]> Git — Sourcephile - sourcephile-nix.git/blob - servers/mermet/nginx.nix
initrd: fix SSH host key location
[sourcephile-nix.git] / servers / mermet / nginx.nix
1 {pkgs, lib, config, system, ...}:
2 let
3 inherit (builtins) readFile;
4 inherit (lib) types;
5 inherit (pkgs.lib) loadFile;
6 inherit (config) networking;
7 inherit (config.services) nginx;
8 domainDir = dom: lib.concatStringsSep "/" (lib.reverseList (lib.splitString "." dom));
9 in
10 {
11 imports = [
12 nginx/sourcephile.fr.nix
13 ];
14 options = {
15 services.nginx = {
16 webDir = lib.mkOption {
17 type = types.str;
18 default = "/var/www";
19 };
20 cacheDir = lib.mkOption {
21 type = types.str;
22 default = "/dev/shm/nginx";
23 };
24 logDir = lib.mkOption {
25 type = types.str;
26 default = "/var/log/nginx";
27 };
28 configs = lib.mkOption {
29 type = types.attrsOf types.lines;
30 default = {};
31 description = ''
32 Make some configs available to all virtual hosts.
33 Useful to workaround the reset of add_header:
34 https://blog.g3rt.nl/nginx-add_header-pitfall.html
35 '';
36 #apply = lib.mapAttrs (name: pkgs.writeText "${name}.conf");
37 };
38 };
39 };
40 config = {
41 systemd.services.nginx = {
42 preStart = lib.mkBefore ''
43 install -D -d -o ${nginx.user} -g ${nginx.group} -m 0700 \
44 ${nginx.cacheDir} \
45 ${nginx.logDir} \
46 ${nginx.webDir}
47 '';
48 };
49 users.groups."acme".members = [nginx.user];
50 networking.nftables.ruleset = ''
51 add rule inet filter net2fw tcp dport 80 counter accept comment "HTTP"
52 add rule inet filter net2fw tcp dport 443 counter accept comment "HTTPS"
53 '';
54 services.nginx = {
55 enable = true;
56 package = pkgs.nginx.override {
57 modules = with pkgs.nginxModules; [
58 fancyindex
59 ];
60 };
61 eventsConfig = ''
62 multi_accept on;
63 use epoll;
64 worker_connections 1024;
65 '';
66 clientMaxBodySize = "20m";
67 recommendedGzipSettings = true;
68 recommendedOptimisation = false;
69 recommendedProxySettings = true;
70 recommendedTlsSettings = true;
71 resolver = {
72 addresses = [ "127.0.0.1:53" ];
73 valid = "";
74 ipv6 = networking.defaultGateway6 != null;
75 };
76 serverTokens = false;
77 # Only allow PFS-enabled ciphers with AES256
78 #sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
79 #sslCiphers = "HIGH:!ADH:!MD5:!CAMELLIA:!SEED:!3DES:!DES:!RC4:!eNULL";
80 #sslCiphers = "EECDH+aRSA+AESGCM:EDH+aRSA:EECDH+aRSA:+AES256:+AES128:+SHA1:!CAMELLIA:!SEED:!3DES:!DES:!RC4:!eNULL";
81 sslDhparam = ../../../sec/openssl/dh.pem;
82 sslProtocols = "TLSv1.3 TLSv1.2";
83 configs = rec {
84 http_add_headers = ''
85 # Add HSTS header with preloading to HTTPS requests.
86 # Adding this header to HTTP requests is discouraged
87 # DOC: https://blog.qualys.com/securitylabs/2016/03/28/the-importance-of-a-proper-http-strict-transport-security-implementation-on-your-web-server
88 add_header Strict-Transport-Security $hsts_header;
89
90 # Enable CSP for your services.
91 #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
92
93 # Minimize information leaked to other domains
94 add_header 'Referrer-Policy' 'origin-when-cross-origin';
95
96 # Disable embedding as a frame
97 add_header X-Frame-Options DENY;
98
99 # Prevent injection of code in other mime types (XSS Attacks)
100 add_header X-Content-Type-Options nosniff;
101
102 # Enable XSS protection of the browser.
103 # May be unnecessary when CSP is configured properly (see above)
104 add_header X-XSS-Protection "1; mode=block";
105 '';
106 https_add_headers = ''
107 ${http_add_headers}
108 '';
109 };
110 commonHttpConfig = ''
111 log_format main '$remote_addr - $remote_user [$time_local] "$request" '
112 '$status $body_bytes_sent "$http_referer" '
113 '"$http_user_agent" "$http_x_forwarded_for"';
114
115 log_format json escape=json
116 '{'
117 '"time_local":"$time_local",'
118 '"remote_addr":"$remote_addr",'
119 '"status": "$status",'
120 '"request":"$request",'
121 '"body_bytes_sent":"$body_bytes_sent",'
122 '"http_referrer":"$http_referer",'
123 '"http_user_agent":"$http_user_agent",'
124 '"remote_user":"$remote_user",'
125 '"request_time":"$request_time"'
126 '}';
127 charset UTF-8;
128 types {
129 text/html html5;
130 text/plain md;
131 }
132 '' +
133 lib.concatStringsSep "\n" (lib.attrValues {
134 default = ''
135 default_type application/octet-stream;
136 root ${nginx.webDir};
137 '';
138 security = ''
139 #error_page 403 = 404;
140
141 ${nginx.configs.http_add_headers}
142
143 # This might create errors
144 proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
145 '';
146 log = ''
147 access_log ${nginx.logDir}/access.log main buffer=32k;
148 error_log ${nginx.logDir}/error.log warn;
149 open_log_file_cache max=1000 inactive=20s min_uses=2 valid=1m;
150 '';
151 proxy = ''
152 proxy_cache_use_stale updating;
153 proxy_temp_path ${nginx.cacheDir}/proxy_temp 1 2;
154 '';
155 fastcgi = ''
156 # DOC: http://wiki.nginx.org/HttpFastcgiModule
157 fastcgi_buffer_size 128k;
158 fastcgi_buffers 256 4k;
159 fastcgi_busy_buffers_size 256k;
160 fastcgi_cache_key "$request_method $scheme://$http_host$request_uri";
161 fastcgi_connect_timeout 60;
162 fastcgi_ignore_client_abort off;
163 fastcgi_intercept_errors on;
164 fastcgi_max_temp_file_size 2M;
165 #fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
166 fastcgi_param SCRIPT_FILENAME $request_filename;
167 fastcgi_temp_path ${nginx.cacheDir}/fastcgi_temp 1 2;
168 '';
169 connection = ''
170 sendfile on;
171 # If the client stops reading data,
172 # free up the stale client connection after this much time.
173 send_timeout 60;
174 # Causes nginx to attempt to send its HTTP response head
175 # in one packet, instead of using partial frames.
176 # This is useful for prepending headers before calling sendfile,
177 # or for throughput optimization.
178 tcp_nopush on;
179 # Don't buffer data-sends (disable Nagle algorithm).
180 # Good for sending frequent small bursts of data in real time.
181 tcp_nodelay on;
182 keepalive_timeout 20;
183 reset_timedout_connection on;
184 types_hash_max_size 4096;
185 server_names_hash_bucket_size 128;
186 '';
187 map = ''
188 map $time_iso8601 $date {
189 default 'date-not-found';
190 '~^(?<year>\d{4})-(?<month>\d{2})-(?<day>\d{2})' $year-$month-$day;
191 }
192
193 map $scheme $hsts_header {
194 https "max-age=31536000; includeSubdomains; preload";
195 }
196
197 # User agents that are to be blocked.
198 #map $http_user_agent $bad_bot {
199 # default 0;
200 # libwww-perl 1;
201 # ~(?i)(httrack|htmlparser|libwww) 1;
202 #}
203 # Referrers that are to be blocked.
204 #map $http_referer $bad_referer {
205 # default 0;
206 # ~(?i)(babes|casino|click|diamond|forsale|girl|jewelry|love|nudit|organic|poker|porn|poweroversoftware|replica|sex|teen|webcam|zippo) 1;
207 #}
208 #geo $not_local {
209 # default 1;
210 # 127.0.0.1 0;
211 #}
212 '';
213 cache = ''
214 client_body_buffer_size 4K;
215 # getconf PAGESIZE
216 # 4096
217 client_body_temp_path ${nginx.cacheDir}/client_body_temp 1 2;
218 client_body_timeout 60;
219 client_header_buffer_size 1k;
220 client_header_timeout 60;
221 large_client_header_buffers 4 8k;
222
223 open_file_cache max=200000 inactive=20s;
224 open_file_cache_errors on;
225 open_file_cache_min_uses 2;
226 open_file_cache_valid 30s;
227 '';
228 });
229 appendConfig = ''
230 worker_processes ${toString config.nix.maxJobs};
231 '';
232 virtualHosts."_" = {
233 forceSSL = true;
234 useACMEHost = networking.domain;
235 };
236 };
237 };
238 }