]> git.immae.eu Git - perso/Immae/Config/Nix.git/blob - modules/websites/default.nix
projects / perso / Immae / Config / Nix.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
WIP upgrade
[perso/Immae/Config/Nix.git] / modules / websites / default.nix
1 { lib, config, pkgs, ... }: with lib;
2 let
3 cfg = config.services.websites;
4 in
5 {
6 options.services.websites = with types; {
7 certs = mkOption {
8 description = "Default websites configuration for certificates as accepted by acme";
9 };
10 env = mkOption {
11 default = {};
12 description = "Each type of website to enable will target a distinct httpd server";
13 type = attrsOf (submodule {
14 options = {
15 enable = mkEnableOption "Enable websites of this type";
16 adminAddr = mkOption {
17 type = str;
18 description = "Admin e-mail address of the instance";
19 };
20 httpdName = mkOption {
21 type = str;
22 description = "Name of the httpd instance to assign this type to";
23 };
24 ips = mkOption {
25 type = listOf str;
26 default = [];
27 description = "ips to listen to";
28 };
29 modules = mkOption {
30 type = listOf str;
31 default = [];
32 description = "Additional modules to load in Apache";
33 };
34 extraConfig = mkOption {
35 type = listOf lines;
36 default = [];
37 description = "Additional configuration to append to Apache";
38 };
39 nosslVhost = mkOption {
40 description = "A default nossl vhost for captive portals";
41 default = {};
42 type = submodule {
43 options = {
44 enable = mkEnableOption "Add default no-ssl vhost for this instance";
45 host = mkOption {
46 type = str;
47 description = "The hostname to use for this vhost";
48 };
49 root = mkOption {
50 type = path;
51 default = ./nosslVhost;
52 description = "The root folder to serve";
53 };
54 indexFile = mkOption {
55 type = str;
56 default = "index.html";
57 description = "The index file to show.";
58 };
59 };
60 };
61 };
62 fallbackVhost = mkOption {
63 description = "The fallback vhost that will be defined as first vhost in Apache";
64 type = submodule {
65 options = {
66 certName = mkOption { type = str; };
67 hosts = mkOption { type = listOf str; };
68 root = mkOption { type = nullOr path; };
69 forceSSL = mkOption {
70 type = bool;
71 default = true;
72 description = ''
73 Automatically create a corresponding non-ssl vhost
74 that will only redirect to the ssl version
75 '';
76 };
77 extraConfig = mkOption { type = listOf lines; default = []; };
78 };
79 };
80 };
81 vhostNoSSLConfs = mkOption {
82 default = {};
83 description = "List of no ssl vhosts to define for Apache";
84 type = attrsOf (submodule {
85 options = {
86 hosts = mkOption { type = listOf str; };
87 root = mkOption { type = nullOr path; };
88 extraConfig = mkOption { type = listOf lines; default = []; };
89 };
90 });
91 };
92 vhostConfs = mkOption {
93 default = {};
94 description = "List of vhosts to define for Apache";
95 type = attrsOf (submodule {
96 options = {
97 certName = mkOption { type = str; };
98 addToCerts = mkOption {
99 type = bool;
100 default = false;
101 description = "Use these to certificates. Is ignored (considered true) if certMainHost is not null";
102 };
103 certMainHost = mkOption {
104 type = nullOr str;
105 description = "Use that host as 'main host' for acme certs";
106 default = null;
107 };
108 hosts = mkOption { type = listOf str; };
109 root = mkOption { type = nullOr path; };
110 forceSSL = mkOption {
111 type = bool;
112 default = true;
113 description = ''
114 Automatically create a corresponding non-ssl vhost
115 that will only redirect to the ssl version
116 '';
117 };
118 extraConfig = mkOption { type = listOf lines; default = []; };
119 };
120 });
121 };
122 watchPaths = mkOption {
123 type = listOf str;
124 default = [];
125 description = ''
126 Paths to watch that should trigger a reload of httpd
127 '';
128 };
129 };
130 });
131 };
132 };
133
134 config.services.httpd = let
135 nosslVhost = ips: cfg: {
136 listen = map (ip: { inherit ip; port = 80; }) ips;
137 hostName = cfg.host;
138 logFormat = "combinedVhost";
139 documentRoot = cfg.root;
140 extraConfig = ''
141 <Directory ${cfg.root}>
142 DirectoryIndex ${cfg.indexFile}
143 AllowOverride None
144 Require all granted
145
146 RewriteEngine on
147 RewriteRule ^/(.+) / [L]
148 </Directory>
149 '';
150 };
151 toVhost = ips: vhostConf: {
152 acmeRoot = "/var/lib/acme/acme-challenges";
153 forceSSL = vhostConf.forceSSL or true;
154 useACMEHost = vhostConf.certName;
155 logFormat = "combinedVhost";
156 listen = if vhostConf.forceSSL
157 then lists.flatten (map (ip: [{ inherit ip; port = 443; ssl = true; } { inherit ip; port = 80; }]) ips)
158 else map (ip: { inherit ip; port = 443; ssl = true; }) ips;
159 hostName = builtins.head vhostConf.hosts;
160 serverAliases = builtins.tail vhostConf.hosts or [];
161 documentRoot = vhostConf.root;
162 extraConfig = builtins.concatStringsSep "\n" vhostConf.extraConfig;
163 };
164 toVhostNoSSL = ips: vhostConf: {
165 logFormat = "combinedVhost";
166 listen = map (ip: { inherit ip; port = 80; }) ips;
167 hostName = builtins.head vhostConf.hosts;
168 serverAliases = builtins.tail vhostConf.hosts or [];
169 documentRoot = vhostConf.root;
170 extraConfig = builtins.concatStringsSep "\n" vhostConf.extraConfig;
171 };
172 in attrsets.mapAttrs' (name: icfg: attrsets.nameValuePair
173 icfg.httpdName (mkIf icfg.enable {
174 enable = true;
175 logPerVirtualHost = true;
176 multiProcessingModule = "worker";
177 # https://ssl-config.mozilla.org/#server=apache&version=2.4.41&config=intermediate&openssl=1.0.2t&guideline=5.4
178 # test with https://www.ssllabs.com/ssltest/analyze.html?d=www.immae.eu&s=176.9.151.154&latest
179 sslProtocols = "all -SSLv3 -TLSv1 -TLSv1.1";
180 sslCiphers = builtins.concatStringsSep ":" [
181 "ECDHE-ECDSA-AES128-GCM-SHA256" "ECDHE-RSA-AES128-GCM-SHA256"
182 "ECDHE-ECDSA-AES256-GCM-SHA384" "ECDHE-RSA-AES256-GCM-SHA384"
183 "ECDHE-ECDSA-CHACHA20-POLY1305" "ECDHE-RSA-CHACHA20-POLY1305"
184 "DHE-RSA-AES128-GCM-SHA256" "DHE-RSA-AES256-GCM-SHA384"
185 ];
186 inherit (icfg) adminAddr;
187 logFormat = "combinedVhost";
188 extraModules = lists.unique icfg.modules;
189 extraConfig = builtins.concatStringsSep "\n" icfg.extraConfig;
190
191 virtualHosts = with attrsets; {
192 ___fallbackVhost = toVhost icfg.ips icfg.fallbackVhost;
193 } // (optionalAttrs icfg.nosslVhost.enable {
194 nosslVhost = nosslVhost icfg.ips icfg.nosslVhost;
195 }) // (mapAttrs' (n: v: nameValuePair ("nossl_" + n) (toVhostNoSSL icfg.ips v)) icfg.vhostNoSSLConfs)
196 // (mapAttrs' (n: v: nameValuePair ("ssl_" + n) (toVhost icfg.ips v)) icfg.vhostConfs);
197 })
198 ) cfg.env;
199
200 config.services.filesWatcher = attrsets.mapAttrs' (name: icfg: attrsets.nameValuePair
201 "httpd${icfg.httpdName}" {
202 paths = icfg.watchPaths;
203 waitTime = 5;
204 }
205 ) cfg.env;
206
207 config.security.acme.certs = let
208 typesToManage = attrsets.filterAttrs (k: v: v.enable) cfg.env;
209 flatVhosts = lists.flatten (attrsets.mapAttrsToList (k: v:
210 attrValues v.vhostConfs
211 ) typesToManage);
212 groupedCerts = attrsets.filterAttrs
213 (_: group: builtins.any (v: v.addToCerts || !isNull v.certMainHost) group)
214 (lists.groupBy (v: v.certName) flatVhosts);
215 groupToDomain = group:
216 let
217 nonNull = builtins.filter (v: !isNull v.certMainHost) group;
218 domains = lists.unique (map (v: v.certMainHost) nonNull);
219 in
220 if builtins.length domains == 0
221 then null
222 else assert (builtins.length domains == 1); (elemAt domains 0);
223 extraDomains = group:
224 let
225 mainDomain = groupToDomain group;
226 in
227 lists.remove mainDomain (
228 lists.unique (
229 lists.flatten (map (c: optionals (c.addToCerts || !isNull c.certMainHost) c.hosts) group)
230 )
231 );
232 in attrsets.mapAttrs (k: g:
233 if (!isNull (groupToDomain g))
234 then cfg.certs // {
235 domain = groupToDomain g;
236 extraDomainNames = extraDomains g;
237 }
238 else {
239 extraDomainNames = extraDomains g;
240 }
241 ) groupedCerts;
242
243 config.systemd.services = let
244 package = httpdName: config.services.httpd.${httpdName}.package.out;
245 cfgFile = httpdName: config.services.httpd.${httpdName}.configFile;
246 serviceChange = attrsets.mapAttrs' (name: icfg:
247 attrsets.nameValuePair
248 "httpd${icfg.httpdName}" {
249 stopIfChanged = false;
250 serviceConfig.ExecStart =
251 lib.mkForce "@${package icfg.httpdName}/bin/httpd httpd -f /etc/httpd/httpd_${icfg.httpdName}.conf";
252 serviceConfig.ExecStop =
253 lib.mkForce "${package icfg.httpdName}/bin/httpd -f /etc/httpd/httpd_${icfg.httpdName}.conf -k graceful-stop";
254 serviceConfig.ExecReload =
255 lib.mkForce "${package icfg.httpdName}/bin/httpd -f /etc/httpd/httpd_${icfg.httpdName}.conf -k graceful";
256 }
257 ) cfg.env;
258 serviceReload = attrsets.mapAttrs' (name: icfg:
259 attrsets.nameValuePair
260 "httpd${icfg.httpdName}-config-reload" {
261 wants = [ "httpd${icfg.httpdName}.service" ];
262 wantedBy = [ "multi-user.target" ];
263 restartTriggers = [ (cfgFile icfg.httpdName) ];
264 # commented, because can cause extra delays during activate for this config:
265 # services.nginx.virtualHosts."_".locations."/".proxyPass = "http://blabla:3000";
266 # stopIfChanged = false;
267 serviceConfig.Type = "oneshot";
268 serviceConfig.TimeoutSec = 60;
269 script = ''
270 if ${pkgs.systemd}/bin/systemctl -q is-active httpd${icfg.httpdName}.service ; then
271 ${package icfg.httpdName}/bin/httpd -f /etc/httpd/httpd_${icfg.httpdName}.conf -t && \
272 ${pkgs.systemd}/bin/systemctl reload httpd${icfg.httpdName}.service
273 fi
274 '';
275 serviceConfig.RemainAfterExit = true;
276 }
277 ) cfg.env;
278 in
279 serviceChange // serviceReload;
280 }
My infrastructure configuration