1 { inputs, pkgs, lib, config, host, ... }:
4 inherit (config) networking;
5 inherit (config.services) nginx;
10 configs = lib.mkOption {
11 type = types.attrsOf types.lines;
14 Make some configs available to all virtual hosts.
15 Useful to workaround the reset of add_header:
16 https://blog.g3rt.nl/nginx-add_header-pitfall.html
18 #apply = lib.mapAttrs (name: pkgs.writeText "${name}.conf");
23 systemd.tmpfiles.rules = [
24 "d '/dev/shm/nginx' '750' '${nginx.user}' '${nginx.group}' - -"
26 systemd.services.nginx = {
27 requires = [ "systemd-tmpfiles-setup-dev.service" ];
29 # FIXME: remove all the mkForce in LogsDirectory
30 # whenever upstream uses a list instead of a string.
31 LogsDirectory = lib.mkForce ["nginx"];
32 StateDirectory = ["nginx"];
33 StateDirectoryMode = "2770";
34 #BindPaths = ["/dev/shm/nginx:/var/cache/nginx"];
41 worker_connections 1024;
43 clientMaxBodySize = "20m";
44 recommendedGzipSettings = true;
45 recommendedOptimisation = false;
46 recommendedProxySettings = true;
47 recommendedTlsSettings = true;
49 ipv6 = lib.mkDefault (networking.defaultGateway6 != null);
52 # Only allow PFS-enabled ciphers with AES256
53 #sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
54 #sslCiphers = "HIGH:!ADH:!MD5:!CAMELLIA:!SEED:!3DES:!DES:!RC4:!eNULL";
55 #sslCiphers = "EECDH+aRSA+AESGCM:EDH+aRSA:EECDH+aRSA:+AES256:+AES128:+SHA1:!CAMELLIA:!SEED:!3DES:!DES:!RC4:!eNULL";
56 sslDhparam = inputs.secrets + "/openssl/dh.pem";
57 sslProtocols = "TLSv1.3 TLSv1.2";
61 #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
63 # Enable XSS protection of the browser.
64 # May be unnecessary when CSP is configured properly (see above)
65 add_header X-XSS-Protection "1; mode=block";
67 # Minimize information leaked to other domains
68 add_header 'Referrer-Policy' 'origin-when-cross-origin';
70 # Restrict embedding as a frame
71 #add_header X-Frame-Options SAMEORIGIN;
73 # Prevent injection of code in other mime types (XSS Attacks)
74 add_header X-Content-Type-Options nosniff;
76 https_add_headers = ''
78 # Add HSTS header with preloading to HTTPS requests.
79 # Adding this header to HTTP requests is discouraged,
80 # as doing so makes the connection vulnerable to SSL stripping attacks
81 # DOC: https://blog.qualys.com/securitylabs/2016/03/28/the-importance-of-a-proper-http-strict-transport-security-implementation-on-your-web-server
82 add_header Strict-Transport-Security $hsts_header;
86 log_format main '$remote_addr - $remote_user [$time_local] "$request" '
87 '$status $body_bytes_sent "$http_referer" '
88 '"$http_user_agent" "$http_x_forwarded_for"';
89 log_format json escape=json '{'
90 '"time_local":"$time_local",'
92 '"request":"$request",'
94 '"http_referrer":"$http_referer",'
95 '"remote_addr":"$remote_addr",'
96 '"remote_user":"$remote_user",'
98 '"body_bytes_sent":"$body_bytes_sent",'
99 '"bytes_sent":"$bytes_sent",'
100 '"http_user_agent":"$http_user_agent",'
101 '"request_length":"$request_length",'
102 '"request_method":"$request_method",'
103 '"request_time":"$request_time",'
104 '"request_uri":"$request_uri",'
105 '"server_protocol":"$server_protocol",'
106 '"ssl_protocol":"$ssl_protocol",'
107 '"upstream_addr":"$upstream_addr",'
108 '"upstream_connect_time":"$upstream_connect_time",'
109 '"upstream_response_time":"$upstream_response_time"'
117 lib.concatStringsSep "\n" (lib.attrValues {
119 #default_type application/octet-stream;
123 #error_page 403 = 404;
125 ${nginx.configs.http_add_headers}
127 # This might create errors
128 #proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
131 access_log /var/log/nginx/access.json json buffer=32k;
132 error_log /var/log/nginx/error.log warn;
133 open_log_file_cache max=1000 inactive=20s min_uses=2 valid=1m;
136 proxy_cache_use_stale updating;
137 proxy_temp_path /var/cache/nginx/proxy_temp 1 2;
140 # DOC: http://wiki.nginx.org/HttpFastcgiModule
141 fastcgi_buffer_size 128k;
142 fastcgi_buffers 256 4k;
143 fastcgi_busy_buffers_size 256k;
144 fastcgi_cache_key "$request_method $scheme://$http_host$request_uri";
145 fastcgi_connect_timeout 60;
146 fastcgi_ignore_client_abort off;
147 fastcgi_intercept_errors on;
148 fastcgi_max_temp_file_size 2M;
149 #fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
150 fastcgi_param SCRIPT_FILENAME $request_filename;
151 fastcgi_temp_path /var/cache/nginx/fastcgi_temp 1 2;
155 # If the client stops reading data,
156 # free up the stale client connection after this much time.
158 # Causes nginx to attempt to send its HTTP response head
159 # in one packet, instead of using partial frames.
160 # This is useful for prepending headers before calling sendfile,
161 # or for throughput optimization.
163 # Don't buffer data-sends (disable Nagle algorithm).
164 # Good for sending frequent small bursts of data in real time.
166 keepalive_timeout 20;
167 reset_timedout_connection on;
168 types_hash_max_size 4096;
169 server_names_hash_bucket_size 128;
172 map $time_iso8601 $date {
173 default 'date-not-found';
174 '~^(?<year>\d{4})-(?<month>\d{2})-(?<day>\d{2})' $year-$month-$day;
177 map $scheme $hsts_header {
178 https "max-age=31536000; includeSubdomains; preload";
181 # User agents that are to be blocked.
182 #map $http_user_agent $bad_bot {
185 # ~(?i)(httrack|htmlparser|libwww) 1;
187 # Referrers that are to be blocked.
188 #map $http_referer $bad_referer {
190 # ~(?i)(babes|casino|click|diamond|forsale|girl|jewelry|love|nudit|organic|poker|porn|poweroversoftware|replica|sex|teen|webcam|zippo) 1;
198 client_body_buffer_size 4K;
201 client_body_temp_path /var/cache/nginx/client_body_temp 1 2;
202 client_body_timeout 60;
203 client_header_buffer_size 1k;
204 client_header_timeout 60;
205 large_client_header_buffers 4 8k;
207 open_file_cache max=200000 inactive=20s;
208 open_file_cache_errors on;
209 open_file_cache_min_uses 2;
210 open_file_cache_valid 30s;
214 worker_processes ${toString host.CPUs};