nixos/profiles/services/nginx.nix

   1 { lib, config, host, hostName, inputs, ... }:
   2 let
   3   inherit (lib) types;
   4   inherit (config) networking;
   5   inherit (config.services) nginx;
   6 in
   7 {
   8   options = {
   9     services.nginx = {
  10       configs = lib.mkOption {
  11         type = types.attrsOf types.lines;
  12         default = { };
  13         description = ''
  14           Make some configs available to all virtual hosts.
  15           Useful to workaround the reset of add_header:
  16           https://blog.g3rt.nl/nginx-add_header-pitfall.html
  17         '';
  18         #apply = lib.mapAttrs (name: pkgs.writeText "${name}.conf");
  19       };
  20     };
  21   };
  22   config = {
  23     systemd.tmpfiles.rules = [
  24       "d '/dev/shm/nginx' '750' '${nginx.user}' '${nginx.group}' - -"
  25     ];
  26     systemd.services.nginx = {
  27       requires = [ "systemd-tmpfiles-setup-dev.service" ];
  28       serviceConfig = {
  29         # FIXME: remove all the mkForce in LogsDirectory
  30         # whenever upstream uses a list instead of a string.
  31         LogsDirectory = lib.mkForce [ "nginx" ];
  32         StateDirectory = [ "nginx" ];
  33         StateDirectoryMode = "2771";
  34         #BindPaths = ["/dev/shm/nginx:/var/cache/nginx"];
  35       };
  36     };
  37     services.logrotate = {
  38       enable = true;
  39       settings.nginx = {
  40         files = [
  41           "/var/log/nginx/*.log"
  42           "/var/log/nginx/*/*.log"
  43           "/var/log/nginx/*/*/*.log"
  44           "/var/log/nginx/*/*/*/*.log"
  45           "/var/log/nginx/*/*/*/*/*.log"
  46           "/var/log/nginx/*.json"
  47           "/var/log/nginx/*/*.json"
  48           "/var/log/nginx/*/*/*.json"
  49           "/var/log/nginx/*/*/*/*.json"
  50           "/var/log/nginx/*/*/*/*/*.json"
  51         ];
  52         frequency = "weekly";
  53         rotate = 26;
  54         compress = true;
  55         delaycompress = true;
  56         postrotate = ''
  57           [ ! -f /var/run/nginx/nginx.pid ] || kill -USR1 `cat /var/run/nginx/nginx.pid`
  58         '';
  59       };
  60     };
  61     services.nginx = {
  62       eventsConfig = ''
  63         multi_accept on;
  64         use epoll;
  65         worker_connections 1024;
  66       '';
  67       clientMaxBodySize = "20m";
  68       recommendedGzipSettings = true;
  69       recommendedOptimisation = false;
  70       recommendedProxySettings = true;
  71       recommendedTlsSettings = true;
  72       resolver = {
  73         ipv6 = lib.mkDefault (networking.defaultGateway6 != null);
  74       };
  75       serverTokens = false;
  76       # Only allow PFS-enabled ciphers with AES256
  77       #sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
  78       #sslCiphers = "HIGH:!ADH:!MD5:!CAMELLIA:!SEED:!3DES:!DES:!RC4:!eNULL";
  79       #sslCiphers = "EECDH+aRSA+AESGCM:EDH+aRSA:EECDH+aRSA:+AES256:+AES128:+SHA1:!CAMELLIA:!SEED:!3DES:!DES:!RC4:!eNULL";
  80       sslDhparam = inputs.self + "/hosts/${hostName}/nginx/dh4096.pem";
  81       sslProtocols = "TLSv1.3 TLSv1.2";
  82       configs = rec {
  83         http_add_headers = ''
  84           # Enable CSP
  85           #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
  86
  87           # Enable XSS protection of the browser.
  88           # May be unnecessary when CSP is configured properly (see above)
  89           # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
  90           #add_header X-XSS-Protection "1; mode=block";
  91
  92           # Minimize information leaked to other domains
  93           add_header 'Referrer-Policy' 'origin-when-cross-origin';
  94
  95           # Restrict embedding as a frame
  96           #add_header X-Frame-Options SAMEORIGIN;
  97
  98           # Prevent injection of code in other mime types (XSS Attacks)
  99           add_header X-Content-Type-Options nosniff;
 100         '';
 101         https_add_headers = ''
 102           ${http_add_headers}
 103           # Add HSTS header with preloading to HTTPS requests.
 104           # Adding this header to HTTP requests is discouraged,
 105           # as doing so makes the connection vulnerable to SSL stripping attacks
 106           # DOC: https://blog.qualys.com/securitylabs/2016/03/28/the-importance-of-a-proper-http-strict-transport-security-implementation-on-your-web-server
 107           add_header Strict-Transport-Security $hsts_header;
 108         '';
 109       };
 110       commonHttpConfig = ''
 111         log_format main '$remote_addr - $remote_user [$time_local] "$request" '
 112                         '$status $body_bytes_sent "$http_referer" '
 113                         '"$http_user_agent" "$http_x_forwarded_for"';
 114         log_format json escape=json '{'
 115           '"time_local":"$time_local",'
 116           '"host":"$host",'
 117           '"request":"$request",'
 118           '"status":"$status",'
 119           '"http_referrer":"$http_referer",'
 120           '"remote_addr":"$remote_addr",'
 121           '"remote_user":"$remote_user",'
 122           '"msec":"$msec",'
 123           '"body_bytes_sent":"$body_bytes_sent",'
 124           '"bytes_sent":"$bytes_sent",'
 125           '"http_user_agent":"$http_user_agent",'
 126           '"request_length":"$request_length",'
 127           '"request_method":"$request_method",'
 128           '"request_time":"$request_time",'
 129           '"request_uri":"$request_uri",'
 130           '"server_protocol":"$server_protocol",'
 131           '"ssl_protocol":"$ssl_protocol",'
 132           '"upstream_addr":"$upstream_addr",'
 133           '"upstream_connect_time":"$upstream_connect_time",'
 134           '"upstream_response_time":"$upstream_response_time"'
 135         '}';
 136         charset UTF-8;
 137         types {
 138           text/html html5;
 139           text/plain dump;
 140         }
 141       '' +
 142       lib.concatStringsSep "\n" (lib.attrValues {
 143         default = ''
 144           #default_type application/octet-stream;
 145           root /var/lib/nginx;
 146         '';
 147         security = ''
 148           #error_page 403 = 404;
 149
 150           ${nginx.configs.http_add_headers}
 151
 152           # This might create errors
 153           #proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
 154         '';
 155         log = ''
 156           access_log /var/log/nginx/access.json json;
 157           error_log  /var/log/nginx/error.log warn;
 158           open_log_file_cache max=1000 inactive=20s min_uses=2 valid=1m;
 159         '';
 160         proxy = ''
 161           proxy_cache_use_stale updating;
 162           proxy_temp_path /var/cache/nginx/proxy_temp 1 2;
 163         '';
 164         fastcgi = ''
 165           # DOC: http://wiki.nginx.org/HttpFastcgiModule
 166           fastcgi_buffer_size 128k;
 167           fastcgi_buffers 256 4k;
 168           fastcgi_busy_buffers_size 256k;
 169           fastcgi_cache_key "$request_method $scheme://$http_host$request_uri";
 170           fastcgi_connect_timeout 60;
 171           fastcgi_ignore_client_abort off;
 172           fastcgi_intercept_errors on;
 173           fastcgi_max_temp_file_size 2M;
 174           #fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
 175           fastcgi_param SCRIPT_FILENAME $request_filename;
 176           fastcgi_temp_path /var/cache/nginx/fastcgi_temp 1 2;
 177         '';
 178         connection = ''
 179           sendfile on;
 180           # If the client stops reading data,
 181           # free up the stale client connection after this much time.
 182           send_timeout 60;
 183           # Causes nginx to attempt to send its HTTP response head
 184           # in one packet, instead of using partial frames.
 185           # This is useful for prepending headers before calling sendfile,
 186           # or for throughput optimization.
 187           tcp_nopush on;
 188           # Don't buffer data-sends (disable Nagle algorithm).
 189           # Good for sending frequent small bursts of data in real time.
 190           tcp_nodelay on;
 191           keepalive_timeout 20;
 192           reset_timedout_connection on;
 193           server_names_hash_bucket_size 128;
 194         '';
 195         map = ''
 196           map $time_iso8601 $date {
 197             default 'date-not-found';
 198             '~^(?<year>\d{4})-(?<month>\d{2})-(?<day>\d{2})' $year-$month-$day;
 199           }
 200
 201           map $scheme $hsts_header {
 202             https  "max-age=31536000; includeSubdomains; preload";
 203           }
 204
 205           # User agents that are to be blocked.
 206           #map $http_user_agent $bad_bot {
 207           #  default 0;
 208           #  libwww-perl 1;
 209           #  ~(?i)(httrack|htmlparser|libwww) 1;
 210           #}
 211           # Referrers that are to be blocked.
 212           #map $http_referer $bad_referer {
 213           #  default 0;
 214           #  ~(?i)(babes|casino|click|diamond|forsale|girl|jewelry|love|nudit|organic|poker|porn|poweroversoftware|replica|sex|teen|webcam|zippo) 1;
 215           #}
 216           #geo $not_local {
 217           #  default 1;
 218           #  127.0.0.1 0;
 219           #}
 220         '';
 221         cache = ''
 222           client_body_buffer_size 4K;
 223             # getconf PAGESIZE
 224             # 4096
 225           client_body_temp_path /var/cache/nginx/client_body_temp 1 2;
 226           client_body_timeout 60;
 227           client_header_buffer_size 1k;
 228           client_header_timeout 60;
 229           large_client_header_buffers 4 8k;
 230
 231           open_file_cache max=200000 inactive=20s;
 232           open_file_cache_errors on;
 233           open_file_cache_min_uses 2;
 234           open_file_cache_valid 30s;
 235         '';
 236       });
 237       appendConfig = ''
 238         worker_processes ${toString host.CPUs};
 239       '';
 240     };
 241   };
 242 }