config/modules/nixos/services/web/nginx/default.nix

{
  lib,
  config,
  pkgs,
  ...
}:
with lib;
with lib.custom; let
  cfg = config.services.web.nginx;
in {
  options.services.web.nginx = with types; {
    enable = mkBoolOpt false "Enable NGINX Service";
  };

  config = mkIf cfg.enable {
    security.dhparams = {
      enable = true;
      params.nginx = {};
    };

    services.nginx = {
      enable = true;
      package = pkgs.nginxStable.override {openssl = pkgs.libressl;};
      recommendedProxySettings = true;
      recommendedGzipSettings = true;
      recommendedOptimisation = true;
      recommendedTlsSettings = true;
      sslDhparam = config.security.dhparams.params.nginx.path;
      appendHttpConfig = ''
        limit_req_zone $binary_remote_addr zone=iso_ratelimit:10m rate=1r/m;
        limit_conn_zone $binary_remote_addr zone=iso_connlimit:10m;

        access_log /var/log/nginx/blocked.log combined if=$ratelimited;

        map $request_uri $ratelimited {
          default 0;
          ~\.iso$ $limit_req_status;
        }
      '';
    };

    security.acme = {
      acceptTerms = true;
      defaults.email = "zach@zacharymyers.com";
    };
  };
}
move sites to their own modules 2024-05-24 11:42:49 -04:00			`{`
			`lib,`
			`config,`
			`pkgs,`
			`...`
			`}:`
			`with lib;`
			`with lib.custom; let`
			`cfg = config.services.web.nginx;`
			`in {`
			`options.services.web.nginx = with types; {`
			`enable = mkBoolOpt false "Enable NGINX Service";`
			`};`

			`config = mkIf cfg.enable {`
Update default.nix 2024-07-26 12:29:55 -04:00			`security.dhparams = {`
			`enable = true;`
			`params.nginx = {};`
			`};`

move sites to their own modules 2024-05-24 11:42:49 -04:00			`services.nginx = {`
			`enable = true;`
			`package = pkgs.nginxStable.override {openssl = pkgs.libressl;};`
			`recommendedProxySettings = true;`
Update default.nix 2024-07-26 12:29:55 -04:00			`recommendedGzipSettings = true;`
			`recommendedOptimisation = true;`
			`recommendedTlsSettings = true;`
			`sslDhparam = config.security.dhparams.params.nginx.path;`
smallest change 2025-03-22 16:03:07 -04:00			`appendHttpConfig = ''`
			`limit_req_zone $binary_remote_addr zone=iso_ratelimit:10m rate=1r/m;`
			`limit_conn_zone $binary_remote_addr zone=iso_connlimit:10m;`

			`access_log /var/log/nginx/blocked.log combined if=$ratelimited;`

			`map $request_uri $ratelimited {`
			`default 0;`
			`~\.iso$ $limit_req_status;`
			`}`
			`'';`
			`};`

			`security.acme = {`
			`acceptTerms = true;`
			`defaults.email = "zach@zacharymyers.com";`
move sites to their own modules 2024-05-24 11:42:49 -04:00			`};`
			`};`
			`}`