3
0
Fork 0
forked from mirrors/nixpkgs
Commit graph

139 commits

Author SHA1 Message Date
Izorkin 4d988ff0d0 nixos/nginx: change log and cache directories 2020-05-04 16:36:37 +03:00
Jan Tojnar 3c4ab13243
nixos/nginx: fix eval
Fixes a typo introduced in https://github.com/NixOS/nixpkgs/pull/83611
2020-03-29 00:20:07 +01:00
Vincent Bernat 7c451c3b6b
nginx: increase types_hash_max_size to 4096 (#83609)
After upgrading to NixOS 20.03, I've got the following warning:

    nginx: [warn] could not build optimal types_hash, you should increase either types_hash_max_size: 2048 or types_hash_bucket_size: 64; ignoring types_hash_bucket_size

The documentation states that "if nginx emits the message requesting
to increase either hash max size or hash bucket size then the first
parameter should first be increased" (aka types_hash_max_size).

In 19.03, the size of mime.types was around 100 entries. In 20.03, we
are around 900 entries. This is due to ff0148d868 which makes nginx
use mailcap mime.types.
2020-03-28 20:40:44 +01:00
Vincent Bernat 8f8cbec985
nixos/nginx: use mailcap mimetypes in all cases (#83611)
In ff0148d868, nginx configuration was modified to use mime.types
from mailcap package as it is more complete. However, there are two
places where mime.types is included in configuration. When the user
was setting `cfg.httpConfig`, the mime.types from nginx was still
used. This commit fix that by moving the common snippet in a variable
of its own and ensure it is used at both places.
2020-03-28 20:29:09 +01:00
Emily 4ed98d69ed nixos/nginx: use Mozilla Intermediate TLS configuration
The configuration at https://ssl-config.mozilla.org/#server=nginx&config=intermediate
is reliably kept up-to-date in terms of security and compatible with a
wide range of clients. They've probably had more care and thought put
into them than our defaults, and will be easier to keep updated in
the future.

The only removed (rather than changed) configuration option here is
ssl_ecdh_curve, per https://github.com/mozilla/server-side-tls/issues/189.

Resolves #80952.
2020-03-06 13:08:56 +00:00
Aaron Andersen fc1bee555e
Merge pull request #75602 from vanyaklimenko/nginx-gitweb-more-options
nixos/nginx/gitweb: add some (crucial) options
2020-01-15 21:16:24 -05:00
Vanya Klimenko ed52a6567c nixos/nginx/gitweb: add some (crucial) options
This replaces some hardcoded values in nginx's VirtualHosts's
configuration with customizable options. Previous values are kept as
default, so nothing should break for existing users.

Co-Authored-By: Florian Klink <flokli@flokli.de>
2020-01-14 00:11:10 +00:00
rnhmjoj 1d61efb7f1 treewide: use attrs instead of list for types.loaOf options 2020-01-06 10:39:18 -05:00
Danylo Hlynskyi cef68c4580
nixos/nginx: don't hide nginx config errors on nixos-rebuild --switch with reload enabled (#76179)
nixos/nginx: don't hide nginx config errors on nixos-rebuild --switch
with reload enabled

Closes https://github.com/NixOS/nixpkgs/issues/73455
2020-01-05 00:39:23 +02:00
danbst 50d6e93dc8 nixos/nginx: fixup permissions for Nginx state dir
The commit b0bbacb521 was a bit too fast
It did set executable bit for log files.

Also, it didn't account for other directories in state dir:
```
 # ls -la /var/spool/nginx/
total 32
drwxr-x--- 8 nginx nginx 4096 Dec 26 12:00 .
drwxr-xr-x 4 root  root  4096 Oct 10 20:24 ..
drwx------ 2 root  root  4096 Oct 10 20:24 client_body_temp
drwx------ 2 root  root  4096 Oct 10 20:24 fastcgi_temp
drwxr-x--- 2 nginx nginx 4096 Dec 26 12:00 logs
drwx------ 2 root  root  4096 Oct 10 20:24 proxy_temp
drwx------ 2 root  root  4096 Oct 10 20:24 scgi_temp
drwx------ 2 root  root  4096 Oct 10 20:24 uwsgi_temp
```

With proposed change, only ownership is changed for state files, and mode is left as is
except that statedir/logs is now group accessible.
2019-12-26 14:16:29 +02:00
Yurii Izorkin b0bbacb521 nixos/nginx: recursively change logs directory owner/group (#76174)
This change brings pre-existing installations (where the logfiles
are owned by root) in line with the new permssions (where logfiles
are owned by the nginx user)
2019-12-26 13:51:10 +02:00
Florian Klink 0a41dae98b
Merge pull request #56255 from Izorkin/nginx-temp1
nginx: do not run anything as root
2019-12-20 23:34:55 +01:00
brprice 5b210859f6 nixos/nginx: drop extra semicolon in return example (#76055) 2019-12-19 21:59:01 +02:00
Izorkin 2a413da57e nixos/nginx: do not run anything as root 2019-12-15 11:21:08 +03:00
paumr 5a1c15da12 improved nginx.basicAuthFile description 2019-12-03 14:05:46 +01:00
Renaud bf6217cbf1
nixos/nginx: correct header
Apache -> Nginx
2019-11-18 23:25:17 +01:00
Benjamin Hipple 3d73b6db85 nixos/nginx: update comment
It says Apache, but this is for Nginx; looks like a copy-paste error.
2019-11-03 10:22:56 -05:00
Robin Gloster 8e1fdad7c6
Merge pull request #70858 from manveru/nginx-map-hash-sizes
nginx: add map_hash_*_size options
2019-10-09 17:32:40 +02:00
Milan Pässler ff0148d868 nixos/nginx: use mailcap mime.types
The mime type definitions included with nginx are very incomplete, so
we use a list of mime types from the mailcap package, which is also
used by most other Linux distributions by default.
2019-10-09 14:20:40 +00:00
Michael Fellinger 2d0b34aa1c
nginx: add map_hash_*_size options 2019-10-09 15:59:03 +02:00
Vincent Bernat cf3e491cef nginx: remove gzip_disable directive
IE6 is long gone and this directive is not useful anymore. We can
spare a few CPU cycles (and maybe skip some bugs) by not trying to
disable gzip for MSIE6.
2019-09-12 11:55:32 -05:00
Silvan Mosberger 478e7184f8
nixos/modules: Remove all usages of types.string
And replace them with a more appropriate type

Also fix up some minor module problems along the way
2019-08-31 18:19:00 +02:00
Arian van Putten 604b7c139f Fix letsencrypt (#60219)
* nixos/acme: Fix ordering of cert requests

When subsequent certificates would be added, they would
not wake up nginx correctly due to target units only being triggered
once. We now added more fine-grained systemd dependencies to make sure
nginx always is aware of new certificates and doesn't restart too early
resulting in a crash.

Furthermore, the acme module has been refactored. Mostly to get
rid of the deprecated PermissionStartOnly systemd options which were
deprecated. Below is a summary of changes made.

* Use SERVICE_RESULT to determine status
This was added in systemd v232. we don't have to keep track
of the EXITCODE ourselves anymore.

* Add regression test for requesting mutliple domains

* Deprecate 'directory' option
We now use systemd's StateDirectory option to manage
create and permissions of the acme state directory.

* The webroot is created using a systemd.tmpfiles.rules rule
instead of the preStart script.

* Depend on certs directly

By getting rid of the target units, we make sure ordering
is correct in the case that you add new certs after already
having deployed some.

Reason it broke before:  acme-certificates.target would
be in active state, and if you then add a new cert, it
would still be active and hence nginx would restart
without even requesting a new cert. Not good!  We
make the dependencies more fine-grained now. this should fix that

* Remove activationDelay option

It complicated the code a lot, and is rather arbitrary. What if
your activation script takes more than activationDelay seconds?

Instead, one should use systemd dependencies to make sure some
action happens before setting the certificate live.

e.g. If you want to wait until your cert is published in DNS DANE /
TLSA, you could create a unit that blocks until it appears in DNS:

```
RequiredBy=acme-${cert}.service
After=acme-${cert}.service
ExecStart=publish-wait-for-dns-script
```
2019-08-29 16:32:59 +02:00
Danylo Hlynskyi 855be67358
nginx: expose generated config and allow nginx reloads (#57429)
* nginx: expose generated config and allow nginx reloads

Fixes: https://github.com/NixOS/nixpkgs/issues/15906
Another try was done, but not yet merged in https://github.com/NixOS/nixpkgs/pull/24476

This add 2 new features: ability to review generated Nginx config
(and NixOS has sophisticated generation!) and reloading
of nginx on config changes. This preserves nginx restart on package
updates.

I've modified nginx test to use this new feature and check reload/restart
behavior.

* rename to enableReload

* add sleep(1) in ETag test (race condition) and rewrite rebuild-switch using `nesting.clone`
2019-08-21 16:52:46 +03:00
volth f3282c8d1e treewide: remove unused variables (#63177)
* treewide: remove unused variables

* making ofborg happy
2019-06-16 19:59:05 +00:00
Izorkin 5612650767 nixos/nginx: add ipv6 options to resolver 2019-06-02 19:29:30 +00:00
Dan Elkouby 83c9b6ee39 nginx: use fullchain.pem for ssl_trusted_certificate
Some ACME clients do not generate full.pem, which is the same as
fullchain.pem + the certificate key (key.pem), which is not necessary
for verifying OCSP staples.
2019-04-23 12:33:19 +03:00
Jörg Thalheim 6dd7483ce1
Merge pull request #57979 from 4z3/writeNginxConfig
nixos/nginx: use nginxfmt and gixy
2019-04-04 20:23:58 +01:00
tv 59fac1a6d7 nixos/nginx: use writeNginxConfig 2019-03-23 11:16:14 +01:00
Dmitry Kalinkin 0e57b98b2c
Merge pull request #57596 from artemist/nginx-return
nixos/nginx: add return option to location
2019-03-22 14:08:33 -04:00
Silvan Mosberger f8de52a2fe
Revert "nixos/nginx: support h2c" 2019-03-15 14:31:11 +01:00
Artemis Tosini fee854ed01
nixos/nginx: add return option to location 2019-03-13 17:31:01 +00:00
Jordan Johnson-Doyle 04425c6223
nixos/nginx: support h2c 2019-03-08 17:50:46 +00:00
Janne Heß 3de5726e9b nixos/nginx: Support additional listen parameters (#56835) 2019-03-06 11:42:46 +02:00
Andreas Rammhold 768336a74b
Merge pull request #56233 from jtojnar/nginx-tlsv13
nixos/nginx: Enable TLS 1.3 support
2019-03-03 14:19:38 +01:00
Jan Tojnar f93ff28c62 nixos/nginx: Enable TLS 1.3 support 2019-02-25 16:47:19 +01:00
Izorkin 569248b3c2 nginx: fix formating the config file 2019-02-24 19:50:58 +03:00
Izorkin 0394b177c7 nginx: formating the config file 2019-02-24 10:17:11 +03:00
Jappie Klooster e576c3b385 doc: Fix insecure nginx docs (#51840) 2018-12-11 11:02:56 +00:00
Izorkin af8ae49395 nginx: add custom options 2018-10-23 21:04:07 +03:00
Franz Pletz ebd38185c8 nixos/nextcloud: init
Co-authored-by: Franz Pletz <fpletz@fnordicwalking.de>
Co-authored-by: Robin Gloster <mail@glob.in>
Co-authored-by: Janne Heß <janne@hess.ooo>
Co-authored-by: Florian Klink <flokli@flokli.de>
2018-10-01 02:07:43 +09:30
Uli Baum 15e6e1ff6f nixos/nginx: fix type of sslTrustedCertificate option
The option was added in 1251b34b5b
with type `types.path` but default `null`, so eval failed with
the default setting. This broke the acme and certmgr tests.

cc: @vincentbernat @fpletz
2018-09-02 01:35:59 +02:00
Vincent Bernat 1251b34b5b nixos/nginx: ensure TLS OCSP stapling works out of the box with LE
The recommended TLS configuration comes with `ssl_stapling on` and
`ssl_stapling_verify on`. However, this last directive also requires
the use of `ssl_trusted_certificate` to verify the received answer.
When using `enableACME` or similar, we can help the user by providing
the correct value for the directive.

The result can be tested with:

    openssl s_client -connect web.example.com:443 -status 2> /dev/null

Without OCSP stapling, we get:

    OCSP response: no response sent

After this change, we get:

    OCSP Response Data:
        OCSP Response Status: successful (0x0)
        Response Type: Basic OCSP Response
        Version: 1 (0x0)
        Responder Id: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
        Produced At: Aug 30 20:46:00 2018 GMT
2018-08-30 22:47:41 +02:00
Vincent Bernat bd075eb914 nginx: add more gzipped MIME types
The additions are:

 - image/svg+xml for SVG images
 - application/atom+xml for Atom feeds

These types are also present in mime.types. For better readability,
the list is sorted and formatted with one type per line.
2018-08-26 21:48:55 +02:00
Vincent Bernat 06a5fb2ada nginx: use a compression level of 5 in recommended configuration
While there is little gain of space to use a compression level of 9,
the CPU usage is significant. Many experiments point to use something
between 4 and 6. For example:

 - https://mjanja.ch/2015/03/finding-the-nginx-gzip_comp_level-sweet-spot/
 - 3bda5b93ed/nginx.conf (L93)
2018-08-26 21:43:34 +02:00
volth 2e979e8ceb [bot] nixos/*: remove unused arguments in lambdas 2018-07-20 20:56:59 +00:00
Florian Klink fff5923686 nixos/modules: users.(extraUsers|extraGroup->users|group) 2018-06-30 03:02:58 +02:00
Jan Tojnar bd648f321c
nixos/nginx: emphasize that useACMEHost does not create certs
It was not entirely clean that `services.nginx.virtualHosts.<name>.useACMEHost` does not create certificates, see https://github.com/NixOS/nixpkgs/issues/40593
2018-05-17 20:48:02 +02:00
Nikolay Amiantov a08645e9be nginx module: add upstream extraConfig 2018-05-08 16:32:11 +03:00
Ben Wolsieffer 4d40adb86d nginx: allow basic auth passwords to be specified in a file 2018-04-25 15:37:09 +02:00