]> Git — Sourcephile - sourcephile-nix.git/blob - servers/mermet/nginx.nix
direnv: fix dump
[sourcephile-nix.git] / servers / mermet / nginx.nix
1 {pkgs, lib, config, system, ...}:
2 let
3 inherit (builtins) readFile;
4 inherit (builtins.extraBuiltins) pass;
5 inherit (lib) types;
6 inherit (pkgs.lib) loadFile;
7 inherit (config) networking;
8 inherit (config.services) nginx;
9 domainDir = dom: lib.concatStringsSep "/" (lib.reverseList (lib.splitString "." dom));
10 in
11 {
12 imports = [
13 nginx/sourcephile.fr.nix
14 ];
15 options = {
16 services.nginx = {
17 x509Dir = lib.mkOption {
18 type = types.str;
19 default = "/var/lib/nginx/x509";
20 };
21 webDir = lib.mkOption {
22 type = types.str;
23 default = "/var/www";
24 };
25 logDir = lib.mkOption {
26 type = types.str;
27 default = "/var/log/nginx";
28 };
29 };
30 };
31 config = {
32 systemd.services.nginx = {
33 preStart = lib.mkBefore ''
34 install -D -d -o ${nginx.user} -g ${nginx.group} -m 0700 \
35 ${nginx.x509Dir} \
36 ${nginx.webDir} \
37 ${nginx.logDir}
38 '';
39 };
40 users.groups."acme".members = [nginx.user];
41 services.nginx = {
42 enable = true;
43 stateDir = "/dev/shm/nginx";
44 eventsConfig = ''
45 multi_accept on;
46 use epoll;
47 worker_connections 1024;
48 '';
49 clientMaxBodySize = "20m";
50 recommendedGzipSettings = true;
51 recommendedOptimisation = false;
52 recommendedProxySettings = true;
53 recommendedTlsSettings = true;
54 resolver = {
55 addresses = [ "127.0.0.1:53" ];
56 valid = "";
57 ipv6 = networking.defaultGateway6 != null;
58 };
59 serverTokens = false;
60 # Only allow PFS-enabled ciphers with AES256
61 #sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
62 #sslCiphers = "HIGH:!ADH:!MD5:!CAMELLIA:!SEED:!3DES:!DES:!RC4:!eNULL";
63 #sslCiphers = "EECDH+aRSA+AESGCM:EDH+aRSA:EECDH+aRSA:+AES256:+AES128:+SHA1:!CAMELLIA:!SEED:!3DES:!DES:!RC4:!eNULL";
64 sslDhparam = ../../../sec/openssl/dh.pem;
65 sslProtocols = "TLSv1.3 TLSv1.2";
66 commonHttpConfig = ''
67 log_format main '$remote_addr - $remote_user [$time_local] "$request" '
68 '$status $body_bytes_sent "$http_referer" '
69 '"$http_user_agent" "$http_x_forwarded_for"';
70 #charset UTF-8;
71 '' +
72 lib.concatStringsSep "\n" (lib.attrValues {
73 default = ''
74 default_type application/octet-stream;
75 root ${nginx.webDir};
76 '';
77 security = ''
78 #error_page 403 = 404;
79
80 # Add HSTS header with preloading to HTTPS requests.
81 # Adding this header to HTTP requests is discouraged
82 # DOC: https://blog.qualys.com/securitylabs/2016/03/28/the-importance-of-a-proper-http-strict-transport-security-implementation-on-your-web-server
83 map $scheme $hsts_header {
84 https "max-age=31536000; includeSubdomains; preload";
85 }
86 add_header Strict-Transport-Security $hsts_header;
87
88 # Enable CSP for your services.
89 #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
90
91 # Minimize information leaked to other domains
92 add_header 'Referrer-Policy' 'origin-when-cross-origin';
93
94 # Disable embedding as a frame
95 add_header X-Frame-Options DENY;
96
97 # Prevent injection of code in other mime types (XSS Attacks)
98 add_header X-Content-Type-Options nosniff;
99
100 # Enable XSS protection of the browser.
101 # May be unnecessary when CSP is configured properly (see above)
102 add_header X-XSS-Protection "1; mode=block";
103
104 # This might create errors
105 proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
106
107 # If a client has a session ticket, it can present it to the server and re-negotiation is not necessary.
108 ssl_session_tickets on;
109 '';
110 log = ''
111 access_log ${nginx.logDir}/access.log main buffer=32k;
112 error_log ${nginx.logDir}/error.log warn;
113 open_log_file_cache max=1000 inactive=20s min_uses=2 valid=1m;
114 '';
115 proxy = ''
116 proxy_cache_use_stale updating;
117 proxy_temp_path ${nginx.stateDir}/proxy_temp 1 2;
118 '';
119 fastcgi = ''
120 # DOC: http://wiki.nginx.org/HttpFastcgiModule
121 fastcgi_buffer_size 128k;
122 fastcgi_buffers 256 4k;
123 fastcgi_busy_buffers_size 256k;
124 fastcgi_cache_key "$request_method $scheme://$http_host$request_uri";
125 fastcgi_cache_path ${nginx.stateDir}/fastcgi_cache
126 inactive=10m
127 keys_zone=microcache:2M
128 levels=1:2
129 loader_files=100000
130 loader_sleep=1
131 loader_threshold=2592000000
132 max_size=64M;
133 fastcgi_connect_timeout 60;
134 fastcgi_ignore_client_abort off;
135 fastcgi_intercept_errors on;
136 fastcgi_max_temp_file_size 2M;
137 #fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
138 fastcgi_param SCRIPT_FILENAME $request_filename;
139 fastcgi_temp_path ${nginx.stateDir}/fastcgi_temp 1 2;
140 '';
141 connection = ''
142 sendfile on;
143 # If the client stops reading data,
144 # free up the stale client connection after this much time.
145 send_timeout 60;
146 # Causes nginx to attempt to send its HTTP response head
147 # in one packet, instead of using partial frames.
148 # This is useful for prepending headers before calling sendfile,
149 # or for throughput optimization.
150 tcp_nopush on;
151 # Don't buffer data-sends (disable Nagle algorithm).
152 # Good for sending frequent small bursts of data in real time.
153 tcp_nodelay on;
154 keepalive_timeout 20;
155 reset_timedout_connection on;
156 types_hash_max_size 4096;
157 server_names_hash_bucket_size 128;
158 '';
159 map = ''
160 # User agents that are to be blocked.
161 #map $http_user_agent $bad_bot {
162 # default 0;
163 # libwww-perl 1;
164 # ~(?i)(httrack|htmlparser|libwww) 1;
165 #}
166 # Referrers that are to be blocked.
167 #map $http_referer $bad_referer {
168 # default 0;
169 # ~(?i)(babes|casino|click|diamond|forsale|girl|jewelry|love|nudit|organic|poker|porn|poweroversoftware|replica|sex|teen|webcam|zippo) 1;
170 #}
171 #geo $not_local {
172 # default 1;
173 # 127.0.0.1 0;
174 #}
175 '';
176 cache = ''
177 client_body_buffer_size 4K;
178 # getconf PAGESIZE
179 # 4096
180 client_body_temp_path ${nginx.stateDir}/client_body_temp 1 2;
181 client_body_timeout 60;
182 client_header_buffer_size 1k;
183 client_header_timeout 60;
184 large_client_header_buffers 4 8k;
185
186 open_file_cache max=200000 inactive=20s;
187 open_file_cache_errors on;
188 open_file_cache_min_uses 2;
189 open_file_cache_valid 30s;
190 '';
191 });
192 appendConfig = ''
193 worker_processes ${toString config.nix.maxJobs};
194 '';
195 virtualHosts."_" = {
196 forceSSL = true;
197 useACMEHost = networking.domain;
198 };
199 };
200 };
201 }