-{ flakes, pkgs, lib, config, ... }:
+{ inputs, pkgs, lib, config, host, ... }:
let
inherit (lib) types;
inherit (config) networking;
"d '/dev/shm/nginx' '750' '${nginx.user}' '${nginx.group}' - -"
];
systemd.services.nginx = {
+ requires = [ "systemd-tmpfiles-setup-dev.service" ];
serviceConfig = {
# FIXME: remove all the mkForce in LogsDirectory
# whenever upstream uses a list instead of a string.
LogsDirectory = lib.mkForce ["nginx"];
StateDirectory = ["nginx"];
StateDirectoryMode = "2770";
- BindPaths = ["/dev/shm/nginx:/var/cache/nginx"];
+ #BindPaths = ["/dev/shm/nginx:/var/cache/nginx"];
};
};
services.nginx = {
#sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
#sslCiphers = "HIGH:!ADH:!MD5:!CAMELLIA:!SEED:!3DES:!DES:!RC4:!eNULL";
#sslCiphers = "EECDH+aRSA+AESGCM:EDH+aRSA:EECDH+aRSA:+AES256:+AES128:+SHA1:!CAMELLIA:!SEED:!3DES:!DES:!RC4:!eNULL";
- sslDhparam = flakes.secrets + "/openssl/dh.pem";
+ sslDhparam = inputs.secrets + "/openssl/dh.pem";
sslProtocols = "TLSv1.3 TLSv1.2";
configs = rec {
http_add_headers = ''
- # Add HSTS header with preloading to HTTPS requests.
- # Adding this header to HTTP requests is discouraged
- # DOC: https://blog.qualys.com/securitylabs/2016/03/28/the-importance-of-a-proper-http-strict-transport-security-implementation-on-your-web-server
- add_header Strict-Transport-Security $hsts_header;
-
- # Enable CSP for your services.
+ # Enable CSP
#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
+ # Enable XSS protection of the browser.
+ # May be unnecessary when CSP is configured properly (see above)
+ add_header X-XSS-Protection "1; mode=block";
+
# Minimize information leaked to other domains
add_header 'Referrer-Policy' 'origin-when-cross-origin';
- # Disable embedding as a frame
- add_header X-Frame-Options DENY;
+ # Restrict embedding as a frame
+ #add_header X-Frame-Options SAMEORIGIN;
# Prevent injection of code in other mime types (XSS Attacks)
add_header X-Content-Type-Options nosniff;
-
- # Enable XSS protection of the browser.
- # May be unnecessary when CSP is configured properly (see above)
- add_header X-XSS-Protection "1; mode=block";
'';
https_add_headers = ''
${http_add_headers}
+ # Add HSTS header with preloading to HTTPS requests.
+ # Adding this header to HTTP requests is discouraged,
+ # as doing so makes the connection vulnerable to SSL stripping attacks
+ # DOC: https://blog.qualys.com/securitylabs/2016/03/28/the-importance-of-a-proper-http-strict-transport-security-implementation-on-your-web-server
+ add_header Strict-Transport-Security $hsts_header;
'';
};
commonHttpConfig = ''
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
-
- log_format json escape=json
- '{'
- '"time_local":"$time_local",'
- '"remote_addr":"$remote_addr",'
- '"status": "$status",'
- '"request":"$request",'
- '"body_bytes_sent":"$body_bytes_sent",'
- '"http_referrer":"$http_referer",'
- '"http_user_agent":"$http_user_agent",'
- '"remote_user":"$remote_user",'
- '"request_time":"$request_time"'
- '}';
+ log_format json escape=json '{'
+ '"time_local":"$time_local",'
+ '"host":"$host",'
+ '"request":"$request",'
+ '"status":"$status",'
+ '"http_referrer":"$http_referer",'
+ '"remote_addr":"$remote_addr",'
+ '"remote_user":"$remote_user",'
+ '"msec":"$msec",'
+ '"body_bytes_sent":"$body_bytes_sent",'
+ '"bytes_sent":"$bytes_sent",'
+ '"http_user_agent":"$http_user_agent",'
+ '"request_length":"$request_length",'
+ '"request_method":"$request_method",'
+ '"request_time":"$request_time",'
+ '"request_uri":"$request_uri",'
+ '"server_protocol":"$server_protocol",'
+ '"ssl_protocol":"$ssl_protocol",'
+ '"upstream_addr":"$upstream_addr",'
+ '"upstream_connect_time":"$upstream_connect_time",'
+ '"upstream_response_time":"$upstream_response_time"'
+ '}';
charset UTF-8;
types {
text/html html5;
- text/plain md;
+ text/plain dump;
}
'' +
lib.concatStringsSep "\n" (lib.attrValues {
default = ''
- default_type application/octet-stream;
+ #default_type application/octet-stream;
root /var/lib/nginx;
'';
security = ''
${nginx.configs.http_add_headers}
# This might create errors
- proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
+ #proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
'';
log = ''
- access_log /var/log/nginx/access.log main buffer=32k;
+ access_log /var/log/nginx/access.json json;
error_log /var/log/nginx/error.log warn;
open_log_file_cache max=1000 inactive=20s min_uses=2 valid=1m;
'';
'';
});
appendConfig = ''
- worker_processes ${toString config.nix.maxJobs};
+ worker_processes ${toString host.CPUs};
'';
};
};
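Review bot: The new side of http_add_headers no longer sends any anti-framing header: `add_header X-Frame-Options DENY;` is removed and its replacement `#add_header X-Frame-Options SAMEORIGIN;` is commented out, while the Content-Security-Policy that could carry `frame-ancestors` is also still commented out, so the comment `# Restrict embedding as a frame` now describes nothing the config does. Either re-enable it as `add_header X-Frame-Options SAMEORIGIN;` (which permits the same-origin embedding that DENY presumably broke) or reword the comment to record that framing is intentionally left unrestricted and why. The same shape appears at `#proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";` in the security block: commenting it out drops the Secure/HttpOnly/SameSite flags on upstream cookies, and `# This might create errors` does not say what broke; if the problem was the path rewrite rather than the flags, `proxy_cookie_flags ~ secure httponly samesite=strict;` sets the flags without touching the path. Worth a line in the comment above http_add_headers as well: nginx add_header directives at http level are not inherited into any server or location block that declares its own add_header, so these headers silently vanish in such vhosts.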