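{ config, lib, pkgs, ... }:
# NixOS module: nginx front end for the default vhost, dirty-haskell.org and
# the cgit instance on git.yggdrasil.li.  The three `builtins.toFile` snippets
# below are written to the store and pulled into the server blocks with
# `include`, so the same location rules are shared by every vhost.
let
  # uwsgi_param lines forwarded to the cgit backend from the @cgit location.
  # PATH_INFO is derived from $document_uri (the normalised URI), not from the
  # raw $request_uri, so cgit never sees un-normalised path segments.
  uwsgi_params = builtins.toFile "uwsgi_param" ''
    uwsgi_param QUERY_STRING $query_string;
    uwsgi_param REQUEST_METHOD $request_method;
    uwsgi_param CONTENT_TYPE $content_type;
    uwsgi_param CONTENT_LENGTH $content_length;
    uwsgi_param REQUEST_URI $request_uri;
    uwsgi_param PATH_INFO $document_uri;
    uwsgi_param DOCUMENT_ROOT $document_root;
    uwsgi_param SERVER_PROTOCOL $server_protocol;
    uwsgi_param REMOTE_ADDR $remote_addr;
    uwsgi_param REMOTE_PORT $remote_port;
    uwsgi_param SERVER_ADDR $server_addr;
    uwsgi_param SERVER_PORT $server_port;
    uwsgi_param SERVER_NAME $server_name;
  '';

  # One favicon for every vhost, served from the default document root.
  favicon = builtins.toFile "favicon" ''
    location = /favicon.ico {
      root /srv/www/default;
    }
  '';

  # ACME http-01 challenge files, one directory per requested host name.
  # NOTE(review): the directory is chosen from $host, i.e. the client-supplied
  # Host header.  nginx rejects host values containing ".." or "/", so this
  # cannot escape /srv/www/acme, but nothing other than challenge files should
  # ever be placed under /srv/www/acme/<host>/ — confirm against the ACME
  # client's webroot setting.
  acme = builtins.toFile "acme" ''
    location /.well-known/acme-challenge {
      root /srv/www/acme/$host/;
    }
  '';
in {
  services.nginx = {
    enable = true;
    httpConfig = ''
      default_type application/octet-stream;

      log_format main
        '$remote_addr - $remote_user [$time_local] '
        '"$request" $status $bytes_sent '
        '"$http_referer" "$http_user_agent" '
        '"$gzip_ratio"';

      # Generous timeouts (10 min) on header/body reads; see keepalive below.
      client_header_timeout 10m;
      client_body_timeout 10m;
      send_timeout 10m;

      connection_pool_size 256;
      client_header_buffer_size 1k;
      large_client_header_buffers 4 2k;
      request_pool_size 4k;

      gzip on;
      gzip_min_length 1100;
      gzip_buffers 4 8k;
      gzip_types text/plain;

      output_buffers 1 32k;
      postpone_output 1460;

      sendfile on;
      tcp_nopush on;
      tcp_nodelay on;

      keepalive_timeout 75 20;
      ignore_invalid_headers on;

      # Both logs go to stderr so the journal (via the nginx unit) collects them.
      access_log stderr;
      error_log stderr;

      # TLS settings are global (http context) and shared by every server
      # block below.  TLSv1 and TLSv1.1 were dropped: both are deprecated by
      # RFC 8996 and offer no benefit over TLSv1.2 to modern clients.  Re-add
      # them only for a specific, known legacy client.
      ssl_protocols TLSv1.2;
      ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
      ssl_prefer_server_ciphers on;
      ssl_session_cache shared:SSL:10m;
      # dhparam.pem is provisioned out of band; nginx refuses to start without it.
      ssl_dhparam /etc/ssl/dhparam.pem;
      # Single certificate for all vhosts, so it must cover every name served
      # below (dirty-haskell.org and git.yggdrasil.li included).
      ssl_certificate /var/lib/acme/yggdrasil.li/fullchain.pem;
      ssl_certificate_key /var/lib/acme/yggdrasil.li/key.pem;

      # Catch-all vhost (server_name "_") for requests that match no other name.
      server {
        listen *:80;
        listen [::]:80;
        listen *:443 ssl;
        listen [::]:443 ssl;
        server_name _;
        include ${favicon};
        include ${acme};
        root /srv/www/default;
      }

      # dirty-haskell.org and all of its subdomains: static files only.
      server {
        listen *:80;
        listen [::]:80;
        listen *:443 ssl;
        listen [::]:443 ssl;
        server_name ~^(.*\.)?dirty-haskell\.org$;
        include ${favicon};
        include ${acme};
        root /srv/www/dirty-haskell.org;
      }

      # git.yggdrasil.li: cgit's static assets straight from the store path,
      # everything else handed to the cgit CGI via uwsgi.
      server {
        listen *:80;
        listen *:443 ssl;
        listen [::]:80;
        listen [::]:443 ssl;
        server_name ~^(.*\.)?git\.yggdrasil\.li$;
        root ${pkgs.cgit}/cgit;
        try_files $uri @cgit;
        include ${favicon};
        include ${acme};
        location @cgit {
          include ${uwsgi_params};
          # NOTE(review): the socket lives in world-writable /tmp, so any
          # local user could pre-create or replace it.  The path has to match
          # the uwsgi side of cgit, which is configured elsewhere; moving both
          # to a dedicated runtime directory (e.g. under /run) is preferable.
          uwsgi_pass unix:/tmp/cgit.sock;
          # modifier1 9 = raw HTTP-style CGI request, which is what cgit expects.
          uwsgi_modifier1 9;
        }
      }
    '';
  };
}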