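# NixOS module: the nginx front end for the yggdrasil.li / 141.li /
# praseodym.org family of hosts (static sites, cgit behind uWSGI, an
# authenticated reverse proxy and a WebDAV "ftp" area), plus a logrotate rule
# for the nginx log directory.
#
# Review changes versus the previous revision of this file:
#   * ssl_protocols no longer offers TLS 1.0 / 1.1 (both deprecated, RFC 8996).
#   * the mail-autoconfig location now ends in "/" like its alias, closing the
#     nginx "off-by-slash" alias traversal (see the comment at that location).
# Everything else is unchanged apart from comments.
{ config, lib, pkgs, ... }:

let
  # uWSGI parameter block handed to the cgit workers (the equivalent of
  # nginx's stock uwsgi_params). PATH_INFO is taken from $document_uri, the
  # normalised URI, rather than the raw $request_uri.
  uwsgi_params = builtins.toFile "uwsgi_param" ''
    uwsgi_param QUERY_STRING $query_string;
    uwsgi_param REQUEST_METHOD $request_method;
    uwsgi_param CONTENT_TYPE $content_type;
    uwsgi_param CONTENT_LENGTH $content_length;

    uwsgi_param REQUEST_URI $request_uri;
    uwsgi_param PATH_INFO $document_uri;
    uwsgi_param DOCUMENT_ROOT $document_root;
    uwsgi_param SERVER_PROTOCOL $server_protocol;

    uwsgi_param REMOTE_ADDR $remote_addr;
    uwsgi_param REMOTE_PORT $remote_port;
    uwsgi_param SERVER_ADDR $server_addr;
    uwsgi_param SERVER_PORT $server_port;
    uwsgi_param SERVER_NAME $server_name;
  '';

  # /favicon.ico is always served from the default docroot, whatever the vhost.
  favicon = builtins.toFile "favicon" ''
    location = /favicon.ico {
      root /srv/www/default;
    }
  '';

  # ACME http-01 challenge directory, keyed by the requested hostname.
  # $host comes from the Host header (or server_name when absent) and is
  # spliced into a filesystem path; nginx validates the Host header before
  # setting $host (it rejects "/" and consecutive dots), which is what keeps
  # this inside /srv/www/acme/ — confirm against the nginx version in use.
  acme = builtins.toFile "acme" ''
    location /.well-known/acme-challenge {
      root /srv/www/acme/$host/;
    }
  '';

  # Mozilla/Thunderbird-style mail autoconfig document, served as
  # /.well-known/autoconfig/mail/config-v1.1.xml on the catch-all vhost.
  # NOTE(review): only the text nodes of the XML survived in this copy of the
  # file — the element markup is missing. Restore it from the original before
  # deploying; the values below are kept exactly as found.
  mail-autoconfig = pkgs.writeTextFile {
    name = "mail-autoconfig";
    destination = "/config-v1.1.xml";
    text = ''
      141.li xmpp.li yggdrasil.li praseodym.org kleen.li nights.email Yggdrasil Yggdrasil ymir.yggdrasil.li 143 STARTTLS password-cleartext %EMAILLOCALPART% ymir.yggdrasil.li 25 STARTTLS password-cleartext %EMAILLOCALPART% ymir.yggdrasil.li 993 SSL password-cleartext %EMAILLOCALPART%
    '';
  };
in {
  services.logrotate = {
    enable = true;
    # nginx itself logs to syslog (see access_log / error_log below), so this
    # rule only affects whatever else ends up in /var/spool/nginx/logs.
    config = ''
      /var/spool/nginx/logs/* {
        compress
        daily
        missingok
        rotate 4
        size 1M
        su ${config.services.nginx.user} ${config.services.nginx.group}
      }
    '';
  };

  services.nginx = {
    enable = true;
    httpConfig = ''
      default_type application/octet-stream;

      log_format main '$remote_addr "$remote_user" '
                      '"$host" "$request" $status $bytes_sent '
                      '"$http_referer" "$http_user_agent" '
                      '$gzip_ratio';

      # NOTE(review): ten-minute client timeouts keep slow or idle connections
      # (slowloris-style) pinned to a worker for a long time. Only the WebDAV
      # vhost plausibly needs them this long; consider lowering the rest.
      client_header_timeout 10m;
      client_body_timeout 10m;
      send_timeout 10m;

      connection_pool_size 256;
      client_header_buffer_size 1k;
      large_client_header_buffers 4 2k;
      request_pool_size 4k;

      gzip on;
      gzip_min_length 1100;
      gzip_buffers 4 8k;
      gzip_types text/plain;

      output_buffers 1 32k;
      postpone_output 1460;

      sendfile on;
      tcp_nopush on;
      tcp_nodelay on;

      keepalive_timeout 75 20;

      ignore_invalid_headers on;

      access_log syslog:server=unix:/dev/log main;
      error_log syslog:server=unix:/dev/log;

      # TLS 1.0 and 1.1 were previously offered here; both are deprecated
      # (RFC 8996) and are dropped. TLSv1.3 is only negotiated when the
      # nginx/OpenSSL build supports it, but the token itself requires
      # nginx >= 1.13.0 — drop it if an older nginx refuses to start.
      ssl_protocols TLSv1.2 TLSv1.3;
      # NOTE(review): this suite list still admits CBC / SHA-1 suites
      # (AES256+EECDH, AES256+EDH); restricting to the AESGCM groups is the
      # usual next step once client compatibility allows it.
      ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
      ssl_prefer_server_ciphers on;
      ssl_session_cache shared:SSL:10m;
      ssl_dhparam ${config.security.dhparams.params.nginx.path};

      # A single certificate for every TLS vhost below: every name that
      # reaches port 443 (ftp., odin., git., ...) must be a SAN of this one.
      # No Strict-Transport-Security header is sent anywhere; the static
      # vhosts stay reachable over plain HTTP, apparently by design.
      ssl_certificate /var/lib/acme/yggdrasil.li/fullchain.pem;
      ssl_certificate_key /var/lib/acme/yggdrasil.li/key.pem;

      # Catch-all vhost (and the default for unmatched SNI names): the default
      # static docroot, ACME challenges, favicon and the mail autoconfig file.
      server {
        listen *:80;
        listen [::]:80;
        listen *:443 ssl;
        listen [::]:443 ssl;
        server_name _;

        include ${favicon};
        include ${acme};

        # Both the location prefix and the alias end in "/" so the alias
        # replaces a whole path segment. The previous prefix had no trailing
        # slash, so a request for "/.well-known/autoconfig/mail../<x>" was
        # mapped to "<store path>/../<x>" — the classic nginx alias
        # ("off-by-slash") traversal into the parent directory. The served
        # URL /.well-known/autoconfig/mail/config-v1.1.xml is unchanged.
        location /.well-known/autoconfig/mail/ {
          alias ${mail-autoconfig}/;
        }

        root /srv/www/default;
      }

      # f./files. static file area (any subdomain depth is accepted).
      server {
        listen *:80;
        listen [::]:80;
        listen *:443 ssl;
        listen [::]:443 ssl;
        server_name ~^(.*\.)?(f|files)\.(yggdrasil\.li|141\.li|praseodym\.org)$;

        include ${favicon};
        include ${acme};

        root /srv/www/files;
      }

      # o./online. connectivity-check endpoint: an empty 204 plus the header
      # NetworkManager looks for.
      server {
        listen *:80;
        listen [::]:80;
        listen *:443 ssl;
        listen [::]:443 ssl;
        server_name ~^(.*\.)?(o|online)\.(yggdrasil\.li|141\.li|praseodym\.org)$;

        include ${favicon};
        include ${acme};

        location / {
          add_header X-NetworkManager-Status online;
          return 204;
        }
      }

      # Static site for dirty-haskell.org.
      server {
        listen *:80;
        listen [::]:80;
        listen *:443 ssl;
        listen [::]:443 ssl;
        server_name ~^(.*\.)?dirty-haskell\.org$;

        include ${favicon};
        include ${acme};

        root /srv/www/dirty-haskell.org;
      }

      # cgit for git.yggdrasil.li: static assets straight from the cgit
      # package, everything else to the uWSGI worker (modifier1 9 = raw CGI).
      # NOTE(review): the uWSGI socket lives in world-writable /tmp, where any
      # local user can pre-create the path, and systemd PrivateTmp can give
      # nginx and the worker different /tmp namespaces; a directory under
      # /run is the usual choice. Same for git.rheperire.org below.
      server {
        listen *:80;
        listen *:443 ssl;
        listen [::]:80;
        listen [::]:443 ssl;
        server_name ~^(.*\.)?git\.yggdrasil\.li$;

        root ${pkgs.cgit}/cgit;
        try_files $uri @cgit;

        include ${favicon};
        include ${acme};

        location @cgit {
          include ${uwsgi_params};
          uwsgi_pass unix:/tmp/git.yggdrasil.li.sock;
          uwsgi_modifier1 9;
        }
      }

      # cgit for git.rheperire.org, identical apart from the socket.
      server {
        listen *:80;
        listen *:443 ssl;
        listen [::]:80;
        listen [::]:443 ssl;
        server_name ~^(.*\.)?git\.rheperire\.org$;

        root ${pkgs.cgit}/cgit;
        try_files $uri @cgit;

        include ${favicon};
        include ${acme};

        location @cgit {
          include ${uwsgi_params};
          uwsgi_pass unix:/tmp/git.rheperire.org.sock;
          uwsgi_modifier1 9;
        }
      }

      # odin: plain HTTP only answers ACME challenges and redirects to TLS.
      server {
        listen *:80;
        listen [::]:80;
        server_name ~^(.*\.)?odin\.(yggdrasil\.li|141\.li)$;

        include ${acme};

        location / {
          return 301 https://$host$request_uri;
        }
      }

      # odin over TLS: HTTP Basic auth in front of an internal backend that is
      # reached over plain HTTP.
      # NOTE(review): the Authorization header is forwarded to the backend as
      # is (nginx passes request headers through unless overridden), so the
      # backend sees the proxy credentials — clear it with
      # proxy_set_header Authorization "" if that is not intended. No
      # X-Forwarded-For / X-Forwarded-Proto is set, so the backend only ever
      # sees the proxy's address.
      server {
        listen *:443 ssl;
        listen [::]:443 ssl;
        server_name ~^(.*\.)?odin\.(yggdrasil\.li|141\.li)$;

        location / {
          auth_basic "Reverse proxy to odin";
          auth_basic_user_file /srv/www/odin/htpasswd;
          proxy_pass http://odin.asgard.yggdrasil/;
        }
      }

      # ftp: plain HTTP only answers ACME challenges and redirects to TLS.
      server {
        listen *:80;
        listen [::]:80;
        server_name ~^ftp\.(yggdrasil\.li|141\.li|praseodym\.org)$;

        include ${acme};

        location / {
          return 301 https://$host$request_uri;
        }
      }

      # "FTP" replacement: one WebDAV tree per user below /srv/ftp/<user>.
      # auth_basic runs before the content handlers that evaluate root, so
      # $remote_user here is always a name that exists in /srv/ftp.htpasswd;
      # keep those names free of "/" and ".." since they are spliced into a
      # filesystem path. Every authenticated user may PUT/DELETE/MKCOL/COPY/
      # MOVE inside its own tree, listings are enabled, and new files are
      # created world-readable (dav_access all:r).
      # NOTE(review): client_max_body_size is left at the nginx default (1m),
      # so larger uploads are refused with 413 — raise it here if that is not
      # intended. The body temp path under /tmp has the same pre-creation /
      # PrivateTmp caveat as the uWSGI sockets above.
      server {
        listen *:443 ssl;
        listen [::]:443 ssl;
        server_name ~^ftp\.(yggdrasil\.li|141\.li|praseodym\.org)$;

        client_body_temp_path /tmp/webdav;

        location / {
          root /srv/ftp/$remote_user;
          autoindex on;

          auth_basic "FTP over WebDAV";
          auth_basic_user_file /srv/ftp.htpasswd;

          dav_methods PUT DELETE MKCOL COPY MOVE;
          create_full_put_path on;
          dav_access user:rw group:r all:r;
        }
      }
    '';
  };
}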