type = lib.types.str;
default = "10m";
description = "Size of the shared memory zone for rate limiting";
};
requests = lib.mkOption {
type = lib.types.int;
default = 10;
description = "Number of requests allowed per second";
};
burst = lib.mkOption {
type = lib.types.int;
default = 20;
description = "Maximum burst of requests allowed beyond the rate";
};
};
domains = lib.mkOption {
type = lib.types.attrsOf (lib.types.submodule {
options = {
port = lib.mkOption {
type = lib.types.port;
description = "Local port to proxy to";
};
extraConfig = lib.mkOption {
type = lib.types.lines;
default = "";
description = "Extra Nginx config for this location";
};
contentSecurityPolicy = lib.mkOption {
type = lib.types.nullOr lib.types.str;
default = "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self'; connect-src 'self'; frame-ancestors 'self'";
description = "Content-Security-Policy header value. Set to null to omit.";
};
internalOnly = lib.mkOption {
type = lib.types.bool;
default = false;
description = "Restrict access to Tailscale network and localhost only";
};
rateLimit = {
enable = lib.mkOption {
type = lib.types.nullOr lib.types.bool;
default = null;
description = "Enable rate limiting for this vhost.";
};
requests = lib.mkOption {
type = lib.types.nullOr lib.types.int;
default = null;
description = "Number of requests allowed per second for this vhost.";
};
burst = lib.mkOption {
type = lib.types.nullOr lib.types.int;
default = null;
description = "Burst size for this vhost.";
};
};
websockets = {
enable = lib.mkEnableOption "WebSocket proxy support for this domain";
};
extraLocations = lib.mkOption {
type = lib.types.attrsOf (lib.types.submodule {
options = {
proxyPass = lib.mkOption {
type = lib.types.str;
description = "Proxy target URL";
};
extraConfig = lib.mkOption {
type = lib.types.lines;
default = "";
description = "Extra Nginx config for this location";
};
};
});
default = { };
description = "Additional location blocks";
};
};
});
default = { };
description = "Domains to configure with their proxy targets";
};
};
config = lib.mkIf cfg.enable {
networking.firewall.allowedTCPPorts = [ 80 443 ];
security.acme = {
acceptTerms = true;
defaults.email = cfg.email;
certs = lib.mapAttrs' (domain: opts: {
name = domain;
value.webroot = "/var/lib/acme/acme-challenge";
}) cfg.domains;
};
services.nginx = {
enable = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
commonHttpConfig = lib.optionalString cfg.rateLimit.enable ''
limit_req_zone $binary_remote_addr zone=global:10m rate=${toString cfg.rateLimit.requests}r/s;
limit_conn_zone $binary_remote_addr zone=connlimit:10m;
''
+ ''
map $http_upgrade $connection_upgrade {
default upgrade;
''' close;
}
'';
virtualHosts = lib.mapAttrs' (domain: opts: {
name = domain;
value = {
useACMEHost = domain;
forceSSL = true;
extraConfig = ''
${lib.optionalString opts.internalOnly ''
allow 100.64.0.0/10;
allow 127.0.0.0/8;
deny all;
''}
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;
add_header Cross-Origin-Resource-Policy "same-origin" always;
add_header Cross-Origin-Opener-Policy "same-origin" always;
'' + lib.optionalString (opts.contentSecurityPolicy != null) ''
add_header Content-Security-Policy "${opts.contentSecurityPolicy}" always;
'';
locations = {
"/" = {
proxyPass = "http://127.0.0.1:${toString opts.port}";
extraConfig = opts.extraConfig
+ lib.optionalString opts.websockets.enable ''
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
''
+ lib.optionalString (if opts.rateLimit.enable != null then
opts.rateLimit.enable else cfg.rateLimit.enable) ''
limit_req zone=global burst=${toString (if opts.rateLimit.burst != null then opts.rateLimit.burst
else cfg.rateLimit.burst)} nodelay;
limit_conn connlimit 30;
limit_req_status 429;
'';
};
} // lib.mapAttrs' (locPath: locOpts: {
name = locPath;
value = {
proxyPass = locOpts.proxyPass;
extraConfig = locOpts.extraConfig;
};
}) opts.extraLocations;
};
}) cfg.domains;
};
users.users.nginx.extraGroups = [ "acme" ];
};
}
Reference in a new issue View git blame Copy permalink