174 lines
5.5 KiB
Nix
174 lines
5.5 KiB
Nix
{ config, lib, pkgs, ... }:
|
|
let
|
|
cfg = config.nginxssl;
|
|
sslcfg = dir: ''
|
|
ssl on;
|
|
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
|
|
ssl_certificate_key ${dir}/key.pem;
|
|
ssl_certificate ${dir}/fullchain.pem;
|
|
ssl_trusted_certificate ${dir}/fullchain.pem;
|
|
ssl_dhparam /etc/nginx/dhparam.pem;
|
|
ssl_protocols TLSv1.1 TLSv1.2;
|
|
# ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
|
|
ssl_prefer_server_ciphers on;
|
|
add_header Strict-Transport-Security max-age=15768000;
|
|
ssl_stapling on;
|
|
ssl_stapling_verify on;
|
|
'';
|
|
|
|
makeChallenges = servername: key_webroot: ''
|
|
server {
|
|
listen 80;
|
|
server_name ${servername};
|
|
server_tokens off;
|
|
location /.well-known/acme-challenge {
|
|
default_type text/plain;
|
|
alias ${key_webroot}/.well-known/acme-challenge;
|
|
}
|
|
}
|
|
'';
|
|
makeServerBlock = servername: {key_root, key_webroot, contents, ...}: ''
|
|
server {
|
|
listen 80;
|
|
server_name ${servername};
|
|
server_tokens off;
|
|
location /.well-known/acme-challenge {
|
|
default_type text/plain;
|
|
alias ${key_webroot}/.well-known/acme-challenge;
|
|
}
|
|
location / {
|
|
rewrite ^(.*) https://$host$1 permanent;
|
|
}
|
|
}
|
|
server {
|
|
listen 443;
|
|
server_name ${servername};
|
|
server_tokens off;
|
|
${sslcfg key_root}
|
|
${contents}
|
|
}
|
|
'';
|
|
#vhosts = with lib; unique (concatMap (splitString " ") (attrNames cfg.servers));
|
|
servopts = {...}: {
|
|
options = {
|
|
key_webroot = mkOption {
|
|
type = types.string;
|
|
description = "The path where the acme challenge is stored";
|
|
};
|
|
key_root = mkOption {
|
|
type = types.string;
|
|
description = "The path where the SSL keys are stored";
|
|
};
|
|
contents = mkOption {
|
|
type = types.string;
|
|
description = "Extra server block contents, like location blocks";
|
|
example = "location / {}";
|
|
};
|
|
};
|
|
};
|
|
inherit (lib) mkEnableOption mkOption types mkIf;
|
|
in
|
|
{
|
|
options.nginxssl = {
|
|
enable = mkEnableOption "enable new nginx module";
|
|
no_vhost_keydir = mkOption {
|
|
type = types.string;
|
|
default = "/etc/sslcerts/no_vhost";
|
|
description = "The path where the SSL keys for the default are stored (can and will be self-signed)";
|
|
};
|
|
servers = mkOption {
|
|
type = types.attrsOf types.optionSet;
|
|
description = "The servers to host";
|
|
default = {};
|
|
example = {"git.domain.com" = {
|
|
contents = "location / {}";
|
|
key_root = "/var/lib/acme/git.domain.com";
|
|
key_webroot = "/etc/sslcerts/acmeroot";
|
|
};
|
|
};
|
|
options = [ servopts ];
|
|
};
|
|
challenges = mkOption {
|
|
type = types.attrsOf types.string;
|
|
default = {};
|
|
example = {"mail.domain.com" = "/var/lib/acme/mail.domain.com";};
|
|
description = "Other domains to host challenges for";
|
|
};
|
|
};
|
|
config = mkIf cfg.enable {
|
|
services.nginx = {
|
|
enable = true;
|
|
httpConfig = ''
|
|
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
|
|
'$status $body_bytes_sent "$http_referer" '
|
|
'"$http_user_agent" "$http_x_forwarded_for"';
|
|
|
|
access_log logs/access.log main;
|
|
sendfile on;
|
|
#tcp_nopush on;
|
|
|
|
#keepalive_timeout 0;
|
|
keepalive_timeout 65;
|
|
|
|
server_tokens off;
|
|
|
|
ssl_session_cache shared:SSL:10m;
|
|
ssl_session_timeout 10m;
|
|
|
|
|
|
gzip on;
|
|
# the default thing, for if no vhost is given
|
|
# generate default.pem and default.key manually
|
|
# and self-sign, if you feel like it
|
|
server {
|
|
listen 80 default_server;
|
|
server_name "";
|
|
location / {
|
|
rewrite ^(.*) https://$host$1 permanent;
|
|
}
|
|
}
|
|
server {
|
|
listen 443 default_server spdy deferred;
|
|
server_name "";
|
|
|
|
${sslcfg cfg.no_vhost_keydir}
|
|
|
|
location / {
|
|
root ${pkgs.nginx}/html;
|
|
index index.html index.htm;
|
|
}
|
|
|
|
location = /50x.html {
|
|
root ${pkgs.nginx}/html;
|
|
}
|
|
}
|
|
|
|
${lib.concatStringsSep "\n" (lib.mapAttrsToList makeChallenges cfg.challenges)}
|
|
|
|
${lib.concatStringsSep "\n" (lib.mapAttrsToList makeServerBlock cfg.servers)}
|
|
|
|
'';
|
|
};
|
|
networking.firewall.allowedTCPPorts = [80 443];
|
|
system.activationScripts.nginxdhparams =
|
|
''
|
|
if ! [[ -e /etc/nginx/dhparam.pem ]]; then
|
|
mkdir -p /etc/nginx/
|
|
${pkgs.openssl}/bin/openssl dhparam -out /etc/nginx/dhparam.pem 2048
|
|
fi
|
|
# self-sign certs in case an invalid vhost is looked up
|
|
dir=${cfg.no_vhost_keydir}
|
|
mkdir -m 0700 -p $dir
|
|
if ! [[ -e $dir/key.pem ]]; then
|
|
${pkgs.openssl}/bin/openssl genrsa -passout pass:foo -des3 -out $dir/key-in.pem 1024
|
|
${pkgs.openssl}/bin/openssl req -passin pass:foo -new -key $dir/key-in.pem -out $dir/key.csr \
|
|
-subj "/C=NL/CN=www.example.com"
|
|
${pkgs.openssl}/bin/openssl rsa -passin pass:foo -in $dir/key-in.pem -out $dir/key.pem
|
|
${pkgs.openssl}/bin/openssl x509 -req -days 365 -in $dir/key.csr -signkey $dir/key.pem -out $dir/fullchain.pem
|
|
fi
|
|
'';
|
|
};
|
|
|
|
|
|
}
|