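# NixOS profile: shared nginx defaults (hardened TLS settings, pseudonymised
# access logging, short log retention, ACME registration) plus an optional
# catch-all plain-text default vhost.
{ config, lib, ... }:

with lib;

let
  cfg = config.profiles.clerie.common-webserver;
in {
  options.profiles.clerie.common-webserver = {
    enable = mkEnableOption "Webserver profile";

    # Catch-all vhost answering requests whose Host matches no other server_name.
    httpDefaultVirtualHost = (mkEnableOption "Default Virtual Host") // {
      default = true;
    };
  };

  config = mkIf cfg.enable {
    services.nginx = {
      enableReload = true;
      recommendedGzipSettings = true;
      recommendedOptimisation = true;
      recommendedProxySettings = true;
      recommendedTlsSettings = true;

      commonHttpConfig = ''
        server_names_hash_bucket_size 64;
        charset utf-8;

        # Serve .nix files as plain text instead of the octet-stream fallback.
        types {
          text/plain nix;
        }

        # Pseudonymise the client address before it is written to any log:
        # the last IPv4 octet is replaced by 0 and only the leading hextets
        # of an IPv6 address are kept. Both branches substitute the named
        # capture "ip", so the group has to carry that name in the pattern --
        # an unnamed "(?P" is a regex syntax error and $ip would be empty.
        map $remote_addr $remote_addr_anon {
          ~(?P<ip>\d+\.\d+\.\d+)\. $ip.0;
          ~(?P<ip>[^:]*:[^:]*(:[^:]*)?): $ip::;
          default ::;
        }

        # Same layout as the stock formats, but with $remote_addr_anon so
        # full client addresses never land on disk.
        log_format combined_anon '$remote_addr_anon - $remote_user [$time_local] '
                                 '"$request" $status $body_bytes_sent '
                                 '"$http_referer" "$http_user_agent"';

        log_format vcombined_anon '$host: $remote_addr_anon - $remote_user [$time_local] '
                                  '"$request" $status $body_bytes_sent '
                                  '"$http_referer" "$http_user_agent"';

        # Adds the matched server_name and upstream timing fields for monitoring.
        log_format vcombined_anon_monitoring '$host: $remote_addr_anon - $remote_user [$time_local] '
                                             '"$request" $status $body_bytes_sent '
                                             '"$http_referer" "$http_user_agent" '
                                             '"$server_name" '
                                             'rt="$request_time" uct="$upstream_connect_time" uht="$upstream_header_time" urt="$upstream_response_time"';

        access_log /var/log/nginx/access.log vcombined_anon_monitoring;
      '';

      virtualHosts = mkIf cfg.httpDefaultVirtualHost {
        "default" = {
          default = true;
          # Refuse TLS handshakes for unmatched names instead of presenting
          # some other vhost's certificate for them.
          rejectSSL = true;
          locations."/" = {
            return = ''200 "Some piece of infrastructure\n"'';
            # Clear the mime map so the fixed plain-text type always applies.
            extraConfig = ''
              types { }
              default_type "text/plain; charset=utf-8";
            '';
          };
        };
      };
    };

    # Rotate daily and keep two weeks; bounds how long (pseudonymised)
    # request data is retained.
    services.logrotate.settings.nginx = {
      frequency = "daily";
      maxage = 14;
    };

    security.acme = {
      defaults.email = "letsencrypt@clerie.de";
      acceptTerms = true;
    };
  };
}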