Commit Graph

39 Commits

Author SHA1 Message Date
pennae
1d41cff3dc nixos/*: convert straggler options to MD 2022-08-31 17:27:38 +02:00
pennae
6039648c50 nixos/*: automatically convert option docs 2022-08-19 22:40:58 +02:00
pennae
72b507d5a2 nixos/*: convert some markdown in docbook to tags
a lot of markdown syntax has already snuck into option docs, many of it
predating the intent to migrate to markdown. we don't convert all of it
here, just that which is accompanied by docbook tags as well. the rest
can be converted by simply adding the mdDoc marker.
2022-08-19 22:40:58 +02:00
pennae
087472b1e5 nixos/*: automatically convert option docs 2022-08-06 20:39:12 +02:00
Luflosi
320e4dbcc3
nixos/nginx: fix broken listenAddresses example
When using the example without the square brackets, nginx fails to start:
```
nginx-pre-start: nginx: [emerg] invalid port in "::1:80" of the "listen" directive in /nix/store/xyz-nginx.conf:29
nginx-pre-start: nginx: configuration file /nix/store/xyz-nginx.conf test failed
```
2022-07-04 19:46:18 +02:00
Winter
6c53004840 nixos/nginx: allow recommended proxy settings to be enabled per location 2022-06-12 19:52:35 -04:00
Izorkin
c508da303b nixos/nginx: add reuseport option 2022-04-11 22:33:12 +02:00
Lucas Savva
377c6bcefc
nixos/acme: Add defaults and inheritDefaults option
Allows configuring many default settings for certificates,
all of which can still be overridden on a per-cert basis.
Some options have been moved into .defaults from security.acme,
namely email, server, validMinDays and renewInterval. These
changes will not break existing configurations thanks to
mkChangedOptionModule.

With this, it is also now possible to configure DNS-01 with
web servers whose virtualHosts utilise enableACME. The only
requirement is you set `acmeRoot = null` for each vhost.

The test suite has been revamped to cover these additions
and also to generally make it easier to maintain. Test config
for apache and nginx has been fully standardised, and it
is now much easier to add a new web server if it follows
the same configuration patterns as those two. I have also
optimised the use of switch-to-configuration which should
speed up testing.
2021-12-26 16:44:10 +00:00
Izorkin
78546bbbc5
nixos/nginx: add kTLS option 2021-11-27 09:39:57 +03:00
Naïm Favier
2ddc335e6f
nixos/doc: clean up defaults and examples 2021-10-04 12:47:20 +02:00
Maciej Krüger
5d73f669a8
Merge pull request #131962 from mkg20001/fc-nginx 2021-08-12 14:07:48 +02:00
Vincent Bernat
85209382c1 nginx: allow overriding SSL trusted certificates when using ACME
Some ACME providers (like Buypass) are using a different certificate
to sign OCSP responses than for server certificates. Therefore,
sslTrustedCertificate should be provided by the user and we need to
allow that.
2021-08-08 16:07:11 +02:00
Maciej Krüger
a4ca45acd7
nginx: add listenAddresses
This allows the user to manually specify the addresses nginx shoud 
listen on, while still having the convinience to use the *SSL options 
and have the ports automatically applied
2021-07-29 16:33:10 +02:00
Johannes Arnold
3a30f52676
nixos/nginx: fix typo 2021-06-28 18:08:31 +02:00
Naïm Favier
821ca7d4cc
nixos/nginx: add option rejectSSL exposing ssl_reject_handshake 2021-05-24 15:10:09 +02:00
Maciej Krüger
9530794548
nginx: add vhost.http3
Co-authored-by: Sandro <sandro.jaeckel@gmail.com>
2021-04-18 20:20:24 +02:00
Graham Christensen
3361a037b9
nginx: add a warning that nginx's basic auth isn't very good. 2020-11-02 08:16:01 -05:00
paumr
5a1c15da12 improved nginx.basicAuthFile description 2019-12-03 14:05:46 +01:00
Renaud
bf6217cbf1
nixos/nginx: correct header
Apache -> Nginx
2019-11-18 23:25:17 +01:00
Janne Heß
3de5726e9b nixos/nginx: Support additional listen parameters (#56835) 2019-03-06 11:42:46 +02:00
Jappie Klooster
e576c3b385 doc: Fix insecure nginx docs (#51840) 2018-12-11 11:02:56 +00:00
Uli Baum
15e6e1ff6f nixos/nginx: fix type of sslTrustedCertificate option
The option was added in 1251b34b5b
with type `types.path` but default `null`, so eval failed with
the default setting. This broke the acme and certmgr tests.

cc: @vincentbernat @fpletz
2018-09-02 01:35:59 +02:00
Vincent Bernat
1251b34b5b nixos/nginx: ensure TLS OCSP stapling works out of the box with LE
The recommended TLS configuration comes with `ssl_stapling on` and
`ssl_stapling_verify on`. However, this last directive also requires
the use of `ssl_trusted_certificate` to verify the received answer.
When using `enableACME` or similar, we can help the user by providing
the correct value for the directive.

The result can be tested with:

    openssl s_client -connect web.example.com:443 -status 2> /dev/null

Without OCSP stapling, we get:

    OCSP response: no response sent

After this change, we get:

    OCSP Response Data:
        OCSP Response Status: successful (0x0)
        Response Type: Basic OCSP Response
        Version: 1 (0x0)
        Responder Id: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
        Produced At: Aug 30 20:46:00 2018 GMT
2018-08-30 22:47:41 +02:00
volth
2e979e8ceb [bot] nixos/*: remove unused arguments in lambdas 2018-07-20 20:56:59 +00:00
Jan Tojnar
bd648f321c
nixos/nginx: emphasize that useACMEHost does not create certs
It was not entirely clean that `services.nginx.virtualHosts.<name>.useACMEHost` does not create certificates, see https://github.com/NixOS/nixpkgs/issues/40593
2018-05-17 20:48:02 +02:00
Ben Wolsieffer
4d40adb86d nginx: allow basic auth passwords to be specified in a file 2018-04-25 15:37:09 +02:00
Jan Tojnar
41d252d7a4
nixos/nginx: allow using existing ACME certificate
When a domain has a lot of subdomains, it is quite easy to hit the rate limit:

https://letsencrypt.org/docs/rate-limits/

Instead you can define the certificate manually in `security.acme.certs` and list the subdomains in the `extraDomains` option.
2018-01-15 13:48:45 +01:00
Niklas Hambüchen
afa97cb981 nginx service: Make http2 an option.
HTTP 2 can break some things, for example due to this Chrome bug:

  https://bugs.chromium.org/p/chromium/issues/detail?id=796199

So the service hardcoding it to be enabled is not helpful.

This commit adds an option so you can turn it off.
2017-12-19 19:59:15 +01:00
Jan Tojnar
3c48a1e06d nixos/services.nginx: Fix globalRedirect example
Virtual host globalRedirect attribute accepts a hostname not a URL

09a9a472ee/nixos/modules/services/web-servers/nginx/default.nix (L167)
2017-10-22 15:38:08 +02:00
Robin Gloster
0371f2b5cc
nginx module: clean up SSL/listen handling 2017-08-30 21:01:52 +02:00
rnhmjoj
a912a6a291
nginx: make enabling SSL port-specific 2017-07-27 03:45:53 +02:00
rnhmjoj
e40f3bea3e
nginx: make listen addresses configurable 2017-07-14 21:26:54 +02:00
Bob van der Linden
d9987f360a nginx: added serverName option for virtualHosts
This allows overriding the `server_name` attribute of virtual
hosts. By doing so it is possible to have multiple virtualHost
definitions that share the same `server_name`. This is useful in
particular when you need a HTTP as well as a HTTPS virtualhost: same
server_name, different port.
2017-01-25 14:55:55 +01:00
Alexander Ried
e84b803300 security.acme: remove loop when no fallbackHost is given 2016-09-06 17:47:00 +02:00
Robin Gloster
5dd7cf964a nginx module: improve documentation 2016-07-28 11:59:13 +00:00
Robin Gloster
3830a890ab nginx module: add option to make vhost default 2016-07-28 11:59:13 +00:00
Franz Pletz
4e5c7913e9 nginx module: Add acmeFallbackHost vhost option 2016-07-28 11:59:13 +00:00
Tristan Helmich
4676983990 nginx module: Add ACME support for ssl sites 2016-07-28 11:59:13 +00:00
Robin Gloster
f298be9ef4 nginx module: declarative config 2016-07-28 11:58:37 +00:00