]> Git — Sourcephile - sourcephile-nix.git/blob - servers/mermet/nginx.nix
stig: update to 0.11.0a
[sourcephile-nix.git] / servers / mermet / nginx.nix
1 {pkgs, lib, config, system, ...}:
2 let
3 inherit (builtins) readFile;
4 inherit (builtins.extraBuiltins) pass;
5 inherit (lib) types;
6 inherit (pkgs.lib) loadFile;
7 inherit (config) networking;
8 inherit (config.services) nginx;
9 domainDir = dom: lib.concatStringsSep "/" (lib.reverseList (lib.splitString "." dom));
10 in
11 {
12 imports = [
13 nginx/sourcephile.fr.nix
14 ];
15 options = {
16 services.nginx = {
17 webDir = lib.mkOption {
18 type = types.str;
19 default = "/var/www";
20 };
21 cacheDir = lib.mkOption {
22 type = types.str;
23 default = "/dev/shm/nginx";
24 };
25 logDir = lib.mkOption {
26 type = types.str;
27 default = "/var/log/nginx";
28 };
29 configs = lib.mkOption {
30 type = types.attrsOf types.lines;
31 default = {};
32 description = ''
33 Make some configs available to all virtual hosts.
34 Useful to workaround the reset of add_header:
35 https://blog.g3rt.nl/nginx-add_header-pitfall.html
36 '';
37 #apply = lib.mapAttrs (name: pkgs.writeText "${name}.conf");
38 };
39 };
40 };
41 config = {
42 systemd.services.nginx = {
43 preStart = lib.mkBefore ''
44 install -D -d -o ${nginx.user} -g ${nginx.group} -m 0700 \
45 ${nginx.cacheDir} \
46 ${nginx.logDir} \
47 ${nginx.webDir}
48 '';
49 };
50 users.groups."acme".members = [nginx.user];
51 services.nginx = {
52 enable = true;
53 package = pkgs.nginx.override {
54 modules = with pkgs.nginxModules; [
55 fancyindex
56 ];
57 };
58 eventsConfig = ''
59 multi_accept on;
60 use epoll;
61 worker_connections 1024;
62 '';
63 clientMaxBodySize = "20m";
64 recommendedGzipSettings = true;
65 recommendedOptimisation = false;
66 recommendedProxySettings = true;
67 recommendedTlsSettings = true;
68 resolver = {
69 addresses = [ "127.0.0.1:53" ];
70 valid = "";
71 ipv6 = networking.defaultGateway6 != null;
72 };
73 serverTokens = false;
74 # Only allow PFS-enabled ciphers with AES256
75 #sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
76 #sslCiphers = "HIGH:!ADH:!MD5:!CAMELLIA:!SEED:!3DES:!DES:!RC4:!eNULL";
77 #sslCiphers = "EECDH+aRSA+AESGCM:EDH+aRSA:EECDH+aRSA:+AES256:+AES128:+SHA1:!CAMELLIA:!SEED:!3DES:!DES:!RC4:!eNULL";
78 sslDhparam = ../../../sec/openssl/dh.pem;
79 sslProtocols = "TLSv1.3 TLSv1.2";
80 configs = rec {
81 http_add_headers = ''
82 # Add HSTS header with preloading to HTTPS requests.
83 # Adding this header to HTTP requests is discouraged
84 # DOC: https://blog.qualys.com/securitylabs/2016/03/28/the-importance-of-a-proper-http-strict-transport-security-implementation-on-your-web-server
85 add_header Strict-Transport-Security $hsts_header;
86
87 # Enable CSP for your services.
88 #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
89
90 # Minimize information leaked to other domains
91 add_header 'Referrer-Policy' 'origin-when-cross-origin';
92
93 # Disable embedding as a frame
94 add_header X-Frame-Options DENY;
95
96 # Prevent injection of code in other mime types (XSS Attacks)
97 add_header X-Content-Type-Options nosniff;
98
99 # Enable XSS protection of the browser.
100 # May be unnecessary when CSP is configured properly (see above)
101 add_header X-XSS-Protection "1; mode=block";
102 '';
103 https_add_headers = ''
104 ${http_add_headers}
105 '';
106 };
107 commonHttpConfig = ''
108 log_format main '$remote_addr - $remote_user [$time_local] "$request" '
109 '$status $body_bytes_sent "$http_referer" '
110 '"$http_user_agent" "$http_x_forwarded_for"';
111
112 log_format json escape=json
113 '{'
114 '"time_local":"$time_local",'
115 '"remote_addr":"$remote_addr",'
116 '"status": "$status",'
117 '"request":"$request",'
118 '"body_bytes_sent":"$body_bytes_sent",'
119 '"http_referrer":"$http_referer",'
120 '"http_user_agent":"$http_user_agent",'
121 '"remote_user":"$remote_user",'
122 '"request_time":"$request_time"'
123 '}';
124 charset UTF-8;
125 types {
126 text/html html5;
127 text/plain md;
128 }
129 '' +
130 lib.concatStringsSep "\n" (lib.attrValues {
131 default = ''
132 default_type application/octet-stream;
133 root ${nginx.webDir};
134 '';
135 security = ''
136 #error_page 403 = 404;
137
138 ${nginx.configs.http_add_headers}
139
140 # This might create errors
141 proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
142 '';
143 log = ''
144 access_log ${nginx.logDir}/access.log main buffer=32k;
145 error_log ${nginx.logDir}/error.log warn;
146 open_log_file_cache max=1000 inactive=20s min_uses=2 valid=1m;
147 '';
148 proxy = ''
149 proxy_cache_use_stale updating;
150 proxy_temp_path ${nginx.cacheDir}/proxy_temp 1 2;
151 '';
152 fastcgi = ''
153 # DOC: http://wiki.nginx.org/HttpFastcgiModule
154 fastcgi_buffer_size 128k;
155 fastcgi_buffers 256 4k;
156 fastcgi_busy_buffers_size 256k;
157 fastcgi_cache_key "$request_method $scheme://$http_host$request_uri";
158 fastcgi_connect_timeout 60;
159 fastcgi_ignore_client_abort off;
160 fastcgi_intercept_errors on;
161 fastcgi_max_temp_file_size 2M;
162 #fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
163 fastcgi_param SCRIPT_FILENAME $request_filename;
164 fastcgi_temp_path ${nginx.cacheDir}/fastcgi_temp 1 2;
165 '';
166 connection = ''
167 sendfile on;
168 # If the client stops reading data,
169 # free up the stale client connection after this much time.
170 send_timeout 60;
171 # Causes nginx to attempt to send its HTTP response head
172 # in one packet, instead of using partial frames.
173 # This is useful for prepending headers before calling sendfile,
174 # or for throughput optimization.
175 tcp_nopush on;
176 # Don't buffer data-sends (disable Nagle algorithm).
177 # Good for sending frequent small bursts of data in real time.
178 tcp_nodelay on;
179 keepalive_timeout 20;
180 reset_timedout_connection on;
181 types_hash_max_size 4096;
182 server_names_hash_bucket_size 128;
183 '';
184 map = ''
185 map $time_iso8601 $date {
186 default 'date-not-found';
187 '~^(?<year>\d{4})-(?<month>\d{2})-(?<day>\d{2})' $year-$month-$day;
188 }
189
190 map $scheme $hsts_header {
191 https "max-age=31536000; includeSubdomains; preload";
192 }
193
194 # User agents that are to be blocked.
195 #map $http_user_agent $bad_bot {
196 # default 0;
197 # libwww-perl 1;
198 # ~(?i)(httrack|htmlparser|libwww) 1;
199 #}
200 # Referrers that are to be blocked.
201 #map $http_referer $bad_referer {
202 # default 0;
203 # ~(?i)(babes|casino|click|diamond|forsale|girl|jewelry|love|nudit|organic|poker|porn|poweroversoftware|replica|sex|teen|webcam|zippo) 1;
204 #}
205 #geo $not_local {
206 # default 1;
207 # 127.0.0.1 0;
208 #}
209 '';
210 cache = ''
211 client_body_buffer_size 4K;
212 # getconf PAGESIZE
213 # 4096
214 client_body_temp_path ${nginx.cacheDir}/client_body_temp 1 2;
215 client_body_timeout 60;
216 client_header_buffer_size 1k;
217 client_header_timeout 60;
218 large_client_header_buffers 4 8k;
219
220 open_file_cache max=200000 inactive=20s;
221 open_file_cache_errors on;
222 open_file_cache_min_uses 2;
223 open_file_cache_valid 30s;
224 '';
225 });
226 appendConfig = ''
227 worker_processes ${toString config.nix.maxJobs};
228 '';
229 virtualHosts."_" = {
230 forceSSL = true;
231 useACMEHost = networking.domain;
232 };
233 };
234 };
235 }