servers/mermet/nginx.nix

   1 {pkgs, lib, config, system, ...}:
   2 let inherit (builtins) readFile;
   3     inherit (builtins.extraBuiltins) pass;
   4     inherit (lib) types;
   5     inherit (pkgs.lib) loadFile;
   6     inherit (config) networking;
   7     inherit (config.services) nginx;
   8     domainDir = dom: lib.concatStringsSep "/" (lib.reverseList (lib.splitString "." dom));
   9 in
  10 {
  11 imports = [
  12   nginx/gitweb.nix
  13 ];
  14 options = {
  15   services.nginx = {
  16     x509Dir = lib.mkOption {
  17       type    = types.str;
  18       default = "/var/lib/nginx/x509";
  19     };
  20     webDir = lib.mkOption {
  21       type    = types.str;
  22       default = "/var/www";
  23     };
  24     logDir = lib.mkOption {
  25       type    = types.str;
  26       default = "/var/log/nginx";
  27     };
  28   };
  29 };
  30 config = {
  31   systemd.services.nginx.after = [
  32     "${networking.domainBase}.key.pem-key.service"
  33     #"keys.target"
  34   ];
  35   deployment.keys = {
  36     "nginx.${networking.domainBase}.key.pem" = {
  37       text        = pass "x509/${networking.domainBase}/key.pem";
  38       user        = nginx.user;
  39       group       = "root";
  40       destDir     = "/run/keys/";
  41       permissions = "0400"; # WARNING: not enforced when deployment.storeKeysOnMachine = true
  42     };
  43   };
  44   systemd.services.nginx = {
  45     preStart = lib.mkBefore ''
  46       install -D -d -o ${nginx.user} -g ${nginx.group} -m 0700 \
  47        ${nginx.x509Dir} \
  48        ${nginx.webDir} \
  49        ${nginx.logDir}
  50     '';
  51   };
  52   services.nginx = {
  53     enable = true;
  54     stateDir = "/dev/shm/nginx";
  55     eventsConfig = ''
  56       multi_accept on;
  57       use epoll;
  58       worker_connections 1024;
  59     '';
  60     clientMaxBodySize = "20m";
  61     recommendedProxySettings = true;
  62     recommendedTlsSettings = true;
  63     serverTokens = false;
  64     sslCiphers = "HIGH:!ADH:!MD5:!CAMELLIA:!SEED:!3DES:!DES:!RC4:!eNULL";
  65     sslDhparam = ../../../sec/openssl/dh.pem;
  66     #sslCiphers = "EECDH+aRSA+AESGCM:EDH+aRSA:EECDH+aRSA:+AES256:+AES128:+SHA1:!CAMELLIA:!SEED:!3DES:!DES:!RC4:!eNULL;";
  67     #sslProtocols = "TLSv1.2";
  68     commonHttpConfig = ''
  69       log_format main '$remote_addr - $remote_user [$time_local] "$request" '
  70                       '$status $body_bytes_sent "$http_referer" '
  71                       '"$http_user_agent" "$http_x_forwarded_for"';
  72       #charset UTF-8;
  73       '' +
  74       lib.concatStringsSep "\n" (lib.attrValues {
  75         default = ''
  76           default_type application/octet-stream;
  77           root ${nginx.webDir};
  78         '';
  79         security = ''
  80           #error_page 403 = 404;
  81         '';
  82         log = ''
  83           access_log ${nginx.logDir}/access.log main buffer=32k;
  84           error_log  ${nginx.logDir}/error.log warn;
  85           open_log_file_cache max=1000 inactive=20s min_uses=2 valid=1m;
  86         '';
  87         proxy = ''
  88           proxy_cache_use_stale updating;
  89           proxy_temp_path ${nginx.stateDir}/proxy_temp 1 2;
  90         '';
  91         fastcgi = ''
  92           # DOC: http://wiki.nginx.org/HttpFastcgiModule
  93           fastcgi_buffer_size 128k;
  94           fastcgi_buffers 256 4k;
  95           fastcgi_busy_buffers_size 256k;
  96           fastcgi_cache_key "$request_method $scheme://$http_host$request_uri";
  97           fastcgi_cache_path ${nginx.stateDir}/fastcgi_cache
  98                              inactive=10m
  99                              keys_zone=microcache:2M
 100                              levels=1:2
 101                              loader_files=100000
 102                              loader_sleep=1
 103                              loader_threshold=2592000000
 104                              max_size=64M;
 105           fastcgi_connect_timeout 60;
 106           fastcgi_ignore_client_abort off;
 107           fastcgi_intercept_errors on;
 108           fastcgi_max_temp_file_size 2M;
 109           #fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
 110           fastcgi_param SCRIPT_FILENAME $request_filename;
 111           fastcgi_temp_path ${nginx.stateDir}/fastcgi_temp 1 2;
 112         '';
 113         connexion = ''
 114           sendfile on;
 115           # If the client stops reading data,
 116           # free up the stale client connection after this much time.
 117           send_timeout 60;
 118           # Causes nginx to attempt to send its HTTP response head
 119           # in one packet, instead of using partial frames.
 120           # This is useful for prepending headers before calling sendfile,
 121           # or for throughput optimization.
 122           tcp_nopush on;
 123           # Don't buffer data-sends (disable Nagle algorithm).
 124           # Good for sending frequent small bursts of data in real time.
 125           tcp_nodelay on;
 126           keepalive_timeout 20;
 127           reset_timedout_connection on;
 128           server_names_hash_bucket_size 128;
 129           types_hash_max_size 2048;
 130         '';
 131         map = ''
 132           # User agents that are to be blocked.
 133           #map $http_user_agent $bad_bot {
 134           #  default 0;
 135           #  libwww-perl 1;
 136           #  ~(?i)(httrack|htmlparser|libwww) 1;
 137           #}
 138           # Referrers that are to be blocked.
 139           #map $http_referer $bad_referer {
 140           #  default 0;
 141           #  ~(?i)(babes|casino|click|diamond|forsale|girl|jewelry|love|nudit|organic|poker|porn|poweroversoftware|replica|sex|teen|webcam|zippo) 1;
 142           #}
 143           #geo $not_local {
 144           #  default 1;
 145           #  127.0.0.1 0;
 146           #}
 147         '';
 148         gzip = ''
 149           gzip on;
 150           gzip_buffers 16 8k;
 151           gzip_comp_level 6;
 152           gzip_disable "MSIE [1-6]\.";
 153           gzip_http_version 1.1;
 154           gzip_min_length 1024;
 155           gzip_proxied any;
 156           gzip_static on;
 157           gzip_vary on;
 158           gzip_types application/atom+xml
 159                      application/javascript
 160                      application/json
 161                      application/rss+xml
 162                      application/vnd.ms-fontobject
 163                      application/x-font-ttf
 164                      application/x-javascript
 165                      application/xml
 166                      application/xml+rss
 167                      font/opentype
 168                      font/truetype
 169                      image/svg+xml
 170                      text/css
 171                      text/javascript
 172                      text/plain
 173                      text/x-component
 174                      text/xml;
 175         '';
 176         cache = ''
 177           client_body_buffer_size 4K;
 178             # getconf PAGESIZE
 179             # 4096
 180           client_body_temp_path ${nginx.stateDir}/client_body_temp 1 2;
 181           client_body_timeout 60;
 182           client_header_buffer_size 1k;
 183           client_header_timeout 60;
 184           large_client_header_buffers 4 8k;
 185
 186           open_file_cache max=200000 inactive=20s;
 187           open_file_cache_errors on;
 188           open_file_cache_min_uses 2;
 189           open_file_cache_valid 30s;
 190         '';
 191       });
 192     appendConfig = ''
 193       worker_processes 2;
 194     '';
 195     virtualHosts."_" = {
 196       forceSSL = true;
 197       # Convoluted way to load the certificate in the store and using ${networking.domainBase} to find it.
 198       # NOTE: no ssl_stapling while the certificate remains self-signed.
 199       sslCertificate = loadFile (../../../sec + "/openssl/${networking.domainBase}/cert.self-signed.pem");
 200       sslCertificateKey = "/run/keys/nginx.${networking.domainBase}.key.pem";
 201     };
 202   };
 203 };
 204 }