]> Git — Sourcephile - sourcephile-nix.git/blob - nixos/profiles/services/nginx.nix
wireguard: setup in initrd
[sourcephile-nix.git] / nixos / profiles / services / nginx.nix
1 { pkgs, lib, config, ... }:
2 let
3 inherit (lib) types;
4 inherit (config) networking;
5 inherit (config.services) nginx;
6 in
7 {
8 options = {
9 services.nginx = {
10 configs = lib.mkOption {
11 type = types.attrsOf types.lines;
12 default = {};
13 description = ''
14 Make some configs available to all virtual hosts.
15 Useful to workaround the reset of add_header:
16 https://blog.g3rt.nl/nginx-add_header-pitfall.html
17 '';
18 #apply = lib.mapAttrs (name: pkgs.writeText "${name}.conf");
19 };
20 };
21 };
22 config = {
23 systemd.tmpfiles.rules = [
24 "d '/dev/shm/nginx' '750' '${nginx.user}' '${nginx.group}' - -"
25 ];
26 systemd.services.nginx = {
27 serviceConfig = {
28 # FIXME: remove all the mkForce in LogsDirectory
29 # whenever upstream uses a list instead of a string.
30 LogsDirectory = lib.mkForce ["nginx"];
31 StateDirectory = ["nginx"];
32 StateDirectoryMode = "2770";
33 BindPaths = ["/dev/shm/nginx:/var/cache/nginx"];
34 };
35 };
36 services.nginx = {
37 eventsConfig = ''
38 multi_accept on;
39 use epoll;
40 worker_connections 1024;
41 '';
42 clientMaxBodySize = "20m";
43 recommendedGzipSettings = true;
44 recommendedOptimisation = false;
45 recommendedProxySettings = true;
46 recommendedTlsSettings = true;
47 resolver = {
48 ipv6 = lib.mkDefault (networking.defaultGateway6 != null);
49 };
50 serverTokens = false;
51 # Only allow PFS-enabled ciphers with AES256
52 #sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
53 #sslCiphers = "HIGH:!ADH:!MD5:!CAMELLIA:!SEED:!3DES:!DES:!RC4:!eNULL";
54 #sslCiphers = "EECDH+aRSA+AESGCM:EDH+aRSA:EECDH+aRSA:+AES256:+AES128:+SHA1:!CAMELLIA:!SEED:!3DES:!DES:!RC4:!eNULL";
55 sslDhparam = ../../../../sec/openssl/dh.pem;
56 sslProtocols = "TLSv1.3 TLSv1.2";
57 configs = rec {
58 http_add_headers = ''
59 # Add HSTS header with preloading to HTTPS requests.
60 # Adding this header to HTTP requests is discouraged
61 # DOC: https://blog.qualys.com/securitylabs/2016/03/28/the-importance-of-a-proper-http-strict-transport-security-implementation-on-your-web-server
62 add_header Strict-Transport-Security $hsts_header;
63
64 # Enable CSP for your services.
65 #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
66
67 # Minimize information leaked to other domains
68 add_header 'Referrer-Policy' 'origin-when-cross-origin';
69
70 # Disable embedding as a frame
71 add_header X-Frame-Options DENY;
72
73 # Prevent injection of code in other mime types (XSS Attacks)
74 add_header X-Content-Type-Options nosniff;
75
76 # Enable XSS protection of the browser.
77 # May be unnecessary when CSP is configured properly (see above)
78 add_header X-XSS-Protection "1; mode=block";
79 '';
80 https_add_headers = ''
81 ${http_add_headers}
82 '';
83 };
84 commonHttpConfig = ''
85 log_format main '$remote_addr - $remote_user [$time_local] "$request" '
86 '$status $body_bytes_sent "$http_referer" '
87 '"$http_user_agent" "$http_x_forwarded_for"';
88
89 log_format json escape=json
90 '{'
91 '"time_local":"$time_local",'
92 '"remote_addr":"$remote_addr",'
93 '"status": "$status",'
94 '"request":"$request",'
95 '"body_bytes_sent":"$body_bytes_sent",'
96 '"http_referrer":"$http_referer",'
97 '"http_user_agent":"$http_user_agent",'
98 '"remote_user":"$remote_user",'
99 '"request_time":"$request_time"'
100 '}';
101 charset UTF-8;
102 types {
103 text/html html5;
104 text/plain md;
105 }
106 '' +
107 lib.concatStringsSep "\n" (lib.attrValues {
108 default = ''
109 default_type application/octet-stream;
110 root /var/lib/nginx;
111 '';
112 security = ''
113 #error_page 403 = 404;
114
115 ${nginx.configs.http_add_headers}
116
117 # This might create errors
118 proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
119 '';
120 log = ''
121 access_log /var/log/nginx/access.log main buffer=32k;
122 error_log /var/log/nginx/error.log warn;
123 open_log_file_cache max=1000 inactive=20s min_uses=2 valid=1m;
124 '';
125 proxy = ''
126 proxy_cache_use_stale updating;
127 proxy_temp_path /var/cache/nginx/proxy_temp 1 2;
128 '';
129 fastcgi = ''
130 # DOC: http://wiki.nginx.org/HttpFastcgiModule
131 fastcgi_buffer_size 128k;
132 fastcgi_buffers 256 4k;
133 fastcgi_busy_buffers_size 256k;
134 fastcgi_cache_key "$request_method $scheme://$http_host$request_uri";
135 fastcgi_connect_timeout 60;
136 fastcgi_ignore_client_abort off;
137 fastcgi_intercept_errors on;
138 fastcgi_max_temp_file_size 2M;
139 #fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
140 fastcgi_param SCRIPT_FILENAME $request_filename;
141 fastcgi_temp_path /var/cache/nginx/fastcgi_temp 1 2;
142 '';
143 connection = ''
144 sendfile on;
145 # If the client stops reading data,
146 # free up the stale client connection after this much time.
147 send_timeout 60;
148 # Causes nginx to attempt to send its HTTP response head
149 # in one packet, instead of using partial frames.
150 # This is useful for prepending headers before calling sendfile,
151 # or for throughput optimization.
152 tcp_nopush on;
153 # Don't buffer data-sends (disable Nagle algorithm).
154 # Good for sending frequent small bursts of data in real time.
155 tcp_nodelay on;
156 keepalive_timeout 20;
157 reset_timedout_connection on;
158 types_hash_max_size 4096;
159 server_names_hash_bucket_size 128;
160 '';
161 map = ''
162 map $time_iso8601 $date {
163 default 'date-not-found';
164 '~^(?<year>\d{4})-(?<month>\d{2})-(?<day>\d{2})' $year-$month-$day;
165 }
166
167 map $scheme $hsts_header {
168 https "max-age=31536000; includeSubdomains; preload";
169 }
170
171 # User agents that are to be blocked.
172 #map $http_user_agent $bad_bot {
173 # default 0;
174 # libwww-perl 1;
175 # ~(?i)(httrack|htmlparser|libwww) 1;
176 #}
177 # Referrers that are to be blocked.
178 #map $http_referer $bad_referer {
179 # default 0;
180 # ~(?i)(babes|casino|click|diamond|forsale|girl|jewelry|love|nudit|organic|poker|porn|poweroversoftware|replica|sex|teen|webcam|zippo) 1;
181 #}
182 #geo $not_local {
183 # default 1;
184 # 127.0.0.1 0;
185 #}
186 '';
187 cache = ''
188 client_body_buffer_size 4K;
189 # getconf PAGESIZE
190 # 4096
191 client_body_temp_path /var/cache/nginx/client_body_temp 1 2;
192 client_body_timeout 60;
193 client_header_buffer_size 1k;
194 client_header_timeout 60;
195 large_client_header_buffers 4 8k;
196
197 open_file_cache max=200000 inactive=20s;
198 open_file_cache_errors on;
199 open_file_cache_min_uses 2;
200 open_file_cache_valid 30s;
201 '';
202 });
203 appendConfig = ''
204 worker_processes ${toString config.nix.maxJobs};
205 '';
206 };
207 };
208 }