nginx: enable http3

emily 2024-11-04 18:51:13 +01:00
parent 03c32f38d0
commit 992b4796ad
Signed by: emily
GPG key ID: F6F4C66207FCF995
4 changed files with 11 additions and 6 deletions


@ -231,7 +231,6 @@
pkgs.postgresql15Packages.rum pkgs.postgresql15Packages.rum
]; ];
services.nginx = { services.nginx = {
package = pkgs.tengine;
clientMaxBodySize = "256m"; clientMaxBodySize = "256m";
commonHttpConfig = '' commonHttpConfig = ''
proxy_cache_path /var/cache/nginx/cache/akkoma-media-cache proxy_cache_path /var/cache/nginx/cache/akkoma-media-cache


@ -1,4 +1,6 @@
{ config, lib, ... }: with lib; { { config, lib, pkgs, ... }: let
inherit (lib) mkDefault;
in {
kyouma.deployment.tags = [ "web" ]; kyouma.deployment.tags = [ "web" ];
security.dhparams.enable = true; security.dhparams.enable = true;
security.dhparams.params.nginx = {}; security.dhparams.params.nginx = {};
@ -9,9 +11,10 @@
email = "noc@kyouma.net"; email = "noc@kyouma.net";
}; };
}; };
networking.firewall.allowedUDPPorts = [ 443 ];
services.nginx = { services.nginx = {
enable = true; enable = true;
#package = pkgs.nginxQuic; package = mkDefault pkgs.nginxQuic;
recommendedGzipSettings = true; recommendedGzipSettings = true;
recommendedOptimisation = true; recommendedOptimisation = true;
@ -32,6 +35,7 @@
add_header X-XSS-Protection "1; mode=block" always; add_header X-XSS-Protection "1; mode=block" always;
add_header X-Frame-Options "SAMEORIGIN" always; add_header X-Frame-Options "SAMEORIGIN" always;
add_header Referrer-Policy "same-origin" always; add_header Referrer-Policy "same-origin" always;
add_header Alt-Svc 'h3=":443"; ma=7776000; persist=1, h2=":443"; ma=7776000; persist=1';
#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always; #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
''; '';
eventsConfig = '' eventsConfig = ''
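Review bot: The `Alt-Svc` line added at L45 is the only `add_header` in this block without `always`, so nginx will emit the neighbouring headers on error responses but not this one; add `always` for consistency or leave a comment saying why it is omitted. Separately, `ma=7776000; persist=1` asks clients to remember the h3 endpoint for 90 days across network changes (RFC 7838's default is 24 h), and a long-lived, persisted Alt-Svc is also the classic Alt-Svc tracking vector, so a shorter `ma` such as `86400` is safer while the QUIC deployment is new; the `h2=":443"` entry is redundant because h2 is already negotiated via ALPN. The firewall now accepts UDP 443 from anywhere, and unless the NixOS module already emits `quic_retry on;` (not visible here) it is worth adding to `commonHttpConfig` so that unvalidated source addresses cannot use the server for QUIC amplification. The header block this hunk edits continues outside the hunk.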


@ -2,6 +2,7 @@
cfg = config.kyouma.nginx; cfg = config.kyouma.nginx;
extraConfig = '' extraConfig = ''
add_header Strict-Transport-Security $hsts_header; add_header Strict-Transport-Security $hsts_header;
add_header Alt-Svc 'h3=":443"; ma=7776000; persist=1, h2=":443"; ma=7776000; persist=1';
#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always; #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
add_header X-Content-Type-Options "nosniff" always; add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always; add_header X-XSS-Protection "1; mode=block" always;
@ -9,11 +10,11 @@
add_header Referrer-Policy "same-origin" always; add_header Referrer-Policy "same-origin" always;
''; '';
createHost = vhostName: vhostCfg: { createHost = vhostName: vhostCfg: {
extraConfig = (lib.optionalString (builtins.hasAttr "extraConfig" vhostCfg) vhostCfg.extraConfig) + "\n" + extraConfig; extraConfig = lib.optionalString (builtins.hasAttr "extraConfig" vhostCfg) (vhostCfg.extraConfig + "\n" + extraConfig);
forceSSL = true; forceSSL = true;
#kTLS = true; #kTLS = true;
#http3 = true; http3 = true;
#quic = true; quic = true;
} // } //
lib.optionalAttrs (!(builtins.hasAttr "useACMEHost" vhostCfg)) { lib.optionalAttrs (!(builtins.hasAttr "useACMEHost" vhostCfg)) {
enableACME = true; enableACME = true;
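Review bot: The rewrite of `extraConfig` at L64 changes more than http3: previously the shared header block (HSTS, nosniff, X-Frame-Options, Referrer-Policy) was appended to every host built by `createHost`, but now it is appended only when the vhost defines its own `extraConfig`, so a host without one silently loses `add_header Strict-Transport-Security $hsts_header` and the rest. That may be intended so such hosts inherit the http-level headers added in the same commit, but nginx inherits `add_header` only into a level that defines none of its own, and the HSTS header is not part of the http-level block visible here. Keeping the append unconditional is a one-line change: `extraConfig = (lib.optionalString (builtins.hasAttr "extraConfig" vhostCfg) (vhostCfg.extraConfig + "\n")) + extraConfig;`. If dropping the headers for hosts without an `extraConfig` is intended, a comment above the line saying so would keep the next reader from reverting it. `createHost` continues past the end of the hunk.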


@ -6,4 +6,5 @@ final: prev: {
librespeed-rust = final.callPackage ./librespeed-rust/default.nix {}; librespeed-rust = final.callPackage ./librespeed-rust/default.nix {};
librespeed-go = final.callPackage ./librespeed-go/default.nix {}; librespeed-go = final.callPackage ./librespeed-go/default.nix {};
akkoma-fe-domi = final.callPackage ./akkoma-fe-domi/default.nix {}; akkoma-fe-domi = final.callPackage ./akkoma-fe-domi/default.nix {};
nginxQuic = prev.nginxQuic.override { withSlice = true; };
} }