]> Git — Sourcephile - sourcephile-nix.git/blob - install/logical/friot/nginx.nix
sourcephile / git / sourcephile-nix.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
dovecot: handle perms to auto create Maildirs.
[sourcephile-nix.git] / install / logical / friot / nginx.nix
1 {pkgs, lib, config, system, ...}:
2 let inherit (lib) types;
3 inherit (config.services) nginx x509;
4 logDir = "/var/log/nginx";
5 domainDir = dom: lib.concatStringsSep "/" (lib.reverseList (lib.splitString "." dom));
6 in
7 {
8 imports = [
9 nginx/gitweb.nix
10 ];
11 options.services.nginx.webDir = lib.mkOption {
12 type = types.str;
13 default = "/var/www"; # TODO: /var/lib/nginx ?
14 };
15 config = {
16 security.dhparams = {
17 enable = true;
18 params = {
19 nginx = 1024;
20 };
21 };
22 services.nginx = {
23 enable = true;
24 stateDir = "/dev/shm/nginx";
25 eventsConfig = ''
26 multi_accept on;
27 use epoll;
28 worker_connections 1024;
29 '';
30 clientMaxBodySize = "20m";
31 recommendedProxySettings = true;
32 recommendedTlsSettings = true;
33 serverTokens = false;
34 sslCiphers = "HIGH:!ADH:!MD5:!CAMELLIA:!SEED:!3DES:!DES:!RC4:!eNULL";
35 #sslCiphers = "EECDH+aRSA+AESGCM:EDH+aRSA:EECDH+aRSA:+AES256:+AES128:+SHA1:!CAMELLIA:!SEED:!3DES:!DES:!RC4:!eNULL;";
36 #sslProtocols = "TLSv1.2";
37 commonHttpConfig = ''
38 log_format main '$remote_addr - $remote_user [$time_local] "$request" '
39 '$status $body_bytes_sent "$http_referer" '
40 '"$http_user_agent" "$http_x_forwarded_for"';
41 #charset UTF-8;
42 '' +
43 lib.concatStringsSep "\n" (lib.attrValues {
44 default = ''
45 default_type application/octet-stream;
46 root ${nginx.webDir};
47 '';
48 security = ''
49 error_page 403 = 404;
50 #ssl_certificate ${x509.cert};
51 #ssl_certificate_key ${x509.key};
52 '';
53 log = ''
54 access_log ${logDir}/access.log main buffer=32k;
55 error_log ${logDir}/error.log warn;
56 open_log_file_cache max=1000 inactive=20s min_uses=2 valid=1m;
57 '';
58 proxy = ''
59 proxy_cache_use_stale updating;
60 proxy_temp_path ${nginx.stateDir}/proxy_temp 1 2;
61 '';
62 fastcgi = ''
63 # DOC: http://wiki.nginx.org/HttpFastcgiModule
64 fastcgi_buffer_size 128k;
65 fastcgi_buffers 256 4k;
66 fastcgi_busy_buffers_size 256k;
67 fastcgi_cache_key "$request_method $scheme://$http_host$request_uri";
68 fastcgi_cache_path ${nginx.stateDir}/fastcgi_cache
69 inactive=10m
70 keys_zone=microcache:2M
71 levels=1:2
72 loader_files=100000
73 loader_sleep=1
74 loader_threshold=2592000000
75 max_size=64M;
76 fastcgi_connect_timeout 60;
77 fastcgi_ignore_client_abort off;
78 fastcgi_intercept_errors on;
79 fastcgi_max_temp_file_size 2M;
80 #fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
81 fastcgi_param SCRIPT_FILENAME $request_filename;
82 fastcgi_temp_path ${nginx.stateDir}/fastcgi_temp 1 2;
83 '';
84 connexion = ''
85 sendfile on;
86 send_timeout 60;
87 # ^ If the client stops reading data,
88 # free up the stale client connection after this much time.
89 tcp_nopush on;
90 # ^ Causes nginx to attempt to send its HTTP response head
91 # in one packet, instead of using partial frames.
92 # This is useful for prepending headers before calling sendfile,
93 # or for throughput optimization.
94 tcp_nodelay on;
95 # ^ Don't buffer data-sends (disable Nagle algorithm).
96 # Good for sending frequent small bursts of data in real time.
97 keepalive_timeout 20;
98 reset_timedout_connection on;
99 server_names_hash_bucket_size 128;
100 types_hash_max_size 2048;
101 '';
102 map = ''
103 # User agents that are to be blocked.
104 #map $http_user_agent $bad_bot {
105 # default 0;
106 # libwww-perl 1;
107 # ~(?i)(httrack|htmlparser|libwww) 1;
108 #}
109 # Referrers that are to be blocked.
110 #map $http_referer $bad_referer {
111 # default 0;
112 # ~(?i)(babes|casino|click|diamond|forsale|girl|jewelry|love|nudit|organic|poker|porn|poweroversoftware|replica|sex|teen|webcam|zippo) 1;
113 #}
114 #geo $not_local {
115 # default 1;
116 # 127.0.0.1 0;
117 #}
118 '';
119 gzip = ''
120 gzip on;
121 gzip_buffers 16 8k;
122 gzip_comp_level 6;
123 gzip_disable "MSIE [1-6]\.";
124 gzip_http_version 1.1;
125 gzip_min_length 1024;
126 gzip_proxied any;
127 gzip_static on;
128 gzip_vary on;
129 gzip_types application/atom+xml
130 application/javascript
131 application/json
132 application/rss+xml
133 application/vnd.ms-fontobject
134 application/x-font-ttf
135 application/x-javascript
136 application/xml
137 application/xml+rss
138 font/opentype
139 font/truetype
140 image/svg+xml
141 text/css
142 text/javascript
143 text/plain
144 text/x-component
145 text/xml;
146 '';
147 cache = ''
148 client_body_buffer_size 4K;
149 # ^ getconf PAGESIZE
150 # 4096
151 client_body_temp_path ${nginx.stateDir}/client_body_temp 1 2;
152 client_body_timeout 60;
153 client_header_buffer_size 1k;
154 client_header_timeout 60;
155 large_client_header_buffers 4 8k;
156
157 open_file_cache max=200000 inactive=20s;
158 open_file_cache_errors on;
159 open_file_cache_min_uses 2;
160 open_file_cache_valid 30s;
161 '';
162 });
163 appendConfig = ''
164 worker_processes 2;
165 '';
166 };
167 };
168 }
NixOS configurations for Sourcephile's infrastructure