From ecf65b125d1598768f7e3fc789f8ed6761841cf6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Samuel=20=C5=A0tancl?=
Date: Thu, 28 Aug 2025 17:58:26 +0200
Subject: [PATCH] Add realip.nix
---
 README.md | 7 +++++++
 realip.nix | 20 ++++++++++++++++++++
 2 files changed, 27 insertions(+)
 create mode 100644 realip.nix
diff --git a/README.md b/README.md
index 2e002e5..2275f4e 100644
--- a/README.md
+++ b/README.md
@@ -269,6 +269,13 @@ However a more proper solution is to use the `real_ip` module in common nginx co
 we can follow the [guide from the NixOS wiki](https://nixos.wiki/wiki/Nginx#Using_realIP_when_behind_CloudFlare_or_other_CDN).
+> [!NOTE]
+> You can also use the `realip.nix` module here (which wraps the code below):
+>
+> `scp realip.nix root@:/etc/nixos/`
+>
+> Then just add `./realip.nix` to your modules array.
+
 ```nix
 # New module in your modules array
 {
diff --git a/realip.nix b/realip.nix
new file mode 100644
index 0000000..4305e37
--- /dev/null
+++ b/realip.nix
@@ -0,0 +1,20 @@
+{ pkgs, lib, ... }: {
+ services.nginx.commonHttpConfig =
+ let
+ realIpsFromList = lib.strings.concatMapStringsSep "\n" (x: "set_real_ip_from ${x};");
+ fileToList = x: lib.strings.splitString "\n" (builtins.readFile x);
+ cfipv4 = fileToList (pkgs.fetchurl {
+ url = "https://www.cloudflare.com/ips-v4";
+ sha256 = "0ywy9sg7spafi3gm9q5wb59lbiq0swvf0q3iazl0maq1pj1nsb7h";
+ });
+ cfipv6 = fileToList (pkgs.fetchurl {
+ url = "https://www.cloudflare.com/ips-v6";
+ sha256 = "1ad09hijignj6zlqvdjxv7rjj8567z357zfavv201b9vx3ikk7cy";
+ });
+ in
+ ''
+ ${realIpsFromList cfipv4}
+ ${realIpsFromList cfipv6}
+ real_ip_header CF-Connecting-IP;
+ '';
+}
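Review bot: The two `pkgs.fetchurl` calls in realip.nix pin a hash for URLs whose content Cloudflare can change, so the trusted-proxy list is frozen at the snapshot taken when the hashes were recorded: a cached store path keeps serving the old ranges, and an uncached build fails on the hash mismatch. Because `set_real_ip_from` decides which peers are allowed to set the client address through `CF-Connecting-IP`, a stale list either leaves newly added Cloudflare ranges untrusted or keeps trusting ranges that have been retired; a comment above the fetches such as `# snapshot of Cloudflare's published ranges; re-check and update both hashes periodically` would make that maintenance duty visible. Separately, `fileToList` splits on "\n" without dropping empty entries, so a trailing newline in either file would emit `set_real_ip_from ;`, which nginx should reject at config load; `fileToList = x: lib.filter (l: l != "") (lib.strings.splitString "\n" (builtins.readFile x));` avoids that.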