diff options
| author | lassulus <lass@aidsballs.de> | 2016-03-02 23:09:19 +0100 |
|---|---|---|
| committer | lassulus <lass@aidsballs.de> | 2016-03-03 00:25:11 +0100 |
| commit | 1ba917c3337c9a954e5c251b137ea3ea2ce62f81 (patch) | |
| tree | f1d1db0e894a77f03d2e5fc5fd9aae52867975b8 /krebs | |
| parent | 6570fa8d8657c577e18225dfd860bce2e4c5e7df (diff) | |
k 3 nginx: add ssl options
Diffstat (limited to 'krebs')
| -rw-r--r-- | krebs/3modules/nginx.nix | 58 |
1 files changed, 50 insertions, 8 deletions
diff --git a/krebs/3modules/nginx.nix b/krebs/3modules/nginx.nix index ec39715d8..023988dd5 100644 --- a/krebs/3modules/nginx.nix +++ b/krebs/3modules/nginx.nix @@ -39,6 +39,34 @@ let type = with types; string; default = ""; }; + ssl = mkOption { + type = with types; submodule ({ + options = { + enable = mkEnableOption "ssl"; + certificate = mkOption { + type = str; + }; + certificate_key = mkOption { + type = str; + }; + #TODO: check for valid cipher + ciphers = mkOption { + type = str; + default = "AES128+EECDH:AES128+EDH"; + }; + prefer_server_ciphers = mkOption { + type = bool; + default = true; + }; + protocols = mkOption { + type = listOf (enum [ "SSLv2" "SSLv3" "TLSv1" "TLSv1.1" "TLSv1.2" ]); + default = [ "TLSv1.1" "TLSv1.2" ]; + + }; + }; + }); + default = {}; + }; }; }); default = {}; @@ -73,14 +101,28 @@ let } ''; - to-server = { server-names, listen, locations, extraConfig, ... }: '' - server { - ${concatMapStringsSep "\n" (x: "listen ${x};") listen} - server_name ${toString server-names}; - ${indent extraConfig} - ${indent (concatMapStrings to-location locations)} - } - ''; + to-server = { server-names, listen, locations, extraConfig, ssl, ... }: + let + _extraConfig = if ssl.enable then + extraConfig + '' + ssl_certificate ${ssl.certificate}; + ssl_certificate_key ${ssl.certificate_key}; + ${optionalString ssl.prefer_server_ciphers "ssl_prefer_server_ciphers On;"} + ssl_ciphers ${ssl.ciphers}; + ssl_protocols ${toString ssl.protocols}; + '' + else + extraConfig + ; + + in '' + server { + ${concatMapStringsSep "\n" (x: "listen ${x};") (listen ++ optional ssl.enable "443 ssl")} + server_name ${toString server-names}; + ${indent _extraConfig} + ${indent (concatMapStrings to-location locations)} + } + ''; in out |