The beta release of NixOS 16.09 comes with a very cool config generator for your NGINX configuration. It makes it easy to:

  • Use Let’s Encrypt for certificates
  • Configure virtualhosts
  • Have good default configurations for SSL and headers
  • Avoid mistakes

Here’s a simple setup for serving SSL-only content on example.com:

{
  "example.com" = {
    forceSSL = true;  # 3
    enableACME = true;  # 4
    locations."/" = {
      root = "/var/www";
    };
  };
}

Line 3 forces traffic from unsecured HTTP (port 80) to HTTPS (port 443).

Line 4 tells NixOS to get a certificate from Let’s Encrypt (via the ACME protocol). This line does two things: NixOS generates a self-signed certificate to use as a placeholder until the ACME certificate arrives. It also enables a weekly systemd timer to renew the certificates in time - Let’s Encrypt certs are valid for only three months.

Lastly we want to enable NGINX with good default settings:

services.nginx = {
  enable = true;
  recommendedOptimisation = true;
  recommendedTlsSettings = true;
  recommendedGzipSettings = true;
  recommendedProxySettings = true;
  virtualHosts = import ./conf/example.com.nix;
};

This gives us a grade B on ssllabs.com (as of September 2016) which is a good compromise between supporting older browsers and being secure.