diff options
author | Gregor Kleen <gkleen@yggdrasil.li> | 2021-03-31 22:15:20 +0200 |
---|---|---|
committer | Gregor Kleen <gkleen@yggdrasil.li> | 2021-03-31 22:15:20 +0200 |
commit | 2549a6fe6153ecef9ae935685691a288d6d299fc (patch) | |
tree | 5640d4c3191e887290eb18ca4c341a7fda9f3da1 /custom | |
parent | 94c24ebcb3f91c5656f8aaec440957b0a512b34e (diff) | |
download | nixos-2549a6fe6153ecef9ae935685691a288d6d299fc.tar nixos-2549a6fe6153ecef9ae935685691a288d6d299fc.tar.gz nixos-2549a6fe6153ecef9ae935685691a288d6d299fc.tar.bz2 nixos-2549a6fe6153ecef9ae935685691a288d6d299fc.tar.xz nixos-2549a6fe6153ecef9ae935685691a288d6d299fc.zip |
nginx...
Diffstat (limited to 'custom')
-rw-r--r-- | custom/ymir-nginx.nix | 30 |
1 files changed, 11 insertions, 19 deletions
diff --git a/custom/ymir-nginx.nix b/custom/ymir-nginx.nix index 81b253fe..f1fd1a6d 100644 --- a/custom/ymir-nginx.nix +++ b/custom/ymir-nginx.nix | |||
@@ -86,9 +86,16 @@ in { | |||
86 | 86 | ||
87 | services.nginx = { | 87 | services.nginx = { |
88 | enable = true; | 88 | enable = true; |
89 | httpConfig = '' | ||
90 | default_type application/octet-stream; | ||
91 | 89 | ||
90 | recommendedOptimisation = true; | ||
91 | sslCiphers = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"; | ||
92 | sslDhparam = config.security.dhparams.params.nginx.path; | ||
93 | recommendedTlsSettings = true; | ||
94 | recommendedGzipSettings = true; | ||
95 | recommendedProxySettings = true; | ||
96 | |||
97 | |||
98 | commonHttpConfig = '' | ||
92 | log_format main | 99 | log_format main |
93 | '$remote_addr "$remote_user" ' | 100 | '$remote_addr "$remote_user" ' |
94 | '"$host" "$request" $status $bytes_sent ' | 101 | '"$host" "$request" $status $bytes_sent ' |
@@ -104,34 +111,19 @@ in { | |||
104 | large_client_header_buffers 4 2k; | 111 | large_client_header_buffers 4 2k; |
105 | request_pool_size 4k; | 112 | request_pool_size 4k; |
106 | 113 | ||
107 | gzip on; | ||
108 | gzip_min_length 1100; | ||
109 | gzip_buffers 4 8k; | ||
110 | gzip_types text/plain; | ||
111 | |||
112 | output_buffers 1 32k; | 114 | output_buffers 1 32k; |
113 | postpone_output 1460; | 115 | postpone_output 1460; |
114 | 116 | ||
115 | sendfile on; | ||
116 | tcp_nopush on; | ||
117 | tcp_nodelay on; | ||
118 | |||
119 | keepalive_timeout 75 20; | ||
120 | |||
121 | ignore_invalid_headers on; | 117 | ignore_invalid_headers on; |
122 | 118 | ||
123 | access_log syslog:server=unix:/dev/log main; | 119 | access_log syslog:server=unix:/dev/log main; |
124 | error_log syslog:server=unix:/dev/log info; | 120 | error_log syslog:server=unix:/dev/log info; |
125 | 121 | ||
126 | ssl_protocols TLSv1 TLSv1.1 TLSv1.2; | ||
127 | ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH'; | ||
128 | ssl_prefer_server_ciphers on; | ||
129 | ssl_session_cache shared:SSL:10m; | ||
130 | ssl_dhparam ${config.security.dhparams.params.nginx.path}; | ||
131 | |||
132 | ssl_certificate /var/lib/acme/yggdrasil.li/fullchain.pem; | 122 | ssl_certificate /var/lib/acme/yggdrasil.li/fullchain.pem; |
133 | ssl_certificate_key /var/lib/acme/yggdrasil.li/key.pem; | 123 | ssl_certificate_key /var/lib/acme/yggdrasil.li/key.pem; |
124 | ''; | ||
134 | 125 | ||
126 | appendHttpConfig = ''; | ||
135 | server { | 127 | server { |
136 | listen *:443 ssl; | 128 | listen *:443 ssl; |
137 | listen [::]:443 ssl; | 129 | listen [::]:443 ssl; |