bonfire/modules/services/nginx.nix

{ config, options, lib, pkgs, ... }:
with builtins;
with lib;
with lib.custom;
let
    cfg = config.modules.services.nginx;
in {
    options.modules.services.nginx = {
        enable = mkBoolOpt false;
        enableCloudflareSupport = mkBoolOpt false;
    };

    config = mkMerge [
        (mkIf cfg.enable {
            networking.firewall.allowedTCPPorts = [ 80 443 ];

            user.extraGroups = [ "nginx" ];

            services.nginx = {
                enable = true;

                # Use recommended settings
                recommendedGzipSettings = true;
                recommendedOptimisation = true;
                recommendedProxySettings = true;
                recommendedTlsSettings = true;

                # Reduce the permitted size of client requests, to reduce the likelihood
                # of buffer overflow attacks. This can be tweaked on a per-vhost basis,
                # as needed.
                clientMaxBodySize = "256k";  # default 10m
                # Significantly speed up regex matchers
                appendConfig = ''pcre_jit on;'';
                commonHttpConfig = ''
                    client_body_buffer_size  4k;       # default: 8k
                    large_client_header_buffers 2 4k;  # default: 4 8k

                    map $sent_http_content_type $expires {
                        default                    off;
                        text/html                  10m;
                        text/css                   max;
                        application/javascript     max;
                        application/pdf            max;
                        ~image/                    max;
                    }
                '';
            };
        })

        (mkIf cfg.enableCloudflareSupport {
            services.nginx.commonHttpConfig = ''
                ${concatMapStrings (ip: "set_real_ip_from ${ip};\n")
                    (filter (line: line != "")
                        (splitString "\n" ''
                            ${readFile (fetchurl "https://www.cloudflare.com/ips-v4/")}
                            ${readFile (fetchurl "https://www.cloudflare.com/ips-v6/")}
                      ''))}
                real_ip_header CF-Connecting-IP;
            '';
        })
    ];
}

# Helpful nginx snippets
#
# Set expires headers for static files and turn off logging.
#   location ~* ^.+\.(js|css|swf|xml|txt|ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|r ss|atom|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav |bmp|rtf)$ {
#     access_log off; log_not_found off; expires 30d;
#   }
#
# Deny all attempts to access PHP Files in the uploads directory
#   location ~* /(?:uploads|files)/.*\.php$ {
#     deny all;
#   }
initial commit 2023-06-06 23:18:09 +05:00			`{ config, options, lib, pkgs, ... }:`
			`with builtins;`
			`with lib;`
			`with lib.custom;`
			`let`
			`cfg = config.modules.services.nginx;`
			`in {`
			`options.modules.services.nginx = {`
			`enable = mkBoolOpt false;`
			`enableCloudflareSupport = mkBoolOpt false;`
			`};`

			`config = mkMerge [`
			`(mkIf cfg.enable {`
			`networking.firewall.allowedTCPPorts = [ 80 443 ];`

			`user.extraGroups = [ "nginx" ];`

			`services.nginx = {`
			`enable = true;`

			`# Use recommended settings`
			`recommendedGzipSettings = true;`
			`recommendedOptimisation = true;`
			`recommendedProxySettings = true;`
			`recommendedTlsSettings = true;`

			`# Reduce the permitted size of client requests, to reduce the likelihood`
			`# of buffer overflow attacks. This can be tweaked on a per-vhost basis,`
			`# as needed.`
			`clientMaxBodySize = "256k"; # default 10m`
			`# Significantly speed up regex matchers`
			`appendConfig = ''pcre_jit on;'';`
			`commonHttpConfig = ''`
			`client_body_buffer_size 4k; # default: 8k`
			`large_client_header_buffers 2 4k; # default: 4 8k`

			`map $sent_http_content_type $expires {`
			`default off;`
			`text/html 10m;`
			`text/css max;`
			`application/javascript max;`
			`application/pdf max;`
			`~image/ max;`
			`}`
			`'';`
			`};`
			`})`

			`(mkIf cfg.enableCloudflareSupport {`
			`services.nginx.commonHttpConfig = ''`
			`${concatMapStrings (ip: "set_real_ip_from ${ip};\n")`
			`(filter (line: line != "")`
			`(splitString "\n" ''`
			`${readFile (fetchurl "https://www.cloudflare.com/ips-v4/")}`
			`${readFile (fetchurl "https://www.cloudflare.com/ips-v6/")}`
			`''))}`
			`real_ip_header CF-Connecting-IP;`
			`'';`
			`})`
			`];`
			`}`

			`# Helpful nginx snippets`
			`#`
			`# Set expires headers for static files and turn off logging.`
			`# location ~* ^.+\.(js\|css\|swf\|xml\|txt\|ogg\|ogv\|svg\|svgz\|eot\|otf\|woff\|mp4\|ttf\|r ss\|atom\|jpg\|jpeg\|gif\|png\|ico\|zip\|tgz\|gz\|rar\|bz2\|doc\|xls\|exe\|ppt\|tar\|mid\|midi\|wav \|bmp\|rtf)$ {`
			`# access_log off; log_not_found off; expires 30d;`
			`# }`
			`#`
			`# Deny all attempts to access PHP Files in the uploads directory`
			`# location ~* /(?:uploads\|files)/.*\.php$ {`
			`# deny all;`
			`# }`