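{ config, options, lib, pkgs, ... }:

with builtins;
with lib;
with lib.custom;

let
  cfg = config.modules.services.nginx;
in {
  options.modules.services.nginx = {
    # Enable nginx with the hardened defaults below.
    enable = mkBoolOpt false;
    # Trust Cloudflare's published edge ranges as real-IP sources.
    enableCloudflareSupport = mkBoolOpt false;
  };

  config = mkMerge [
    (mkIf cfg.enable {
      networking.firewall.allowedTCPPorts = [ 80 443 ];

      user.extraGroups = [ "nginx" ];

      services.nginx = {
        enable = true;

        # Use recommended settings
        recommendedGzipSettings = true;
        recommendedOptimisation = true;
        recommendedProxySettings = true;
        recommendedTlsSettings = true;

        # Cap the size of client request bodies: nginx answers 413 for anything
        # larger instead of buffering it, which limits resource use by oversized
        # uploads. Raise this per vhost where larger bodies are expected.
        clientMaxBodySize = "256k"; # default 10m

        # Significantly speed up regex matchers
        appendConfig = ''pcre_jit on;'';

        commonHttpConfig = ''
          client_body_buffer_size 4k;       # default: 8k
          large_client_header_buffers 2 4k; # default: 4 8k

          map $sent_http_content_type $expires {
            default                 off;
            text/html               10m;
            text/css                max;
            application/javascript  max;
            application/pdf         max;
            ~image/                 max;
          }
        '';
      };
    })

    (mkIf cfg.enableCloudflareSupport (let
      # Cloudflare publishes its edge ranges as plain text, one CIDR per line.
      # NOTE(review): `fetchurl` here resolves to builtins.fetchurl (no
      # pkgs.fetchurl is in scope) and carries no hash, so the evaluation
      # depends on whatever the live endpoint returns — confirm this is intended.
      rawLists = ''
        ${readFile (fetchurl "https://www.cloudflare.com/ips-v4/")}
        ${readFile (fetchurl "https://www.cloudflare.com/ips-v6/")}
      '';

      # Keep only lines that look like an IPv4 or IPv6 CIDR. The fetched text is
      # interpolated verbatim into the nginx config, so anything else (an error
      # page, a redirect body, a stray directive) must not reach
      # `set_real_ip_from`. `match` anchors on the whole line.
      isCidr = line: match "([0-9.]+|[0-9a-fA-F:]+)/[0-9]+" line != null;

      cloudflareRanges = filter isCidr (splitString "\n" rawLists);
    in {
      # An empty list would silently leave `real_ip_header` without any trusted
      # source; fail the evaluation instead of shipping a config that does nothing.
      assertions = [{
        assertion = cloudflareRanges != [ ];
        message = "modules.services.nginx.enableCloudflareSupport: the fetched Cloudflare IP lists contained no CIDR ranges";
      }];

      services.nginx.commonHttpConfig = ''
        ${concatMapStrings (ip: "set_real_ip_from ${ip};\n") cloudflareRanges}
        real_ip_header CF-Connecting-IP;
      '';
    }))
  ];
}

# Helpful nginx snippets
#
# Set expires headers for static files and turn off logging.
# location ~* ^.+\.(js|css|swf|xml|txt|ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|rss|atom|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$ {
#   access_log off; log_not_found off; expires 30d;
# }
#
# Deny all attempts to access PHP Files in the uploads directory
# location ~* /(?:uploads|files)/.*\.php$ {
#   deny all;
# }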