From 42a3ce22af4fbc54d8676c696fc325d2e2a5d0e3 Mon Sep 17 00:00:00 2001
From: Jack O'Sullivan
Date: Sun, 5 Jun 2022 18:18:43 +0100
Subject: [PATCH] nixos/middleman: Improve basic nginx configuration
---
 .../colony/vms/shill/containers/middleman.nix | 62 +++++++++++++++++-
 .../vms/shill/containers/vaultwarden.nix | 2 +-
 secrets/dhparams.pem.age | Bin 0 -> 1119 bytes
 3 files changed, 61 insertions(+), 3 deletions(-)
 create mode 100644 secrets/dhparams.pem.age
diff --git a/nixos/boxes/colony/vms/shill/containers/middleman.nix b/nixos/boxes/colony/vms/shill/containers/middleman.nix
index f5de0a9..a727a16 100644
--- a/nixos/boxes/colony/vms/shill/containers/middleman.nix
+++ b/nixos/boxes/colony/vms/shill/containers/middleman.nix
@@ -1,4 +1,4 @@
-{ lib, ...}: {
+{ lib, ... }: {
 nixos.systems.middleman = {
 system = "x86_64-linux";
 nixpkgs = "mine";
@@ -16,7 +16,7 @@
 };
 };
- configuration = { lib, config, assignments, ... }:
+ configuration = { lib, config, assignments, allAssignments, ... }:
 let
 inherit (lib) mkMerge mkIf;
 inherit (lib.my) networkdAssignment;
@@ -29,6 +29,7 @@
 secrets = {
 key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAuvP9DEsffop53Fsh7xIdeVyQSF6tSKrOUs2faq6rip";
+ files."dhparams.pem" = {};
 };
 firewall = {
@@ -47,6 +48,63 @@
 nginx = {
 enable = true;
 enableReload = true;
+
+ recommendedTlsSettings = true;
+ clientMaxBodySize = "0";
+ serverTokens = true;
+ resolver = {
+ addresses = [ "[${allAssignments.estuary.base.ipv6.address}]" ];
+ valid = "5s";
+ };
+ proxyResolveWhileRunning = true;
+ sslDhparam = config.age.secrets."dhparams.pem".path;
+
+ # Based on recommended*Settings, but probably better to be explicit about these
+ appendHttpConfig = ''
+ # NixOS provides a logrotate config that auto-compresses :)
+ access_log /var/log/nginx/access.log combined;
+
+ # optimisation
+ sendfile on;
+ tcp_nopush on;
+ tcp_nodelay on;
+ keepalive_timeout 65;
+
+ # gzip
+ gzip on;
+ gzip_proxied any;
+ gzip_comp_level 5;
+ gzip_types
+ application/atom+xml
+ application/javascript
+ application/json
+ application/xml
+ application/xml+rss
+ image/svg+xml
+ text/css
+ text/javascript
+ text/plain
+ text/xml;
+ gzip_vary on;
+
+ # proxying
+ proxy_buffering off;
+ proxy_redirect off;
+ proxy_connect_timeout 60s;
+ proxy_read_timeout 60s;
+ proxy_send_timeout 60s;
+ proxy_http_version 1.1;
+
+ # proxy headers
+ proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-Host $http_host;
+ proxy_set_header X-Forwarded-Server $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Forwarded-Protocol $scheme;
+ proxy_set_header X-Scheme $scheme;
+ '';
 };
 };
 }
diff --git a/nixos/boxes/colony/vms/shill/containers/vaultwarden.nix b/nixos/boxes/colony/vms/shill/containers/vaultwarden.nix
index 7cd34f1..cccc01f 100644
--- a/nixos/boxes/colony/vms/shill/containers/vaultwarden.nix
+++ b/nixos/boxes/colony/vms/shill/containers/vaultwarden.nix
@@ -1,4 +1,4 @@
-{ lib, ...}: {
+{ lib, ... }: {
 nixos.systems.vaultwarden = {
 system = "x86_64-linux";
 nixpkgs = "mine";
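Review bot: `serverTokens = true;` in the new `nginx` block explicitly enables nginx version disclosure in the `Server` header and on error pages, which the NixOS module leaves off by default and which sits oddly next to the TLS hardening (`recommendedTlsSettings`, custom `sslDhparam`) added in the same hunk; unless something relies on it, `serverTokens = false;` is the safer setting. In `appendHttpConfig`, `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` appends to whatever the client sent, so if middleman is the first trusted hop any upstream that reads the leftmost entry can be handed a spoofed client address — `proxy_set_header X-Forwarded-For $remote_addr;` avoids that, and the current form is only right if a trusted proxy in front of middleman already sets the header. `clientMaxBodySize = "0"` also removes the request-body limit for every vhost on this reverse proxy; scoping it to the locations that actually need large uploads would keep the default cap elsewhere. The `sslDhparam` file is only negotiated if a DHE cipher is in the cipher list, which I believe the NixOS default `sslCiphers` (ECDHE-only) is not, so either confirm that is intended or the secret can be dropped. The `nginx` attrset is complete within the hunk, but the enclosing `configuration` function starts outside it.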
diff --git a/secrets/dhparams.pem.age b/secrets/dhparams.pem.age new file mode 100644 index 0000000000000000000000000000000000000000..49d2a75ea1487441748d8fbe7db16256f96b6b28 GIT binary patch literal 1119 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCUlFf=pD2~?;`P0uv- z^DZe#wM-4p)K1LE$#OIa3W+oeF3S$`$~SZi_9#pDO%L;^FyJ!Ia4|G2&9bPBsgGfMcnpMb z*NzD%b8flpfBsN(mF@Ri-P$hNXC>x4t1G?ry;#0%`h#}CTg)$irOWO-`+e4dHTU=J z;|t$1ga6%xWfqqA=EisKDV%*sTWe93<=sne>z!4(wJ#*u3)M&d+^FTVlYREo`kbn~ zm3Ft+^sfD1)NP_AeMCo<^OCz;r;pm}mYH{+%s=?b%=GW!3~%X=UrT}-C!YDMt5^Sh zidDUbl76*X+uLT@u1(MOUtJh_^m*x~0+}uH!F9C_A9_4<<22mQ%5yxNaH=`!N3ZKG z{{=6qV7TXEUb-D9@d{ zc>2GI_qX^;1s|_jaZ0_zH`rS_Xiw^_BZ5o@+SN-Vs+&TmM!Q_e{=Ge9*3#$l53UN# zyr8}O2$NCDxk*nFe*cVqU9;tM#V^^+zQvcc>(6IlyU~tJPxrnPW}x8u{PbkKg+vsy4rO;4av^D&}9je9gsTR}o&*w+n0;MXDY-E{Z%WF{fhIU)hM18;SEj@mPF2u>M0c z_mrtp?^B>-Js$;@19~jy0<$ZoT~F`lANNiE9llCl`e8&Y8`Yyo5RTk<*m( z@0V}4KP6XY+xAStsJAQq|D&`T)yMZ91aW)nRV44`y>E27`KRW}H!<_1nx;tvb}{fp TXYQIKv%q8KOtTv&on`<4VF&XT literal 0 HcmV?d00001