

      1 extra:
      2 { config, lib, pkgs, ... }:
      3 let sites = [./sites/jb55.com
      4              ./sites/npmrepo.com
      5              ./sites/wineparty.xyz
      6              ./sites/hearpress.com
      7             ];
      8     logDir = "/var/log/nginx";
      9 in {
     10   services.logrotate.config = ''
     11     ${logDir}/*.log {
     12       daily
     13       missingok
     14       rotate 52
     15       compress
     16       delaycompress
     17       notifempty
     18       # 20MB
     19       minsize 20971520
     20       create 640 root adm
     21       sharedscripts
     22       postrotate
     23               ${pkgs.procps}/bin/pkill -USR1 nginx
     24       endscript
     25     }
     26   '';
     27 
     28   services.nginx = {
     29     enable = true;
     30 
     31     config = ''
     32       worker_processes 2;
     33 
     34       events {
     35       	worker_connections 768;
     36         # multi_accept on;
     37       }
     38     '';
     39 
     40     httpConfig = ''
     41       port_in_redirect off;
     42       ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
     43       ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
     44       ssl_prefer_server_ciphers on;
     45 
     46       # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
     47       add_header Strict-Transport-Security max-age=15768000;
     48 
     49       sendfile on;
     50       tcp_nopush on;
     51       tcp_nodelay on;
     52       keepalive_timeout 65;
     53       types_hash_max_size 2048;
     54       # server_tokens off;
     55       proxy_buffering off;
     56       proxy_read_timeout 300s;
     57       expires off;
     58 
     59       access_log ${logDir}/access.log;
     60       error_log ${logDir}/error.log;
     61 
     62       gzip on;
     63       gzip_disable "msie6";
     64 
     65       server {
     66         listen      80 default_server;
     67         server_name "";
     68         return      444;
     69       }
     70 
     71       ${lib.concatStringsSep "\n\n" (map builtins.readFile sites)}
     72     '';
     73   };
     74 }