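# NixOS module: nginx with a fully hand-written nginx.conf (passed through the
# nixpkgs `services.nginx.config` escape hatch), plus a oneshot unit that
# creates the state/temp/log directories nginx expects before it starts.
{pkgs, lib, config, system, ...}:
let
  inherit (lib) types;
  inherit (config.services) nginx x509;
  # Spool directories for request bodies and upstream buffering live on tmpfs;
  # see the NOTE on nginx-init below about the choice of parent directory.
  tempDir = "/dev/shm/nginx";
  logDir = "/var/log/nginx";
  # "example.org" -> "org/example"; currently not referenced in this module.
  domainDir = dom: lib.concatStringsSep "/" (lib.reverseList (lib.splitString "." dom));
  #customPkgs = import ../../pkgs.nix { inherit pkgs lib config system; };
in {
  imports = [ ];

  # Document root used for `root` in the http block and created by nginx-init.
  options.services.nginx.webDir = lib.mkOption {
    type = types.str;
    default = "/var/www"; # TODO: /var/lib/nginx ?
  };

  config = {
    systemd.services.nginx-init = {
      # NOTE: This service works around a nixpkgs shortcoming: ideally this
      # script would be prepended to nginx.service's preStart, but since that
      # is a types.lines I could only append to it, which would put it after
      # nginx's configuration check instead of before.
      #
      # NOTE(review): /dev/shm is world-writable, so a directory or symlink
      # named /dev/shm/nginx that a local user created before this unit runs
      # would be adopted by `install -d` (which follows an existing symlink)
      # — TODO confirm; a root-owned parent such as /run would avoid this.
      description = "Initialize nginx";
      before = [ "nginx.service" ];
      wantedBy = [ "multi-user.target" ];
      serviceConfig.Type = "oneshot";
      # Mode 1700: only the nginx user can enter these directories.
      script = ''
        install -D -d -m 1700 \
          -o ${nginx.user} \
          -g ${nginx.group} \
          ${nginx.stateDir} \
          ${nginx.stateDir}/fastcgi_cache \
          ${tempDir}/fastcgi_temp \
          ${tempDir}/client_body_temp \
          ${tempDir}/proxy_temp \
          ${tempDir}/scgi_temp \
          ${tempDir}/uwsgi_temp \
          ${logDir} \
          ${nginx.webDir}
      '';
    };

    security.dhparams = {
      enable = true;
      # 2048 bits: 1024-bit DH groups are below current minimums (Logjam) and
      # are refused by modern clients.
      # NOTE(review): nothing in the nginx config below sets `ssl_dhparam`, so
      # the generated parameters are not actually used by nginx yet — TODO
      # point ssl_dhparam at the file this option produces.
      params = { nginx = 2048; };
    };

    services.nginx = {
      enable = true;
      config = ''
        worker_processes 2;
        pid /run/nginx.pid;

        events {
          multi_accept on;
          use epoll;
          worker_connections 1024;
        }

        http {
          log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                          '$status $body_bytes_sent "$http_referer" '
                          '"$http_user_agent" "$http_x_forwarded_for"';
          include ${nginx.package}/conf/mime.types;
          access_log ${logDir}/access.log main buffer=32k;

          # % getconf PAGESIZE
          # 4096
          client_body_buffer_size 4K;
          client_body_temp_path ${tempDir}/client_body_temp 1 2;
          client_body_timeout 60;
          client_header_buffer_size 1k;
          client_header_timeout 60;
          client_max_body_size 20m;
          default_type application/octet-stream;
          error_log ${logDir}/error.log warn;
          #error_log stderr;
          # Answer forbidden resources as not-found so their existence is not revealed.
          error_page 403 = 404;

          # DOC: http://wiki.nginx.org/HttpFastcgiModule
          fastcgi_buffer_size 128k;
          fastcgi_buffers 256 4k;
          fastcgi_busy_buffers_size 256k;
          fastcgi_cache_key "$request_method $scheme://$http_host$request_uri";
          fastcgi_cache_path ${nginx.stateDir}/fastcgi_cache inactive=10m keys_zone=microcache:2M levels=1:2 loader_files=100000 loader_sleep=1 loader_threshold=2592000000 max_size=64M;
          fastcgi_connect_timeout 60;
          fastcgi_ignore_client_abort off;
          fastcgi_intercept_errors on;
          fastcgi_max_temp_file_size 2M;
          fastcgi_param CONTENT_LENGTH $content_length;
          fastcgi_param CONTENT_TYPE $content_type;
          fastcgi_param DOCUMENT_ROOT $document_root;
          fastcgi_param DOCUMENT_URI $document_uri;
          fastcgi_param GATEWAY_INTERFACE CGI/1.1;
          fastcgi_param HTTPS $https if_not_empty;
          fastcgi_param QUERY_STRING $query_string;
          # PHP only, required if PHP was built with --enable-force-cgi-redirect
          fastcgi_param REDIRECT_STATUS 200;
          fastcgi_param REMOTE_ADDR $remote_addr;
          fastcgi_param REMOTE_PORT $remote_port;
          fastcgi_param REQUEST_METHOD $request_method;
          fastcgi_param REQUEST_SCHEME $scheme;
          fastcgi_param REQUEST_URI $request_uri;
          #fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
          # $request_filename is the resolved on-disk path; the per-site configs
          # in site.d are still responsible for deciding which files may reach
          # the FastCGI backend at all.
          fastcgi_param SCRIPT_FILENAME $request_filename;
          fastcgi_param SCRIPT_NAME $fastcgi_script_name;
          fastcgi_param SERVER_ADDR $server_addr;
          fastcgi_param SERVER_NAME $server_name;
          fastcgi_param SERVER_PORT $server_port;
          fastcgi_param SERVER_PROTOCOL $server_protocol;
          fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
          fastcgi_temp_path ${tempDir}/fastcgi_temp 1 2;

          # Compression applies to TLS responses too; bodies that mix
          # attacker-influenced input with secrets are the BREACH case, so keep
          # such secrets out of compressed dynamic pages.
          gzip on;
          gzip_buffers 16 8k;
          gzip_comp_level 6;
          gzip_disable "MSIE [1-6]\.";
          gzip_http_version 1.1;
          gzip_min_length 1024;
          gzip_proxied any;
          gzip_static on;
          gzip_vary on;
          gzip_types application/javascript application/json application/rss+xml application/vnd.ms-fontobject application/x-font-ttf application/x-javascript application/xml application/xml+rss font/opentype font/truetype image/svg+xml text/css text/javascript text/plain text/x-component text/xml;

          keepalive_timeout 20;
          large_client_header_buffers 4 8k;
          open_file_cache max=200000 inactive=20s;
          open_file_cache_errors on;
          open_file_cache_min_uses 2;
          open_file_cache_valid 30s;
          open_log_file_cache max=1000 inactive=20s min_uses=2 valid=1m;
          proxy_cache_use_stale updating;
          proxy_temp_path ${tempDir}/proxy_temp 1 2;
          reset_timedout_connection on;
          root ${nginx.webDir};
          # If the client stops reading data,
          # free up the stale client connection after this much time.
          send_timeout 60;
          sendfile on;
          server_names_hash_bucket_size 128;
          server_tokens off;

          ssl_certificate ${x509.cert};
          ssl_certificate_key ${x509.key};
          # !aNULL excludes every unauthenticated suite (anonymous DH *and*
          # anonymous ECDH); the previous !ADH only covered the former and left
          # AECDH-* suites negotiable, which would allow a silent MITM.
          ssl_ciphers HIGH:!aNULL:!MD5;
          #ssl_ciphers EECDH+aRSA+AESGCM:EDH+aRSA:EECDH+aRSA:+AES256:+AES128:+SHA1:!CAMELLIA:!SEED:!3DES:!DES:!RC4:!eNULL;
          ssl_prefer_server_ciphers on;
          ssl_protocols TLSv1.2;
          ssl_session_cache shared:SSL:10m;

          # Don't buffer data-sends (disable Nagle algorithm).
          # Good for sending frequent small bursts of data in real time.
          tcp_nodelay on;
          # Causes nginx to attempt to send its HTTP response head in one packet,
          # instead of using partial frames.
          # This is useful for prepending headers before calling sendfile,
          # or for throughput optimization.
          tcp_nopush on;
          types_hash_max_size 2048;

          uwsgi_param CONTENT_LENGTH $content_length;
          uwsgi_param CONTENT_TYPE $content_type;
          uwsgi_param DOCUMENT_ROOT $document_root;
          uwsgi_param HTTPS $https if_not_empty;
          uwsgi_param PATH_INFO $document_uri;
          uwsgi_param QUERY_STRING $query_string;
          uwsgi_param REMOTE_ADDR $remote_addr;
          uwsgi_param REMOTE_PORT $remote_port;
          uwsgi_param REQUEST_METHOD $request_method;
          uwsgi_param REQUEST_SCHEME $scheme;
          uwsgi_param REQUEST_URI $request_uri;
          uwsgi_param SERVER_NAME $server_name;
          uwsgi_param SERVER_PORT $server_port;
          uwsgi_param SERVER_PROTOCOL $server_protocol;

          # $connection_upgrade is used for websocket proxying
          # ("'''" is the Nix escape for an empty '' key in the map).
          map $http_upgrade $connection_upgrade {
            default upgrade;
            ''' close;
          }

          # User agents that are to be blocked.
          #map $http_user_agent $bad_bot {
          #  default 0;
          #  libwww-perl 1;
          #  ~(?i)(httrack|htmlparser|libwww) 1;
          #}
          # Referrers that are to be blocked.
          #map $http_referer $bad_referer {
          #  default 0;
          #  ~(?i)(babes|casino|click|diamond|forsale|girl|jewelry|love|nudit|organic|poker|porn|poweroversoftware|replica|sex|teen|webcam|zippo) 1;
          #}
          #geo $not_local {
          #  default 1;
          #  127.0.0.1 0;
          #}

          # Per-site server blocks (TLS vhosts) are maintained outside this module.
          include /etc/nginx/site.d/*.conf;

          # Catch-all plain-HTTP listener: everything is redirected to HTTPS.
          server {
            listen 80 default_server;
            listen [::]:80 default_server;
            server_name _;
            return 301 https://$host$request_uri;
          }
        }
      '';
    };
  };
}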