]> Git — Sourcephile - sourcephile-nix.git/blob - servers/mermet/nginx.nix
x509: send the key once for root, not one per service
[sourcephile-nix.git] / servers / mermet / nginx.nix
1 {pkgs, lib, config, system, ...}:
2 let
3 inherit (builtins) readFile;
4 inherit (builtins.extraBuiltins) pass;
5 inherit (lib) types;
6 inherit (pkgs.lib) loadFile;
7 inherit (config) networking;
8 inherit (config.services) nginx;
9 domainDir = dom: lib.concatStringsSep "/" (lib.reverseList (lib.splitString "." dom));
10 in
11 {
12 imports = [
13 nginx/gitweb.nix
14 nginx/www.nix
15 ];
16 options = {
17 services.nginx = {
18 x509Dir = lib.mkOption {
19 type = types.str;
20 default = "/var/lib/nginx/x509";
21 };
22 webDir = lib.mkOption {
23 type = types.str;
24 default = "/var/www";
25 };
26 logDir = lib.mkOption {
27 type = types.str;
28 default = "/var/log/nginx";
29 };
30 };
31 };
32 config = {
33 systemd.services.nginx = {
34 preStart = lib.mkBefore ''
35 install -D -d -o ${nginx.user} -g ${nginx.group} -m 0700 \
36 ${nginx.x509Dir} \
37 ${nginx.webDir} \
38 ${nginx.logDir}
39 '';
40 after = [
41 "${networking.domain}.key.pem-key.service"
42 ];
43 };
44 services.nginx = {
45 enable = true;
46 stateDir = "/dev/shm/nginx";
47 eventsConfig = ''
48 multi_accept on;
49 use epoll;
50 worker_connections 1024;
51 '';
52 clientMaxBodySize = "20m";
53 recommendedProxySettings = true;
54 recommendedTlsSettings = true;
55 serverTokens = false;
56 # Only allow PFS-enabled ciphers with AES256
57 sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
58 #sslCiphers = "HIGH:!ADH:!MD5:!CAMELLIA:!SEED:!3DES:!DES:!RC4:!eNULL";
59 sslDhparam = ../../../sec/openssl/dh.pem;
60 #sslCiphers = "EECDH+aRSA+AESGCM:EDH+aRSA:EECDH+aRSA:+AES256:+AES128:+SHA1:!CAMELLIA:!SEED:!3DES:!DES:!RC4:!eNULL;";
61 #sslProtocols = "TLSv1.2";
62 commonHttpConfig = ''
63 log_format main '$remote_addr - $remote_user [$time_local] "$request" '
64 '$status $body_bytes_sent "$http_referer" '
65 '"$http_user_agent" "$http_x_forwarded_for"';
66 #charset UTF-8;
67 '' +
68 lib.concatStringsSep "\n" (lib.attrValues {
69 default = ''
70 default_type application/octet-stream;
71 root ${nginx.webDir};
72 '';
73 security = ''
74 #error_page 403 = 404;
75
76 # Add HSTS header with preloading to HTTPS requests.
77 # Adding this header to HTTP requests is discouraged
78 #map $scheme $hsts_header {
79 # https "max-age=31536000; includeSubdomains; preload";
80 #}
81 #add_header Strict-Transport-Security $hsts_header;
82
83 # Enable CSP for your services.
84 #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
85
86 # Minimize information leaked to other domains
87 add_header 'Referrer-Policy' 'origin-when-cross-origin';
88
89 # Disable embedding as a frame
90 add_header X-Frame-Options DENY;
91
92 # Prevent injection of code in other mime types (XSS Attacks)
93 add_header X-Content-Type-Options nosniff;
94
95 # Enable XSS protection of the browser.
96 # May be unnecessary when CSP is configured properly (see above)
97 add_header X-XSS-Protection "1; mode=block";
98
99 # This might create errors
100 proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
101 '';
102 log = ''
103 access_log ${nginx.logDir}/access.log main buffer=32k;
104 error_log ${nginx.logDir}/error.log warn;
105 open_log_file_cache max=1000 inactive=20s min_uses=2 valid=1m;
106 '';
107 proxy = ''
108 proxy_cache_use_stale updating;
109 proxy_temp_path ${nginx.stateDir}/proxy_temp 1 2;
110 '';
111 fastcgi = ''
112 # DOC: http://wiki.nginx.org/HttpFastcgiModule
113 fastcgi_buffer_size 128k;
114 fastcgi_buffers 256 4k;
115 fastcgi_busy_buffers_size 256k;
116 fastcgi_cache_key "$request_method $scheme://$http_host$request_uri";
117 fastcgi_cache_path ${nginx.stateDir}/fastcgi_cache
118 inactive=10m
119 keys_zone=microcache:2M
120 levels=1:2
121 loader_files=100000
122 loader_sleep=1
123 loader_threshold=2592000000
124 max_size=64M;
125 fastcgi_connect_timeout 60;
126 fastcgi_ignore_client_abort off;
127 fastcgi_intercept_errors on;
128 fastcgi_max_temp_file_size 2M;
129 #fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
130 fastcgi_param SCRIPT_FILENAME $request_filename;
131 fastcgi_temp_path ${nginx.stateDir}/fastcgi_temp 1 2;
132 '';
133 connection = ''
134 sendfile on;
135 # If the client stops reading data,
136 # free up the stale client connection after this much time.
137 send_timeout 60;
138 # Causes nginx to attempt to send its HTTP response head
139 # in one packet, instead of using partial frames.
140 # This is useful for prepending headers before calling sendfile,
141 # or for throughput optimization.
142 tcp_nopush on;
143 # Don't buffer data-sends (disable Nagle algorithm).
144 # Good for sending frequent small bursts of data in real time.
145 tcp_nodelay on;
146 keepalive_timeout 20;
147 reset_timedout_connection on;
148 server_names_hash_bucket_size 128;
149 types_hash_max_size 2048;
150 '';
151 map = ''
152 # User agents that are to be blocked.
153 #map $http_user_agent $bad_bot {
154 # default 0;
155 # libwww-perl 1;
156 # ~(?i)(httrack|htmlparser|libwww) 1;
157 #}
158 # Referrers that are to be blocked.
159 #map $http_referer $bad_referer {
160 # default 0;
161 # ~(?i)(babes|casino|click|diamond|forsale|girl|jewelry|love|nudit|organic|poker|porn|poweroversoftware|replica|sex|teen|webcam|zippo) 1;
162 #}
163 #geo $not_local {
164 # default 1;
165 # 127.0.0.1 0;
166 #}
167 '';
168 gzip = ''
169 gzip on;
170 gzip_buffers 16 8k;
171 gzip_comp_level 6;
172 gzip_disable "MSIE [1-6]\.";
173 gzip_http_version 1.1;
174 gzip_min_length 1024;
175 gzip_proxied any;
176 gzip_static on;
177 gzip_vary on;
178 gzip_types application/atom+xml
179 application/javascript
180 application/json
181 application/rss+xml
182 application/vnd.ms-fontobject
183 application/x-font-ttf
184 application/x-javascript
185 application/xml
186 application/xml+rss
187 font/opentype
188 font/truetype
189 image/svg+xml
190 text/css
191 text/javascript
192 text/plain
193 text/x-component
194 text/xml;
195 '';
196 cache = ''
197 client_body_buffer_size 4K;
198 # getconf PAGESIZE
199 # 4096
200 client_body_temp_path ${nginx.stateDir}/client_body_temp 1 2;
201 client_body_timeout 60;
202 client_header_buffer_size 1k;
203 client_header_timeout 60;
204 large_client_header_buffers 4 8k;
205
206 open_file_cache max=200000 inactive=20s;
207 open_file_cache_errors on;
208 open_file_cache_min_uses 2;
209 open_file_cache_valid 30s;
210 '';
211 });
212 appendConfig = ''
213 worker_processes 4;
214 '';
215 virtualHosts."_" = {
216 forceSSL = false;
217 # Convoluted way to load the certificate in the store and using ${networking.domainBase} to find it.
218 # NOTE: no ssl_stapling while the certificate remains self-signed.
219 sslCertificate = loadFile (../../../sec + "/openssl/${networking.domain}/cert.self-signed.pem");
220 sslCertificateKey = "/run/keys/${networking.domain}.key.pem";
221 };
222 };
223 };
224 }