From 5dd5ad74eb722a9aef5c39fd6f3ede7e64d1be1a Mon Sep 17 00:00:00 2001
From: Charlie Root
Date: Sun, 6 Apr 2025 22:59:18 +0200
Subject: [PATCH 1/2] nginx/module.nix: init
---
 modules/services/nginx/module.nix | 33 +++++++++++++++++++++++++++++++
 1 file changed, 33 insertions(+)
 create mode 100644 modules/services/nginx/module.nix
diff --git a/modules/services/nginx/module.nix b/modules/services/nginx/module.nix
new file mode 100644
index 0000000..71fdd49
--- /dev/null
+++ b/modules/services/nginx/module.nix
@@ -0,0 +1,33 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}: let
+ inherit (lib.modules) mkIf mkDefault;
+ inherit (lib.options) mkEnableOption;
+ cfg = config.modules.system.services.nginx;
+in {
+ options.modules.system.services.nginx.enable = mkEnableOption "nginx";
+ config = mkIf cfg.enable {
+ security = {
+ acme = {
+ acceptTerms = true;
+ defaults.email = "charlie@charlieroot.dev";
+ };
+ };
+ services.ngingx = {
+ package = pkgs.nginxQuic;
+ statusPage = true;
+
+ recommendedTlsSettings = true;
+ recommendedBrotliSettings = true;
+ recommendedOptimisation = true;
+ recommendedGzipSettings = true;
+ recommendedProxySettings = true;
+ recommendedZstdSettings = true;
+
+ clientMaxBodySize = mkDefault "512m";
+ };
+ };
+}
From f3d506f4ccdb5bb8403a69444900ad5719c83817 Mon Sep 17 00:00:00 2001
From: Charlie Root
Date: Sun, 6 Apr 2025 22:59:44 +0200
Subject: [PATCH 2/2] forgejo: remove unnecessary config, this is set in nxinx/module.nix
---
 modules/services/forgejo/module.nix | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/modules/services/forgejo/module.nix b/modules/services/forgejo/module.nix
index 0953db5..f8a9e72 100644
--- a/modules/services/forgejo/module.nix
+++ b/modules/services/forgejo/module.nix
@@ -19,6 +19,7 @@ in {
 config = mkIf cfg.enable {
 modules.system.services = {
 database.postgresql.enable = true;
+ nginx.enable = true;
 };
 networking.firewall.allowedTCPPorts = [
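Review bot: The attribute in the new modules/services/nginx/module.nix is spelled `services.ngingx`, so the package, status page and `recommended*` settings (including `recommendedTlsSettings`) never reach `services.nginx`; the module system will most likely reject the unknown option at evaluation time. The set also contains no `enable = true;`, so unless another module turns nginx on, fixing the spelling alone would still leave `modules.system.services.nginx.enable` without a running server. I would open the set with `services.nginx = {` and add `enable = true;` as its first entry. This matters for the second patch in the series, which removes forgejo's own `acceptTerms` and `defaults.email` and relies on this module for the ACME defaults. `clientMaxBodySize = mkDefault "512m";` becomes the default for every virtual host on the machine, so a comment naming the service that needs uploads that large would help, or the limit could be raised only on that vhost.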
@@ -51,8 +52,6 @@ in {
 security.acme = let
 email = "charlie@charlieroot.dev";
 in {
- acceptTerms = true;
- defaults.email = email;
 # testing server, do not use in production, but DO use it for setting things up.
 # it has much higher rate limits.
 # defaults.server = "https://acme-staging-v02.api.letsencrypt.org/directory";