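# SPDX-FileCopyrightText: 2020-2023 Simon Bruder
#
# SPDX-License-Identifier: AGPL-3.0-or-later

# NixOS module with three independent switches for nginx:
#   sbruder.nginx.hardening.enable   - security response headers (off by default)
#   sbruder.nginx.privacy.enable     - disable access logging (on by default)
#   sbruder.nginx.recommended.enable - nixpkgs "recommended*" presets (on by default)
{ config, lib, ... }:
let
  cfg = config.sbruder.nginx;
in
{
  options.sbruder.nginx = {
    hardening.enable = lib.mkEnableOption "nginx hardening";
    privacy.enable = (lib.mkEnableOption "nginx privacy options") // { default = true; };
    recommended.enable = (lib.mkEnableOption "recommended options") // { default = true; };
  };

  config = lib.mkMerge [
    (lib.mkIf cfg.hardening.enable {
      # The map has no default entry, so $hsts_header is empty for plain-HTTP
      # requests and nginx emits no Strict-Transport-Security header there.
      # max-age is 31536000 s (365 days); includeSubDomains is not set.
      #
      # `always` makes nginx attach the headers to every response code.
      # Without it, add_header only applies to a fixed list of 2xx/3xx
      # codes, so error pages (4xx/5xx) would go out without these headers.
      #
      # Caveat: nginx inherits http-level add_header directives only into
      # server/location blocks that declare no add_header of their own.
      # A virtual host that adds any header must repeat these.
      services.nginx.commonHttpConfig = ''
        map $scheme $hsts_header {
          https "max-age=31536000";
        }
        add_header Strict-Transport-Security $hsts_header always;
        add_header Referrer-Policy strict-origin always;
        add_header X-Content-Type-Options nosniff always;
        add_header X-Frame-Options SAMEORIGIN always;
      '';
    })

    (lib.mkIf cfg.privacy.enable {
      # Enabled by default. No per-request records are written, so they are
      # also unavailable for later incident investigation. error_log is not
      # changed by this module.
      services.nginx.commonHttpConfig = ''
        access_log off;
      '';
    })

    (lib.mkIf cfg.recommended.enable {
      # mkDefault keeps these overridable from a host configuration.
      services.nginx = {
        recommendedGzipSettings = lib.mkDefault true;
        recommendedOptimisation = lib.mkDefault true;
        recommendedProxySettings = lib.mkDefault true;
        recommendedTlsSettings = lib.mkDefault true;
      };
    })
  ];
}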