

      1 extra:
      2 { config, lib, pkgs, ... }:
      3 let sites = [ ];
      4     logDir = "/var/log/nginx";
      5     gitExtra = {
      6       git = {
      7         projectroot = "/var/git";
      8       };
      9     };
     10     gitCfg = import ./git.nix { inherit config pkgs; extra = extra // gitExtra; };
     11     hoogle = import ./hoogle.nix extra.ztip;
     12     nixserve = import ./nix-serve.nix extra;
     13 in {
     14   services.logrotate.config = ''
     15     ${logDir}/*.log {
     16       daily
     17       missingok
     18       rotate 52
     19       compress
     20       delaycompress
     21       notifempty
     22       # 20MB
     23       minsize 20971520
     24       create 640 root adm
     25       sharedscripts
     26       postrotate
     27               ${pkgs.procps}/bin/pkill -USR1 nginx
     28       endscript
     29     }
     30   '';
     31 
     32   services.nginx = {
     33     enable = true;
     34 
     35     httpConfig = ''
     36       port_in_redirect off;
     37       ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
     38       ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
     39       ssl_prefer_server_ciphers on;
     40 
     41       # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
     42       add_header Strict-Transport-Security max-age=15768000;
     43 
     44       sendfile on;
     45       tcp_nopush on;
     46       tcp_nodelay on;
     47       keepalive_timeout 65;
     48       types_hash_max_size 2048;
     49       client_max_body_size 6G;
     50 
     51       # server_tokens off;
     52       proxy_buffering off;
     53       proxy_read_timeout 300s;
     54       expires off;
     55       default_type application/octet-stream;
     56 
     57       access_log ${logDir}/access.log;
     58       error_log ${logDir}/error.log;
     59 
     60       gzip on;
     61       gzip_disable "msie6";
     62 
     63       server {
     64         listen      80;
     65         server_name archer.zero.monster.cat;
     66 
     67         root /www/public;
     68         index index.html index.htm;
     69 
     70         location / {
     71           try_files $uri $uri/ =404;
     72         }
     73       }
     74 
     75       server {
     76         listen       80;
     77         server_name  siren.zero.monster.cat;
     78 
     79         location / {
     80           include ${pkgs.nginx}/conf/fastcgi_params;
     81           gzip off;
     82 
     83           fastcgi_param SCRIPT_FILENAME /home/jb55/src/c/libsirenofshame/siren-rest.fcgi;
     84           fastcgi_param PATH_INFO       $uri;
     85           fastcgi_pass  unix:${config.services.fcgiwrap.socketAddress};
     86         }
     87       }
     88 
     89       ${lib.concatStringsSep "\n\n" (map builtins.readFile sites)}
     90 
     91       ${gitCfg}
     92       ${hoogle}
     93     '';
     94   };
     95 }