From dcfd2ba0054c110a982e8276f224d84954ca135f Mon Sep 17 00:00:00 2001 From: Azat Bahawi Date: Mon, 29 Jul 2024 20:51:57 +0300 Subject: 2024-07-29 --- modules/nginx.nix | 36 +++++++++++++++++++++++++----------- 1 file changed, 25 insertions(+), 11 deletions(-) (limited to 'modules') diff --git a/modules/nginx.nix b/modules/nginx.nix index 2ac6d1b..6cb47b4 100644 --- a/modules/nginx.nix +++ b/modules/nginx.nix @@ -29,13 +29,16 @@ in config = mkIf cfg.enable { _module.args.libNginx.config = { internalOnly = '' + add_header X-Robots-Tag "noindex, nofollow, noarchive, nosnippet"; + access_log off; if ($internal != 1) { return 403; } - access_log off; ''; - # FIXME This stopped working. appendHead = text: '' + brotli off; + gzip off; + zstd off; sub_filter '' '${lib.concatStrings text}'; sub_filter_once on; ''; 
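Review bot: The `add_header X-Robots-Tag ...` line added to `internalOnly` stops any `add_header` set at an outer level from being inherited wherever this snippet is included, because nginx inherits `add_header` from the enclosing level only when the current level defines none. If any vhost sets response security headers at `http` or `server` level (not visible in this hunk), they would be silently dropped on internal-only locations. A comment next to the snippet would make that explicit, e.g. `# add_header here replaces inherited headers; repeat any outer ones that are still needed`. Without the `always` parameter the header is also omitted from the 403 returned to non-internal clients. Moving `access_log off;` above the `if` does not appear to change its scope, so denied requests to these endpoints stay unlogged, which limits visibility into probing.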
@@ -48,25 +51,36 @@ in services = { nginx = { enable = true; + enableReload = true; package = pkgs.nginxMainline; - statusPage = true; + statusPage = mkDefault true; + + recommendedOptimisation = mkDefault true; + recommendedProxySettings = mkDefault true; + recommendedTlsSettings = mkDefault true; - serverTokens = false; + recommendedBrotliSettings = mkDefault true; + recommendedGzipSettings = mkDefault true; + recommendedZstdSettings = mkDefault true; - recommendedBrotliSettings = lib.mkDefault true; - recommendedGzipSettings = lib.mkDefault true; - recommendedOptimisation = lib.mkDefault true; - recommendedProxySettings = lib.mkDefault true; - recommendedTlsSettings = lib.mkDefault true; - recommendedZstdSettings = lib.mkDefault true; + resolver.addresses = + let + isIPv6 = addr: builtins.match ".*:.*:.*" addr != null; + escapeIPv6 = addr: if isIPv6 addr then "[${addr}]" else addr; + resolvers = + if config.networking.nameservers != [ ] then + config.networking.nameservers + else + dns.const.quad9.default; + in + map escapeIPv6 resolvers; commonHttpConfig = concatStrings [ '' access_log syslog:server=unix:/dev/log; - add_header X-Robots-Tag "noindex, nofollow, noarchive, nosnippet"; '' (optionalString (hasAttr "wireguard" this) ( with config.nixfiles.modules.wireguard; -- cgit 1.4.1
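Review bot: The new `resolver.addresses` falls back to `dns.const.quad9.default` when `networking.nameservers` is empty, which points nginx's built-in resolver at a public service over what is normally plain, unauthenticated DNS. The nginx documentation recommends keeping resolvers on a trusted local network to limit spoofing. The fallback therefore deserves a comment such as `# nginx resolver speaks unauthenticated DNS; prefer a local or otherwise trusted resolver`, or a local caching resolver where one is available. `isIPv6` treats any string containing two colons as IPv6, so an entry that is already bracketed or carries a zone suffix would be wrapped as-is; a short comment stating the accepted address forms would help. `dns` is defined outside this hunk, so the contents of the fallback list are assumed rather than verified here.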