{pkgs, lib, config, system, ...}: let inherit (builtins) readFile toPath; inherit (builtins.extraBuiltins) pass; inherit (lib) types; inherit (config) networking; inherit (config.services) nginx x509; domainDir = dom: lib.concatStringsSep "/" (lib.reverseList (lib.splitString "." dom)); in { imports = [ nginx/gitweb.nix ]; options = { services.nginx = { x509Dir = lib.mkOption { type = types.str; default = "/var/lib/nginx/x509"; }; webDir = lib.mkOption { type = types.str; default = "/var/www"; }; logDir = lib.mkOption { type = types.str; default = "/var/log/nginx"; }; }; }; config = { systemd.services.nginx.after = [ "${networking.domainBase}.key.pem-key.service" #"keys.target" ]; deployment.keys = { "${networking.domainBase}.key.pem" = { text = pass "x509/${networking.domainBase}/key.pem"; user = nginx.user; group = "nobody"; destDir = "/var/lib/nginx/x509/"; permissions = "0400"; # WARNING: not enforced when deployment.storeKeysOnMachine = true }; }; systemd.services.nginx = { preStart = lib.mkBefore '' install -D -d -o ${nginx.user} -g ${nginx.group} -m 0700 \ ${nginx.x509Dir} \ ${nginx.webDir} \ ${nginx.logDir} ''; }; services.nginx = { enable = true; stateDir = "/dev/shm/nginx"; eventsConfig = '' multi_accept on; use epoll; worker_connections 1024; ''; clientMaxBodySize = "20m"; recommendedProxySettings = true; recommendedTlsSettings = true; serverTokens = false; sslCiphers = "HIGH:!ADH:!MD5:!CAMELLIA:!SEED:!3DES:!DES:!RC4:!eNULL"; sslDhparam = ../../../sec/openssl/dh.pem; #sslCiphers = "EECDH+aRSA+AESGCM:EDH+aRSA:EECDH+aRSA:+AES256:+AES128:+SHA1:!CAMELLIA:!SEED:!3DES:!DES:!RC4:!eNULL;"; #sslProtocols = "TLSv1.2"; commonHttpConfig = '' log_format main '$remote_addr - $remote_user [$time_local] "$request" ' '$status $body_bytes_sent "$http_referer" ' '"$http_user_agent" "$http_x_forwarded_for"'; #charset UTF-8; '' + lib.concatStringsSep "\n" (lib.attrValues { default = '' default_type application/octet-stream; root ${nginx.webDir}; ''; security = '' #error_page 403 = 404; ''; log = '' access_log ${nginx.logDir}/access.log main buffer=32k; error_log ${nginx.logDir}/error.log warn; open_log_file_cache max=1000 inactive=20s min_uses=2 valid=1m; ''; proxy = '' proxy_cache_use_stale updating; proxy_temp_path ${nginx.stateDir}/proxy_temp 1 2; ''; fastcgi = '' # DOC: http://wiki.nginx.org/HttpFastcgiModule fastcgi_buffer_size 128k; fastcgi_buffers 256 4k; fastcgi_busy_buffers_size 256k; fastcgi_cache_key "$request_method $scheme://$http_host$request_uri"; fastcgi_cache_path ${nginx.stateDir}/fastcgi_cache inactive=10m keys_zone=microcache:2M levels=1:2 loader_files=100000 loader_sleep=1 loader_threshold=2592000000 max_size=64M; fastcgi_connect_timeout 60; fastcgi_ignore_client_abort off; fastcgi_intercept_errors on; fastcgi_max_temp_file_size 2M; #fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_param SCRIPT_FILENAME $request_filename; fastcgi_temp_path ${nginx.stateDir}/fastcgi_temp 1 2; ''; connexion = '' sendfile on; # If the client stops reading data, # free up the stale client connection after this much time. send_timeout 60; # Causes nginx to attempt to send its HTTP response head # in one packet, instead of using partial frames. # This is useful for prepending headers before calling sendfile, # or for throughput optimization. tcp_nopush on; # Don't buffer data-sends (disable Nagle algorithm). # Good for sending frequent small bursts of data in real time. tcp_nodelay on; keepalive_timeout 20; reset_timedout_connection on; server_names_hash_bucket_size 128; types_hash_max_size 2048; ''; map = '' # User agents that are to be blocked. #map $http_user_agent $bad_bot { # default 0; # libwww-perl 1; # ~(?i)(httrack|htmlparser|libwww) 1; #} # Referrers that are to be blocked. #map $http_referer $bad_referer { # default 0; # ~(?i)(babes|casino|click|diamond|forsale|girl|jewelry|love|nudit|organic|poker|porn|poweroversoftware|replica|sex|teen|webcam|zippo) 1; #} #geo $not_local { # default 1; # 127.0.0.1 0; #} ''; gzip = '' gzip on; gzip_buffers 16 8k; gzip_comp_level 6; gzip_disable "MSIE [1-6]\."; gzip_http_version 1.1; gzip_min_length 1024; gzip_proxied any; gzip_static on; gzip_vary on; gzip_types application/atom+xml application/javascript application/json application/rss+xml application/vnd.ms-fontobject application/x-font-ttf application/x-javascript application/xml application/xml+rss font/opentype font/truetype image/svg+xml text/css text/javascript text/plain text/x-component text/xml; ''; cache = '' client_body_buffer_size 4K; # getconf PAGESIZE # 4096 client_body_temp_path ${nginx.stateDir}/client_body_temp 1 2; client_body_timeout 60; client_header_buffer_size 1k; client_header_timeout 60; large_client_header_buffers 4 8k; open_file_cache max=200000 inactive=20s; open_file_cache_errors on; open_file_cache_min_uses 2; open_file_cache_valid 30s; ''; }); appendConfig = '' worker_processes 2; ''; virtualHosts."_" = { forceSSL = true; # Convoluted way to load the certificate in the store and using ${networking.domainBase} to find it. # NOTE: no ssl_stapling while the certificate remains self-signed. sslCertificate = pkgs.writeText "cert.self-signed.pem" (readFile ((toPath ../../../sec) + "/openssl/${networking.domainBase}/cert.self-signed.pem")); sslCertificateKey = "/var/lib/nginx/x509/${networking.domainBase}.key.pem"; }; }; }; }