]>
Commit | Line | Data |
---|---|---|
daf64e3f IB |
1 | { lib, config, ... }: with lib; |
2 | let | |
29f8cb85 | 3 | cfg = config.services.websites; |
daf64e3f IB |
4 | in |
5 | { | |
29f8cb85 IB |
6 | options.services.websites = with types; { |
7 | certs = mkOption { | |
8 | description = "Default websites configuration for certificates as accepted by acme"; | |
9 | }; | |
10 | webappDirs = mkOption { | |
11 | description = '' | |
12 | Defines a symlink between /run/current-system/webapps and a store | |
13 | app directory to be used in http configuration. Permits to avoid | |
14 | restarting httpd when only the folder name changes. | |
15 | ''; | |
16 | type = types.attrsOf types.path; | |
17 | default = {}; | |
18 | }; | |
19 | webappDirsName = mkOption { | |
20 | type = str; | |
21 | default = "webapps"; | |
22 | description = '' | |
23 | Name of the webapp dir to create in /run/current-system | |
24 | ''; | |
25 | }; | |
29f8cb85 IB |
26 | env = mkOption { |
27 | default = {}; | |
28 | description = "Each type of website to enable will target a distinct httpd server"; | |
29 | type = attrsOf (submodule { | |
30 | options = { | |
31 | enable = mkEnableOption "Enable websites of this type"; | |
32 | adminAddr = mkOption { | |
33 | type = str; | |
34 | description = "Admin e-mail address of the instance"; | |
35 | }; | |
36 | httpdName = mkOption { | |
37 | type = str; | |
38 | description = "Name of the httpd instance to assign this type to"; | |
39 | }; | |
40 | ips = mkOption { | |
41 | type = listOf string; | |
42 | default = []; | |
43 | description = "ips to listen to"; | |
44 | }; | |
45 | modules = mkOption { | |
46 | type = listOf str; | |
47 | default = []; | |
48 | description = "Additional modules to load in Apache"; | |
49 | }; | |
50 | extraConfig = mkOption { | |
51 | type = listOf lines; | |
52 | default = []; | |
53 | description = "Additional configuration to append to Apache"; | |
54 | }; | |
55 | nosslVhost = mkOption { | |
56 | description = "A default nossl vhost for captive portals"; | |
57 | default = {}; | |
58 | type = submodule { | |
59 | options = { | |
60 | enable = mkEnableOption "Add default no-ssl vhost for this instance"; | |
61 | host = mkOption { | |
62 | type = string; | |
63 | description = "The hostname to use for this vhost"; | |
64 | }; | |
65 | root = mkOption { | |
66 | type = path; | |
67 | default = ./nosslVhost; | |
68 | description = "The root folder to serve"; | |
69 | }; | |
70 | indexFile = mkOption { | |
71 | type = string; | |
72 | default = "index.html"; | |
73 | description = "The index file to show."; | |
74 | }; | |
daf64e3f IB |
75 | }; |
76 | }; | |
77 | }; | |
29f8cb85 IB |
78 | fallbackVhost = mkOption { |
79 | description = "The fallback vhost that will be defined as first vhost in Apache"; | |
80 | type = submodule { | |
81 | options = { | |
82 | certName = mkOption { type = string; }; | |
83 | hosts = mkOption { type = listOf string; }; | |
84 | root = mkOption { type = nullOr path; }; | |
85 | extraConfig = mkOption { type = listOf lines; default = []; }; | |
86 | }; | |
daf64e3f IB |
87 | }; |
88 | }; | |
29f8cb85 IB |
89 | vhostConfs = mkOption { |
90 | default = {}; | |
91 | description = "List of vhosts to define for Apache"; | |
92 | type = attrsOf (submodule { | |
93 | options = { | |
94 | certName = mkOption { type = string; }; | |
95 | addToCerts = mkOption { | |
96 | type = bool; | |
97 | default = false; | |
98 | description = "Use these to certificates. Is ignored (considered true) if certMainHost is not null"; | |
99 | }; | |
100 | certMainHost = mkOption { | |
101 | type = nullOr string; | |
102 | description = "Use that host as 'main host' for acme certs"; | |
103 | default = null; | |
104 | }; | |
105 | hosts = mkOption { type = listOf string; }; | |
106 | root = mkOption { type = nullOr path; }; | |
107 | extraConfig = mkOption { type = listOf lines; default = []; }; | |
7df420c2 | 108 | }; |
29f8cb85 IB |
109 | }); |
110 | }; | |
111 | watchPaths = mkOption { | |
112 | type = listOf string; | |
113 | default = []; | |
114 | description = '' | |
115 | Paths to watch that should trigger a reload of httpd | |
116 | ''; | |
117 | }; | |
17f6eae9 | 118 | }; |
29f8cb85 IB |
119 | }); |
120 | }; | |
717ccfd9 IB |
121 | # Readonly variables |
122 | webappDirsPaths = mkOption { | |
123 | type = attrsOf path; | |
124 | readOnly = true; | |
125 | description = '' | |
126 | Full paths of the webapp dir | |
127 | ''; | |
128 | default = attrsets.mapAttrs' (name: icfg: attrsets.nameValuePair | |
129 | name "/run/current-system/${cfg.webappDirsName}/${name}" | |
130 | ) cfg.webappDirs; | |
131 | }; | |
daf64e3f IB |
132 | }; |
133 | ||
134 | config.services.httpd = let | |
135 | redirectVhost = ips: { # Should go last, catchall http -> https redirect | |
136 | listen = map (ip: { inherit ip; port = 80; }) ips; | |
137 | hostName = "redirectSSL"; | |
138 | serverAliases = [ "*" ]; | |
139 | enableSSL = false; | |
140 | logFormat = "combinedVhost"; | |
9ade8f6e | 141 | documentRoot = "${config.security.acme.directory}/acme-challenge"; |
daf64e3f IB |
142 | extraConfig = '' |
143 | RewriteEngine on | |
144 | RewriteCond "%{REQUEST_URI}" "!^/\.well-known" | |
145 | RewriteRule ^(.+) https://%{HTTP_HOST}$1 [R=301] | |
146 | # To redirect in specific "VirtualHost *:80", do | |
147 | # RedirectMatch 301 ^/((?!\.well-known.*$).*)$ https://host/$1 | |
148 | # rather than rewrite | |
149 | ''; | |
150 | }; | |
151 | nosslVhost = ips: cfg: { | |
152 | listen = map (ip: { inherit ip; port = 80; }) ips; | |
153 | hostName = cfg.host; | |
154 | enableSSL = false; | |
155 | logFormat = "combinedVhost"; | |
156 | documentRoot = cfg.root; | |
157 | extraConfig = '' | |
158 | <Directory ${cfg.root}> | |
159 | DirectoryIndex ${cfg.indexFile} | |
160 | AllowOverride None | |
161 | Require all granted | |
162 | ||
163 | RewriteEngine on | |
164 | RewriteRule ^/(.+) / [L] | |
165 | </Directory> | |
166 | ''; | |
167 | }; | |
168 | toVhost = ips: vhostConf: { | |
169 | enableSSL = true; | |
9ade8f6e IB |
170 | sslServerCert = "${config.security.acme.directory}/${vhostConf.certName}/cert.pem"; |
171 | sslServerKey = "${config.security.acme.directory}/${vhostConf.certName}/key.pem"; | |
172 | sslServerChain = "${config.security.acme.directory}/${vhostConf.certName}/chain.pem"; | |
daf64e3f IB |
173 | logFormat = "combinedVhost"; |
174 | listen = map (ip: { inherit ip; port = 443; }) ips; | |
175 | hostName = builtins.head vhostConf.hosts; | |
176 | serverAliases = builtins.tail vhostConf.hosts or []; | |
177 | documentRoot = vhostConf.root; | |
178 | extraConfig = builtins.concatStringsSep "\n" vhostConf.extraConfig; | |
179 | }; | |
180 | in attrsets.mapAttrs' (name: icfg: attrsets.nameValuePair | |
181 | icfg.httpdName (mkIf icfg.enable { | |
182 | enable = true; | |
183 | listen = map (ip: { inherit ip; port = 443; }) icfg.ips; | |
184 | stateDir = "/run/httpd_${name}"; | |
185 | logPerVirtualHost = true; | |
186 | multiProcessingModule = "worker"; | |
187 | inherit (icfg) adminAddr; | |
188 | logFormat = "combinedVhost"; | |
189 | extraModules = lists.unique icfg.modules; | |
190 | extraConfig = builtins.concatStringsSep "\n" icfg.extraConfig; | |
191 | virtualHosts = [ (toVhost icfg.ips icfg.fallbackVhost) ] | |
192 | ++ optionals (icfg.nosslVhost.enable) [ (nosslVhost icfg.ips icfg.nosslVhost) ] | |
193 | ++ (attrsets.mapAttrsToList (n: v: toVhost icfg.ips v) icfg.vhostConfs) | |
194 | ++ [ (redirectVhost icfg.ips) ]; | |
195 | }) | |
f4da0504 | 196 | ) cfg.env; |
7df420c2 | 197 | |
17f6eae9 IB |
198 | config.services.filesWatcher = attrsets.mapAttrs' (name: icfg: attrsets.nameValuePair |
199 | "httpd${icfg.httpdName}" { | |
200 | paths = icfg.watchPaths; | |
201 | waitTime = 5; | |
202 | } | |
f4da0504 | 203 | ) cfg.env; |
17f6eae9 | 204 | |
7df420c2 | 205 | config.security.acme.certs = let |
f4da0504 | 206 | typesToManage = attrsets.filterAttrs (k: v: v.enable) cfg.env; |
7df420c2 IB |
207 | flatVhosts = lists.flatten (attrsets.mapAttrsToList (k: v: |
208 | attrValues v.vhostConfs | |
209 | ) typesToManage); | |
210 | groupedCerts = attrsets.filterAttrs | |
211 | (_: group: builtins.any (v: v.addToCerts || !isNull v.certMainHost) group) | |
212 | (lists.groupBy (v: v.certName) flatVhosts); | |
213 | groupToDomain = group: | |
214 | let | |
215 | nonNull = builtins.filter (v: !isNull v.certMainHost) group; | |
216 | domains = lists.unique (map (v: v.certMainHost) nonNull); | |
217 | in | |
218 | if builtins.length domains == 0 | |
219 | then null | |
220 | else assert (builtins.length domains == 1); (elemAt domains 0); | |
221 | extraDomains = group: | |
222 | let | |
223 | mainDomain = groupToDomain group; | |
224 | in | |
225 | lists.remove mainDomain ( | |
226 | lists.unique ( | |
227 | lists.flatten (map (c: optionals (c.addToCerts || !isNull c.certMainHost) c.hosts) group) | |
228 | ) | |
229 | ); | |
230 | in attrsets.mapAttrs (k: g: | |
231 | if (!isNull (groupToDomain g)) | |
f4da0504 | 232 | then cfg.certs // { |
7df420c2 IB |
233 | domain = groupToDomain g; |
234 | extraDomains = builtins.listToAttrs ( | |
235 | map (d: attrsets.nameValuePair d null) (extraDomains g)); | |
236 | } | |
237 | else { | |
238 | extraDomains = builtins.listToAttrs ( | |
239 | map (d: attrsets.nameValuePair d null) (extraDomains g)); | |
240 | } | |
241 | ) groupedCerts; | |
f4da0504 IB |
242 | |
243 | config.system.extraSystemBuilderCmds = lib.mkIf (builtins.length (builtins.attrValues cfg.webappDirs) > 0) '' | |
29f8cb85 IB |
244 | mkdir -p $out/${cfg.webappDirsName} |
245 | ${builtins.concatStringsSep "\n" | |
246 | (attrsets.mapAttrsToList | |
247 | (name: path: "ln -s ${path} $out/${cfg.webappDirsName}/${name}") cfg.webappDirs) | |
248 | } | |
f4da0504 | 249 | ''; |
daf64e3f | 250 | } |