1 { config, lib, pkgs, ... }:
# Options the user set under services.httpdTools.
mainCfg = config.services.httpdTools;

# Default output of the selected httpd package; the .dev output is handed to
# module builds separately where they need it.
httpd = mainCfg.package.out;

# Apache 2.4 renamed several directives (e.g. SSLMutex -> Mutex), so the generated
# configuration is gated on the version of the selected package.
version24 = versionAtLeast httpd.version "2.4";

# The file httpd is launched with: the generated confFile unless the user
# overrides services.httpdTools.configFile.
httpdConf = mainCfg.configFile;

# Build mod_php against this exact httpd. The override is given the .dev output
# because a plain package reference would only expose .out.
php = mainCfg.phpPackage.override { apacheHttpd = httpd.dev; };

# "7.2.3" -> "7"; selects the libphp<major>.so module name.
phpMajorVersion = head (splitString "." php.version);

# mod_perl likewise built against the selected httpd.
mod_perl = pkgs.apacheHttpdPackages.mod_perl.override { apacheHttpd = httpd; };
# Listen entry used when a host configures no explicit listen address:
# the standard port for its scheme, on every interface.
defaultListen = cfg: [
  { ip = "*"; port = if cfg.enableSSL then 443 else 80; }
];
26 let list = (lib.optional (cfg.port != 0) {ip = "*"; port = cfg.port;}) ++ cfg.listen;
28 then defaultListen cfg
31 listenToString = l: "${l.ip}:${toString l.port}";
# User-supplied extra modules. A plain string names a module shipped with httpd
# (resolved below to ${httpd}/modules/mod_<name>.so); an attribute set supplies an
# explicit { name, path } pair for a module from some other package.
extraModules = mainCfg.extraModules or [];
extraForeignModules = filter isAttrs extraModules;
extraApacheModules = filter isString extraModules;
38 makeServerInfo = cfg: {
39 # Canonical name must not include a trailing slash.
41 let defaultPort = (head (defaultListen cfg)).port; in
43 (if cfg.enableSSL then "https" else "http") + "://" +
45 (if port != defaultPort then ":${toString port}" else "")
46 ) (map (x: x.port) (getListen cfg));
48 # Admin address: inherit from the main server if not specified for
50 adminAddr = if cfg.adminAddr != null then cfg.adminAddr else mainCfg.adminAddr;
53 serverConfig = mainCfg;
54 fullConfig = config; # machine config
58 allHosts = [mainCfg] ++ mainCfg.virtualHosts;
61 callSubservices = serverInfo: defs:
65 if svc ? function then svc.function
66 # instead of using serviceType="mediawiki"; you can copy mediawiki.nix to any location outside nixpkgs, modify it at will, and use serviceExpression=./mediawiki.nix;
67 else if svc ? serviceExpression then import (toString svc.serviceExpression)
68 else import (toString "${toString ./.}/${if svc ? serviceType then svc.serviceType else svc.serviceName}.nix");
70 { modules = [ { options = res.options; config = svc.config or svc; } ];
88 res = defaults // svcFunction { inherit config lib pkgs serverInfo php; };
# !!! callSubservices is expensive: it imports and evaluates a module per
# subservice, so the results are bound once here and shared.
subservicesFor = host: callSubservices (makeServerInfo host) host.extraSubservices;

mainSubservices = subservicesFor mainCfg;

# Main-server subservices first, then those of each virtual host in order.
allSubservices = mainSubservices ++ concatMap subservicesFor mainCfg.virtualHosts;

# True if the main server or any virtual host enables SSL; this decides whether
# mod_ssl is loaded and the global SSL directives are emitted at all.
enableSSL = any (host: host.enableSSL) allHosts;
104 # Names of modules from ${httpd}/modules that we want to load.
106 [ # HTTP authentication mechanisms: basic and digest.
107 "auth_basic" "auth_digest"
109 # Authentication: is the user who he claims to be?
110 "authn_file" "authn_dbm" "authn_anon"
111 (if version24 then "authn_core" else "authn_alias")
113 # Authorization: is the user allowed access?
114 "authz_user" "authz_groupfile" "authz_host"
117 "ext_filter" "include" "log_config" "env" "mime_magic"
118 "cern_meta" "expires" "headers" "usertrack" /* "unique_id" */ "setenvif"
119 "mime" "dav" "status" "autoindex" "asis" "info" "dav_fs"
120 "vhost_alias" "negotiation" "dir" "imagemap" "actions" "speling"
121 "userdir" "alias" "rewrite" "proxy" "proxy_http"
123 ++ optionals version24 [
124 "mpm_${mainCfg.multiProcessingModule}"
130 # For compatibility with old configurations, the new module mod_access_compat is provided.
133 ++ (if mainCfg.multiProcessingModule == "prefork" then [ "cgi" ] else [ "cgid" ])
134 ++ optional enableSSL "ssl"
135 ++ extraApacheModules;
138 allDenied = if version24 then ''
145 allGranted = if version24 then ''
153 loggingConf = (if mainCfg.logFormat != "none" then ''
154 ErrorLog ${mainCfg.logDir}/error_log
158 LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
159 LogFormat "%h %l %u %t \"%r\" %>s %b" common
160 LogFormat "%{Referer}i -> %U" referer
161 LogFormat "%{User-agent}i" agent
163 CustomLog ${mainCfg.logDir}/access_log ${mainCfg.logFormat}
170 BrowserMatch "Mozilla/2" nokeepalive
171 BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0
172 BrowserMatch "RealPlayer 4\.0" force-response-1.0
173 BrowserMatch "Java/1\.0" force-response-1.0
174 BrowserMatch "JDK/1\.0" force-response-1.0
175 BrowserMatch "Microsoft Data Access Internet Publishing Provider" redirect-carefully
176 BrowserMatch "^WebDrive" redirect-carefully
177 BrowserMatch "^WebDAVFS/1.[012]" redirect-carefully
178 BrowserMatch "^gnome-vfs" redirect-carefully
183 SSLSessionCache ${if version24 then "shmcb" else "shm"}:${mainCfg.stateDir}/ssl_scache(512000)
185 ${if version24 then "Mutex" else "SSLMutex"} posixsem
187 SSLRandomSeed startup builtin
188 SSLRandomSeed connect builtin
190 SSLProtocol All -SSLv2 -SSLv3
191 SSLCipherSuite HIGH:!aNULL:!MD5:!EXP
192 SSLHonorCipherOrder on
197 TypesConfig ${httpd}/conf/mime.types
199 AddType application/x-x509-ca-cert .crt
200 AddType application/x-pkcs7-crl .crl
201 AddType application/x-httpd-php .php .phtml
203 <IfModule mod_mime_magic.c>
204 MIMEMagicFile ${httpd}/conf/magic
209 perServerConf = isMainServer: cfg: let
211 serverInfo = makeServerInfo cfg;
213 subservices = callSubservices serverInfo cfg.extraSubservices;
215 maybeDocumentRoot = fold (svc: acc:
216 if acc == null then svc.documentRoot else assert svc.documentRoot == null; acc
217 ) null ([ cfg ] ++ subservices);
219 documentRoot = if maybeDocumentRoot != null then maybeDocumentRoot else
220 pkgs.runCommand "empty" {} "mkdir -p $out";
222 documentRootConf = ''
223 DocumentRoot "${documentRoot}"
225 <Directory "${documentRoot}">
226 Options Indexes FollowSymLinks
233 concatStringsSep "\n" (filter (x: x != "") (
# If this is a vhost, then include the entries for the main server as well.
235 (if isMainServer then [] else [mainCfg.robotsEntries] ++ map (svc: svc.robotsEntries) mainSubservices)
236 ++ [cfg.robotsEntries]
237 ++ (map (svc: svc.robotsEntries) subservices)));
240 ${concatStringsSep "\n" (map (n: "ServerName ${n}") serverInfo.canonicalNames)}
242 ${concatMapStrings (alias: "ServerAlias ${alias}\n") cfg.serverAliases}
244 ${if cfg.sslServerCert != null then ''
245 SSLCertificateFile ${cfg.sslServerCert}
246 SSLCertificateKeyFile ${cfg.sslServerKey}
247 ${if cfg.sslServerChain != null then ''
248 SSLCertificateChainFile ${cfg.sslServerChain}
252 ${if cfg.enableSSL then ''
254 '' else if enableSSL then /* i.e., SSL is enabled for some host, but not this one */
259 ${if isMainServer || cfg.adminAddr != null then ''
260 ServerAdmin ${cfg.adminAddr}
263 ${if !isMainServer && mainCfg.logPerVirtualHost then ''
264 ErrorLog ${mainCfg.logDir}/error_log-${cfg.hostName}
265 CustomLog ${mainCfg.logDir}/access_log-${cfg.hostName} ${cfg.logFormat}
268 ${optionalString (robotsTxt != "") ''
269 Alias /robots.txt ${pkgs.writeText "robots.txt" robotsTxt}
272 ${if isMainServer || maybeDocumentRoot != null then documentRootConf else ""}
274 ${if cfg.enableUserDir then ''
277 UserDir disabled root
279 <Directory "/home/*/public_html">
280 AllowOverride FileInfo AuthConfig Limit Indexes
281 Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
282 <Limit GET POST OPTIONS>
285 <LimitExcept GET POST OPTIONS>
292 ${if cfg.globalRedirect != null && cfg.globalRedirect != "" then ''
293 RedirectPermanent / ${cfg.globalRedirect}
297 let makeFileConf = elem: ''
298 Alias ${elem.urlPath} ${elem.file}
300 in concatMapStrings makeFileConf cfg.servedFiles
304 let makeDirConf = elem: ''
305 Alias ${elem.urlPath} ${elem.dir}/
306 <Directory ${elem.dir}>
312 in concatMapStrings makeDirConf cfg.servedDirs
315 ${concatMapStrings (svc: svc.extraConfig) subservices}
321 confFile = pkgs.writeText "httpd.conf" ''
325 ${optionalString version24 ''
326 DefaultRuntimeDir ${mainCfg.stateDir}/runtime
329 PidFile ${mainCfg.stateDir}/httpd.pid
331 ${optionalString (mainCfg.multiProcessingModule != "prefork") ''
332 # mod_cgid requires this.
333 ScriptSock ${mainCfg.stateDir}/cgisock
337 MaxClients ${toString mainCfg.maxClients}
338 MaxRequestsPerChild ${toString mainCfg.maxRequestsPerChild}
listenEntries = concatMap getListen allHosts;
toStr = l: "Listen ${listenToString l}\n";
# Several hosts may share an address; emit each Listen line only once,
# keeping first-occurrence order.
uniqueListen = unique (map toStr listenEntries);
345 in concatStrings uniqueListen
349 Group ${mainCfg.group}
352 load = {name, path}: "LoadModule ${name}_module ${path}\n";
354 concatMap (svc: svc.extraModulesPre) allSubservices
355 ++ map (name: {inherit name; path = "${httpd}/modules/mod_${name}.so";}) apacheModules
356 ++ optional mainCfg.enableMellon { name = "auth_mellon"; path = "${pkgs.apacheHttpdPackages.mod_auth_mellon}/modules/mod_auth_mellon.so"; }
357 ++ optional enablePHP { name = "php${phpMajorVersion}"; path = "${php}/modules/libphp${phpMajorVersion}.so"; }
358 ++ optional enablePerl { name = "perl"; path = "${mod_perl}/modules/mod_perl.so"; }
359 ++ concatMap (svc: svc.extraModules) allSubservices
360 ++ extraForeignModules;
361 in concatMapStrings load allModules
364 AddHandler type-map var
374 Include ${httpd}/conf/extra/httpd-default.conf
375 Include ${httpd}/conf/extra/httpd-autoindex.conf
376 Include ${httpd}/conf/extra/httpd-multilang-errordoc.conf
377 Include ${httpd}/conf/extra/httpd-languages.conf
379 ${if enableSSL then sslConf else ""}
381 # Fascist default - deny access to everything.
383 Options FollowSymLinks
388 # Generate directives for the main server.
389 ${perServerConf true mainCfg}
391 # Always enable virtual hosts; it doesn't seem to hurt.
addrs = concatMap getListen allHosts;
uniqueAddrs = unique addrs;
# One NameVirtualHost per distinct address; only emitted for pre-2.4 httpd.
directives = concatMapStrings (a: "NameVirtualHost ${listenToString a}\n") uniqueAddrs;
396 in optionalString (!version24) directives
400 makeVirtualHost = vhost: ''
401 <VirtualHost ${concatStringsSep " " (map listenToString (getListen vhost))}>
402 ${perServerConf false vhost}
405 in concatMapStrings makeVirtualHost mainCfg.virtualHosts
# A module is wanted if the main server asks for it or any subservice does.
# The main-server flag is checked first so allSubservices is only forced when needed.
anyoneEnables = flag: mainCfg.${flag} || any (svc: svc.${flag}) allSubservices;

enablePHP = anyoneEnables "enablePHP";

enablePerl = anyoneEnables "enablePerl";
415 # Generate the PHP configuration file. Should probably be factored
416 # out into a separate module.
417 phpIni = pkgs.runCommand "php.ini"
418 { options = concatStringsSep "\n"
419 ([ mainCfg.phpOptions ] ++ (map (svc: svc.phpOptions) allSubservices));
422 cat ${php}/etc/php.ini > $out
423 echo "$options" >> $out
435 services.httpdTools = {
440 description = "Whether to enable the Apache HTTP Server.";
444 type = types.package;
445 default = pkgs.apacheHttpd;
446 defaultText = "pkgs.apacheHttpd";
448 Overridable attribute of the Apache HTTP Server package to use.
452 configFile = mkOption {
455 defaultText = "confFile";
456 example = literalExample ''pkgs.writeText "httpd.conf" "# my custom config file ..."'';
458 Override the configuration file used by Apache. By default,
459 NixOS generates one automatically.
463 extraConfig = mkOption {
Configuration lines appended to the generated Apache
468 configuration file. Note that this mechanism may not work
469 when <option>configFile</option> is overridden.
473 extraModules = mkOption {
474 type = types.listOf types.unspecified;
476 example = literalExample ''[ "proxy_connect" { name = "php5"; path = "''${pkgs.php}/modules/libphp5.so"; } ]'';
478 Additional Apache modules to be used. These can be
479 specified as a string in the case of modules distributed
480 with Apache, or as an attribute set specifying the
481 <varname>name</varname> and <varname>path</varname> of the
486 logPerVirtualHost = mkOption {
490 If enabled, each virtual host gets its own
491 <filename>access_log</filename> and
492 <filename>error_log</filename>, namely suffixed by the
493 <option>hostName</option> of the virtual host.
501 User account under which httpd runs. The account is created
502 automatically if it doesn't exist.
510 Group under which httpd runs. The account is created
511 automatically if it doesn't exist.
517 default = "/var/log/httpd";
519 Directory for Apache's log files. It is created automatically.
523 stateDir = mkOption {
525 default = "/run/httpd";
527 Directory for Apache's transient runtime state (such as PID
528 files). It is created automatically. Note that the default,
529 <filename>/run/httpd</filename>, is deleted at boot time.
533 virtualHosts = mkOption {
534 type = types.listOf (types.submodule (
535 { options = import ./per-server-options.nix {
537 forMainServer = false;
543 documentRoot = "/data/webroot-foo";
546 documentRoot = "/data/webroot-bar";
550 Specification of the virtual hosts served by Apache. Each
551 element should be an attribute set specifying the
552 configuration of the virtual host. The available options
553 are the non-global options permissible for the main host.
557 enableMellon = mkOption {
560 description = "Whether to enable the mod_auth_mellon module.";
563 enablePHP = mkOption {
566 description = "Whether to enable the PHP module.";
569 phpPackage = mkOption {
570 type = types.package;
572 defaultText = "pkgs.php";
574 Overridable attribute of the PHP package to use.
578 enablePerl = mkOption {
581 description = "Whether to enable the Perl module (mod_perl).";
584 phpOptions = mkOption {
589 date.timezone = "CET"
592 "Options appended to the PHP configuration file <filename>php.ini</filename>.";
595 multiProcessingModule = mkOption {
601 Multi-processing module to be used by Apache. Available
602 modules are <literal>prefork</literal> (the default;
603 handles each request in a separate child process),
604 <literal>worker</literal> (hybrid approach that starts a
605 number of child processes each running a number of
606 threads) and <literal>event</literal> (a recent variant of
607 <literal>worker</literal> that handles persistent
608 connections more efficiently).
612 maxClients = mkOption {
616 description = "Maximum number of httpd processes (prefork)";
619 maxRequestsPerChild = mkOption {
624 "Maximum number of httpd requests answered per httpd child (prefork), 0 means unlimited";
628 # Include the options shared between the main server and virtual hosts.
629 // (import ./per-server-options.nix {
631 forMainServer = true;
637 ###### implementation
639 config = mkIf config.services.httpdTools.enable {
641 assertions = [ { assertion = mainCfg.enableSSL == true
642 -> mainCfg.sslServerCert != null
643 && mainCfg.sslServerKey != null;
644 message = "SSL is enabled for httpd, but sslServerCert and/or sslServerKey haven't been specified."; }
647 warnings = map (cfg: ''apache-httpd's port option is deprecated. Use listen = [{/*ip = "*"; */ port = ${toString cfg.port};}]; instead'' ) (lib.filter (cfg: cfg.port != 0) allHosts);
649 users.users = optionalAttrs (mainCfg.user == "wwwrun") (singleton
651 group = mainCfg.group;
652 description = "Apache httpd user";
653 uid = config.ids.uids.wwwrun;
656 users.groups = optionalAttrs (mainCfg.group == "wwwrun") (singleton
658 gid = config.ids.gids.wwwrun;
661 environment.systemPackages = [httpd] ++ concatMap (svc: svc.extraPath) allSubservices;
663 services.httpdTools.phpOptions =
665 ; Needed for PHP's mail() function.
666 sendmail_path = sendmail -t -i
667 '' + optionalString (!isNull config.time.timeZone) ''
669 ; Apparently PHP doesn't use $TZ.
670 date.timezone = "${config.time.timeZone}"
673 systemd.services.httpdTools =
674 { description = "Apache HTTPD";
676 wantedBy = [ "multi-user.target" ];
677 wants = [ "keys.target" ];
678 after = [ "network.target" "fs.target" "postgresql.service" "keys.target" ];
681 [ httpd pkgs.coreutils pkgs.gnugrep ]
682 ++ # Needed for PHP's mail() function. !!! Probably the
683 # ssmtp module should export the path to sendmail in
685 optional config.networking.defaultMailServer.directDelivery pkgs.ssmtp
686 ++ concatMap (svc: svc.extraServerPath) allSubservices;
689 optionalAttrs enablePHP { PHPRC = phpIni; }
690 // optionalAttrs mainCfg.enableMellon { LD_LIBRARY_PATH = "${pkgs.xmlsec}/lib"; }
691 // (listToAttrs (concatMap (svc: svc.globalEnvVars) allSubservices));
695 mkdir -m 0750 -p ${mainCfg.stateDir}
696 [ $(id -u) != 0 ] || chown root.${mainCfg.group} ${mainCfg.stateDir}
697 ${optionalString version24 ''
698 mkdir -m 0750 -p "${mainCfg.stateDir}/runtime"
699 [ $(id -u) != 0 ] || chown root.${mainCfg.group} "${mainCfg.stateDir}/runtime"
701 mkdir -m 0700 -p ${mainCfg.logDir}
703 # Get rid of old semaphores. These tend to accumulate across
704 # server restarts, eventually preventing it from restarting
706 for i in $(${pkgs.utillinux}/bin/ipcs -s | grep ' ${mainCfg.user} ' | cut -f2 -d ' '); do
707 ${pkgs.utillinux}/bin/ipcrm -s $i
710 # Run the startup hooks for the subservices.
711 for i in ${toString (map (svn: svn.startupScript) allSubservices)}; do
712 echo Running Apache startup hook $i...
# NOTE(review): no User=/Group= is set in the visible serviceConfig, so httpd is
# started as root and is relied upon to drop to the configured account through
# the User/Group directives of the generated config (Group is visible in confFile;
# confirm User is emitted too).
# systemd treats the word after "@" as argv[0]; -f points at the generated (or
# user-overridden) config file.
serviceConfig.ExecStart = "@${httpd}/bin/httpd httpd -f ${httpdConf}";
# Stop and reload go through httpd's own -k commands (graceful variants).
serviceConfig.ExecStop = "${httpd}/bin/httpd -f ${httpdConf} -k graceful-stop";
serviceConfig.ExecReload = "${httpd}/bin/httpd -f ${httpdConf} -k graceful";
# The launcher daemonizes; systemd tracks the parent via the PidFile the
# generated config writes under stateDir.
serviceConfig.Type = "forking";
serviceConfig.PIDFile = "${mainCfg.stateDir}/httpd.pid";
# A start-time failure is retried every 5s. The SSL assertion above only checks
# the main server's sslServerCert/sslServerKey, so a virtual host that enables SSL
# without a certificate would presumably show up here as a restart loop rather
# than as an evaluation-time error.
serviceConfig.Restart = "always";
serviceConfig.RestartSec = "5s";