path: root/krebs/3modules/nginx.nix
authortv <tv@krebsco.de>2016-04-07 20:29:33 +0200
committertv <tv@krebsco.de>2016-04-07 20:29:33 +0200
commite1a287c78bab2847fee7c4f1a18a765d89ca373f (patch)
tree336fc62199af9b1c38acf2de0a2bafbe8ed72efc /krebs/3modules/nginx.nix
parent033bf438bd2ae39d6a465c475500a24514cc2739 (diff)
parent66b7a76a26a40bd4ecca8c83aafe5f2e5fefa461 (diff)
Merge remote-tracking branch 'gum/master'
Diffstat (limited to 'krebs/3modules/nginx.nix')
-rw-r--r--krebs/3modules/nginx.nix58
1 files changed, 50 insertions, 8 deletions
diff --git a/krebs/3modules/nginx.nix b/krebs/3modules/nginx.nix
index 8d0704e8c..816c2ff69 100644
--- a/krebs/3modules/nginx.nix
+++ b/krebs/3modules/nginx.nix
@@ -54,6 +54,34 @@ let
type = with types; string;
default = "";
};
+ ssl = mkOption {
+ type = with types; submodule ({
+ options = {
+ enable = mkEnableOption "ssl";
+ certificate = mkOption {
+ type = str;
+ };
+ certificate_key = mkOption {
+ type = str;
+ };
+ #TODO: check for valid cipher
+ ciphers = mkOption {
+ type = str;
+ default = "AES128+EECDH:AES128+EDH";
+ };
+ prefer_server_ciphers = mkOption {
+ type = bool;
+ default = true;
+ };
+ protocols = mkOption {
+ type = listOf (enum [ "SSLv2" "SSLv3" "TLSv1" "TLSv1.1" "TLSv1.2" ]);
+ default = [ "TLSv1.1" "TLSv1.2" ];
+
+ };
+ };
+ });
+ default = {};
+ };
};
});
default = {};
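Review bot: The `protocols` enum still admits `SSLv2` and `SSLv3`, both broken (SSLv2 has been unsupported for years, SSLv3 is vulnerable to POODLE), so a single edit in a host config can re-enable them while the type check stays green; I would narrow it to `type = listOf (enum [ "TLSv1" "TLSv1.1" "TLSv1.2" ]);` and keep the TLSv1.1/TLSv1.2 default. `certificate_key` and `certificate` carry no `description`; since these paths are interpolated into the generated nginx.conf, a note such as `description = "Path to the private key; must not point into the Nix store, only the path (not the key) ends up in nginx.conf."` would spare operators the classic world-readable-key mistake. The `#TODO: check for valid cipher` is worth keeping visible: `ciphers` is substituted verbatim into `ssl_ciphers`, so a malformed list is only caught when nginx refuses to start, and the default `AES128+EDH` half enables DHE suites whose strength depends on an `ssl_dhparam` this submodule does not expose.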
@@ -89,14 +117,28 @@ let
}
'';
- to-server = { server-names, listen, locations, extraConfig, ... }: ''
- server {
- ${concatMapStringsSep "\n" (x: "listen ${x};") listen}
- server_name ${toString server-names};
- ${indent extraConfig}
- ${indent (concatMapStrings to-location locations)}
- }
- '';
+ to-server = { server-names, listen, locations, extraConfig, ssl, ... }:
+ let
+ _extraConfig = if ssl.enable then
+ extraConfig + ''
+ ssl_certificate ${ssl.certificate};
+ ssl_certificate_key ${ssl.certificate_key};
+ ${optionalString ssl.prefer_server_ciphers "ssl_prefer_server_ciphers On;"}
+ ssl_ciphers ${ssl.ciphers};
+ ssl_protocols ${toString ssl.protocols};
+ ''
+ else
+ extraConfig
+ ;
+
+ in ''
+ server {
+ ${concatMapStringsSep "\n" (x: "listen ${x};") (listen ++ optional ssl.enable "443 ssl")}
+ server_name ${toString server-names};
+ ${indent _extraConfig}
+ ${indent (concatMapStrings to-location locations)}
+ }
+ '';
in
out
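Review bot: With `ssl.enable` set, `to-server` only appends `443 ssl` to `listen`, so every existing plaintext `listen` entry and all `locations` keep being served over HTTP as well, and nothing emits a redirect or HSTS; if serving both is intended, a comment like `# ssl.enable adds a TLS listener; plaintext listen entries are kept as-is` would make that explicit, otherwise a host wanting TLS-only must remember to leave `listen` empty. The emitted `ssl_ciphers` default includes `AES128+EDH` but no `ssl_dhparam` is written, so nginx falls back to its built-in DH group (historically 1024-bit, the Logjam-relevant case) unless the operator adds one via `extraConfig`; an optional `dhparam` option emitted as `${optionalString (ssl.dhparam != null) "ssl_dhparam ${ssl.dhparam};"}` would close that. Minor: `extraConfig` is concatenated to the ssl block without a separating newline, which only works because `;` terminates nginx directives; `extraConfig + "\n" + ''…''` keeps the generated config readable. The enclosing `let` that defines `to-server` begins before this hunk.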