base/nginx: return 444 on fqdn virtualHost by default

2026-02-04 09:10:01 +01:00 · 2026-01-21 23:17:47 +09:00
parent 2ace7b649f
commit 09d72305e2
1 changed files with 33 additions and 24 deletions
--- a/base/services/nginx.nix
+++ b/base/services/nginx.nix
@@ -39,29 +39,38 @@
    SystemCallFilter = lib.mkForce null;
  };
-  services.nginx.virtualHosts."_" = lib.mkIf config.services.nginx.enable {
+  services.nginx.virtualHosts = lib.mkIf config.services.nginx.enable {
-    listen = [
+    "_" = {
-      {
+      listen = [
-        addr = "0.0.0.0";
+        {
-        extraParameters = [
+          addr = "0.0.0.0";
-          "default_server"
+          extraParameters = [
-          # Seemingly the default value of net.core.somaxconn
+            "default_server"
-          "backlog=4096"
+            # Seemingly the default value of net.core.somaxconn
-          "deferred"
+            "backlog=4096"
-        ];
+            "deferred"
-      }
+          ];
-      {
+        }
-        addr = "[::0]";
+        {
-        extraParameters = [
+          addr = "[::0]";
-          "default_server"
+          extraParameters = [
-          "backlog=4096"
+            "default_server"
-          "deferred"
+            "backlog=4096"
-        ];
+            "deferred"
-      }
+          ];
-    ];
+        }
-    sslCertificate = "/etc/certs/nginx.crt";
+      ];
-    sslCertificateKey = "/etc/certs/nginx.key";
+      sslCertificate = "/etc/certs/nginx.crt";
-    addSSL = true;
+      sslCertificateKey = "/etc/certs/nginx.key";
-    extraConfig = "return 444;";
+      addSSL = true;
      extraConfig = "return 444;";
    };
    ${config.networking.fqdn} = {
      sslCertificate = "/etc/certs/nginx.crt";
      sslCertificateKey = "/etc/certs/nginx.key";
      addSSL = true;
      extraConfig = "return 444;";
    };
  };
 }