Guide to deploying nginx with modsecurity on NixOS?

Is there a not-complicated way to deploy nginx with modsecurity on NixOS?

I see a couple related packages but no options and no documentation anywhere on how to use modsecurity

I do see this scary post here: Nginx crashes when trying to use modsecurity but nothing like a how-to guide anywhere

cc: @Izorkin

1 Like

You probably want the following to compile nginx with modsecurity.

services.nginx.additionalModules = with pkgs.nginxModules; [ modsecurity ];

and then configure it. The linked thread already has some example. nixpkgs/nginx-modsecurity.nix at b1a9ae8dfd85d144ff1b268d6c7b47934358c9a1 · NixOS/nixpkgs · GitHub might also help.

1 Like

A “slightly less nixy” way I have been using in production (at the time I had some additional issues if I remember correctly) is running bunkerized nginx in a container (as a systemd managed container on the nixos host, configured completely via env vars. That has been a pretty ok user experience and probably a feasible alternative if serving a limited number of domains (or at least a limited number of specific options).