author | tv <tv@krebsco.de> | 2016-04-07 20:29:33 +0200 |
---|---|---|
committer | tv <tv@krebsco.de> | 2016-04-07 20:29:33 +0200 |
commit | e1a287c78bab2847fee7c4f1a18a765d89ca373f (patch) | |
tree | 336fc62199af9b1c38acf2de0a2bafbe8ed72efc /krebs/3modules/nginx.nix | |
parent | 033bf438bd2ae39d6a465c475500a24514cc2739 (diff) | |
parent | 66b7a76a26a40bd4ecca8c83aafe5f2e5fefa461 (diff) |
Merge remote-tracking branch 'gum/master'
Diffstat (limited to 'krebs/3modules/nginx.nix')
-rw-r--r-- | krebs/3modules/nginx.nix | 58 |
1 files changed, 50 insertions, 8 deletions
diff --git a/krebs/3modules/nginx.nix b/krebs/3modules/nginx.nix
index 8d0704e8c..816c2ff69 100644
--- a/krebs/3modules/nginx.nix
+++ b/krebs/3modules/nginx.nix
@@ -54,6 +54,34 @@ let
 type = with types; string;
 default = "";
 };
+ ssl = mkOption {
+ type = with types; submodule ({
+ options = {
+ enable = mkEnableOption "ssl";
+ certificate = mkOption {
+ type = str;
+ };
+ certificate_key = mkOption {
+ type = str;
+ };
+ #TODO: check for valid cipher
+ ciphers = mkOption {
+ type = str;
+ default = "AES128+EECDH:AES128+EDH";
+ };
+ prefer_server_ciphers = mkOption {
+ type = bool;
+ default = true;
+ };
+ protocols = mkOption {
+ type = listOf (enum [ "SSLv2" "SSLv3" "TLSv1" "TLSv1.1" "TLSv1.2" ]);
+ default = [ "TLSv1.1" "TLSv1.2" ];
+
+ };
+ };
+ });
+ default = {};
+ };
 };
 });
 default = {};
@@ -89,14 +117,28 @@ let
 }
 '';
 
- to-server = { server-names, listen, locations, extraConfig, ... }: ''
- server {
- ${concatMapStringsSep "\n" (x: "listen ${x};") listen}
- server_name ${toString server-names};
- ${indent extraConfig}
- ${indent (concatMapStrings to-location locations)}
- }
- '';
+ to-server = { server-names, listen, locations, extraConfig, ssl, ... }:
+ let
+ _extraConfig = if ssl.enable then
+ extraConfig + ''
+ ssl_certificate ${ssl.certificate};
+ ssl_certificate_key ${ssl.certificate_key};
+ ${optionalString ssl.prefer_server_ciphers "ssl_prefer_server_ciphers On;"}
+ ssl_ciphers ${ssl.ciphers};
+ ssl_protocols ${toString ssl.protocols};
+ ''
+ else
+ extraConfig
+ ;
+
+ in ''
+ server {
+ ${concatMapStringsSep "\n" (x: "listen ${x};") (listen ++ optional ssl.enable "443 ssl")}
+ server_name ${toString server-names};
+ ${indent _extraConfig}
+ ${indent (concatMapStrings to-location locations)}
+ }
+ '';
 
 in
 out
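Review bot: The `protocols` enum on the new `ssl` submodule still admits `"SSLv2"` and `"SSLv3"`, both broken protocols (DROWN, POODLE) that a module should not let a deployment opt into, so the type should be narrowed to `type = listOf (enum [ "TLSv1" "TLSv1.1" "TLSv1.2" ]);`. The `#TODO: check for valid cipher` is left open: `ciphers` is a free-form `str` spliced verbatim into `ssl_ciphers`, so a typo only surfaces when nginx refuses to start — at minimum say so in the option, e.g. `# passed verbatim to ssl_ciphers; an invalid spec is only rejected by nginx at startup`. `certificate_key` is likewise a bare `str` and deserves a warning comment that a path interpolated into a string is copied into the world-readable Nix store, so callers should pass a runtime path (e.g. under /var/lib or /etc) instead. The enclosing option set and the `let` it sits in start outside this hunk.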
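Review bot: `listen ++ optional ssl.enable "443 ssl"` appends a second `listen 443 ssl;` whenever the caller's `listen` list already contains one, and nginx rejects duplicate listen options at config check, so the addition should be guarded, e.g. `(listen ++ optional (ssl.enable && !(any (hasPrefix "443") listen)) "443 ssl")`. The default `ciphers` value ends in `AES128+EDH`, which enables DHE suites, yet the rendered server block never emits `ssl_dhparam`; nginx then falls back to its built-in DH group (1024-bit in releases of this era), the Logjam-weak configuration — either emit an `ssl_dhparam` directive when a parameter file is supplied or drop `AES128+EDH` from the default. `_extraConfig` also depends on `optionalString` and `optional` being in scope, presumably from a `with lib;` above the hunk; the surrounding `let` starts and ends outside this hunk.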