From 992b4796ad3a6743bf47adfe294077e0db2a1434 Mon Sep 17 00:00:00 2001
From: emily
Date: Mon, 4 Nov 2024 18:51:13 +0100
Subject: [PATCH] nginx: enable http3

---
 config/services/akkoma/default.nix | 1 -
 config/services/nginx.nix | 8 ++++++--
 modules/nginx/default.nix | 7 ++++---
 pkgs/overlay.nix | 1 +
 4 files changed, 11 insertions(+), 6 deletions(-)

diff --git a/config/services/akkoma/default.nix b/config/services/akkoma/default.nix
index c9d0d85..a2ad317 100644
--- a/config/services/akkoma/default.nix
+++ b/config/services/akkoma/default.nix
@@ -231,7 +231,6 @@
 pkgs.postgresql15Packages.rum
 ];
 services.nginx = {
- package = pkgs.tengine;
 clientMaxBodySize = "256m";
 commonHttpConfig = ''
 proxy_cache_path /var/cache/nginx/cache/akkoma-media-cache
diff --git a/config/services/nginx.nix b/config/services/nginx.nix
index 1a11e0a..f76663f 100644
--- a/config/services/nginx.nix
+++ b/config/services/nginx.nix
@@ -1,4 +1,6 @@
-{ config, lib, ... }: with lib; {
+{ config, lib, pkgs, ... }: let
+ inherit (lib) mkDefault;
+in {
 kyouma.deployment.tags = [ "web" ];
 security.dhparams.enable = true;
 security.dhparams.params.nginx = {};
@@ -9,9 +11,10 @@
 email = "noc@kyouma.net";
 };
 };
+ networking.firewall.allowedUDPPorts = [ 443 ];
 services.nginx = {
 enable = true;
- #package = pkgs.nginxQuic;
+ package = mkDefault pkgs.nginxQuic;
 recommendedGzipSettings = true;
 recommendedOptimisation = true;
@@ -32,6 +35,7 @@
 add_header X-XSS-Protection "1; mode=block" always;
 add_header X-Frame-Options "SAMEORIGIN" always;
 add_header Referrer-Policy "same-origin" always;
+ add_header Alt-Svc 'h3=":443"; ma=7776000; persist=1, h2=":443"; ma=7776000; persist=1';
 #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
 '';
 eventsConfig = ''
diff --git a/modules/nginx/default.nix b/modules/nginx/default.nix
index 44b3783..644a2c7 100644
--- a/modules/nginx/default.nix
+++ b/modules/nginx/default.nix
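Review bot: `package = mkDefault pkgs.nginxQuic;` keeps the package overridable per host, while the `createHost` change in modules/nginx/default.nix in this same commit turns on `http3 = true; quic = true;` for every vhost, so a host that overrides the package (as akkoma did with `pkgs.tengine` until this commit) must pick a QUIC-capable build or nginx would presumably fail to start on the generated `listen ... quic` directives. That coupling is not recorded anywhere in the hunk; a comment on the package line would stop the next override from reintroducing the breakage: `# overridable, but modules/nginx forces http3/quic on every vhost: any replacement must be built with QUIC support`. The new `networking.firewall.allowedUDPPorts = [ 443 ];` is the only thing exposing QUIC to the network and is set host-wide rather than tied to `services.nginx.enable`; fine for a web-tagged host, but worth a comment saying it exists for HTTP/3 so it is removed together with it.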
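Review bot: The new `add_header Alt-Svc ...` line omits the `always` flag that the neighbouring X-XSS-Protection, X-Frame-Options and Referrer-Policy headers carry, so nginx only emits it on the default success/redirect status codes and the h3 advertisement is missing from error responses; the copy added to the `extraConfig` block in modules/nginx/default.nix has the same omission. Either append it for consistency with the siblings, `add_header Alt-Svc 'h3=":443"; ma=7776000; persist=1, h2=":443"; ma=7776000; persist=1' always;`, or note why it is deliberately left off. `ma=7776000` is 90 days; a short trailing comment such as `# ma = 90 days` would save the next reader the arithmetic.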
@@ -2,6 +2,7 @@
 cfg = config.kyouma.nginx;
 extraConfig = ''
 add_header Strict-Transport-Security $hsts_header;
+ add_header Alt-Svc 'h3=":443"; ma=7776000; persist=1, h2=":443"; ma=7776000; persist=1';
 #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
 add_header X-Content-Type-Options "nosniff" always;
 add_header X-XSS-Protection "1; mode=block" always;
@@ -9,11 +10,11 @@
 add_header Referrer-Policy "same-origin" always;
 '';
 createHost = vhostName: vhostCfg: {
- extraConfig = (lib.optionalString (builtins.hasAttr "extraConfig" vhostCfg) vhostCfg.extraConfig) + "\n" + extraConfig;
+ extraConfig = lib.optionalString (builtins.hasAttr "extraConfig" vhostCfg) (vhostCfg.extraConfig + "\n" + extraConfig);
 forceSSL = true;
 #kTLS = true;
- #http3 = true;
- #quic = true;
+ http3 = true;
+ quic = true;
 } // lib.optionalAttrs (!(builtins.hasAttr "useACMEHost" vhostCfg)) {
 enableACME = true;
diff --git a/pkgs/overlay.nix b/pkgs/overlay.nix
index 571bfe8..72ef525 100644
--- a/pkgs/overlay.nix
+++ b/pkgs/overlay.nix
@@ -6,4 +6,5 @@ final: prev: {
 librespeed-rust = final.callPackage ./librespeed-rust/default.nix {};
 librespeed-go = final.callPackage ./librespeed-go/default.nix {};
 akkoma-fe-domi = final.callPackage ./akkoma-fe-domi/default.nix {};
+ nginxQuic = prev.nginxQuic.override { withSlice = true; };
 }
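Review bot: The rewritten `extraConfig` line in `createHost` changes when the module's header block is emitted: before, `"\n" + extraConfig` was appended for every vhost, now the whole expression is wrapped in `lib.optionalString (builtins.hasAttr "extraConfig" vhostCfg)`, so a vhost that defines no `extraConfig` of its own now gets an empty string and loses the server-level `Strict-Transport-Security`, `Alt-Svc`, `X-Content-Type-Options` and related headers. If that is intended — the same header set now also lives in `commonHttpConfig` in config/services/nginx.nix, and nginx stops inheriting `add_header` from the http level as soon as a server or location block declares one, so the per-vhost copy is only needed where a vhost's own `extraConfig` adds headers — a comment should say so: `# add_header is not inherited once a lower level defines one; re-emit the common headers only for vhosts whose own extraConfig may add some`. In the visible hunks `Strict-Transport-Security` appears only in this module's block, so such vhosts would lose HSTS unless commonHttpConfig sets it outside this view; if the change was not intended, the previous unconditional append should be restored. `createHost` continues past the end of the hunk.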
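Review bot: `nginxQuic = prev.nginxQuic.override { withSlice = true; };` enables the slice module, which is unrelated to the HTTP/3 change in the commit subject, and the hunk gives no reason for it; presumably it replaces something the akkoma media cache got from the `pkgs.tengine` package this commit drops, but that is inferred and should be confirmed. A one-line comment naming the consumer would keep the flag from being dropped as dead later, e.g. `# slice module: needed by <CONSUMER — name the config that uses the slice directive>`. Because this override is picked up by every host that uses the default package, the reason belongs here rather than only in the consumer's config.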