]> Git — Sourcephile - sourcephile-nix.git/blob - nixos/profiles/services/nginx.nix
sourcephile / git / sourcephile-nix.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
logrotate: rotate nginx access.json
[sourcephile-nix.git] / nixos / profiles / services / nginx.nix
1 { inputs, pkgs, lib, config, host, ... }:
2 let
3 inherit (lib) types;
4 inherit (config) networking;
5 inherit (config.services) nginx;
6 in
7 {
8 options = {
9 services.nginx = {
10 configs = lib.mkOption {
11 type = types.attrsOf types.lines;
12 default = {};
13 description = ''
14 Make some configs available to all virtual hosts.
15 Useful to workaround the reset of add_header:
16 https://blog.g3rt.nl/nginx-add_header-pitfall.html
17 '';
18 #apply = lib.mapAttrs (name: pkgs.writeText "${name}.conf");
19 };
20 };
21 };
22 config = {
23 systemd.tmpfiles.rules = [
24 "d '/dev/shm/nginx' '750' '${nginx.user}' '${nginx.group}' - -"
25 ];
26 systemd.services.nginx = {
27 requires = [ "systemd-tmpfiles-setup-dev.service" ];
28 serviceConfig = {
29 # FIXME: remove all the mkForce in LogsDirectory
30 # whenever upstream uses a list instead of a string.
31 LogsDirectory = lib.mkForce ["nginx"];
32 StateDirectory = ["nginx"];
33 StateDirectoryMode = "2770";
34 #BindPaths = ["/dev/shm/nginx:/var/cache/nginx"];
35 };
36 };
37 services.logrotate = {
38 enable = true;
39 paths.nginx = {
40 path = [
41 "/var/log/nginx/*.log"
42 "/var/log/nginx/*/*.log"
43 "/var/log/nginx/*/*/*.log"
44 "/var/log/nginx/*/*/*/*.log"
45 "/var/log/nginx/*/*/*/*/*.log"
46 "/var/log/nginx/*.json"
47 "/var/log/nginx/*/*.json"
48 "/var/log/nginx/*/*/*.json"
49 "/var/log/nginx/*/*/*/*.json"
50 "/var/log/nginx/*/*/*/*/*.json"
51 ];
52 frequency = "weekly";
53 keep = 26;
54 extraConfig = ''
55 compress
56 delaycompress
57 postrotate
58 [ ! -f /var/run/nginx/nginx.pid ] || kill -USR1 `cat /var/run/nginx/nginx.pid`
59 endscript
60 '';
61 };
62 };
63 services.nginx = {
64 eventsConfig = ''
65 multi_accept on;
66 use epoll;
67 worker_connections 1024;
68 '';
69 clientMaxBodySize = "20m";
70 recommendedGzipSettings = true;
71 recommendedOptimisation = false;
72 recommendedProxySettings = true;
73 recommendedTlsSettings = true;
74 resolver = {
75 ipv6 = lib.mkDefault (networking.defaultGateway6 != null);
76 };
77 serverTokens = false;
78 # Only allow PFS-enabled ciphers with AES256
79 #sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
80 #sslCiphers = "HIGH:!ADH:!MD5:!CAMELLIA:!SEED:!3DES:!DES:!RC4:!eNULL";
81 #sslCiphers = "EECDH+aRSA+AESGCM:EDH+aRSA:EECDH+aRSA:+AES256:+AES128:+SHA1:!CAMELLIA:!SEED:!3DES:!DES:!RC4:!eNULL";
82 sslDhparam = inputs.secrets + "/openssl/dh.pem";
83 sslProtocols = "TLSv1.3 TLSv1.2";
84 configs = rec {
85 http_add_headers = ''
86 # Enable CSP
87 #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
88
89 # Enable XSS protection of the browser.
90 # May be unnecessary when CSP is configured properly (see above)
91 add_header X-XSS-Protection "1; mode=block";
92
93 # Minimize information leaked to other domains
94 add_header 'Referrer-Policy' 'origin-when-cross-origin';
95
96 # Restrict embedding as a frame
97 #add_header X-Frame-Options SAMEORIGIN;
98
99 # Prevent injection of code in other mime types (XSS Attacks)
100 add_header X-Content-Type-Options nosniff;
101 '';
102 https_add_headers = ''
103 ${http_add_headers}
104 # Add HSTS header with preloading to HTTPS requests.
105 # Adding this header to HTTP requests is discouraged,
106 # as doing so makes the connection vulnerable to SSL stripping attacks
107 # DOC: https://blog.qualys.com/securitylabs/2016/03/28/the-importance-of-a-proper-http-strict-transport-security-implementation-on-your-web-server
108 add_header Strict-Transport-Security $hsts_header;
109 '';
110 };
111 commonHttpConfig = ''
112 log_format main '$remote_addr - $remote_user [$time_local] "$request" '
113 '$status $body_bytes_sent "$http_referer" '
114 '"$http_user_agent" "$http_x_forwarded_for"';
115 log_format json escape=json '{'
116 '"time_local":"$time_local",'
117 '"host":"$host",'
118 '"request":"$request",'
119 '"status":"$status",'
120 '"http_referrer":"$http_referer",'
121 '"remote_addr":"$remote_addr",'
122 '"remote_user":"$remote_user",'
123 '"msec":"$msec",'
124 '"body_bytes_sent":"$body_bytes_sent",'
125 '"bytes_sent":"$bytes_sent",'
126 '"http_user_agent":"$http_user_agent",'
127 '"request_length":"$request_length",'
128 '"request_method":"$request_method",'
129 '"request_time":"$request_time",'
130 '"request_uri":"$request_uri",'
131 '"server_protocol":"$server_protocol",'
132 '"ssl_protocol":"$ssl_protocol",'
133 '"upstream_addr":"$upstream_addr",'
134 '"upstream_connect_time":"$upstream_connect_time",'
135 '"upstream_response_time":"$upstream_response_time"'
136 '}';
137 charset UTF-8;
138 types {
139 text/html html5;
140 text/plain dump;
141 }
142 '' +
143 lib.concatStringsSep "\n" (lib.attrValues {
144 default = ''
145 #default_type application/octet-stream;
146 root /var/lib/nginx;
147 '';
148 security = ''
149 #error_page 403 = 404;
150
151 ${nginx.configs.http_add_headers}
152
153 # This might create errors
154 #proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
155 '';
156 log = ''
157 access_log /var/log/nginx/access.json json;
158 error_log /var/log/nginx/error.log warn;
159 open_log_file_cache max=1000 inactive=20s min_uses=2 valid=1m;
160 '';
161 proxy = ''
162 proxy_cache_use_stale updating;
163 proxy_temp_path /var/cache/nginx/proxy_temp 1 2;
164 '';
165 fastcgi = ''
166 # DOC: http://wiki.nginx.org/HttpFastcgiModule
167 fastcgi_buffer_size 128k;
168 fastcgi_buffers 256 4k;
169 fastcgi_busy_buffers_size 256k;
170 fastcgi_cache_key "$request_method $scheme://$http_host$request_uri";
171 fastcgi_connect_timeout 60;
172 fastcgi_ignore_client_abort off;
173 fastcgi_intercept_errors on;
174 fastcgi_max_temp_file_size 2M;
175 #fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
176 fastcgi_param SCRIPT_FILENAME $request_filename;
177 fastcgi_temp_path /var/cache/nginx/fastcgi_temp 1 2;
178 '';
179 connection = ''
180 sendfile on;
181 # If the client stops reading data,
182 # free up the stale client connection after this much time.
183 send_timeout 60;
184 # Causes nginx to attempt to send its HTTP response head
185 # in one packet, instead of using partial frames.
186 # This is useful for prepending headers before calling sendfile,
187 # or for throughput optimization.
188 tcp_nopush on;
189 # Don't buffer data-sends (disable Nagle algorithm).
190 # Good for sending frequent small bursts of data in real time.
191 tcp_nodelay on;
192 keepalive_timeout 20;
193 reset_timedout_connection on;
194 server_names_hash_bucket_size 128;
195 '';
196 map = ''
197 map $time_iso8601 $date {
198 default 'date-not-found';
199 '~^(?<year>\d{4})-(?<month>\d{2})-(?<day>\d{2})' $year-$month-$day;
200 }
201
202 map $scheme $hsts_header {
203 https "max-age=31536000; includeSubdomains; preload";
204 }
205
206 # User agents that are to be blocked.
207 #map $http_user_agent $bad_bot {
208 # default 0;
209 # libwww-perl 1;
210 # ~(?i)(httrack|htmlparser|libwww) 1;
211 #}
212 # Referrers that are to be blocked.
213 #map $http_referer $bad_referer {
214 # default 0;
215 # ~(?i)(babes|casino|click|diamond|forsale|girl|jewelry|love|nudit|organic|poker|porn|poweroversoftware|replica|sex|teen|webcam|zippo) 1;
216 #}
217 #geo $not_local {
218 # default 1;
219 # 127.0.0.1 0;
220 #}
221 '';
222 cache = ''
223 client_body_buffer_size 4K;
224 # getconf PAGESIZE
225 # 4096
226 client_body_temp_path /var/cache/nginx/client_body_temp 1 2;
227 client_body_timeout 60;
228 client_header_buffer_size 1k;
229 client_header_timeout 60;
230 large_client_header_buffers 4 8k;
231
232 open_file_cache max=200000 inactive=20s;
233 open_file_cache_errors on;
234 open_file_cache_min_uses 2;
235 open_file_cache_valid 30s;
236 '';
237 });
238 appendConfig = ''
239 worker_processes ${toString host.CPUs};
240 '';
241 };
242 };
243 }
NixOS configurations for Sourcephile's infrastructure