bonfire/modules/services/nginx.nix

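{ config, options, lib, pkgs, ... }:
with builtins;
with lib;
with lib.custom;
let
  cfg = config.modules.services.nginx;
in {
  options.modules.services.nginx = {
    enable = mkBoolOpt false;
    enableCloudflareSupport = mkBoolOpt false;
    # Files nginx is told to trust as the source of CF-Connecting-IP, one
    # CIDR per line. The default downloads Cloudflare's published lists at
    # *evaluation* time with no hash, so the trusted-proxy set is whatever
    # the network returned when the system was last evaluated: it is not
    # reproducible, and a tampered download would widen who may assert the
    # client address. Override with vendored or hash-pinned files to pin
    # that trust anchor.
    cloudflareIpLists = mkOption {
      type = types.listOf types.path;
      default = [
        (fetchurl "https://www.cloudflare.com/ips-v4/")
        (fetchurl "https://www.cloudflare.com/ips-v6/")
      ];
      description = "Files containing one trusted proxy CIDR per line; blank lines are ignored.";
    };
  };

  config = mkMerge [
    (mkIf cfg.enable {
      networking.firewall.allowedTCPPorts = [ 80 443 ];
      # NOTE(review): adds the primary user to the nginx group, i.e. read
      # access to anything that is nginx-group-readable. Whether that
      # includes key material depends on how certificates are deployed —
      # confirm before relying on this on a multi-user host.
      user.extraGroups = [ "nginx" ];
      services.nginx = {
        enable = true;
        # Use the upstream module's recommended settings
        recommendedGzipSettings = true;
        recommendedOptimisation = true;
        recommendedProxySettings = true;
        recommendedTlsSettings = true;
        # Cap the request body accepted by default so oversized uploads
        # cannot tie up memory/disk; raise it per vhost where uploads are
        # expected.
        clientMaxBodySize = "256k"; # default 10m
        # pcre_jit must live in the main context, which appendConfig is
        # appended to. Significantly speeds up regex matchers.
        appendConfig = ''pcre_jit on;'';
        commonHttpConfig = ''
          client_body_buffer_size 4k; # default: 8k
          large_client_header_buffers 2 4k; # default: 4 8k
          # Defines $expires only; a vhost has to opt in with `expires $expires;`
          # for these values to take effect.
          map $sent_http_content_type $expires {
            default off;
            text/html 10m;
            text/css max;
            application/javascript max;
            application/pdf max;
            ~image/ max;
          }
        '';
      };
    })

    (mkIf cfg.enableCloudflareSupport (let
      # Every non-empty line of every list; the trailing newline each file
      # ends with yields an empty entry, which is dropped here.
      trustedRanges = filter (line: line != "")
        (concatMap (file: splitString "\n" (readFile file)) cfg.cloudflareIpLists);
    in {
      # Only connections arriving from `trustedRanges` may replace the
      # client address with CF-Connecting-IP; for any other peer nginx keeps
      # the TCP source address, so the header cannot be spoofed by direct
      # clients. The header carries a single address, so real_ip_recursive
      # is not needed.
      services.nginx.commonHttpConfig = ''
        ${concatMapStrings (range: "set_real_ip_from ${range};\n") trustedRanges}
        real_ip_header CF-Connecting-IP;
      '';
    }))
  ];
}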
# Helpful nginx snippets
#
# Set expires headers for static files and turn off logging.
# location ~* ^.+\.(js|css|swf|xml|txt|ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|rss|atom|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$ {
# access_log off; log_not_found off; expires 30d;
# }
#
# Deny all attempts to access PHP Files in the uploads directory
# location ~* /(?:uploads|files)/.*\.php$ {
# deny all;
# }