nginx: Disable access log by default

2021-09-08 01:12:56 +02:00 · 2021-09-08 01:12:56 +02:00 · 7db9922dc2
parent d46eca0ab0
commit 7db9922dc2
1 changed files with 26 additions and 14 deletions
--- a/modules/nginx.nix
+++ b/modules/nginx.nix
@ -1,18 +1,30 @@
 { config, lib, ... }:
-
+let
+  cfg = config.sbruder.nginx;
+in
 {
-  options.sbruder.nginx.hardening.enable = lib.mkEnableOption "nginx hardening";
-
-  config = lib.mkIf config.sbruder.nginx.hardening.enable {
-    services.nginx.commonHttpConfig = ''
-      map $scheme $hsts_header {
-        https   "max-age=31536000";
-      }
-      add_header Strict-Transport-Security $hsts_header;
-
-      add_header Referrer-Policy strict-origin;
-      add_header X-Content-Type-Options nosniff;
-      add_header X-Frame-Options SAMEORIGIN;
-    '';
+  options.sbruder.nginx = {
+    hardening.enable = lib.mkEnableOption "nginx hardening";
+    privacy.enable = (lib.mkEnableOption "nginx privacy options") // { default = true; };
  };
+
+  config = lib.mkMerge [
+    (lib.mkIf cfg.hardening.enable {
+      services.nginx.commonHttpConfig = ''
+        map $scheme $hsts_header {
+          https   "max-age=31536000";
+        }
+        add_header Strict-Transport-Security $hsts_header;
+
+        add_header Referrer-Policy strict-origin;
+        add_header X-Content-Type-Options nosniff;
+        add_header X-Frame-Options SAMEORIGIN;
+      '';
+    })
+    (lib.mkIf cfg.privacy.enable {
+      services.nginx.commonHttpConfig = ''
+        access_log off;
+      '';
+    })
+  ];
 }