raito
8c0c7b517f
This help us getting rid of useless traffic by crawlers. It is enabled for gerrit01 which is suffering the most from this. Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
38 lines
1.1 KiB
Nix
38 lines
1.1 KiB
Nix
{ config, lib, ... }:
|
|
let
|
|
inherit (lib) mkIf;
|
|
cfg = config.bagel.services.gerrit;
|
|
in
|
|
{
|
|
config = mkIf cfg.enable {
|
|
services.nginx = {
|
|
enable = true;
|
|
enableReload = true;
|
|
appendHttpConfig = ''
|
|
add_header Permissions-Policy "interest-cohort=()";
|
|
'';
|
|
recommendedProxySettings = false;
|
|
};
|
|
services.nginx.virtualHosts.gerrit = {
|
|
serverName = builtins.head cfg.domains;
|
|
serverAliases = builtins.tail cfg.domains;
|
|
enableACME = true;
|
|
forceSSL = true;
|
|
extraConfig = ''
|
|
location / {
|
|
proxy_pass http://localhost:4778;
|
|
proxy_set_header X-Forwarded-For $remote_addr;
|
|
# The :443 suffix is a workaround for https://b.tvl.fyi/issues/88.
|
|
proxy_set_header Host $host:443;
|
|
# Gerrit can throw a lot of data.
|
|
proxy_buffering off;
|
|
# NGINX should not give up super fast. Things can take time.
|
|
proxy_read_timeout 3600;
|
|
}
|
|
'';
|
|
};
|
|
|
|
networking.firewall.allowedTCPPorts = [ 443 80 ];
|
|
};
|
|
}
|