servo: nginx: enable gzip and TLS optimizations

This commit is contained in:
2022-11-11 10:57:57 +00:00
parent 7cacbd9580
commit be286cd190


@@ -8,9 +8,16 @@ let
access_log /var/log/nginx/public.log vcombined; access_log /var/log/nginx/public.log vcombined;
''; '';
}; };
kTLS = true; # in-kernel TLS for better perf
in in
{ {
services.nginx.enable = true; services.nginx.enable = true;
services.nginx.appendConfig = ''
# use 1 process per core.
# may want to increase worker_connections too, but `ulimit -n` must be increased first.
worker_processes auto;
'';
# this is the standard `combined` log format, with the addition of $host # this is the standard `combined` log format, with the addition of $host
# so that we have the virtualHost in the log. # so that we have the virtualHost in the log.
@@ -21,6 +28,13 @@ in
log_format vcombined '$host:$server_port $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referrer" "$http_user_agent"'; log_format vcombined '$host:$server_port $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referrer" "$http_user_agent"';
access_log /var/log/nginx/private.log vcombined; access_log /var/log/nginx/private.log vcombined;
''; '';
# sets gzip_comp_level = 5
services.nginx.recommendedGzipSettings = true;
# enables OCSP stapling (so clients don't need contact the OCSP server -- i do instead)
# caches TLS sessions for 10m
services.nginx.recommendedTlsSettings = true;
# enables sendfile, tcp_nopush, tcp_nodelay, keepalive_timeout 65
services.nginx.recommendedOptimisation = true;
# web blog/personal site # web blog/personal site
services.nginx.virtualHosts."uninsane.org" = publog { services.nginx.virtualHosts."uninsane.org" = publog {
@@ -30,6 +44,7 @@ in
# and things don't look right. so force SSL. # and things don't look right. so force SSL.
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
inherit kTLS;
# uninsane.org/share/foo => /var/lib/uninsane/root/share/foo. # uninsane.org/share/foo => /var/lib/uninsane/root/share/foo.
# yes, nginx does not strip the prefix when evaluating against the root. # yes, nginx does not strip the prefix when evaluating against the root.
@@ -79,6 +94,7 @@ in
services.nginx.virtualHosts."sink.uninsane.org" = { services.nginx.virtualHosts."sink.uninsane.org" = {
addSSL = true; addSSL = true;
enableACME = true; enableACME = true;
inherit kTLS;
root = "/var/lib/uninsane/sink"; root = "/var/lib/uninsane/sink";
locations."/ws" = { locations."/ws" = {
@@ -99,6 +115,7 @@ in
services.nginx.virtualHosts."fed.uninsane.org" = publog { services.nginx.virtualHosts."fed.uninsane.org" = publog {
forceSSL = true; # pleroma redirects to https anyway forceSSL = true; # pleroma redirects to https anyway
enableACME = true; enableACME = true;
inherit kTLS;
locations."/" = { locations."/" = {
proxyPass = "http://127.0.0.1:4000"; proxyPass = "http://127.0.0.1:4000";
# documented: https://git.pleroma.social/pleroma/pleroma/-/blob/develop/installation/pleroma.nginx # documented: https://git.pleroma.social/pleroma/pleroma/-/blob/develop/installation/pleroma.nginx
@@ -140,6 +157,7 @@ in
# basicAuth is literally cleartext user/pw, so FORCE this to happen over SSL # basicAuth is literally cleartext user/pw, so FORCE this to happen over SSL
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
inherit kTLS;
locations."/" = { locations."/" = {
# proxyPass = "http://ovpns.uninsane.org:9091"; # proxyPass = "http://ovpns.uninsane.org:9091";
proxyPass = "http://10.0.1.6:9091"; proxyPass = "http://10.0.1.6:9091";
@@ -150,6 +168,7 @@ in
services.nginx.virtualHosts."jackett.uninsane.org" = { services.nginx.virtualHosts."jackett.uninsane.org" = {
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
inherit kTLS;
locations."/" = { locations."/" = {
# proxyPass = "http://ovpns.uninsane.org:9117"; # proxyPass = "http://ovpns.uninsane.org:9117";
proxyPass = "http://10.0.1.6:9117"; proxyPass = "http://10.0.1.6:9117";
@@ -160,6 +179,7 @@ in
services.nginx.virtualHosts."matrix.uninsane.org" = publog { services.nginx.virtualHosts."matrix.uninsane.org" = publog {
addSSL = true; addSSL = true;
enableACME = true; enableACME = true;
inherit kTLS;
# TODO colin: replace this with something helpful to the viewer # TODO colin: replace this with something helpful to the viewer
# locations."/".extraConfig = '' # locations."/".extraConfig = ''
@@ -186,6 +206,7 @@ in
services.nginx.virtualHosts."web.matrix.uninsane.org" = { services.nginx.virtualHosts."web.matrix.uninsane.org" = {
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
inherit kTLS;
root = pkgs.element-web.override { root = pkgs.element-web.override {
conf = { conf = {
@@ -201,6 +222,7 @@ in
services.nginx.virtualHosts."git.uninsane.org" = publog { services.nginx.virtualHosts."git.uninsane.org" = publog {
forceSSL = true; # gitea complains if served over a different protocol than its config file says forceSSL = true; # gitea complains if served over a different protocol than its config file says
enableACME = true; enableACME = true;
inherit kTLS;
locations."/" = { locations."/" = {
proxyPass = "http://127.0.0.1:3000"; proxyPass = "http://127.0.0.1:3000";
@@ -212,6 +234,7 @@ in
services.nginx.virtualHosts."jelly.uninsane.org" = { services.nginx.virtualHosts."jelly.uninsane.org" = {
addSSL = true; addSSL = true;
enableACME = true; enableACME = true;
inherit kTLS;
locations."/" = { locations."/" = {
proxyPass = "http://127.0.0.1:8096"; proxyPass = "http://127.0.0.1:8096";
@@ -258,12 +281,14 @@ in
services.nginx.virtualHosts."music.uninsane.org" = { services.nginx.virtualHosts."music.uninsane.org" = {
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
inherit kTLS;
locations."/".proxyPass = "http://127.0.0.1:4533"; locations."/".proxyPass = "http://127.0.0.1:4533";
}; };
services.nginx.virtualHosts."rss.uninsane.org" = { services.nginx.virtualHosts."rss.uninsane.org" = {
addSSL = true; addSSL = true;
enableACME = true; enableACME = true;
inherit kTLS;
# the routing is handled by freshrss.nix # the routing is handled by freshrss.nix
}; };
@@ -272,6 +297,7 @@ in
# ideally we'd disable ssl entirely, but some places assume it? # ideally we'd disable ssl entirely, but some places assume it?
addSSL = true; addSSL = true;
enableACME = true; enableACME = true;
inherit kTLS;
default = true; default = true;
@@ -297,6 +323,7 @@ in
services.nginx.virtualHosts."nixcache.uninsane.org" = { services.nginx.virtualHosts."nixcache.uninsane.org" = {
addSSL = true; addSSL = true;
enableACME = true; enableACME = true;
inherit kTLS;
# serverAliases = [ "nixcache" ]; # serverAliases = [ "nixcache" ];
locations."/".extraConfig = '' locations."/".extraConfig = ''
proxy_pass http://localhost:${toString config.services.nix-serve.port}; proxy_pass http://localhost:${toString config.services.nix-serve.port};
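Review bot: Turning on `services.nginx.recommendedGzipSettings` globally in the second hunk, while every virtual host is now TLS-only, applies response compression to the dynamic proxied backends too (the `proxyPass` hosts for pleroma, gitea, matrix, jellyfin and the basicAuth-protected one), which is the precondition for BREACH-style compression side channels: an attacker who can inject a string into an HTTPS response that also carries a per-session secret (CSRF token, session id) can recover that secret from the compressed length. The cheap mitigation is to confine compression to the static-content hosts, e.g. add `extraConfig = "gzip off;";` to the proxied virtual hosts (or to their `locations."/"`), and leave the site-wide setting for `uninsane.org` and `nixcache`; if the risk is accepted on the grounds that the backends use their own mitigations, that decision is worth a one-line comment next to the setting. Separately, the comment `# caches TLS sessions for 10m` on `recommendedTlsSettings` looks like a misreading: as far as I recall the module emits `ssl_session_cache shared:SSL:10m`, where `10m` is the shared cache size in megabytes, and the session lifetime comes from `ssl_session_timeout`, so I would reword it to `# 10 MB shared session cache; lifetime governed by ssl_session_timeout`. The kTLS flag is harmless but worth a note that nginx silently falls back to userspace TLS when the kernel `tls` module or OpenSSL KTLS support is absent, so "better perf" should be confirmed rather than assumed.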