-rw-r--r--krebs/3modules/nginx.nix58
1 files changed, 50 insertions, 8 deletions
diff --git a/krebs/3modules/nginx.nix b/krebs/3modules/nginx.nix
index ec39715d8..023988dd5 100644
--- a/krebs/3modules/nginx.nix
+++ b/krebs/3modules/nginx.nix
@@ -39,6 +39,34 @@ let
type = with types; string;
default = "";
};
+ ssl = mkOption {
+ type = with types; submodule ({
+ options = {
+ enable = mkEnableOption "ssl";
+ certificate = mkOption {
+ type = str;
+ };
+ certificate_key = mkOption {
+ type = str;
+ };
+ #TODO: check for valid cipher
+ ciphers = mkOption {
+ type = str;
+ default = "AES128+EECDH:AES128+EDH";
+ };
+ prefer_server_ciphers = mkOption {
+ type = bool;
+ default = true;
+ };
+ protocols = mkOption {
+ type = listOf (enum [ "SSLv2" "SSLv3" "TLSv1" "TLSv1.1" "TLSv1.2" ]);
+ default = [ "TLSv1.1" "TLSv1.2" ];
+
+ };
+ };
+ });
+ default = {};
+ };
};
});
default = {};
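Review bot: The `protocols` enum on the added `ssl` submodule admits "SSLv2" and "SSLv3", so one option value can switch the server onto protocols that are no longer considered safe; consider narrowing it to `enum [ "TLSv1" "TLSv1.1" "TLSv1.2" ]`, or at least keeping the default as the only sanctioned set and documenting why the older values exist. None of the new options carries a `description`, so `certificate`, `certificate_key`, `ciphers` and `protocols` would each benefit from one line stating that the value is written verbatim into the `ssl_certificate`, `ssl_certificate_key`, `ssl_ciphers` and `ssl_protocols` directives of the generated server block (the rendering is in the second hunk of this commit). The `#TODO: check for valid cipher` comment could name what "valid" means here (an OpenSSL cipher list string) so the todo is actionable. The stray blank `+` line after the `protocols` default looks like a leftover worth dropping.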
@@ -73,14 +101,28 @@ let
}
'';
- to-server = { server-names, listen, locations, extraConfig, ... }: ''
- server {
- ${concatMapStringsSep "\n" (x: "listen ${x};") listen}
- server_name ${toString server-names};
- ${indent extraConfig}
- ${indent (concatMapStrings to-location locations)}
- }
- '';
+ to-server = { server-names, listen, locations, extraConfig, ssl, ... }:
+ let
+ _extraConfig = if ssl.enable then
+ extraConfig + ''
+ ssl_certificate ${ssl.certificate};
+ ssl_certificate_key ${ssl.certificate_key};
+ ${optionalString ssl.prefer_server_ciphers "ssl_prefer_server_ciphers On;"}
+ ssl_ciphers ${ssl.ciphers};
+ ssl_protocols ${toString ssl.protocols};
+ ''
+ else
+ extraConfig
+ ;
+
+ in ''
+ server {
+ ${concatMapStringsSep "\n" (x: "listen ${x};") (listen ++ optional ssl.enable "443 ssl")}
+ server_name ${toString server-names};
+ ${indent _extraConfig}
+ ${indent (concatMapStrings to-location locations)}
+ }
+ '';
in
out