From 42a3ce22af4fbc54d8676c696fc325d2e2a5d0e3 Mon Sep 17 00:00:00 2001
From: Jack O'Sullivan
Date: Sun, 5 Jun 2022 18:18:43 +0100
Subject: [PATCH] nixos/middleman: Improve basic nginx configuration
---
 .../colony/vms/shill/containers/middleman.nix | 62 +++++++++++++++++-
 .../vms/shill/containers/vaultwarden.nix | 2 +-
 secrets/dhparams.pem.age | Bin 0 -> 1119 bytes
 3 files changed, 61 insertions(+), 3 deletions(-)
 create mode 100644 secrets/dhparams.pem.age
diff --git a/nixos/boxes/colony/vms/shill/containers/middleman.nix b/nixos/boxes/colony/vms/shill/containers/middleman.nix
index f5de0a9..a727a16 100644
--- a/nixos/boxes/colony/vms/shill/containers/middleman.nix
+++ b/nixos/boxes/colony/vms/shill/containers/middleman.nix
@@ -1,4 +1,4 @@
-{ lib, ...}: {
+{ lib, ... }: {
 nixos.systems.middleman = {
 system = "x86_64-linux";
 nixpkgs = "mine";
@@ -16,7 +16,7 @@
 };
 };
- configuration = { lib, config, assignments, ... }:
+ configuration = { lib, config, assignments, allAssignments, ... }:
 let
 inherit (lib) mkMerge mkIf;
 inherit (lib.my) networkdAssignment;
@@ -29,6 +29,7 @@
 secrets = {
 key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAuvP9DEsffop53Fsh7xIdeVyQSF6tSKrOUs2faq6rip";
+ files."dhparams.pem" = {};
 };
 firewall = {
@@ -47,6 +48,63 @@
 nginx = {
 enable = true;
 enableReload = true;
+
+ recommendedTlsSettings = true;
+ clientMaxBodySize = "0";
+ serverTokens = true;
+ resolver = {
+ addresses = [ "[${allAssignments.estuary.base.ipv6.address}]" ];
+ valid = "5s";
+ };
+ proxyResolveWhileRunning = true;
+ sslDhparam = config.age.secrets."dhparams.pem".path;
+
+ # Based on recommended*Settings, but probably better to be explicit about these
+ appendHttpConfig = ''
+ # NixOS provides a logrotate config that auto-compresses :)
+ access_log /var/log/nginx/access.log combined;
+
+ # optimisation
+ sendfile on;
+ tcp_nopush on;
+ tcp_nodelay on;
+ keepalive_timeout 65;
+
+ # gzip
+ gzip on;
+ gzip_proxied any;
+ gzip_comp_level 5;
+ gzip_types
+ application/atom+xml
+ application/javascript
+ application/json
+ application/xml
+ application/xml+rss
+ image/svg+xml
+ text/css
+ text/javascript
+ text/plain
+ text/xml;
+ gzip_vary on;
+
+ # proxying
+ proxy_buffering off;
+ proxy_redirect off;
+ proxy_connect_timeout 60s;
+ proxy_read_timeout 60s;
+ proxy_send_timeout 60s;
+ proxy_http_version 1.1;
+
+ # proxy headers
+ proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-Host $http_host;
+ proxy_set_header X-Forwarded-Server $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Forwarded-Protocol $scheme;
+ proxy_set_header X-Scheme $scheme;
+ '';
 };
 };
}
diff --git a/nixos/boxes/colony/vms/shill/containers/vaultwarden.nix b/nixos/boxes/colony/vms/shill/containers/vaultwarden.nix
index 7cd34f1..cccc01f 100644
--- a/nixos/boxes/colony/vms/shill/containers/vaultwarden.nix
+++ b/nixos/boxes/colony/vms/shill/containers/vaultwarden.nix
@@ -1,4 +1,4 @@
-{ lib, ...}: {
+{ lib, ... }: {
 nixos.systems.vaultwarden = {
 system = "x86_64-linux";
 nixpkgs = "mine";
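Review bot: `serverTokens = true;` in the new `services.nginx` block switches the nginx version string back on in the `Server` header and in error pages, which the NixOS module otherwise leaves off by default; unless something downstream needs it, drop the line or make it `serverTokens = false; # keep the version out of Server:/error pages`. `clientMaxBodySize = "0"` combined with `proxy_buffering off` means every vhost accepts request bodies of unbounded size and streams them straight to the backend, so the limit is better raised per vhost or location where uploads are actually expected than disabled globally. With `gzip_proxied any` and `gzip_types` covering `application/json` and `text/plain`, dynamic backend responses are compressed over TLS, which is the precondition for BREACH-style attacks if a backend reflects attacker-controlled input next to secrets such as CSRF tokens; consider restricting compression to static types or leaving it to the backends. `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` appends to whatever the client sent, so backends must take the last entry (or trust only this proxy) rather than the first when deriving the client address. The `nginx` attrset is closed inside the hunk, but the enclosing `configuration` function starts outside it.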
diff --git a/secrets/dhparams.pem.age b/secrets/dhparams.pem.age new file mode 100644 index 0000000000000000000000000000000000000000..49d2a75ea1487441748d8fbe7db16256f96b6b28 GIT binary patch literal 1119 zcmV-l1fct2XJsvAZewzJaCB*JZZ2qGi7x_Qdl=qR%B#ab4O5ZLr^bmNor46YG_PmICBauJ|I{!H8n9gAV)HKD@ac? zPi$IfN@6ouQFSYHK}&g1T32&bFfm6$GBGu6L}@fONL4{|3VL*FSx<3eHY-v=Filxj zM@mm*IZRqhL|QXtSV>M&I9F6@RdZ8jSxi@J3N1b$WJD=DSWzu!a%Ew2WgvV?AZ#Ek zK{#$rATBItR&;($3QtB^3N0-yAX#x~MKX3YY)eZ?P(gJ^Ia5JRH*`ZZQetp3D`<6Y zD`in}b4qnlWLjZa3b>HTY}!P>=iwEqJ@?v+D?}^J7@tEYBJEAlccz!%hY{KX>H23K zxy|>Qz^vcCz7AKkm=ErdrZ_p?onMK(aht*`Dx!Kh-O@&{LnR9<&|*Ile_8plDonWt zo0WfTdTyyc+pLYP|8k2oDjUQsB?;0;Mu|)&>x7xyk8!k<9%q zE`RrwI)6waFMB42?SmbPvgW_lp;g7_b+T|Av>#J`eSq+cNo`&zN6jAy;gHIMV)%_k z+E1Y9dt8ybU=!pFm7qn!B}MV{a)Be{qEjAu>w$F&an1%M>nlU!%no7AX_inUot>kX z{*m9bO&U|je5lGNh)q*VBT~F&n#2(TFe`hdSbKt1m0LvAYx}oUnx*F-;MEYB&?~3J z0y1RIlH_3f`CIFJw99z<9cg27SJEu{8^+G_p_*n~!_Wr9>KXi9gFEp3up5s6G*KXA zp69caq(8kO>cu2^iqr8W0Wf#OV$6g#;ufyLkqy0uLH3BKOYrih449XZ&7nQ^hXnD^t8NsxxCONtj|gBvK|oKxFle- zzzIEVDug}r2&_}AAN#k*-ux9NpN+A%)ug}`c1@iQRBmKxYtTm#jjCM!UmtwYb43&l zHSM510Tg=TL84jB7@T;T{T*0j*kPaY3^?|{ukeEll$9FqkQDq&YGOhHGm#V?d&!kn zn0yC}D4lTmQF6gHES3I>tr{+)4^9^u8C>8vRGB2xHsCvQ6+D4_!8cESF$Ac2y8iJM>QHlT#TWPwS9H2;