base/nginx: return 444 on fqdn virtualHost by default

2026-02-04 09:10:01 +01:00 · 2026-01-21 23:17:47 +09:00
parent 2ace7b649f
commit 09d72305e2
1 changed files with 33 additions and 24 deletions
--- a/base/services/nginx.nix
+++ b/base/services/nginx.nix
@@ -39,29 +39,38 @@
    SystemCallFilter = lib.mkForce null;
  };

-  services.nginx.virtualHosts."_" = lib.mkIf config.services.nginx.enable {
-    listen = [
-      {
-        addr = "0.0.0.0";
-        extraParameters = [
-          "default_server"
-          # Seemingly the default value of net.core.somaxconn
-          "backlog=4096"
-          "deferred"
-        ];
-      }
-      {
-        addr = "[::0]";
-        extraParameters = [
-          "default_server"
-          "backlog=4096"
-          "deferred"
-        ];
-      }
-    ];
-    sslCertificate = "/etc/certs/nginx.crt";
-    sslCertificateKey = "/etc/certs/nginx.key";
-    addSSL = true;
-    extraConfig = "return 444;";
+  services.nginx.virtualHosts = lib.mkIf config.services.nginx.enable {
+    "_" = {
+      listen = [
+        {
+          addr = "0.0.0.0";
+          extraParameters = [
+            "default_server"
+            # Seemingly the default value of net.core.somaxconn
+            "backlog=4096"
+            "deferred"
+          ];
+        }
+        {
+          addr = "[::0]";
+          extraParameters = [
+            "default_server"
+            "backlog=4096"
+            "deferred"
+          ];
+        }
+      ];
+      sslCertificate = "/etc/certs/nginx.crt";
+      sslCertificateKey = "/etc/certs/nginx.key";
+      addSSL = true;
+      extraConfig = "return 444;";
+    };
+
+    ${config.networking.fqdn} = {
+      sslCertificate = "/etc/certs/nginx.crt";
+      sslCertificateKey = "/etc/certs/nginx.key";
+      addSSL = true;
+      extraConfig = "return 444;";
+    };
  };
 }