nginx: enable http3
parent
03c32f38d0
commit
992b4796ad
4 changed files with 11 additions and 6 deletions
|
@ -231,7 +231,6 @@
|
|||
pkgs.postgresql15Packages.rum
|
||||
];
|
||||
services.nginx = {
|
||||
package = pkgs.tengine;
|
||||
clientMaxBodySize = "256m";
|
||||
commonHttpConfig = ''
|
||||
proxy_cache_path /var/cache/nginx/cache/akkoma-media-cache
|
||||
|
|
|
@ -1,4 +1,6 @@
|
|||
{ config, lib, ... }: with lib; {
|
||||
{ config, lib, pkgs, ... }: let
|
||||
inherit (lib) mkDefault;
|
||||
in {
|
||||
kyouma.deployment.tags = [ "web" ];
|
||||
security.dhparams.enable = true;
|
||||
security.dhparams.params.nginx = {};
|
||||
|
@ -9,9 +11,10 @@
|
|||
email = "noc@kyouma.net";
|
||||
};
|
||||
};
|
||||
networking.firewall.allowedUDPPorts = [ 443 ];
|
||||
services.nginx = {
|
||||
enable = true;
|
||||
#package = pkgs.nginxQuic;
|
||||
package = mkDefault pkgs.nginxQuic;
|
||||
|
||||
recommendedGzipSettings = true;
|
||||
recommendedOptimisation = true;
|
||||
|
@ -32,6 +35,7 @@
|
|||
add_header X-XSS-Protection "1; mode=block" always;
|
||||
add_header X-Frame-Options "SAMEORIGIN" always;
|
||||
add_header Referrer-Policy "same-origin" always;
|
||||
add_header Alt-Svc 'h3=":443"; ma=7776000; persist=1, h2=":443"; ma=7776000; persist=1';
|
||||
#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
|
||||
'';
|
||||
eventsConfig = ''
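Review bot: The Alt-Svc header added after the Referrer-Policy line advertises h3 with `ma=7776000; persist=1`, so a client that has seen it may keep preferring QUIC on UDP 443 for 90 days and across network changes, even if the server later stops offering it. While HTTP/3 is newly enabled, a short lifetime is easier to roll back, for example `add_header Alt-Svc 'h3=":443"; ma=86400' always;`. The `h2=":443"` entry only repeats the origin's own TCP endpoint and can probably be dropped, and `always` would match the neighbouring headers. The same header string is added to the per-vhost `extraConfig` in the vhost helper section, so both places should carry the same value. Separately, `networking.firewall.allowedUDPPorts = [ 443 ];` opens the port on every host importing this module; consider `quic_retry on;` in the http-level config so QUIC address validation applies to the newly exposed listener.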
|
||||
|
|
|
@ -2,6 +2,7 @@
|
|||
cfg = config.kyouma.nginx;
|
||||
extraConfig = ''
|
||||
add_header Strict-Transport-Security $hsts_header;
|
||||
add_header Alt-Svc 'h3=":443"; ma=7776000; persist=1, h2=":443"; ma=7776000; persist=1';
|
||||
#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
|
||||
add_header X-Content-Type-Options "nosniff" always;
|
||||
add_header X-XSS-Protection "1; mode=block" always;
|
||||
|
@ -9,11 +10,11 @@
|
|||
add_header Referrer-Policy "same-origin" always;
|
||||
'';
|
||||
createHost = vhostName: vhostCfg: {
|
||||
extraConfig = (lib.optionalString (builtins.hasAttr "extraConfig" vhostCfg) vhostCfg.extraConfig) + "\n" + extraConfig;
|
||||
extraConfig = lib.optionalString (builtins.hasAttr "extraConfig" vhostCfg) (vhostCfg.extraConfig + "\n" + extraConfig);
|
||||
forceSSL = true;
|
||||
#kTLS = true;
|
||||
#http3 = true;
|
||||
#quic = true;
|
||||
http3 = true;
|
||||
quic = true;
|
||||
} //
|
||||
lib.optionalAttrs (!(builtins.hasAttr "useACMEHost" vhostCfg)) {
|
||||
enableACME = true;
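Review bot: The rewritten `extraConfig` line in `createHost` wraps the whole concatenation in `lib.optionalString`, so a vhost that defines no `extraConfig` of its own gets an empty string and loses the shared block with Strict-Transport-Security, X-Content-Type-Options and the other headers (assuming the second of the two printed `extraConfig` lines is the new side, as the print order suggests). The other form appends the shared block unconditionally. Unless the http-level config repeats every one of these headers, including HSTS, those vhosts would be served without them. Something like `extraConfig = (vhostCfg.extraConfig or "") + "\n" + extraConfig;` keeps the per-vhost addition optional and the headers mandatory. `createHost` continues past the end of the hunk, so how its result is merged with `vhostCfg` is not visible here.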
|
||||
|
|
|
@ -6,4 +6,5 @@ final: prev: {
|
|||
librespeed-rust = final.callPackage ./librespeed-rust/default.nix {};
|
||||
librespeed-go = final.callPackage ./librespeed-go/default.nix {};
|
||||
akkoma-fe-domi = final.callPackage ./akkoma-fe-domi/default.nix {};
|
||||
nginxQuic = prev.nginxQuic.override { withSlice = true; };
|
||||
}
|
||||
|
|