From 958afe957f69c2ddc0756e792878956794ad8679 Mon Sep 17 00:00:00 2001
From: Tom Hubrecht <tom@hubrecht.ovh>
Date: Sun, 1 Oct 2023 22:50:54 +0200
Subject: [PATCH] feat(modules): Init dgn-web

Add a module to enable recommended web settings
---
 modules/default.nix |  1 +
 modules/dgn-web.nix | 26 ++++++++++++++++++++++++++
 2 files changed, 27 insertions(+)
 create mode 100644 modules/dgn-web.nix

diff --git a/modules/default.nix b/modules/default.nix
index 5941f7e..17be621 100644
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -43,6 +43,7 @@
     "dgn-network"
     "dgn-secrets"
     "dgn-ssh"
+    "dgn-web"
   ]) ++ [
     "${sources.agenix}/modules/age.nix"
     "${sources.attic}/nixos/atticd.nix"
diff --git a/modules/dgn-web.nix b/modules/dgn-web.nix
new file mode 100644
index 0000000..bb68203
--- /dev/null
+++ b/modules/dgn-web.nix
@@ -0,0 +1,26 @@
+{ config, lib, ... }:
+
+let
+  inherit (lib) mkEnableOption mkIf;
+
+  cfg = config.dgn-web;
+in {
+  options.dgn-web = {
+    enable = mkEnableOption "sane defaults for web services.";
+  };
+
+  config = mkIf cfg.enable {
+    services.nginx = {
+      enable = true;
+
+      recommendedBrotliSettings = true;
+      recommendedGzipSettings = true;
+      recommendedOptimisation = true;
+      recommendedProxySettings = true;
+      recommendedTlsSettings = true;
+      recommendedZstdSettings = true;
+    };
+
+    networking.firewall.allowedTCPPorts = [ 80 443 ];
+  };
+}