1 files changed, 11 insertions, 19 deletions

diff --git a/custom/ymir-nginx.nix b/custom/ymir-nginx.nix
index 81b253fe..f1fd1a6d 100644
--- a/custom/ymir-nginx.nix
+++ b/custom/ymir-nginx.nix
@@ -86,9 +86,16 @@ in {
 
   services.nginx = {
     enable = true;
-    httpConfig = ''
-      default_type application/octet-stream;
 
+    recommendedOptimisation = true;
+    sslCiphers = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
+    sslDhparam = config.security.dhparams.params.nginx.path;
+    recommendedTlsSettings = true;
+    recommendedGzipSettings = true;
+    recommendedProxySettings = true;
+    
+
+    commonHttpConfig = ''
       log_format main
               '$remote_addr "$remote_user" '
               '"$host" "$request" $status $bytes_sent '
@@ -104,34 +111,19 @@ in {
       large_client_header_buffers 4 2k;
       request_pool_size 4k;
 
-      gzip on;
-      gzip_min_length 1100;
-      gzip_buffers 4 8k;
-      gzip_types text/plain;
-
       output_buffers 1 32k;
       postpone_output 1460;
 
-      sendfile on;
-      tcp_nopush on;
-      tcp_nodelay on;
-
-      keepalive_timeout 75 20;
-
       ignore_invalid_headers on;
 
       access_log syslog:server=unix:/dev/log main;
       error_log syslog:server=unix:/dev/log info;
 
-      ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
-      ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
-      ssl_prefer_server_ciphers on;
-      ssl_session_cache shared:SSL:10m;
-      ssl_dhparam ${config.security.dhparams.params.nginx.path};
-      
       ssl_certificate /var/lib/acme/yggdrasil.li/fullchain.pem;
       ssl_certificate_key /var/lib/acme/yggdrasil.li/key.pem;
+    '';
 
+    appendHttpConfig = '';
       server {
         listen *:443 ssl;
         listen [::]:443 ssl;