nixos/services: serve a strict robots.txt everywhere

nixos/modules/nginx.nix

@@ -3,13 +3,20 @@ let
   inherit (config.networking) fqdn;
 
   mkVhost =
-    attrs:
+    attrs: locations:
     let
       acmeEnabled = config.acme.enable;
     in
     {
       forceSSL = acmeEnabled;
       useACMEHost = if acmeEnabled then fqdn else null;
+
+      locations = {
+        "= /robots.txt" = {
+          alias = disallowedRobotsTxt;
+        };
+      }
+      // locations;
     }
     // attrs;
 
@@ -21,6 +28,19 @@ let
       proxy_request_buffering off;
     '';
   };
+
+  mkSsi = webRoot: {
+    root = webRoot;
+
+    extraConfig = ''
+      ssi on;
+    '';
+  };
+
+  disallowedRobotsTxt = builtins.toFile "robots.txt" ''
+    User-agent: *
+    Disallow: /
+  '';
 in
 {
   services.nginx = {
@@ -32,20 +52,14 @@ in
     recommendedGzipSettings = true;
     recommendedOptimisation = true;
 
-    virtualHosts."${fqdn}" = mkVhost {
-      default = true;
-
-      locations."/" = {
-        root = "${self.pins.website}/web-root";
-
-        extraConfig = ''
-          ssi on;
-        '';
+    virtualHosts = {
+      "${fqdn}" = mkVhost { default = true; } {
+        "/" = mkSsi "${self.pins.website}/web-root";
       };
-    };
 
-    virtualHosts."git.${fqdn}" = mkVhost {
-      locations."/" = mkProxy config.services.gitea.settings.server.HTTP_PORT;
+      "git.${fqdn}" = mkVhost { } {
+        "/" = mkProxy config.services.gitea.settings.server.HTTP_PORT;
+      };
     };
   };