Add embedded syntax hl

2026-03-08 03:25:16 +00:00 · 2025-12-26 10:48:31 +00:00 · 2025-12-26 10:48:31 +00:00 · fc14a394aa
commit fc14a394aa
parent 5bdf9e3a2c
5 changed files with 284 additions and 250 deletions
--- a/modules/nixos/server/nginx.nix
+++ b/modules/nixos/server/nginx.nix
@ -1,105 +1,112 @@
-{ pkgs, lib, config, ... }:
-let
-
+{
+  pkgs,
+  lib,
+  config,
+  ...
+}: let
  cfg = config.mods.server.nginx;
+in
+  with lib; {
+    options.mods.server.nginx = {
+      enable = mkEnableOption {
+        default = false;
+        description = "enables nginx reverse proxy";
+      };

-in with lib; {
-  options.mods.server.nginx = {
-    enable = mkEnableOption {
-      default = false;
-      description = "enables nginx reverse proxy";
+      ip = mkOption {
+        type = types.str;
+        default = "10.0.0.3";
+      };
+
+      domain = mkOption {
+        type = types.str;
+        default = "muon.host";
+      };
+
+      ports = mkOption {
+        type = types.attrsOf (types.ints.u16);
+        default = {};
+      };
    };

-    ip = mkOption {
-      type = types.str;
-      default = "10.0.0.3";
-    };
+    config = mkIf cfg.enable {
+      # ACME won't be able to authenticate your domain
+      # if ports 80 & 443 aren't open in your firewall.
+      networking.firewall = {allowedTCPPorts = [443 80];};
+      security.acme.defaults.email = "acme@muon.host";
+      security.acme.acceptTerms = true;

-    domain = mkOption {
-      type = types.str;
-      default = "muon.host";
-    };
+      services.nginx = {
+        enable = true;

-    ports = mkOption {
-      type = types.attrsOf (types.ints.u16);
-      default = { };
-    };
-  };
+        recommendedGzipSettings = true;
+        recommendedOptimisation = true;
+        recommendedProxySettings = true;
+        recommendedTlsSettings = true;

-  config = mkIf cfg.enable {
-    # ACME won't be able to authenticate your domain
-    # if ports 80 & 443 aren't open in your firewall.
-    networking.firewall = { allowedTCPPorts = [ 443 80 ]; };
-    security.acme.defaults.email = "acme@muon.host";
-    security.acme.acceptTerms = true;
+        # Only allow PFS-enabled ciphers with AES256
+        # sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";

-    services.nginx = {
-      enable = true;
+        appendHttpConfig =
+          # sh
+          ''
+            # Add HSTS header with preloading to HTTPS requests.
+            # Adding this header to HTTP requests is discouraged
+            # map $scheme $hsts_header {
+                # https   "max-age=31536000; includeSubdomains; preload";
+            # }
+            # add_header Strict-Transport-Security $hsts_header;

-      recommendedGzipSettings = true;
-      recommendedOptimisation = true;
-      recommendedProxySettings = true;
-      recommendedTlsSettings = true;
+            # Enable CSP for your services.
+            # add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;

-      # Only allow PFS-enabled ciphers with AES256
-      # sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
+            # Minimize information leaked to other domains
+            # add_header 'Referrer-Policy' 'origin-when-cross-origin';

-      appendHttpConfig = ''
-        # Add HSTS header with preloading to HTTPS requests.
-        # Adding this header to HTTP requests is discouraged
-        # map $scheme $hsts_header {
-            # https   "max-age=31536000; includeSubdomains; preload";
-        # }
-        # add_header Strict-Transport-Security $hsts_header;
+            # Disable embedding as a frame
+            add_header X-Frame-Options DENY;

-        # Enable CSP for your services.
-        # add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
+            # Prevent injection of code in other mime types (XSS Attacks)
+            # add_header X-Content-Type-Options nosniff;

-        # Minimize information leaked to other domains
-        # add_header 'Referrer-Policy' 'origin-when-cross-origin';
+            # This might create errors
+            # proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";

-        # Disable embedding as a frame
-        add_header X-Frame-Options DENY;
+            # required when the server wants to use HTTP Authentication
+            proxy_pass_header Authorization;

-        # Prevent injection of code in other mime types (XSS Attacks)
-        # add_header X-Content-Type-Options nosniff;
+            # This is necessary to pass the correct IP to be hashed
+            real_ip_header X-Real-IP;

-        # This might create errors
-        # proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
+            # security
+            add_header X-XSS-Protection          "1; mode=block" always;
+            add_header X-Content-Type-Options    "nosniff" always;
+            add_header Referrer-Policy           "no-referrer-when-downgrade" always;
+            add_header Content-Security-Policy   "default-src 'self' http: https: ws: wss: data: blob: 'unsafe-inline'; frame-ancestors 'self';" always;
+            add_header Permissions-Policy        "interest-cohort=()" always;
+            # add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
+          '';

-        # required when the server wants to use HTTP Authentication
-        proxy_pass_header Authorization;
+        virtualHosts = let
+          base = locations: {
+            inherit locations;

-        # This is necessary to pass the correct IP to be hashed
-        real_ip_header X-Real-IP;
-
-        # security
-        add_header X-XSS-Protection          "1; mode=block" always;
-        add_header X-Content-Type-Options    "nosniff" always;
-        add_header Referrer-Policy           "no-referrer-when-downgrade" always;
-        add_header Content-Security-Policy   "default-src 'self' http: https: ws: wss: data: blob: 'unsafe-inline'; frame-ancestors 'self';" always;
-        add_header Permissions-Policy        "interest-cohort=()" always;
-        # add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
-      '';
-
-      virtualHosts = let
-        base = locations: {
-          inherit locations;
-
-          forceSSL = true;
-          enableACME = true;
-        };
-        proxy = port:
-          base {
-            "/" = {
-              proxyPass = "http://${cfg.ip}:${toString port}/";
-              proxyWebsockets = true;
-            };
+            forceSSL = true;
+            enableACME = true;
          };
-      in mapAttrs' (name: port:
-        nameValuePair ("${name}.${cfg.domain}")
-        # (proxy port // { default = true; })) cfg.ports;
-        (proxy port)) cfg.ports;
+          proxy = port:
+            base {
+              "/" = {
+                proxyPass = "http://${cfg.ip}:${toString port}/";
+                proxyWebsockets = true;
+              };
+            };
+        in
+          mapAttrs' (name: port:
+            nameValuePair "${name}.${cfg.domain}"
+            # (proxy port // { default = true; })) cfg.ports;
+            (proxy port))
+          cfg.ports;
+      };
    };
-  };
-}
+  }