summaryrefslogtreecommitdiff
path: root/custom
diff options
context:
space:
mode:
authorGregor Kleen <gkleen@yggdrasil.li>2021-03-31 22:15:20 +0200
committerGregor Kleen <gkleen@yggdrasil.li>2021-03-31 22:15:20 +0200
commit2549a6fe6153ecef9ae935685691a288d6d299fc (patch)
tree5640d4c3191e887290eb18ca4c341a7fda9f3da1 /custom
parent94c24ebcb3f91c5656f8aaec440957b0a512b34e (diff)
downloadnixos-2549a6fe6153ecef9ae935685691a288d6d299fc.tar
nixos-2549a6fe6153ecef9ae935685691a288d6d299fc.tar.gz
nixos-2549a6fe6153ecef9ae935685691a288d6d299fc.tar.bz2
nixos-2549a6fe6153ecef9ae935685691a288d6d299fc.tar.xz
nixos-2549a6fe6153ecef9ae935685691a288d6d299fc.zip
nginx...
Diffstat (limited to 'custom')
-rw-r--r--custom/ymir-nginx.nix30
1 files changed, 11 insertions, 19 deletions
diff --git a/custom/ymir-nginx.nix b/custom/ymir-nginx.nix
index 81b253fe..f1fd1a6d 100644
--- a/custom/ymir-nginx.nix
+++ b/custom/ymir-nginx.nix
@@ -86,9 +86,16 @@ in {
86 86
87 services.nginx = { 87 services.nginx = {
88 enable = true; 88 enable = true;
89 httpConfig = ''
90 default_type application/octet-stream;
91 89
90 recommendedOptimisation = true;
91 sslCiphers = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
92 sslDhparam = config.security.dhparams.params.nginx.path;
93 recommendedTlsSettings = true;
94 recommendedGzipSettings = true;
95 recommendedProxySettings = true;
96
97
98 commonHttpConfig = ''
92 log_format main 99 log_format main
93 '$remote_addr "$remote_user" ' 100 '$remote_addr "$remote_user" '
94 '"$host" "$request" $status $bytes_sent ' 101 '"$host" "$request" $status $bytes_sent '
@@ -104,34 +111,19 @@ in {
104 large_client_header_buffers 4 2k; 111 large_client_header_buffers 4 2k;
105 request_pool_size 4k; 112 request_pool_size 4k;
106 113
107 gzip on;
108 gzip_min_length 1100;
109 gzip_buffers 4 8k;
110 gzip_types text/plain;
111
112 output_buffers 1 32k; 114 output_buffers 1 32k;
113 postpone_output 1460; 115 postpone_output 1460;
114 116
115 sendfile on;
116 tcp_nopush on;
117 tcp_nodelay on;
118
119 keepalive_timeout 75 20;
120
121 ignore_invalid_headers on; 117 ignore_invalid_headers on;
122 118
123 access_log syslog:server=unix:/dev/log main; 119 access_log syslog:server=unix:/dev/log main;
124 error_log syslog:server=unix:/dev/log info; 120 error_log syslog:server=unix:/dev/log info;
125 121
126 ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
127 ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
128 ssl_prefer_server_ciphers on;
129 ssl_session_cache shared:SSL:10m;
130 ssl_dhparam ${config.security.dhparams.params.nginx.path};
131
132 ssl_certificate /var/lib/acme/yggdrasil.li/fullchain.pem; 122 ssl_certificate /var/lib/acme/yggdrasil.li/fullchain.pem;
133 ssl_certificate_key /var/lib/acme/yggdrasil.li/key.pem; 123 ssl_certificate_key /var/lib/acme/yggdrasil.li/key.pem;
124 '';
134 125
126 appendHttpConfig = '';
135 server { 127 server {
136 listen *:443 ssl; 128 listen *:443 ssl;
137 listen [::]:443 ssl; 129 listen [::]:443 ssl;