diff options
| author | Igor Pashev <pashev.igor@gmail.com> | 2016-12-20 21:56:13 +0300 |
|---|---|---|
| committer | Igor Pashev <pashev.igor@gmail.com> | 2016-12-20 21:56:13 +0300 |
| commit | 31609065cc1df85245e9adb6916d0a28f25d0bc8 (patch) | |
| tree | baec4abc411bef48027160d9cd76f6f95bf983f1 /modules/apps | |
| parent | ae37f7b55f5a6b8c5fef7236530e58e45613d4a6 (diff) | |
| download | nixsap-31609065cc1df85245e9adb6916d0a28f25d0bc8.tar.gz | |
nginx: allow arbitrary http context
Diffstat (limited to 'modules/apps')
| -rw-r--r-- | modules/apps/nginx.nix | 62 |
1 files changed, 40 insertions, 22 deletions
diff --git a/modules/apps/nginx.nix b/modules/apps/nginx.nix index 3490a4b..b9ba7e4 100644 --- a/modules/apps/nginx.nix +++ b/modules/apps/nginx.nix @@ -47,31 +47,16 @@ let } http { - include ${pkgs.nginx}/conf/mime.types; - default_type application/octet-stream; - - access_log off; - error_log stderr info; - - gzip on; - keepalive_timeout 65; - sendfile on; - ssl_prefer_server_ciphers on; - ssl_protocols TLSv1 TLSv1.1 TLSv1.2; - tcp_nodelay on; - tcp_nopush on; - types_hash_max_size 2048; - - # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ - fastcgi_param HTTP_PROXY ""; - proxy_set_header Proxy ""; + ${cfg.conf.http.context} - ${concatMapStrings (s: "include ${s};\n") (mapAttrsToList mkServer cfg.conf.http.servers)} + ${concatMapStrings (s: "include ${s};\n") (mapAttrsToList mkServer cfg.conf.http.servers)} } ''; exec = "${pkgs.nginx}/bin/nginx -c ${nginx-conf} -p ${cfg.stateDir}"; + enabled = {} != explicit cfg.conf.http.servers; + in { options.nixsap.apps.nginx = { @@ -116,13 +101,46 @@ in { http = default {} (attrs { servers = default {} (attrsOf lines); + context = mkOption { + description = '' + Default directives in the http context. You normally don't + need to change it, because most of directives can be overriden + in server or location contexts. This parameter has a reasonale + default value which you should append in nixos modules, i. e. by + adding geoip directives or maps. Use `lib.mkForce` to completely + omit default directives. + ''; + type = lines; + }; }); }); }; - config = mkIf ({} != explicit cfg.conf.http.servers) { - nixsap.system.users.daemons = [ cfg.user ]; - systemd.services.nginx = { + config = { + nixsap.apps.nginx.conf.http.context = '' + include ${pkgs.nginx}/conf/mime.types; + default_type application/octet-stream; + + access_log off; + error_log stderr info; + + gzip on; + keepalive_timeout 65; + sendfile on; + ssl_prefer_server_ciphers on; + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + tcp_nodelay on; + tcp_nopush on; + types_hash_max_size 2048; + + # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ + fastcgi_param HTTP_PROXY ""; + proxy_set_header Proxy ""; + ''; + + nixsap.system.users.daemons = mkIf enabled [ cfg.user ]; + + systemd.services.nginx = mkIf enabled { description = "web/proxy server"; wants = [ "keys.target" ]; after = [ "keys.target" "local-fs.target" "network.target" ]; |