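{pkgs, lib, config, system, ...}:
let inherit (lib) types;
    inherit (config.services) nginx x509;
    # Scratch directories (request bodies, fastcgi/proxy/uwsgi buffers) live
    # in tmpfs so they never touch disk and vanish at reboot.
    # NOTE(review): /dev/shm is world-writable (sticky); it is only cleared at
    # boot, so a local user who pre-creates /dev/shm/nginx before a later
    # nginx-init run could influence what the root-run `install` below
    # chowns.  A root-owned parent such as /run/nginx (RuntimeDirectory=)
    # would close that window -- confirm nothing else relies on this path
    # before changing it.
    tempDir = "/dev/shm/nginx";
    logDir = "/var/log/nginx";
    # "a.b.c" -> "c/b/a".  Not used in this file; presumably for site configs.
    domainDir = dom: lib.concatStringsSep "/" (lib.reverseList (lib.splitString "." dom));
    #customPkgs = import ../../pkgs.nix { inherit pkgs lib config system; };
in
{
  imports = [
  ];
  # Document root shared by every site served from this host (nginx `root`).
  options.services.nginx.webDir = lib.mkOption {
    type = types.str;
    default = "/var/www"; # TODO: /var/lib/nginx ?
    description = "Directory used as nginx's default document root.";
  };
  config = {
    # Creates the state/temp/log directories nginx expects, owned by the
    # nginx user and closed to everybody else (mode 1700).
    systemd.services.nginx-init = {
      # NOTE: This service workarounds nixpkgs shortcoming,
      # ideally this script should be prepended to nginx.service's preStart
      # but since it is a types.lines I would only be able to append to it,
      # which would put it after nginx's configuration check instead of before.
      description = "Initialize nginx";
      before = [ "nginx.service" ];
      # `before` alone only orders the two units when they happen to be in
      # the same transaction; `requiredBy` makes nginx.service pull this in
      # on every start and refuse to start if the setup failed.
      requiredBy = [ "nginx.service" ];
      wantedBy = [ "multi-user.target" ];
      serviceConfig.Type = "oneshot";
      # `install -d` already creates missing parents; -D is a no-op with -d.
      script =
        ''
        install -d -m 1700 \
          -o ${nginx.user} \
          -g ${nginx.group} \
          ${nginx.stateDir} \
          ${nginx.stateDir}/fastcgi_cache \
          ${tempDir}/fastcgi_temp \
          ${tempDir}/client_body_temp \
          ${tempDir}/proxy_temp \
          ${tempDir}/scgi_temp \
          ${tempDir}/uwsgi_temp \
          ${logDir} \
          ${nginx.webDir}
        '';
    };
    security.dhparams = {
      enable = true;
      params = {
        # 2048 bits: 1024-bit DH groups are within reach of well-funded
        # attackers (Logjam) and are rejected by current clients.
        nginx = 2048;
      };
    };
    services.nginx = {
      enable = true;
      # Full hand-written nginx.conf; per-site server blocks come from
      # /etc/nginx/site.d/*.conf (see the include near the end).
      config = ''
        worker_processes 2;
        pid /run/nginx.pid;
        events {
          multi_accept on;
          use epoll;
          worker_connections 1024;
        }
        http {
          log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                          '$status $body_bytes_sent "$http_referer" '
                          '"$http_user_agent" "$http_x_forwarded_for"';
          include ${nginx.package}/conf/mime.types;
          access_log ${logDir}/access.log main buffer=32k;
          # % getconf PAGESIZE
          # 4096
          client_body_buffer_size 4K;
          client_body_temp_path ${tempDir}/client_body_temp 1 2;
          client_body_timeout 60;
          client_header_buffer_size 1k;
          client_header_timeout 60;
          # Upper bound on request bodies; raise per-location if uploads need more.
          client_max_body_size 20m;
          default_type application/octet-stream;
          error_log ${logDir}/error.log warn;
          #error_log stderr;
          # Do not reveal that a forbidden resource exists.
          error_page 403 = 404;
          # DOC: http://wiki.nginx.org/HttpFastcgiModule
          fastcgi_buffer_size 128k;
          fastcgi_buffers 256 4k;
          fastcgi_busy_buffers_size 256k;
          # Cache key for sites that enable `fastcgi_cache microcache`.  It does
          # not include cookies or Authorization, so such sites must only
          # cache responses that do not depend on the requesting user, or
          # users will be served each other's pages.
          fastcgi_cache_key "$request_method $scheme://$http_host$request_uri";
          fastcgi_cache_path ${nginx.stateDir}/fastcgi_cache
            inactive=10m
            keys_zone=microcache:2M
            levels=1:2
            loader_files=100000
            loader_sleep=1
            loader_threshold=2592000000
            max_size=64M;
          fastcgi_connect_timeout 60;
          fastcgi_ignore_client_abort off;
          fastcgi_intercept_errors on;
          fastcgi_max_temp_file_size 2M;
          fastcgi_param CONTENT_LENGTH $content_length;
          fastcgi_param CONTENT_TYPE $content_type;
          fastcgi_param DOCUMENT_ROOT $document_root;
          fastcgi_param DOCUMENT_URI $document_uri;
          fastcgi_param GATEWAY_INTERFACE CGI/1.1;
          fastcgi_param HTTPS $https if_not_empty;
          fastcgi_param QUERY_STRING $query_string;
          # PHP only, required if PHP was built with --enable-force-cgi-redirect
          fastcgi_param REDIRECT_STATUS 200;
          fastcgi_param REMOTE_ADDR $remote_addr;
          fastcgi_param REMOTE_PORT $remote_port;
          fastcgi_param REQUEST_METHOD $request_method;
          fastcgi_param REQUEST_SCHEME $scheme;
          fastcgi_param REQUEST_URI $request_uri;
          #fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
          # $request_filename is the path nginx actually resolved.  Locations
          # that pass to PHP should still `try_files $uri =404` first so a
          # request for a non-existent script never reaches the interpreter.
          fastcgi_param SCRIPT_FILENAME $request_filename;
          fastcgi_param SCRIPT_NAME $fastcgi_script_name;
          fastcgi_param SERVER_ADDR $server_addr;
          fastcgi_param SERVER_NAME $server_name;
          fastcgi_param SERVER_PORT $server_port;
          fastcgi_param SERVER_PROTOCOL $server_protocol;
          fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
          fastcgi_temp_path ${tempDir}/fastcgi_temp 1 2;
          # Compression applies over TLS too: responses that mix a secret
          # (CSRF token, session id) with attacker-influenced input are exposed
          # to BREACH-style attacks; sites serving such pages should `gzip off`
          # for them.
          gzip on;
          gzip_buffers 16 8k;
          gzip_comp_level 6;
          gzip_disable "MSIE [1-6]\.";
          gzip_http_version 1.1;
          gzip_min_length 1024;
          gzip_proxied any;
          gzip_static on;
          gzip_vary on;
          gzip_types application/javascript
                     application/json
                     application/rss+xml
                     application/vnd.ms-fontobject
                     application/x-font-ttf
                     application/x-javascript
                     application/xml
                     application/xml+rss
                     font/opentype
                     font/truetype
                     image/svg+xml
                     text/css
                     text/javascript
                     text/plain
                     text/x-component
                     text/xml;
          keepalive_timeout 20;
          large_client_header_buffers 4 8k;
          open_file_cache max=200000 inactive=20s;
          open_file_cache_errors on;
          open_file_cache_min_uses 2;
          open_file_cache_valid 30s;
          open_log_file_cache max=1000 inactive=20s min_uses=2 valid=1m;
          proxy_cache_use_stale updating;
          proxy_temp_path ${tempDir}/proxy_temp 1 2;
          reset_timedout_connection on;
          root ${nginx.webDir};
          # If the client stops reading data,
          # free up the stale client connection after this much time.
          send_timeout 60;
          sendfile on;
          server_names_hash_bucket_size 128;
          # Do not advertise the nginx version in headers and error pages.
          server_tokens off;
          # Certificate pair provided by services.x509.
          ssl_certificate ${x509.cert};
          ssl_certificate_key ${x509.key};
          # HIGH minus: anonymous suites (!aNULL also drops AECDH, which the
          # former !ADH did not), non-forward-secret RSA key exchange (!kRSA),
          # MD5 and 3DES.
          ssl_ciphers HIGH:!aNULL:!kRSA:!MD5:!3DES;
          #ssl_ciphers EECDH+aRSA+AESGCM:EDH+aRSA:EECDH+aRSA:+AES256:+AES128:+SHA1:!CAMELLIA:!SEED:!3DES:!DES:!RC4:!eNULL;
          # NOTE: no ssl_dhparam directive references the parameters generated
          # by security.dhparams, so nginx >= 1.11 offers no DHE suites at all
          # (ECDHE still works).  Point ssl_dhparam at them if DHE is wanted.
          ssl_prefer_server_ciphers on;
          # TLSv1.3 can be added once nginx.package and its OpenSSL support it.
          ssl_protocols TLSv1.2;
          ssl_session_cache shared:SSL:10m;
          # Ticket keys are only rotated on restart, which weakens forward
          # secrecy for resumed sessions; the shared cache above still gives
          # resumption.
          ssl_session_tickets off;
          # Don't buffer data-sends (disable Nagle algorithm).
          # Good for sending frequent small bursts of data in real time.
          tcp_nodelay on;
          # Causes nginx to attempt to send its HTTP response head in one packet,
          # instead of using partial frames.
          # This is useful for prepending headers before calling sendfile,
          # or for throughput optimization.
          tcp_nopush on;
          types_hash_max_size 2048;
          uwsgi_param CONTENT_LENGTH $content_length;
          uwsgi_param CONTENT_TYPE $content_type;
          uwsgi_param DOCUMENT_ROOT $document_root;
          uwsgi_param HTTPS $https if_not_empty;
          uwsgi_param PATH_INFO $document_uri;
          uwsgi_param QUERY_STRING $query_string;
          uwsgi_param REMOTE_ADDR $remote_addr;
          uwsgi_param REMOTE_PORT $remote_port;
          uwsgi_param REQUEST_METHOD $request_method;
          uwsgi_param REQUEST_SCHEME $scheme;
          uwsgi_param REQUEST_URI $request_uri;
          uwsgi_param SERVER_NAME $server_name;
          uwsgi_param SERVER_PORT $server_port;
          uwsgi_param SERVER_PROTOCOL $server_protocol;
          # $connection_upgrade is used for websocket proxying
          map $http_upgrade $connection_upgrade {
            default upgrade;
            ''' close;
          }
          # User agents that are to be blocked.
          #map $http_user_agent $bad_bot {
          #  default 0;
          #  libwww-perl 1;
          #  ~(?i)(httrack|htmlparser|libwww) 1;
          #}
          # Referrers that are to be blocked.
          #map $http_referer $bad_referer {
          #  default 0;
          #  ~(?i)(babes|casino|click|diamond|forsale|girl|jewelry|love|nudit|organic|poker|porn|poweroversoftware|replica|sex|teen|webcam|zippo) 1;
          #}
          #geo $not_local {
          #  default 1;
          #  127.0.0.1 0;
          #}
          # Per-site configuration lives outside the Nix store: whoever can
          # write to /etc/nginx/site.d/ controls what nginx serves and proxies,
          # so keep that directory root-owned and not world-writable.
          include /etc/nginx/site.d/*.conf;
          # Catch-all plain-HTTP listener: everything is redirected to HTTPS on
          # the same host and path.
          server {
            listen 80 default_server;
            listen [::]:80 default_server;
            server_name _;
            return 301 https://$host$request_uri;
          }
        }
      '';
    };
  };
}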