servers/mermet/nginx.nix

   1 {pkgs, lib, config, system, ...}:
   2 let
   3   inherit (builtins) readFile;
   4   inherit (builtins.extraBuiltins) pass;
   5   inherit (lib) types;
   6   inherit (pkgs.lib) loadFile;
   7   inherit (config) networking;
   8   inherit (config.services) nginx;
   9   domainDir = dom: lib.concatStringsSep "/" (lib.reverseList (lib.splitString "." dom));
  10 in
  11 {
  12 imports = [
  13   nginx/sourcephile.fr.nix
  14 ];
  15 options = {
  16   services.nginx = {
  17     x509Dir = lib.mkOption {
  18       type    = types.str;
  19       default = "/var/lib/nginx/x509";
  20     };
  21     webDir = lib.mkOption {
  22       type    = types.str;
  23       default = "/var/www";
  24     };
  25     logDir = lib.mkOption {
  26       type    = types.str;
  27       default = "/var/log/nginx";
  28     };
  29   };
  30 };
  31 config = {
  32   systemd.services.nginx = {
  33     preStart = lib.mkBefore ''
  34       install -D -d -o ${nginx.user} -g ${nginx.group} -m 0700 \
  35        ${nginx.x509Dir} \
  36        ${nginx.webDir} \
  37        ${nginx.logDir}
  38     '';
  39   };
  40   users.groups."acme".members = [nginx.user];
  41   services.nginx = {
  42     enable = true;
  43     package = pkgs.nginx.override {
  44       modules = with pkgs.nginxModules; [
  45         fancyindex
  46       ];
  47     };
  48     stateDir = "/dev/shm/nginx";
  49     eventsConfig = ''
  50       multi_accept on;
  51       use epoll;
  52       worker_connections 1024;
  53     '';
  54     clientMaxBodySize = "20m";
  55     recommendedGzipSettings = true;
  56     recommendedOptimisation = false;
  57     recommendedProxySettings = true;
  58     recommendedTlsSettings = true;
  59     resolver = {
  60       addresses = [ "127.0.0.1:53" ];
  61       valid = "";
  62       ipv6 = networking.defaultGateway6 != null;
  63     };
  64     serverTokens = false;
  65     # Only allow PFS-enabled ciphers with AES256
  66     #sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
  67     #sslCiphers = "HIGH:!ADH:!MD5:!CAMELLIA:!SEED:!3DES:!DES:!RC4:!eNULL";
  68     #sslCiphers = "EECDH+aRSA+AESGCM:EDH+aRSA:EECDH+aRSA:+AES256:+AES128:+SHA1:!CAMELLIA:!SEED:!3DES:!DES:!RC4:!eNULL";
  69     sslDhparam = ../../../sec/openssl/dh.pem;
  70     sslProtocols = "TLSv1.3 TLSv1.2";
  71     commonHttpConfig = ''
  72       log_format main '$remote_addr - $remote_user [$time_local] "$request" '
  73                       '$status $body_bytes_sent "$http_referer" '
  74                       '"$http_user_agent" "$http_x_forwarded_for"';
  75
  76       log_format json escape=json
  77         '{'
  78           '"time_local":"$time_local",'
  79           '"remote_addr":"$remote_addr",'
  80           '"status": "$status",'
  81           '"request":"$request",'
  82           '"body_bytes_sent":"$body_bytes_sent",'
  83           '"http_referrer":"$http_referer",'
  84           '"http_user_agent":"$http_user_agent",'
  85           '"remote_user":"$remote_user",'
  86           '"request_time":"$request_time"'
  87         '}';
  88       charset UTF-8;
  89       types {
  90         text/html html5;
  91         text/plain md;
  92       }
  93       '' +
  94       lib.concatStringsSep "\n" (lib.attrValues {
  95         default = ''
  96           default_type application/octet-stream;
  97           root ${nginx.webDir};
  98         '';
  99         security = ''
 100           #error_page 403 = 404;
 101
 102           # Add HSTS header with preloading to HTTPS requests.
 103           # Adding this header to HTTP requests is discouraged
 104           # DOC: https://blog.qualys.com/securitylabs/2016/03/28/the-importance-of-a-proper-http-strict-transport-security-implementation-on-your-web-server
 105           map $scheme $hsts_header {
 106               https   "max-age=31536000; includeSubdomains; preload";
 107           }
 108           add_header Strict-Transport-Security $hsts_header;
 109
 110           # Enable CSP for your services.
 111           #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
 112
 113           # Minimize information leaked to other domains
 114           add_header 'Referrer-Policy' 'origin-when-cross-origin';
 115
 116           # Disable embedding as a frame
 117           add_header X-Frame-Options DENY;
 118
 119           # Prevent injection of code in other mime types (XSS Attacks)
 120           add_header X-Content-Type-Options nosniff;
 121
 122           # Enable XSS protection of the browser.
 123           # May be unnecessary when CSP is configured properly (see above)
 124           add_header X-XSS-Protection "1; mode=block";
 125
 126           # This might create errors
 127           proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
 128
 129           # If a client has a session ticket, it can present it to the server and re-negotiation is not necessary.
 130           ssl_session_tickets on;
 131         '';
 132         log = ''
 133           access_log ${nginx.logDir}/access.log main buffer=32k;
 134           error_log  ${nginx.logDir}/error.log warn;
 135           open_log_file_cache max=1000 inactive=20s min_uses=2 valid=1m;
 136         '';
 137         proxy = ''
 138           proxy_cache_use_stale updating;
 139           proxy_temp_path ${nginx.stateDir}/proxy_temp 1 2;
 140         '';
 141         fastcgi = ''
 142           # DOC: http://wiki.nginx.org/HttpFastcgiModule
 143           fastcgi_buffer_size 128k;
 144           fastcgi_buffers 256 4k;
 145           fastcgi_busy_buffers_size 256k;
 146           fastcgi_cache_key "$request_method $scheme://$http_host$request_uri";
 147           fastcgi_cache_path ${nginx.stateDir}/fastcgi_cache
 148                              inactive=10m
 149                              keys_zone=microcache:2M
 150                              levels=1:2
 151                              loader_files=100000
 152                              loader_sleep=1
 153                              loader_threshold=2592000000
 154                              max_size=64M;
 155           fastcgi_connect_timeout 60;
 156           fastcgi_ignore_client_abort off;
 157           fastcgi_intercept_errors on;
 158           fastcgi_max_temp_file_size 2M;
 159           #fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
 160           fastcgi_param SCRIPT_FILENAME $request_filename;
 161           fastcgi_temp_path ${nginx.stateDir}/fastcgi_temp 1 2;
 162         '';
 163         connection = ''
 164           sendfile on;
 165           # If the client stops reading data,
 166           # free up the stale client connection after this much time.
 167           send_timeout 60;
 168           # Causes nginx to attempt to send its HTTP response head
 169           # in one packet, instead of using partial frames.
 170           # This is useful for prepending headers before calling sendfile,
 171           # or for throughput optimization.
 172           tcp_nopush on;
 173           # Don't buffer data-sends (disable Nagle algorithm).
 174           # Good for sending frequent small bursts of data in real time.
 175           tcp_nodelay on;
 176           keepalive_timeout 20;
 177           reset_timedout_connection on;
 178           types_hash_max_size 4096;
 179           server_names_hash_bucket_size 128;
 180         '';
 181         map = ''
 182           map $time_iso8601 $date {
 183             default 'date-not-found';
 184             '~^(?<year>\d{4})-(?<month>\d{2})-(?<day>\d{2})' $year-$month-$day;
 185           }
 186           # User agents that are to be blocked.
 187           #map $http_user_agent $bad_bot {
 188           #  default 0;
 189           #  libwww-perl 1;
 190           #  ~(?i)(httrack|htmlparser|libwww) 1;
 191           #}
 192           # Referrers that are to be blocked.
 193           #map $http_referer $bad_referer {
 194           #  default 0;
 195           #  ~(?i)(babes|casino|click|diamond|forsale|girl|jewelry|love|nudit|organic|poker|porn|poweroversoftware|replica|sex|teen|webcam|zippo) 1;
 196           #}
 197           #geo $not_local {
 198           #  default 1;
 199           #  127.0.0.1 0;
 200           #}
 201         '';
 202         cache = ''
 203           client_body_buffer_size 4K;
 204             # getconf PAGESIZE
 205             # 4096
 206           client_body_temp_path ${nginx.stateDir}/client_body_temp 1 2;
 207           client_body_timeout 60;
 208           client_header_buffer_size 1k;
 209           client_header_timeout 60;
 210           large_client_header_buffers 4 8k;
 211
 212           open_file_cache max=200000 inactive=20s;
 213           open_file_cache_errors on;
 214           open_file_cache_min_uses 2;
 215           open_file_cache_valid 30s;
 216         '';
 217       });
 218     appendConfig = ''
 219       worker_processes ${toString config.nix.maxJobs};
 220     '';
 221     virtualHosts."_" = {
 222       forceSSL = true;
 223       useACMEHost = networking.domain;
 224     };
 225   };
 226 };
 227 }