citadel

My dotfiles, scripts and nix configs

default.nix (2906B)


      1 extra:
      2 { config, lib, pkgs, ... }:
      3 let sites = [ ];
      4     logDir = "/var/log/nginx";
      5     gitExtra = {
      6       ztip = "172.24.172.226";
      7       git = {
      8         projectroot = "/var/git";
      9       };
     10       host = "git.zero.jb55.com";
     11     };
     12     razornetExtra = {
     13       ztip = "172.29.172.226";
     14       git = {
     15         projectroot = "/var/razorgit";
     16       };
     17       host = "git.razor.jb55.com";
     18     };
     19     gitCfg = extra.git-server { inherit config pkgs; extra = extra // gitExtra; };
     20     razornetGit = extra.git-server { inherit config pkgs; extra = extra // razornetExtra; };
     21 in {
     22   services.logrotate.extraConfig = ''
     23     ${logDir}/*.log {
     24       daily
     25       missingok
     26       rotate 52
     27       compress
     28       delaycompress
     29       notifempty
     30       # 20MB
     31       minsize 20971520
     32       create 640 root adm
     33       sharedscripts
     34       postrotate
     35               ${pkgs.procps}/bin/pkill -USR1 nginx
     36       endscript
     37     }
     38   '';
     39 
     40   services.nginx = {
     41     enable = true;
     42 
     43     package = pkgs.nginx.override {
     44       modules = with pkgs.nginxModules; [ lua ];
     45     };
     46 
     47     user = "jb55";
     48 
     49     config = ''
     50       worker_processes 2;
     51 
     52       events {
     53       	worker_connections 768;
     54         # multi_accept on;
     55       }
     56     '';
     57 
     58     httpConfig = ''
     59       port_in_redirect off;
     60       ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
     61       ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
     62       ssl_prefer_server_ciphers on;
     63 
     64       # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
     65       add_header Strict-Transport-Security max-age=15768000;
     66 
     67       sendfile on;
     68       tcp_nopush on;
     69       tcp_nodelay on;
     70       keepalive_timeout 65;
     71       types_hash_max_size 2048;
     72       # server_tokens off;
     73       proxy_buffering off;
     74       proxy_read_timeout 300s;
     75       expires off;
     76       default_type application/octet-stream;
     77 
     78       access_log ${logDir}/access.log;
     79       error_log ${logDir}/error.log;
     80 
     81       gzip on;
     82       gzip_disable "msie6";
     83 
     84       server {
     85         listen      80 default_server;
     86         server_name _;
     87         root /www/public;
     88         index index.html index.htm;
     89         location / {
     90           try_files $uri $uri/ =404;
     91         }
     92       }
     93 
     94       ${gitCfg}
     95 
     96       ${razornetGit}
     97     '';
     98   };
     99 }