servers/mermet/nginx.nix

   1 {pkgs, lib, config, system, ...}:
   2 let inherit (builtins) readFile;
   3     inherit (builtins.extraBuiltins) pass;
   4     inherit (lib) types;
   5     inherit (pkgs.lib) loadFile;
   6     inherit (config) networking;
   7     inherit (config.services) nginx;
   8     domainDir = dom: lib.concatStringsSep "/" (lib.reverseList (lib.splitString "." dom));
   9 in
  10 {
  11 imports = [
  12   nginx/gitweb.nix
  13   nginx/www.nix
  14 ];
  15 options = {
  16   services.nginx = {
  17     x509Dir = lib.mkOption {
  18       type    = types.str;
  19       default = "/var/lib/nginx/x509";
  20     };
  21     webDir = lib.mkOption {
  22       type    = types.str;
  23       default = "/var/www";
  24     };
  25     logDir = lib.mkOption {
  26       type    = types.str;
  27       default = "/var/log/nginx";
  28     };
  29   };
  30 };
  31 config = {
  32   deployment.keys = {
  33     "nginx.${networking.domainBase}.key.pem" = {
  34       text        = pass "x509/${networking.domainBase}/key.pem";
  35       user        = nginx.user;
  36       group       = "root";
  37       destDir     = "/run/keys/";
  38       permissions = "0400"; # WARNING: not enforced when deployment.storeKeysOnMachine = true
  39     };
  40   };
  41   systemd.services.nginx = {
  42     preStart = lib.mkBefore ''
  43       install -D -d -o ${nginx.user} -g ${nginx.group} -m 0700 \
  44        ${nginx.x509Dir} \
  45        ${nginx.webDir} \
  46        ${nginx.logDir}
  47     '';
  48     after = [
  49       "nginx.${networking.domainBase}.key.pem-key.service"
  50     ];
  51   };
  52   services.nginx = {
  53     enable = true;
  54     stateDir = "/dev/shm/nginx";
  55     eventsConfig = ''
  56       multi_accept on;
  57       use epoll;
  58       worker_connections 1024;
  59     '';
  60     clientMaxBodySize = "20m";
  61     recommendedProxySettings = true;
  62     recommendedTlsSettings = true;
  63     serverTokens = false;
  64     # Only allow PFS-enabled ciphers with AES256
  65     sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
  66     #sslCiphers = "HIGH:!ADH:!MD5:!CAMELLIA:!SEED:!3DES:!DES:!RC4:!eNULL";
  67     sslDhparam = ../../../sec/openssl/dh.pem;
  68     #sslCiphers = "EECDH+aRSA+AESGCM:EDH+aRSA:EECDH+aRSA:+AES256:+AES128:+SHA1:!CAMELLIA:!SEED:!3DES:!DES:!RC4:!eNULL;";
  69     #sslProtocols = "TLSv1.2";
  70     commonHttpConfig = ''
  71       log_format main '$remote_addr - $remote_user [$time_local] "$request" '
  72                       '$status $body_bytes_sent "$http_referer" '
  73                       '"$http_user_agent" "$http_x_forwarded_for"';
  74       #charset UTF-8;
  75       '' +
  76       lib.concatStringsSep "\n" (lib.attrValues {
  77         default = ''
  78           default_type application/octet-stream;
  79           root ${nginx.webDir};
  80         '';
  81         security = ''
  82           #error_page 403 = 404;
  83
  84           # Add HSTS header with preloading to HTTPS requests.
  85           # Adding this header to HTTP requests is discouraged
  86           #map $scheme $hsts_header {
  87           #    https   "max-age=31536000; includeSubdomains; preload";
  88           #}
  89           #add_header Strict-Transport-Security $hsts_header;
  90
  91           # Enable CSP for your services.
  92           #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
  93
  94           # Minimize information leaked to other domains
  95           add_header 'Referrer-Policy' 'origin-when-cross-origin';
  96
  97           # Disable embedding as a frame
  98           add_header X-Frame-Options DENY;
  99
 100           # Prevent injection of code in other mime types (XSS Attacks)
 101           add_header X-Content-Type-Options nosniff;
 102
 103           # Enable XSS protection of the browser.
 104           # May be unnecessary when CSP is configured properly (see above)
 105           add_header X-XSS-Protection "1; mode=block";
 106
 107           # This might create errors
 108           proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
 109         '';
 110         log = ''
 111           access_log ${nginx.logDir}/access.log main buffer=32k;
 112           error_log  ${nginx.logDir}/error.log warn;
 113           open_log_file_cache max=1000 inactive=20s min_uses=2 valid=1m;
 114         '';
 115         proxy = ''
 116           proxy_cache_use_stale updating;
 117           proxy_temp_path ${nginx.stateDir}/proxy_temp 1 2;
 118         '';
 119         fastcgi = ''
 120           # DOC: http://wiki.nginx.org/HttpFastcgiModule
 121           fastcgi_buffer_size 128k;
 122           fastcgi_buffers 256 4k;
 123           fastcgi_busy_buffers_size 256k;
 124           fastcgi_cache_key "$request_method $scheme://$http_host$request_uri";
 125           fastcgi_cache_path ${nginx.stateDir}/fastcgi_cache
 126                              inactive=10m
 127                              keys_zone=microcache:2M
 128                              levels=1:2
 129                              loader_files=100000
 130                              loader_sleep=1
 131                              loader_threshold=2592000000
 132                              max_size=64M;
 133           fastcgi_connect_timeout 60;
 134           fastcgi_ignore_client_abort off;
 135           fastcgi_intercept_errors on;
 136           fastcgi_max_temp_file_size 2M;
 137           #fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
 138           fastcgi_param SCRIPT_FILENAME $request_filename;
 139           fastcgi_temp_path ${nginx.stateDir}/fastcgi_temp 1 2;
 140         '';
 141         connection = ''
 142           sendfile on;
 143           # If the client stops reading data,
 144           # free up the stale client connection after this much time.
 145           send_timeout 60;
 146           # Causes nginx to attempt to send its HTTP response head
 147           # in one packet, instead of using partial frames.
 148           # This is useful for prepending headers before calling sendfile,
 149           # or for throughput optimization.
 150           tcp_nopush on;
 151           # Don't buffer data-sends (disable Nagle algorithm).
 152           # Good for sending frequent small bursts of data in real time.
 153           tcp_nodelay on;
 154           keepalive_timeout 20;
 155           reset_timedout_connection on;
 156           server_names_hash_bucket_size 128;
 157           types_hash_max_size 2048;
 158         '';
 159         map = ''
 160           # User agents that are to be blocked.
 161           #map $http_user_agent $bad_bot {
 162           #  default 0;
 163           #  libwww-perl 1;
 164           #  ~(?i)(httrack|htmlparser|libwww) 1;
 165           #}
 166           # Referrers that are to be blocked.
 167           #map $http_referer $bad_referer {
 168           #  default 0;
 169           #  ~(?i)(babes|casino|click|diamond|forsale|girl|jewelry|love|nudit|organic|poker|porn|poweroversoftware|replica|sex|teen|webcam|zippo) 1;
 170           #}
 171           #geo $not_local {
 172           #  default 1;
 173           #  127.0.0.1 0;
 174           #}
 175         '';
 176         gzip = ''
 177           gzip on;
 178           gzip_buffers 16 8k;
 179           gzip_comp_level 6;
 180           gzip_disable "MSIE [1-6]\.";
 181           gzip_http_version 1.1;
 182           gzip_min_length 1024;
 183           gzip_proxied any;
 184           gzip_static on;
 185           gzip_vary on;
 186           gzip_types application/atom+xml
 187                      application/javascript
 188                      application/json
 189                      application/rss+xml
 190                      application/vnd.ms-fontobject
 191                      application/x-font-ttf
 192                      application/x-javascript
 193                      application/xml
 194                      application/xml+rss
 195                      font/opentype
 196                      font/truetype
 197                      image/svg+xml
 198                      text/css
 199                      text/javascript
 200                      text/plain
 201                      text/x-component
 202                      text/xml;
 203         '';
 204         cache = ''
 205           client_body_buffer_size 4K;
 206             # getconf PAGESIZE
 207             # 4096
 208           client_body_temp_path ${nginx.stateDir}/client_body_temp 1 2;
 209           client_body_timeout 60;
 210           client_header_buffer_size 1k;
 211           client_header_timeout 60;
 212           large_client_header_buffers 4 8k;
 213
 214           open_file_cache max=200000 inactive=20s;
 215           open_file_cache_errors on;
 216           open_file_cache_min_uses 2;
 217           open_file_cache_valid 30s;
 218         '';
 219       });
 220     appendConfig = ''
 221       worker_processes 4;
 222     '';
 223     virtualHosts."_" = {
 224       forceSSL = false;
 225       # Convoluted way to load the certificate in the store and using ${networking.domainBase} to find it.
 226       # NOTE: no ssl_stapling while the certificate remains self-signed.
 227       sslCertificate = loadFile (../../../sec + "/openssl/${networking.domainBase}/cert.self-signed.pem");
 228       sslCertificateKey = "/run/keys/nginx.${networking.domainBase}.key.pem";
 229     };
 230   };
 231 };
 232 }