]> Git — Sourcephile - sourcephile-nix.git/blob - servers/mermet/nginx.nix
nix: shell: fix merging with host's env
[sourcephile-nix.git] / servers / mermet / nginx.nix
1 {pkgs, lib, config, system, ...}:
2 let inherit (builtins) readFile;
3 inherit (builtins.extraBuiltins) pass;
4 inherit (lib) types;
5 inherit (pkgs.lib) loadFile;
6 inherit (config) networking;
7 inherit (config.services) nginx;
8 domainDir = dom: lib.concatStringsSep "/" (lib.reverseList (lib.splitString "." dom));
9 in
10 {
11 imports = [
12 nginx/gitweb.nix
13 nginx/www.nix
14 ];
15 options = {
16 services.nginx = {
17 x509Dir = lib.mkOption {
18 type = types.str;
19 default = "/var/lib/nginx/x509";
20 };
21 webDir = lib.mkOption {
22 type = types.str;
23 default = "/var/www";
24 };
25 logDir = lib.mkOption {
26 type = types.str;
27 default = "/var/log/nginx";
28 };
29 };
30 };
31 config = {
32 deployment.keys = {
33 "nginx.${networking.domainBase}.key.pem" = {
34 text = pass "x509/${networking.domainBase}/key.pem";
35 user = nginx.user;
36 group = "root";
37 destDir = "/run/keys/";
38 permissions = "0400"; # WARNING: not enforced when deployment.storeKeysOnMachine = true
39 };
40 };
41 systemd.services.nginx = {
42 preStart = lib.mkBefore ''
43 install -D -d -o ${nginx.user} -g ${nginx.group} -m 0700 \
44 ${nginx.x509Dir} \
45 ${nginx.webDir} \
46 ${nginx.logDir}
47 '';
48 after = [
49 "nginx.${networking.domainBase}.key.pem-key.service"
50 ];
51 };
52 services.nginx = {
53 enable = true;
54 stateDir = "/dev/shm/nginx";
55 eventsConfig = ''
56 multi_accept on;
57 use epoll;
58 worker_connections 1024;
59 '';
60 clientMaxBodySize = "20m";
61 recommendedProxySettings = true;
62 recommendedTlsSettings = true;
63 serverTokens = false;
64 # Only allow PFS-enabled ciphers with AES256
65 sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
66 #sslCiphers = "HIGH:!ADH:!MD5:!CAMELLIA:!SEED:!3DES:!DES:!RC4:!eNULL";
67 sslDhparam = ../../../sec/openssl/dh.pem;
68 #sslCiphers = "EECDH+aRSA+AESGCM:EDH+aRSA:EECDH+aRSA:+AES256:+AES128:+SHA1:!CAMELLIA:!SEED:!3DES:!DES:!RC4:!eNULL;";
69 #sslProtocols = "TLSv1.2";
70 commonHttpConfig = ''
71 log_format main '$remote_addr - $remote_user [$time_local] "$request" '
72 '$status $body_bytes_sent "$http_referer" '
73 '"$http_user_agent" "$http_x_forwarded_for"';
74 #charset UTF-8;
75 '' +
76 lib.concatStringsSep "\n" (lib.attrValues {
77 default = ''
78 default_type application/octet-stream;
79 root ${nginx.webDir};
80 '';
81 security = ''
82 #error_page 403 = 404;
83
84 # Add HSTS header with preloading to HTTPS requests.
85 # Adding this header to HTTP requests is discouraged
86 #map $scheme $hsts_header {
87 # https "max-age=31536000; includeSubdomains; preload";
88 #}
89 #add_header Strict-Transport-Security $hsts_header;
90
91 # Enable CSP for your services.
92 #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
93
94 # Minimize information leaked to other domains
95 add_header 'Referrer-Policy' 'origin-when-cross-origin';
96
97 # Disable embedding as a frame
98 add_header X-Frame-Options DENY;
99
100 # Prevent injection of code in other mime types (XSS Attacks)
101 add_header X-Content-Type-Options nosniff;
102
103 # Enable XSS protection of the browser.
104 # May be unnecessary when CSP is configured properly (see above)
105 add_header X-XSS-Protection "1; mode=block";
106
107 # This might create errors
108 proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
109 '';
110 log = ''
111 access_log ${nginx.logDir}/access.log main buffer=32k;
112 error_log ${nginx.logDir}/error.log warn;
113 open_log_file_cache max=1000 inactive=20s min_uses=2 valid=1m;
114 '';
115 proxy = ''
116 proxy_cache_use_stale updating;
117 proxy_temp_path ${nginx.stateDir}/proxy_temp 1 2;
118 '';
119 fastcgi = ''
120 # DOC: http://wiki.nginx.org/HttpFastcgiModule
121 fastcgi_buffer_size 128k;
122 fastcgi_buffers 256 4k;
123 fastcgi_busy_buffers_size 256k;
124 fastcgi_cache_key "$request_method $scheme://$http_host$request_uri";
125 fastcgi_cache_path ${nginx.stateDir}/fastcgi_cache
126 inactive=10m
127 keys_zone=microcache:2M
128 levels=1:2
129 loader_files=100000
130 loader_sleep=1
131 loader_threshold=2592000000
132 max_size=64M;
133 fastcgi_connect_timeout 60;
134 fastcgi_ignore_client_abort off;
135 fastcgi_intercept_errors on;
136 fastcgi_max_temp_file_size 2M;
137 #fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
138 fastcgi_param SCRIPT_FILENAME $request_filename;
139 fastcgi_temp_path ${nginx.stateDir}/fastcgi_temp 1 2;
140 '';
141 connection = ''
142 sendfile on;
143 # If the client stops reading data,
144 # free up the stale client connection after this much time.
145 send_timeout 60;
146 # Causes nginx to attempt to send its HTTP response head
147 # in one packet, instead of using partial frames.
148 # This is useful for prepending headers before calling sendfile,
149 # or for throughput optimization.
150 tcp_nopush on;
151 # Don't buffer data-sends (disable Nagle algorithm).
152 # Good for sending frequent small bursts of data in real time.
153 tcp_nodelay on;
154 keepalive_timeout 20;
155 reset_timedout_connection on;
156 server_names_hash_bucket_size 128;
157 types_hash_max_size 2048;
158 '';
159 map = ''
160 # User agents that are to be blocked.
161 #map $http_user_agent $bad_bot {
162 # default 0;
163 # libwww-perl 1;
164 # ~(?i)(httrack|htmlparser|libwww) 1;
165 #}
166 # Referrers that are to be blocked.
167 #map $http_referer $bad_referer {
168 # default 0;
169 # ~(?i)(babes|casino|click|diamond|forsale|girl|jewelry|love|nudit|organic|poker|porn|poweroversoftware|replica|sex|teen|webcam|zippo) 1;
170 #}
171 #geo $not_local {
172 # default 1;
173 # 127.0.0.1 0;
174 #}
175 '';
176 gzip = ''
177 gzip on;
178 gzip_buffers 16 8k;
179 gzip_comp_level 6;
180 gzip_disable "MSIE [1-6]\.";
181 gzip_http_version 1.1;
182 gzip_min_length 1024;
183 gzip_proxied any;
184 gzip_static on;
185 gzip_vary on;
186 gzip_types application/atom+xml
187 application/javascript
188 application/json
189 application/rss+xml
190 application/vnd.ms-fontobject
191 application/x-font-ttf
192 application/x-javascript
193 application/xml
194 application/xml+rss
195 font/opentype
196 font/truetype
197 image/svg+xml
198 text/css
199 text/javascript
200 text/plain
201 text/x-component
202 text/xml;
203 '';
204 cache = ''
205 client_body_buffer_size 4K;
206 # getconf PAGESIZE
207 # 4096
208 client_body_temp_path ${nginx.stateDir}/client_body_temp 1 2;
209 client_body_timeout 60;
210 client_header_buffer_size 1k;
211 client_header_timeout 60;
212 large_client_header_buffers 4 8k;
213
214 open_file_cache max=200000 inactive=20s;
215 open_file_cache_errors on;
216 open_file_cache_min_uses 2;
217 open_file_cache_valid 30s;
218 '';
219 });
220 appendConfig = ''
221 worker_processes 4;
222 '';
223 virtualHosts."_" = {
224 forceSSL = false;
225 # Convoluted way to load the certificate in the store and using ${networking.domainBase} to find it.
226 # NOTE: no ssl_stapling while the certificate remains self-signed.
227 sslCertificate = loadFile (../../../sec + "/openssl/${networking.domainBase}/cert.self-signed.pem");
228 sslCertificateKey = "/run/keys/nginx.${networking.domainBase}.key.pem";
229 };
230 };
231 };
232 }