1 { lib, config, ... }: with lib;
3 cfg = config.services.websites;
6 options.services.websitesCerts = mkOption {
7 description = "Default websites configuration for certificates as accepted by acme";
9 options.services.websites = with types; mkOption {
11 description = "Each type of website to enable will target a distinct httpd server";
12 type = attrsOf (submodule {
14 enable = mkEnableOption "Enable websites of this type";
15 adminAddr = mkOption {
17 description = "Admin e-mail address of the instance";
19 httpdName = mkOption {
21 description = "Name of the httpd instance to assign this type to";
26 description = "ips to listen to";
31 description = "Additional modules to load in Apache";
33 extraConfig = mkOption {
36 description = "Additional configuration to append to Apache";
38 nosslVhost = mkOption {
39 description = "A default nossl vhost for captive portals";
43 enable = mkEnableOption "Add default no-ssl vhost for this instance";
46 description = "The hostname to use for this vhost";
50 default = ./nosslVhost;
51 description = "The root folder to serve";
53 indexFile = mkOption {
55 default = "index.html";
56 description = "The index file to show.";
61 fallbackVhost = mkOption {
62 description = "The fallback vhost that will be defined as first vhost in Apache";
65 certName = mkOption { type = string; };
66 hosts = mkOption { type = listOf string; };
67 root = mkOption { type = nullOr path; };
68 extraConfig = mkOption { type = listOf lines; default = []; };
72 vhostConfs = mkOption {
74 description = "List of vhosts to define for Apache";
75 type = attrsOf (submodule {
77 certName = mkOption { type = string; };
78 addToCerts = mkOption {
81 description = "Use these to certificates. Is ignored (considered true) if certMainHost is not null";
83 certMainHost = mkOption {
85 description = "Use that host as 'main host' for acme certs";
88 hosts = mkOption { type = listOf string; };
89 root = mkOption { type = nullOr path; };
90 extraConfig = mkOption { type = listOf lines; default = []; };
94 watchPaths = mkOption {
98 Paths to watch that should trigger a reload of httpd
105 config.services.httpd = let
106 redirectVhost = ips: { # Should go last, catchall http -> https redirect
107 listen = map (ip: { inherit ip; port = 80; }) ips;
108 hostName = "redirectSSL";
109 serverAliases = [ "*" ];
111 logFormat = "combinedVhost";
112 documentRoot = "${config.security.acme.directory}/acme-challenge";
115 RewriteCond "%{REQUEST_URI}" "!^/\.well-known"
116 RewriteRule ^(.+) https://%{HTTP_HOST}$1 [R=301]
117 # To redirect in specific "VirtualHost *:80", do
118 # RedirectMatch 301 ^/((?!\.well-known.*$).*)$ https://host/$1
119 # rather than rewrite
122 nosslVhost = ips: cfg: {
123 listen = map (ip: { inherit ip; port = 80; }) ips;
126 logFormat = "combinedVhost";
127 documentRoot = cfg.root;
129 <Directory ${cfg.root}>
130 DirectoryIndex ${cfg.indexFile}
135 RewriteRule ^/(.+) / [L]
139 toVhost = ips: vhostConf: {
141 sslServerCert = "${config.security.acme.directory}/${vhostConf.certName}/cert.pem";
142 sslServerKey = "${config.security.acme.directory}/${vhostConf.certName}/key.pem";
143 sslServerChain = "${config.security.acme.directory}/${vhostConf.certName}/chain.pem";
144 logFormat = "combinedVhost";
145 listen = map (ip: { inherit ip; port = 443; }) ips;
146 hostName = builtins.head vhostConf.hosts;
147 serverAliases = builtins.tail vhostConf.hosts or [];
148 documentRoot = vhostConf.root;
149 extraConfig = builtins.concatStringsSep "\n" vhostConf.extraConfig;
151 in attrsets.mapAttrs' (name: icfg: attrsets.nameValuePair
152 icfg.httpdName (mkIf icfg.enable {
154 listen = map (ip: { inherit ip; port = 443; }) icfg.ips;
155 stateDir = "/run/httpd_${name}";
156 logPerVirtualHost = true;
157 multiProcessingModule = "worker";
158 inherit (icfg) adminAddr;
159 logFormat = "combinedVhost";
160 extraModules = lists.unique icfg.modules;
161 extraConfig = builtins.concatStringsSep "\n" icfg.extraConfig;
162 virtualHosts = [ (toVhost icfg.ips icfg.fallbackVhost) ]
163 ++ optionals (icfg.nosslVhost.enable) [ (nosslVhost icfg.ips icfg.nosslVhost) ]
164 ++ (attrsets.mapAttrsToList (n: v: toVhost icfg.ips v) icfg.vhostConfs)
165 ++ [ (redirectVhost icfg.ips) ];
169 config.services.filesWatcher = attrsets.mapAttrs' (name: icfg: attrsets.nameValuePair
170 "httpd${icfg.httpdName}" {
171 paths = icfg.watchPaths;
176 config.security.acme.certs = let
177 typesToManage = attrsets.filterAttrs (k: v: v.enable) cfg;
178 flatVhosts = lists.flatten (attrsets.mapAttrsToList (k: v:
179 attrValues v.vhostConfs
181 groupedCerts = attrsets.filterAttrs
182 (_: group: builtins.any (v: v.addToCerts || !isNull v.certMainHost) group)
183 (lists.groupBy (v: v.certName) flatVhosts);
184 groupToDomain = group:
186 nonNull = builtins.filter (v: !isNull v.certMainHost) group;
187 domains = lists.unique (map (v: v.certMainHost) nonNull);
189 if builtins.length domains == 0
191 else assert (builtins.length domains == 1); (elemAt domains 0);
192 extraDomains = group:
194 mainDomain = groupToDomain group;
196 lists.remove mainDomain (
198 lists.flatten (map (c: optionals (c.addToCerts || !isNull c.certMainHost) c.hosts) group)
201 in attrsets.mapAttrs (k: g:
202 if (!isNull (groupToDomain g))
203 then config.services.websitesCerts // {
204 domain = groupToDomain g;
205 extraDomains = builtins.listToAttrs (
206 map (d: attrsets.nameValuePair d null) (extraDomains g));
209 extraDomains = builtins.listToAttrs (
210 map (d: attrsets.nameValuePair d null) (extraDomains g));