Guide to deploying nginx with modsecurity on NixOS?

Is there a not-complicated way to deploy nginx with modsecurity on NixOS?

I see a couple of related packages but no options and no documentation anywhere on how to use modsecurity.

I do see this scary post here: "Nginx crashes when trying to use modsecurity", but nothing like a how-to guide anywhere.

cc: @Izorkin

1 Like

You probably want the following to compile nginx with modsecurity.

services.nginx.additionalModules = with pkgs.nginxModules; [ modsecurity ];

and then configure it. The linked thread already has some examples. https://github.com/NixOS/nixpkgs/blob/b1a9ae8dfd85d144ff1b268d6c7b47934358c9a1/nixos/tests/nginx-modsecurity.nix might also help.

1 Like
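A minimal NixOS module sketch of the approach in the reply above, added here as an example and not taken from the thread or from nixpkgs. The virtual host name, web root, rule id and matched path are constructed placeholders; the module attribute follows the snippet in the reply.

```nix
{ pkgs, ... }:
let
  # Constructed sample rule file (placeholder rule id and path).
  # Replace with your own rules or a maintained rule set.
  modsecurityConf = pkgs.writeText "modsecurity.conf" ''
    # Use "DetectionOnly" first to log matches without blocking,
    # then switch to "On" once false positives are tuned out.
    SecRuleEngine On

    # What a "block" action means in each phase: deny with HTTP 403.
    SecDefaultAction "phase:1,log,auditlog,deny,status:403"
    SecDefaultAction "phase:2,log,auditlog,deny,status:403"

    # Example rule: refuse requests for one specific file.
    SecRule REQUEST_FILENAME "@endsWith /secret.html" "id:100001,phase:2,block"
  '';
in
{
  services.nginx = {
    enable = true;

    # Compile nginx with the ModSecurity connector module.
    additionalModules = with pkgs.nginxModules; [ modsecurity ];

    # "example.org" and the root path are placeholders.
    virtualHosts."example.org" = {
      root = "/var/www/example.org";

      # Directives provided by the ModSecurity nginx connector:
      # enable the engine for this server block and load the rules.
      extraConfig = ''
        modsecurity on;
        modsecurity_rules_file ${modsecurityConf};
      '';
    };
  };
}
```

After a rebuild, a request for `/secret.html` on that host should return 403 while other paths are served normally, which gives a quick check that the rules file is actually loaded.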

A “slightly less nixy” way I have been using in production (at the time I had some additional issues, if I remember correctly) is running bunkerized nginx in a container (as a systemd-managed container on the NixOS host, configured completely via env vars). That has been a pretty OK user experience and probably a feasible alternative if serving a limited number of domains (or at least a limited number of specific options).