Unverified Commit 9fdbf018 authored by Naïm Favier's avatar Naïm Favier Committed by GitHub

Merge pull request #188002 from Izorkin/update-nginx-brotli

parents 7592c514 a9ad69de
+8 −0
@@ -391,6 +391,14 @@
          option.
        </para>
      </listitem>
      <listitem>
        <para>
          A new option <literal>recommendedBrotliSettings</literal> has
          been added to <literal>services.nginx</literal>. Learn more
          about compression in Brotli format
          <link xlink:href="https://github.com/google/ngx_brotli/blob/master/README.md">here</link>.
        </para>
      </listitem>
      <listitem>
        <para>
          Resilio sync secret keys can now be provided using a secrets
+2 −0
@@ -107,6 +107,8 @@ In addition to numerous new and upgraded packages, this release has the followin

- Enabling global redirect in `services.nginx.virtualHosts` now allows one to add exceptions with the `locations` option.

- A new option `recommendedBrotliSettings` has been added to `services.nginx`. Learn more about compression in Brotli format [here](https://github.com/google/ngx_brotli/blob/master/README.md).

- Resilio sync secret keys can now be provided using a secrets file at runtime, preventing these secrets from ending up in the Nix store.

- The `firewall` and `nat` module now has a nftables based implementation. Enable `networking.nftables` to use it.
+1 −1
@@ -820,10 +820,10 @@ in

    services.nginx = lib.mkIf cfg.nginx.enable {
      enable = true;
      additionalModules = [ pkgs.nginxModules.brotli ];

      recommendedTlsSettings = true;
      recommendedOptimisation = true;
      recommendedBrotliSettings = true;
      recommendedGzipSettings = true;
      recommendedProxySettings = true;

+61 −3
@@ -29,6 +29,43 @@ let
  ) cfg.virtualHosts;
  enableIPv6 = config.networking.enableIPv6;

  # Mime.types values are taken from brotli sample configuration - https://github.com/google/ngx_brotli
  # and Nginx Server Configs - https://github.com/h5bp/server-configs-nginx
  compressMimeTypes = [
    "application/atom+xml"
    "application/geo+json"
    "application/json"
    "application/ld+json"
    "application/manifest+json"
    "application/rdf+xml"
    "application/vnd.ms-fontobject"
    "application/wasm"
    "application/x-rss+xml"
    "application/x-web-app-manifest+json"
    "application/xhtml+xml"
    "application/xliff+xml"
    "application/xml"
    "font/collection"
    "font/otf"
    "font/ttf"
    "image/bmp"
    "image/svg+xml"
    "image/vnd.microsoft.icon"
    "text/cache-manifest"
    "text/calendar"
    "text/css"
    "text/csv"
    "text/html"
    "text/javascript"
    "text/markdown"
    "text/plain"
    "text/vcard"
    "text/vnd.rim.location.xloc"
    "text/vtt"
    "text/x-component"
    "text/xml"
  ];

  defaultFastcgiParams = {
    SCRIPT_FILENAME   = "$document_root$fastcgi_script_name";
    QUERY_STRING      = "$query_string";
@@ -140,6 +177,16 @@ let
        ssl_stapling_verify on;
      ''}

      ${optionalString (cfg.recommendedBrotliSettings) ''
        brotli on;
        brotli_static on;
        brotli_comp_level 5;
        brotli_window 512k;
        brotli_min_length 256;
        brotli_types ${lib.concatStringsSep " " compressMimeTypes};
        brotli_buffers 32 8k;
      ''}

      ${optionalString (cfg.recommendedGzipSettings) ''
        gzip on;
        gzip_proxied any;
@@ -456,6 +503,16 @@ in
        '';
      };

      recommendedBrotliSettings = mkOption {
        default = false;
        type = types.bool;
        description = lib.mdDoc ''
          Enable recommended brotli settings. Learn more about compression in Brotli format [here](https://github.com/google/ngx_brotli/blob/master/README.md).

          This adds `pkgs.nginxModules.brotli` to `services.nginx.additionalModules`.
        '';
      };

      recommendedGzipSettings = mkOption {
        default = false;
        type = types.bool;
@@ -537,11 +594,10 @@ in
      additionalModules = mkOption {
        default = [];
        type = types.listOf (types.attrsOf types.anything);
        example = literalExpression "[ pkgs.nginxModules.brotli ]";
        example = literalExpression "[ pkgs.nginxModules.echo ]";
        description = lib.mdDoc ''
          Additional [third-party nginx modules](https://www.nginx.com/resources/wiki/modules/)
          to install. Packaged modules are available in
          `pkgs.nginxModules`.
          to install. Packaged modules are available in `pkgs.nginxModules`.
        '';
      };

@@ -999,6 +1055,8 @@ in
      groups = config.users.groups;
    }) dependentCertNames;

    services.nginx.additionalModules = optional cfg.recommendedBrotliSettings pkgs.nginxModules.brotli;

    systemd.services.nginx = {
      description = "Nginx Web Server";
      wantedBy = [ "multi-user.target" ];
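Review bot: The `recommendedBrotliSettings` description in the `@@ -456` hunk omits that the block added in the `@@ -140` hunk turns on dynamic compression for every type in `compressMimeTypes`, including `text/html` and `application/json`. On TLS virtual hosts whose responses carry a secret (session or CSRF token) next to request-derived text, compressed response length becomes a side channel (the BREACH class of issue), and the option looks like it applies to all virtual hosts at once, though the enclosing config block is outside these hunks. I would add a sentence to the description along the lines of `Compressing responses that mix secrets with request-controlled data can reveal those secrets through response size, even over TLS; set brotli off; in such locations.` Separately, `"text/html"` in `compressMimeTypes` is redundant for `brotli_types`, since the ngx_brotli README states that type is always compressed, and nginx may log a duplicate MIME type warning for it; a short comment above the list saying why it is kept would help.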
+5 −5
@@ -102,15 +102,15 @@ let self = {

  brotli = {
    name = "brotli";
    src = let gitsrc = fetchFromGitHub {
    src = let src' = fetchFromGitHub {
      name = "brotli";
      owner = "google";
      repo = "ngx_brotli";
      rev = "25f86f0bac1101b6512135eac5f93c49c63609e3";
      sha256 = "02hfvfa6milj40qc2ikpb9f95sxqvxk4hly3x74kqhysbdi06hhv";
      rev = "6e975bcb015f62e1f303054897783355e2a877dc";
      sha256 = "sha256-G0IDYlvaQzzJ6cNTSGbfuOuSXFp3RsEwIJLGapTbDgo=";
    }; in
      runCommand "ngx_brotli-src" { } ''
        cp -a ${gitsrc} $out
      runCommand "brotli" { } ''
        cp -a ${src'} $out
        substituteInPlace $out/filter/config \
          --replace '$ngx_addon_dir/deps/brotli/c' ${lib.getDev brotli}
      '';