From 7db9922dc2e819ee82f4a491ce1efb5068b342bf Mon Sep 17 00:00:00 2001
From: Simon Bruder
Date: Wed, 8 Sep 2021 01:12:56 +0200
Subject: [PATCH] nginx: Disable access log by default
---
 modules/nginx.nix | 40 ++++++++++++++++++++++++++--------------
 1 file changed, 26 insertions(+), 14 deletions(-)
diff --git a/modules/nginx.nix b/modules/nginx.nix
index 0931a21..6eca8cb 100644
--- a/modules/nginx.nix
+++ b/modules/nginx.nix
@@ -1,18 +1,30 @@
 { config, lib, ... }:
-
+let
+ cfg = config.sbruder.nginx;
+in
 {
- options.sbruder.nginx.hardening.enable = lib.mkEnableOption "nginx hardening";
-
- config = lib.mkIf config.sbruder.nginx.hardening.enable {
- services.nginx.commonHttpConfig = ''
- map $scheme $hsts_header {
- https "max-age=31536000";
- }
- add_header Strict-Transport-Security $hsts_header;
-
- add_header Referrer-Policy strict-origin;
- add_header X-Content-Type-Options nosniff;
- add_header X-Frame-Options SAMEORIGIN;
- '';
+ options.sbruder.nginx = {
+ hardening.enable = lib.mkEnableOption "nginx hardening";
+ privacy.enable = (lib.mkEnableOption "nginx privacy options") // { default = true; };
 };
+
+ config = lib.mkMerge [
+ (lib.mkIf cfg.hardening.enable {
+ services.nginx.commonHttpConfig = ''
+ map $scheme $hsts_header {
+ https "max-age=31536000";
+ }
+ add_header Strict-Transport-Security $hsts_header;
+
+ add_header Referrer-Policy strict-origin;
+ add_header X-Content-Type-Options nosniff;
+ add_header X-Frame-Options SAMEORIGIN;
+ '';
+ })
+ (lib.mkIf cfg.privacy.enable {
+ services.nginx.commonHttpConfig = ''
+ access_log off;
+ '';
+ })
+ ];
 }
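Review bot: `privacy.enable` defaults to true, so every host importing this module stops writing nginx access logs, yet the option text generated by `lib.mkEnableOption "nginx privacy options"` never says that logging is what gets turned off. Access logs are what request-level detection and incident reconstruction rely on, so the trade-off should be stated where the option is declared, e.g. `# default-on: sets access_log off in the http block; set to false on hosts that need request logs for monitoring or incident response`. Also note that `access_log off;` in `commonHttpConfig` only sets the http-level default: any `server` or `location` that declares its own `access_log` overrides it, so the option is not a guarantee that nothing is logged. The same inheritance rule applies to the `add_header` lines in the hardening branch, which nginx drops in any block that defines its own `add_header`.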