diff --git a/base.nix b/base.nix index 1c41ba04..19336eba 100644 --- a/base.nix +++ b/base.nix @@ -88,17 +88,44 @@ systemd.services.nginx.after = [ "generate-snakeoil-certs.service" ]; - environment.snakeoil-certs = lib.mkIf (config.services.nginx.enable) { + environment.snakeoil-certs = lib.mkIf config.services.nginx.enable { "/etc/certs/nginx" = { owner = "nginx"; group = "nginx"; }; }; - services.nginx.virtualHosts."_" = lib.mkIf (config.services.nginx.enable) { + services.nginx.virtualHosts."_" = lib.mkIf config.services.nginx.enable { sslCertificate = "/etc/certs/nginx.crt"; sslCertificateKey = "/etc/certs/nginx.key"; addSSL = true; extraConfig = "return 444;"; + + recommendedTlsSettings = true; + recommendedProxySettings = true; + recommendedOptimisation = true; + recommendedGzipSettings = true; + + config = '' + pcre_jit on; + worker_processes auto; + worker_rlimit_nofile 100000; + ''; + eventsConfig = '' + worker_connections 2048; + use epoll; + multi_accept on; + ''; + }; + + systemd.services.nginx.serviceConfig = { + LimitNOFILE = 65536; + }; + + networking.firewall.allowedTCPPorts = lib.mkIf config.services.nginx.enable [ 80 443 ]; + + security.acme = { + acceptTerms = true; + defaults.email = "drift@pvv.ntnu.no"; }; } diff --git a/hosts/bekkalokk/services/gitea/default.nix b/hosts/bekkalokk/services/gitea/default.nix index e79f30b0..fe51e65f 100644 --- a/hosts/bekkalokk/services/gitea/default.nix +++ b/hosts/bekkalokk/services/gitea/default.nix @@ -59,9 +59,9 @@ in { services.nginx.virtualHosts."${domain}" = { forceSSL = true; enableACME = true; + kTLS = true; locations."/" = { proxyPass = "http://unix:${cfg.settings.server.HTTP_ADDR}"; - recommendedProxySettings = true; extraConfig = '' client_max_body_size 512M; ''; diff --git a/hosts/bekkalokk/services/idp-simplesamlphp/default.nix b/hosts/bekkalokk/services/idp-simplesamlphp/default.nix index 0e6fd597..28e70639 100644 --- a/hosts/bekkalokk/services/idp-simplesamlphp/default.nix +++ b/hosts/bekkalokk/services/idp-simplesamlphp/default.nix @@ -180,6 +180,7 @@ in services.nginx.virtualHosts."idp2.pvv.ntnu.no" = { forceSSL = true; enableACME = true; + kTLS = true; root = "${package}/share/php/simplesamlphp/public"; locations = { # based on https://simplesamlphp.org/docs/stable/simplesamlphp-install.html#configuring-nginx diff --git a/hosts/bekkalokk/services/mediawiki/default.nix b/hosts/bekkalokk/services/mediawiki/default.nix index 1cdda56f..ab64311c 100644 --- a/hosts/bekkalokk/services/mediawiki/default.nix +++ b/hosts/bekkalokk/services/mediawiki/default.nix @@ -152,6 +152,7 @@ in { users.groups.mediawiki.members = [ "nginx" ]; services.nginx.virtualHosts."wiki.pvv.ntnu.no" = { + kTLS = true; forceSSL = true; enableACME = true; locations = { diff --git a/hosts/bekkalokk/services/nginx/default.nix b/hosts/bekkalokk/services/nginx/default.nix index a1a22532..0ff747d8 100644 --- a/hosts/bekkalokk/services/nginx/default.nix +++ b/hosts/bekkalokk/services/nginx/default.nix @@ -4,19 +4,5 @@ ./ingress.nix ]; - security.acme = { - acceptTerms = true; - defaults.email = "drift@pvv.ntnu.no"; - }; - - services.nginx = { - enable = true; - - recommendedTlsSettings = true; - recommendedProxySettings = true; - recommendedOptimisation = true; - recommendedGzipSettings = true; - }; - - networking.firewall.allowedTCPPorts = [ 80 443 ]; + services.nginx.enable = true; } diff --git a/hosts/bekkalokk/services/nginx/ingress.nix b/hosts/bekkalokk/services/nginx/ingress.nix index 2950846b..3b48ca04 100644 --- a/hosts/bekkalokk/services/nginx/ingress.nix +++ b/hosts/bekkalokk/services/nginx/ingress.nix @@ -5,6 +5,7 @@ serverAliases = [ "www2.pvv.org" "pvv.ntnu.no" "pvv.org" ]; addSSL = true; enableACME = true; + kTLS = true; locations = { # Proxy home directories diff --git a/hosts/bekkalokk/services/webmail/default.nix b/hosts/bekkalokk/services/webmail/default.nix index e61ad003..752d00a5 100644 --- a/hosts/bekkalokk/services/webmail/default.nix +++ b/hosts/bekkalokk/services/webmail/default.nix @@ -7,7 +7,7 @@ services.nginx.virtualHosts."webmail2.pvv.ntnu.no" = { forceSSL = true; enableACME = true; - #locations."/" = lib.mkForce { }; + kTLS = true; locations."= /" = { return = "301 https://www.pvv.ntnu.no/mail/"; }; diff --git a/hosts/bekkalokk/services/webmail/roundcube.nix b/hosts/bekkalokk/services/webmail/roundcube.nix index c47caaea..ef157acf 100644 --- a/hosts/bekkalokk/services/webmail/roundcube.nix +++ b/hosts/bekkalokk/services/webmail/roundcube.nix @@ -35,6 +35,7 @@ in services.nginx.virtualHosts."roundcubeplaceholder.example.com" = lib.mkForce { }; services.nginx.virtualHosts.${domain} = { + kTLS = true; locations."/roundcube" = { tryFiles = "$uri $uri/ =404"; index = "index.php"; diff --git a/hosts/bicep/services/matrix/element.nix b/hosts/bicep/services/matrix/element.nix index 1f6452a4..5963148a 100644 --- a/hosts/bicep/services/matrix/element.nix +++ b/hosts/bicep/services/matrix/element.nix @@ -5,6 +5,7 @@ in { services.nginx.virtualHosts."chat.pvv.ntnu.no" = { enableACME = true; forceSSL = true; + kTLS = true; root = pkgs.element-web.override { conf = { diff --git a/hosts/bicep/services/matrix/synapse.nix b/hosts/bicep/services/matrix/synapse.nix index 2b0d1601..bcdb850f 100644 --- a/hosts/bicep/services/matrix/synapse.nix +++ b/hosts/bicep/services/matrix/synapse.nix @@ -217,6 +217,9 @@ in { services.redis.servers."".enable = true; services.nginx.virtualHosts."matrix.pvv.ntnu.no" = lib.mkMerge [ + ({ + kTLS = true; + }) ({ locations."/.well-known/matrix/server" = { return = '' diff --git a/hosts/bicep/services/nginx/default.nix b/hosts/bicep/services/nginx/default.nix index 4eb1e035..78786fad 100644 --- a/hosts/bicep/services/nginx/default.nix +++ b/hosts/bicep/services/nginx/default.nix @@ -1,15 +1,8 @@ { config, values, ... }: { - security.acme = { - acceptTerms = true; - defaults.email = "danio@pvv.ntnu.no"; - }; - services.nginx = { enable = true; - enableReload = true; - defaultListenAddresses = [ values.hosts.bicep.ipv4 "[${values.hosts.bicep.ipv6}]" @@ -20,7 +13,6 @@ ]; appendConfig = '' - pcre_jit on; worker_processes 8; worker_rlimit_nofile 8192; ''; @@ -29,17 +21,5 @@ multi_accept on; worker_connections 4096; ''; - - recommendedProxySettings = true; - recommendedTlsSettings = true; - recommendedGzipSettings = true; - recommendedBrotliSettings = true; - recommendedOptimisation = true; - }; - - networking.firewall.allowedTCPPorts = [ 80 443 ]; - - systemd.services.nginx.serviceConfig = { - LimitNOFILE = 65536; }; } diff --git a/hosts/ildkule/services/metrics/grafana.nix b/hosts/ildkule/services/metrics/grafana.nix index a2d24249..ca62f046 100644 --- a/hosts/ildkule/services/metrics/grafana.nix +++ b/hosts/ildkule/services/metrics/grafana.nix @@ -91,6 +91,7 @@ in { services.nginx.virtualHosts.${cfg.settings.server.domain} = { enableACME = true; forceSSL = true; + kTLS = true; locations = { "/" = { proxyPass = "http://127.0.0.1:${toString cfg.settings.server.http_port}"; diff --git a/hosts/ildkule/services/nginx/default.nix b/hosts/ildkule/services/nginx/default.nix index 90954a1b..c9e8f704 100644 --- a/hosts/ildkule/services/nginx/default.nix +++ b/hosts/ildkule/services/nginx/default.nix @@ -1,15 +1,8 @@ { config, values, ... }: { - security.acme = { - acceptTerms = true; - defaults.email = "drift@pvv.ntnu.no"; - }; - services.nginx = { enable = true; - enableReload = true; - defaultListenAddresses = [ values.hosts.ildkule.ipv4 "[${values.hosts.ildkule.ipv6}]" @@ -18,12 +11,5 @@ "127.0.0.2" "[::1]" ]; - - recommendedProxySettings = true; - recommendedTlsSettings = true; - recommendedGzipSettings = true; - recommendedOptimisation = true; }; - - networking.firewall.allowedTCPPorts = [ 80 443 ]; } diff --git a/modules/grzegorz.nix b/modules/grzegorz.nix index 0bd9b74d..6c0600ba 100644 --- a/modules/grzegorz.nix +++ b/modules/grzegorz.nix @@ -24,15 +24,12 @@ in { services.grzegorz-webui.hostName = "${config.networking.fqdn}"; services.grzegorz-webui.apiBase = "http://${toString grg.listenAddr}:${toString grg.listenPort}/api"; - security.acme.acceptTerms = true; - security.acme.defaults.email = "pederbs@pvv.ntnu.no"; - services.nginx.enable = true; - networking.firewall.allowedTCPPorts = [ 80 443 ]; services.nginx.virtualHosts."${config.networking.fqdn}" = { forceSSL = true; enableACME = true; + kTLS = true; serverAliases = [ "${config.networking.hostName}.pvv.org" ];