{ config, lib, pkgs, ... }: let cfg = config.services.volpe; mkPkg = domain: pkgs.callPackage ./package.nix { siteUrl = "https://${domain}"; }; allDomains = [cfg.domain] ++ cfg.extraDomains; mkVirtualHost = domain: { root = "${mkPkg domain}"; forceSSL = cfg.enableACME; enableACME = cfg.enableACME; locations."/" = { tryFiles = "$uri $uri/ /index.html"; }; # Cache static assets (CSS, JS, images) for 1 year with immutable locations."~* \\.(css|js|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot)$" = { extraConfig = '' expires 1y; add_header Cache-Control "public, max-age=31536000, immutable"; access_log off; ''; }; }; in { options.services.volpe = { enable = lib.mkEnableOption "volpe blog"; domain = lib.mkOption { type = lib.types.str; description = "Primary domain name for nginx virtual host."; }; extraDomains = lib.mkOption { type = lib.types.listOf lib.types.str; default = []; description = "Additional domain names, each gets its own virtualHost."; }; enableACME = lib.mkOption { type = lib.types.bool; default = false; description = "Whether to enable ACME (Let's Encrypt) for SSL certificates."; }; acmeEmail = lib.mkOption { type = lib.types.str; default = ""; description = "Email address for ACME certificate registration."; }; }; config = lib.mkIf cfg.enable { services.nginx = { enable = true; recommendedTlsSettings = cfg.enableACME; recommendedOptimisation = true; recommendedGzipSettings = true; recommendedProxySettings = true; # Create a virtualHost for each domain virtualHosts = lib.listToAttrs (map (domain: { name = domain; value = mkVirtualHost domain; }) allDomains); }; security.acme = lib.mkIf cfg.enableACME { acceptTerms = true; defaults.email = cfg.acmeEmail; }; networking.firewall.allowedTCPPorts = [80 443]; }; }