1
0
Fork 1
mirror of https://github.com/NixOS/nixpkgs.git synced 2024-12-25 03:17:13 +00:00
Commit graph

174 commits

Author SHA1 Message Date
Lassulus ea5759474a
Merge pull request #119803 from SuperSandro2000/SuperSandro2000-patch-1
nixos/nginx: set isSystemUser
2021-04-24 22:37:46 +02:00
Maciej Krüger 9530794548
nginx: add vhost.http3
Co-authored-by: Sandro <sandro.jaeckel@gmail.com>
2021-04-18 20:20:24 +02:00
Sandro 15cd5fc57e
nixos/nginx: set isSystemUser 2021-04-18 16:15:48 +02:00
Sandro 0139874db9
nixos/nginx: add upstreams examples (#118447)
* nixos/nginx: add upstreams examples

I am not fully sure if they are fully correct but they deployed the right syntax.

* nixos/nginx: use literal example

* Update nixos/modules/services/web-servers/nginx/default.nix

* Update nixos/modules/services/web-servers/nginx/default.nix
2021-04-17 00:25:03 +02:00
talyz 06dee38345
Revert "nixos/nginx: fix eval for tengine"
This reverts commit 2d3200e010.
2021-04-14 16:34:10 +02:00
Sandro 39060b241c
Merge pull request #118445 from SuperSandro2000/SuperSandro2000-patch-3 2021-04-12 17:18:50 +02:00
Kim Lindberger 5a1bd5ff66
Merge pull request #116074 from talyz/discourse
discourse: Add package and NixOS module
2021-04-08 14:19:49 +02:00
Sandro fb9a2414dc nixos/nginx: use http 1.1 in "recommended" proxySettings
This allows http keep-alive by default which requires http 1.1.
2021-04-05 05:30:18 +02:00
talyz 46d935a4ce
nixos/nginx: Add an option to specify additional third-party modules 2021-04-04 13:44:36 +02:00
Sandro db5a15676c
nixos/nginx: set "recommended" proxy timeouts to 60s
According to the nginx documentation [1] those values  cannot usually exceed 75 seconds.
The defaults are 60s and should probably be lowered to something reasonable like 20 or 30 seconds.

[1] https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_connect_timeout
2021-04-04 07:47:45 +02:00
ajs124 2d3200e010 nixos/nginx: fix eval for tengine 2021-03-10 01:23:11 +01:00
Aaron Andersen 9798ed1a3d
Merge pull request #111011 from waldheinz/nginx-mem-write-exec
nixos/nginx: fix MemoryDenyWriteExecute not being disabled when needed
2021-03-03 07:19:35 -05:00
Martin Weinelt 47901b544c
Merge pull request #111302 from fooker/pr/nginx-default-type
nixos/nginx: serve unknown MIME-Types as binary
2021-02-09 01:44:47 +01:00
Luflosi e31dc1c5f6
nginx module: fix typo in proxyWebsockets description 2021-01-31 18:09:41 +01:00
Fritz Otlinghaus a55d0b80ff
nixos/nginx: add logError type 2021-01-31 11:37:38 +01:00
Dustin Frisch 891d1aa885
nixos/nginx: serve unknown MIME-Types as binary
The built-in default for unknown MIME-Types is `text/plain` whereas the
upstream default config changes it to `application/octet-stream`. By
changing the default tpye, unknown files will be downloaded by browsers
instead of being displayed.
2021-01-30 12:52:02 +01:00
Matthias Treydte 7d2829c0a0 nixos/nginx: fix MemoryDenyWriteExecute not being disabled when needed
The expression should check if the actually used nginx package
needes write+execute rights, not the default pkgs.nginx (which
has no modules unless overridden in an overlay).

Having MemoryDenyWriteExecute always true causes e.g. the Lua
module to fail (because JIT compilation).
2021-01-28 13:13:31 +01:00
Kevin Cox 8455fa3bca
Merge pull request #105347 from Mic92/nginx
nixos/nginx: add streamConfig option
2021-01-07 08:46:29 -05:00
Alyssa Ross 178ec8974f nixos/nginx: allow overriding fastcgi params
By default in Nginx, if you want to override a single fastcgi_param,
you have to override all of them.  This is less of a big deal if
you're editing the Nginx configuration directly, but when you're
generating the Nginx configuration with Nix it can be very annoying to
bloat your configuration repeating the default values of FastCGI
parameters every time.

This patch adds a fastcgiParams option to Nginx locations.  If any
parameters are set through this, all the default values will be
included as well, so only the ones that are changing need to be
supplied.  There's no way to use fastcgiParams to actually override
all parameters if that's what you want, but I think that's a niche use
case and it's still possible using extraConfig, which up until now was
the only option

Nginx allows the fastcgi_param directive in http and server scopes as
well as location, but here I only support location.  It would be
possible to support the others, but I don't think it's worth it.  It
would be a possible future enhancement if somebody has a need for it.
2021-01-05 03:36:18 +00:00
Maximilian Bosch 55ef9612a2
nixos/nginx: improve documentation for config
Unfortunately, I had a use-case where `services.nginx.config` was
necessary quite recently. While working on that config I had to look up
the module's code to understand which options can be used and which
don't.

To slightly improve the situation, I changed the documentation like
this:

* Added `types.str` as type since `config` is not mergeable on purpose.
  It must be a string as it's rendered verbatim into `nginx.conf` and if
  the type is `unspecified`, it can be confused with RFC42-like options.

* Mention which config options that don't generate config in
  `nginx.conf` are NOT mutually exclusive.
2020-12-06 17:26:13 +01:00
Jörg Thalheim 6f330ccedf
nixos/nginx: add streamConfig option 2020-11-29 10:55:01 +01:00
Graham Christensen 3361a037b9
nginx: add a warning that nginx's basic auth isn't very good. 2020-11-02 08:16:01 -05:00
Graham Christensen c7bf3828f0
nginx: add basic auth support for locations 2020-11-02 08:16:00 -05:00
Graham Christensen 33cf4f0e8e
nginx: factor out the generation of basic auth generation 2020-11-02 08:16:00 -05:00
lf- b37bbca521 nixos/modules: fix systemd start rate-limits
These were broken since 2016:
f0367da7d1
since StartLimitIntervalSec got moved into [Unit] from [Service].
StartLimitBurst has also been moved accordingly, so let's fix that one
too.

NixOS systems have been producing logs such as:
/nix/store/wf98r55aszi1bkmln1lvdbp7znsfr70i-unit-caddy.service/caddy.service:31:
Unknown key name 'StartLimitIntervalSec' in section 'Service', ignoring.

I have also removed some unnecessary duplication in units disabling
rate limiting since setting either interval or burst to zero disables it
(ad16158c10/src/basic/ratelimit.c (L16))
2020-10-31 01:35:56 -07:00
Aneesh Agrawal 924035bb97 nixos/nginx: Allow unsetting ssl_ciphers
When using the Modern config from the Mozilla SSL config generator,
the `ssl_ciphers` parameter does not need to be set
as only TLSv1.3 is permitted and all of its ciphers are reasonable.
2020-10-26 00:35:29 -04:00
Dustin Frisch 762ca640c4
nixos/nginx: Do not remove headers while proxying
Removing the `Accept-Encoding` header breaks applications which may
produce already compressed content.

Removing this header is staded in the nginx docs but is ment as an
example, not as an recomendation.
2020-10-16 12:50:52 +02:00
Izorkin 535896671b
nixos/nginx: remove option enableSandbox 2020-09-10 08:19:20 +03:00
Lucas Savva 982c5a1f0e
nixos/acme: Restructure module
- Use an acme user and group, allow group override only
- Use hashes to determine when certs actually need to regenerate
- Avoid running lego more than necessary
- Harden permissions
- Support "systemctl clean" for cert regeneration
- Support reuse of keys between some configuration changes
- Permissions fix services solves for previously root owned certs
- Add a note about multiple account creation and emails
- Migrate extraDomains to a list
- Deprecate user option
- Use minica for self-signed certs
- Rewrite all tests

I thought of a few more cases where things may go wrong,
and added tests to cover them. In particular, the web server
reload services were depending on the target - which stays alive,
meaning that the renewal timer wouldn't be triggering a reload
and old certs would stay on the web servers.

I encountered some problems ensuring that the reload took place
without accidently triggering it as part of the test. The sync
commands I added ended up being essential and I'm not sure why,
it seems like either node.succeed ends too early or there's an
oddity of the vm's filesystem I'm not aware of.

- Fix duplicate systemd rules on reload services

Since useACMEHost is not unique to every vhost, if one cert
was reused many times it would create duplicate entries in
${server}-config-reload.service for wants, before and
ConditionPathExists
2020-09-02 19:22:43 +01:00
Florian Klink 300049ca51 nixos/nginx: move configuration testing script into reload command
nginx -t not only verifies configuration, but also creates (and chowns)
files. When the `nginx-config-reload` service is used, this can cause
directories to be chowned to `root`, causing nginx to fail.

This moves the nginx -t command into a second ExecReload command, which
runs as nginx's user. While fixing above issue, this will also cause the
configuration to be verified when running `systemctl reload nginx`, not
only when restarting the dummy `nginx-config-reload` unit. The latter is
mostly a workaround for missing features in our activation script
anyways.
2020-08-12 18:13:29 +02:00
Arian van Putten 681cc105ce nixos/acme: Make sure nginx is running before certs are requested
This fixes https://github.com/NixOS/nixpkgs/issues/81842

We should probably also fix this for Apache, which recently also learned
to use ACME.
2020-06-15 11:04:59 +02:00
Florian Klink a3678ed347 nixos/nginx: always run systemctl of the currently running systemd
Also, make the postRun script refer to that systemctl, and not just rely
on $PATH for consistency.
2020-05-21 10:31:47 +02:00
Izorkin 94391fce1d nixos/nginx: add option enableSandbox 2020-05-12 20:03:29 +03:00
Izorkin aa12fb8adb nginxModules: add option allowMemoryWriteExecute
The allowMemoryWriteExecute option is required to checking enabled nginxModules
and disable the nginx sandbox mode MemoryDenyWriteExecute.
2020-05-12 20:03:29 +03:00
Izorkin 628354c686 nixos/nginx: enable sandboxing 2020-05-12 20:03:27 +03:00
Izorkin 4d988ff0d0 nixos/nginx: change log and cache directories 2020-05-04 16:36:37 +03:00
Jan Tojnar 3c4ab13243
nixos/nginx: fix eval
Fixes a typo introduced in https://github.com/NixOS/nixpkgs/pull/83611
2020-03-29 00:20:07 +01:00
Vincent Bernat 7c451c3b6b
nginx: increase types_hash_max_size to 4096 (#83609)
After upgrading to NixOS 20.03, I've got the following warning:

    nginx: [warn] could not build optimal types_hash, you should increase either types_hash_max_size: 2048 or types_hash_bucket_size: 64; ignoring types_hash_bucket_size

The documentation states that "if nginx emits the message requesting
to increase either hash max size or hash bucket size then the first
parameter should first be increased" (aka types_hash_max_size).

In 19.03, the size of mime.types was around 100 entries. In 20.03, we
are around 900 entries. This is due to ff0148d868 which makes nginx
use mailcap mime.types.
2020-03-28 20:40:44 +01:00
Vincent Bernat 8f8cbec985
nixos/nginx: use mailcap mimetypes in all cases (#83611)
In ff0148d868, nginx configuration was modified to use mime.types
from mailcap package as it is more complete. However, there are two
places where mime.types is included in configuration. When the user
was setting `cfg.httpConfig`, the mime.types from nginx was still
used. This commit fix that by moving the common snippet in a variable
of its own and ensure it is used at both places.
2020-03-28 20:29:09 +01:00
Emily 4ed98d69ed nixos/nginx: use Mozilla Intermediate TLS configuration
The configuration at https://ssl-config.mozilla.org/#server=nginx&config=intermediate
is reliably kept up-to-date in terms of security and compatible with a
wide range of clients. They've probably had more care and thought put
into them than our defaults, and will be easier to keep updated in
the future.

The only removed (rather than changed) configuration option here is
ssl_ecdh_curve, per https://github.com/mozilla/server-side-tls/issues/189.

Resolves #80952.
2020-03-06 13:08:56 +00:00
Aaron Andersen fc1bee555e
Merge pull request #75602 from vanyaklimenko/nginx-gitweb-more-options
nixos/nginx/gitweb: add some (crucial) options
2020-01-15 21:16:24 -05:00
Vanya Klimenko ed52a6567c nixos/nginx/gitweb: add some (crucial) options
This replaces some hardcoded values in nginx's VirtualHosts's
configuration with customizable options. Previous values are kept as
default, so nothing should break for existing users.

Co-Authored-By: Florian Klink <flokli@flokli.de>
2020-01-14 00:11:10 +00:00
rnhmjoj 1d61efb7f1 treewide: use attrs instead of list for types.loaOf options 2020-01-06 10:39:18 -05:00
Danylo Hlynskyi cef68c4580
nixos/nginx: don't hide nginx config errors on nixos-rebuild --switch with reload enabled (#76179)
nixos/nginx: don't hide nginx config errors on nixos-rebuild --switch
with reload enabled

Closes https://github.com/NixOS/nixpkgs/issues/73455
2020-01-05 00:39:23 +02:00
danbst 50d6e93dc8 nixos/nginx: fixup permissions for Nginx state dir
The commit b0bbacb521 was a bit too fast
It did set executable bit for log files.

Also, it didn't account for other directories in state dir:
```
 # ls -la /var/spool/nginx/
total 32
drwxr-x--- 8 nginx nginx 4096 Dec 26 12:00 .
drwxr-xr-x 4 root  root  4096 Oct 10 20:24 ..
drwx------ 2 root  root  4096 Oct 10 20:24 client_body_temp
drwx------ 2 root  root  4096 Oct 10 20:24 fastcgi_temp
drwxr-x--- 2 nginx nginx 4096 Dec 26 12:00 logs
drwx------ 2 root  root  4096 Oct 10 20:24 proxy_temp
drwx------ 2 root  root  4096 Oct 10 20:24 scgi_temp
drwx------ 2 root  root  4096 Oct 10 20:24 uwsgi_temp
```

With proposed change, only ownership is changed for state files, and mode is left as is
except that statedir/logs is now group accessible.
2019-12-26 14:16:29 +02:00
Yurii Izorkin b0bbacb521 nixos/nginx: recursively change logs directory owner/group (#76174)
This change brings pre-existing installations (where the logfiles
are owned by root) in line with the new permssions (where logfiles
are owned by the nginx user)
2019-12-26 13:51:10 +02:00
Florian Klink 0a41dae98b
Merge pull request #56255 from Izorkin/nginx-temp1
nginx: do not run anything as root
2019-12-20 23:34:55 +01:00
brprice 5b210859f6 nixos/nginx: drop extra semicolon in return example (#76055) 2019-12-19 21:59:01 +02:00
Izorkin 2a413da57e nixos/nginx: do not run anything as root 2019-12-15 11:21:08 +03:00
paumr 5a1c15da12 improved nginx.basicAuthFile description 2019-12-03 14:05:46 +01:00