1 { config, lib, pkgs, ... }:
# Short-hands used throughout the module.
7 mainCfg = config.services.httpdTools;
# The package's .out output (binaries, conf/ includes); its .dev output is
# handed to PHP below so the PHP module can be built against the headers.
9 httpd = mainCfg.package.out;
# Apache 2.4 changed several directives and module names (authn_core,
# Mutex, loadable mpm_* modules); this flag selects the matching form below.
11 version24 = !versionOlder httpd.version "2.4";
# The config file httpd is started with; defaults to the generated confFile
# but may be overridden wholesale through the configFile option.
13 httpdConf = mainCfg.configFile;
15 php = mainCfg.phpPackage.override { apacheHttpd = httpd.dev; /* otherwise it only gets .out */ };
# e.g. "7.2.1" -> "7"; names the Apache PHP module (libphp<N>.so).
17 phpMajorVersion = head (splitString "." php.version);
19 mod_perl = pkgs.apacheHttpdPackages.mod_perl.override { apacheHttpd = httpd; };
# Fallback listen address used by getListen when a host configures none:
# every interface on the scheme's default port (443 with SSL, 80 without).
21 defaultListen = cfg: [ { ip = "*"; port = if cfg.enableSSL then 443 else 80; } ];
# Effective listen addresses of one host: the deprecated scalar `port`
# option is folded into the explicit `listen` list; the `if` that falls back
# to defaultListen is on a line not shown here (presumably an empty-list check).
26 let list = (lib.optional (cfg.port != 0) {ip = "*"; port = cfg.port;}) ++ cfg.listen;
28 then defaultListen cfg
31 listenToString = l: "${l.ip}:${toString l.port}";
# Entries of the extraModules option, split by type: bare strings name stock
# modules under ${httpd}/modules, attrsets supply their own {name, path}.
33 extraModules = mainCfg.extraModules or [];
34 extraForeignModules = builtins.filter builtins.isAttrs extraModules;
35 extraApacheModules = builtins.filter builtins.isString extraModules;
# Per-host metadata handed to every subservice: canonical URLs, admin
# address, the main server's options and the whole machine config.
38 makeServerInfo = cfg: {
39 # Canonical name must not include a trailing slash.
# One URL per listen port of the host.  The scheme follows cfg.enableSSL for
# *all* ports (NOTE(review): a host listening on both 80 and 443 gets https://
# for both); the port suffix is dropped when it equals the scheme's default.
41 let defaultPort = (head (defaultListen cfg)).port; in
43 (if cfg.enableSSL then "https" else "http") + "://" +
45 (if port != defaultPort then ":${toString port}" else "")
46 ) (map (x: x.port) (getListen cfg));
48 # Admin address: inherit from the main server if not specified for
50 adminAddr = if cfg.adminAddr != null then cfg.adminAddr else mainCfg.adminAddr;
# Subservices see the *main* server's options here even when cfg is a vhost.
53 serverConfig = mainCfg;
54 fullConfig = config; # machine config
58 allHosts = [mainCfg] ++ mainCfg.virtualHosts;
# Instantiate one host's subservice definitions (`defs`): each is resolved to
# a service expression, called with the host's serverInfo, merged over
# `defaults` (the service's result wins) and evaluated as a small module.
61 callSubservices = serverInfo: defs:
# Resolution order for the service expression: an inline function first,
65 if svc ? function then svc.function
66 # then an explicit path: instead of `serviceType = "mediawiki"` you can copy mediawiki.nix anywhere outside nixpkgs, modify it, and set `serviceExpression = ./mediawiki.nix`,
67 else if svc ? serviceExpression then import (toString svc.serviceExpression)
# otherwise a sibling <serviceType|serviceName>.nix next to this module.
68 else import (toString "${toString ./.}/${if svc ? serviceType then svc.serviceType else svc.serviceName}.nix");
# The definition itself doubles as the module's config unless it carries an
# explicit `config` attribute (the evaluation call is not visible here).
70 { modules = [ { options = res.options; config = svc.config or svc; } ];
88 res = defaults // svcFunction { inherit config lib pkgs serverInfo php; };
93 # !!! callSubservices is expensive
# ...and perServerConf calls it a second time for the same host, so every
# host's subservices are instantiated twice per evaluation.
94 subservicesFor = cfg: callSubservices (makeServerInfo cfg) cfg.extraSubservices;
96 mainSubservices = subservicesFor mainCfg;
# Main server's subservices first, then those of each virtual host in order.
98 allSubservices = mainSubservices ++ concatMap subservicesFor mainCfg.virtualHosts;
# True if *any* host has SSL on: loads mod_ssl and emits the global sslConf
# even when the main server itself is plain HTTP.
101 enableSSL = any (vhost: vhost.enableSSL) allHosts;
104 # Names of modules from ${httpd}/modules that we want to load.
# Each name becomes `LoadModule <name>_module ${httpd}/modules/mod_<name>.so`
# in confFile; the attribute holding this list is declared on a line not shown.
106 [ # HTTP authentication mechanisms: basic and digest.
107 "auth_basic" "auth_digest"
109 # Authentication: is the user who he claims to be?
110 "authn_file" "authn_dbm" "authn_anon"
111 (if version24 then "authn_core" else "authn_alias")
113 # Authorization: is the user allowed access?
114 "authz_user" "authz_groupfile" "authz_host"
# NOTE(review): everything below is loaded unconditionally — proxy/proxy_http,
# dav/dav_fs, status, info, userdir, rewrite included.  They only act on
# matching directives (which this config emits only when enabled), but every
# loaded module widens the in-process code surface; worth trimming per deployment.
117 "ext_filter" "include" "log_config" "env" "mime_magic"
118 "cern_meta" "expires" "headers" "usertrack" /* "unique_id" */ "setenvif"
119 "mime" "dav" "status" "autoindex" "asis" "info" "dav_fs"
120 "vhost_alias" "negotiation" "dir" "imagemap" "actions" "speling"
121 "userdir" "alias" "rewrite" "proxy" "proxy_http"
# 2.4 only: the MPM is a loadable module, and legacy Order/Allow access
# control needs mod_access_compat.
123 ++ optionals version24 [
124 "mpm_${mainCfg.multiProcessingModule}"
130 # For compatibility with old configurations, the new module mod_access_compat is provided.
# mod_cgi for the prefork MPM; the socket-based mod_cgid (needs the ScriptSock
# set in confFile) for threaded MPMs.
133 ++ (if mainCfg.multiProcessingModule == "prefork" then [ "cgi" ] else [ "cgid" ])
# mod_ssl only when some host has SSL on; user-named stock modules last.
134 ++ optional enableSSL "ssl"
135 ++ extraApacheModules;
# Access-control snippets in the syntax of the running httpd major version
# (2.4 `Require` form vs., presumably, the older Order/Allow form); the string
# bodies are on lines not shown in this excerpt.
138 allDenied = if version24 then ''
145 allGranted = if version24 then ''
# Global logging block, emitted only when logFormat != "none" (the else
# branch is on lines not shown): ErrorLog, the four standard LogFormat
# nicknames and a CustomLog in mainCfg.logFormat.  Per-vhost log files are
# added separately by perServerConf when logPerVirtualHost is set.
153 loggingConf = (if mainCfg.logFormat != "none" then ''
154 ErrorLog ${mainCfg.logDir}/error_log
158 LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
159 LogFormat "%h %l %u %t \"%r\" %>s %b" common
160 LogFormat "%{Referer}i -> %U" referer
161 LogFormat "%{User-agent}i" agent
163 CustomLog ${mainCfg.logDir}/access_log ${mainCfg.logFormat}
170 BrowserMatch "Mozilla/2" nokeepalive
171 BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0
172 BrowserMatch "RealPlayer 4\.0" force-response-1.0
173 BrowserMatch "Java/1\.0" force-response-1.0
174 BrowserMatch "JDK/1\.0" force-response-1.0
175 BrowserMatch "Microsoft Data Access Internet Publishing Provider" redirect-carefully
176 BrowserMatch "^WebDrive" redirect-carefully
177 BrowserMatch "^WebDAVFS/1.[012]" redirect-carefully
178 BrowserMatch "^gnome-vfs" redirect-carefully
183 SSLSessionCache ${if version24 then "shmcb" else "shm"}:${mainCfg.stateDir}/ssl_scache(512000)
185 ${if version24 then "Mutex" else "SSLMutex"} posixsem
187 SSLRandomSeed startup builtin
188 SSLRandomSeed connect builtin
190 SSLProtocol ${mainCfg.sslProtocols}
191 SSLCipherSuite ${mainCfg.sslCiphers}
192 SSLHonorCipherOrder on
197 TypesConfig ${httpd}/conf/mime.types
199 AddType application/x-x509-ca-cert .crt
200 AddType application/x-pkcs7-crl .crl
201 AddType application/x-httpd-php .php .phtml
203 <IfModule mod_mime_magic.c>
204 MIMEMagicFile ${httpd}/conf/magic
# Directives shared by the main server and every <VirtualHost>.  isMainServer
# selects the main-only parts (unconditional ServerAdmin, the empty-dir
# DocumentRoot fallback) and, for vhosts, adds per-host log files and the main
# server's robots entries.
# NOTE(review): SSLCertificateKeyFile is rendered as `${cfg.sslServerKey}`
# into a store-resident httpd.conf.  For a string value that is only a path
# reference, but if the option accepts a Nix *path* value the interpolation
# would copy the key file itself into the world-readable store — confirm the
# option's type in per-server-options.nix.
209 perServerConf = isMainServer: cfg: let
211 serverInfo = makeServerInfo cfg;
# Second instantiation of this host's subservices (see subservicesFor).
213 subservices = callSubservices serverInfo cfg.extraSubservices;
# The document root may come from the host itself or from exactly one of its
# subservices; a second non-null documentRoot trips the `assert`.
215 maybeDocumentRoot = fold (svc: acc:
216 if acc == null then svc.documentRoot else assert svc.documentRoot == null; acc
217 ) null ([ cfg ] ++ subservices);
# No document root anywhere: serve an empty store directory rather than
# leaving DocumentRoot unset (only applied to the main server, see below).
219 documentRoot = if maybeDocumentRoot != null then maybeDocumentRoot else
220 pkgs.runCommand "empty" { preferLocalBuild = true; } "mkdir -p $out";
# NOTE(review): the <Directory> block below enables `Indexes` (directory
# listings) and `FollowSymLinks` on the document root by default.
222 documentRootConf = ''
223 DocumentRoot "${documentRoot}"
225 <Directory "${documentRoot}">
226 Options Indexes FollowSymLinks
233 concatStringsSep "\n" (filter (x: x != "") (
234 # If this is a vhost, also include the robots entries of the main server and its subservices.
235 (if isMainServer then [] else [mainCfg.robotsEntries] ++ map (svc: svc.robotsEntries) mainSubservices)
236 ++ [cfg.robotsEntries]
237 ++ (map (svc: svc.robotsEntries) subservices)));
240 ${concatStringsSep "\n" (map (n: "ServerName ${n}") serverInfo.canonicalNames)}
242 ${concatMapStrings (alias: "ServerAlias ${alias}\n") cfg.serverAliases}
244 ${if cfg.sslServerCert != null then ''
245 SSLCertificateFile ${cfg.sslServerCert}
246 SSLCertificateKeyFile ${cfg.sslServerKey}
247 ${if cfg.sslServerChain != null then ''
248 SSLCertificateChainFile ${cfg.sslServerChain}
252 ${if cfg.enableSSL then ''
254 '' else if enableSSL then /* i.e., SSL is enabled for some host, but not this one */
259 ${if isMainServer || cfg.adminAddr != null then ''
260 ServerAdmin ${cfg.adminAddr}
263 ${if !isMainServer && mainCfg.logPerVirtualHost then ''
264 ErrorLog ${mainCfg.logDir}/error_log-${cfg.hostName}
265 CustomLog ${mainCfg.logDir}/access_log-${cfg.hostName} ${cfg.logFormat}
268 ${optionalString (robotsTxt != "") ''
269 Alias /robots.txt ${pkgs.writeText "robots.txt" robotsTxt}
272 ${if isMainServer || maybeDocumentRoot != null then documentRootConf else ""}
274 ${if cfg.enableUserDir then ''
277 UserDir disabled root
279 <Directory "/home/*/public_html">
280 AllowOverride FileInfo AuthConfig Limit Indexes
281 Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
282 <Limit GET POST OPTIONS>
285 <LimitExcept GET POST OPTIONS>
292 ${if cfg.globalRedirect != null && cfg.globalRedirect != "" then ''
293 RedirectPermanent / ${cfg.globalRedirect}
297 let makeFileConf = elem: ''
298 Alias ${elem.urlPath} ${elem.file}
300 in concatMapStrings makeFileConf cfg.servedFiles
304 let makeDirConf = elem: ''
305 Alias ${elem.urlPath} ${elem.dir}/
306 <Directory ${elem.dir}>
312 in concatMapStrings makeDirConf cfg.servedDirs
315 ${concatMapStrings (svc: svc.extraConfig) subservices}
321 confFile = pkgs.writeText "httpd.conf" ''
325 ${optionalString version24 ''
326 DefaultRuntimeDir ${mainCfg.stateDir}/runtime
329 PidFile ${mainCfg.stateDir}/httpd.pid
331 ${optionalString (mainCfg.multiProcessingModule != "prefork") ''
332 # mod_cgid requires this.
333 ScriptSock ${mainCfg.stateDir}/cgisock
337 MaxClients ${toString mainCfg.maxClients}
338 MaxRequestsPerChild ${toString mainCfg.maxRequestsPerChild}
342 listen = concatMap getListen allHosts;
# One Listen line per distinct ip:port across all hosts; a duplicate Listen
# would otherwise make httpd fail to bind at start-up.
343 toStr = listen: "Listen ${listenToString listen}\n";
344 uniqueListen = uniqList {inputList = map toStr listen;};
345 in concatStrings uniqueListen
349 Group ${mainCfg.group}
352 load = {name, path}: "LoadModule ${name}_module ${path}\n";
# Load order: subservice "pre" modules, the stock module list, the optional
# mellon/PHP/Perl modules, subservice modules, then foreign modules given as
# {name, path} attrsets in the extraModules option.
354 concatMap (svc: svc.extraModulesPre) allSubservices
355 ++ map (name: {inherit name; path = "${httpd}/modules/mod_${name}.so";}) apacheModules
356 ++ optional mainCfg.enableMellon { name = "auth_mellon"; path = "${pkgs.apacheHttpdPackages.mod_auth_mellon}/modules/mod_auth_mellon.so"; }
357 ++ optional enablePHP { name = "php${phpMajorVersion}"; path = "${php}/modules/libphp${phpMajorVersion}.so"; }
358 ++ optional enablePerl { name = "perl"; path = "${mod_perl}/modules/mod_perl.so"; }
359 ++ concatMap (svc: svc.extraModules) allSubservices
360 ++ extraForeignModules;
361 in concatMapStrings load allModules
364 AddHandler type-map var
374 Include ${httpd}/conf/extra/httpd-default.conf
375 Include ${httpd}/conf/extra/httpd-autoindex.conf
376 Include ${httpd}/conf/extra/httpd-multilang-errordoc.conf
377 Include ${httpd}/conf/extra/httpd-languages.conf
381 ${if enableSSL then sslConf else ""}
383 # Fascist default - deny access to everything.
385 Options FollowSymLinks
390 # Generate directives for the main server.
391 ${perServerConf true mainCfg}
393 # Always enable virtual hosts; it doesn't seem to hurt.
395 listen = concatMap getListen allHosts;
# NameVirtualHost is obsolete on 2.4 (httpd warns about it), hence the guard.
396 uniqueListen = uniqList {inputList = listen;};
397 directives = concatMapStrings (listen: "NameVirtualHost ${listenToString listen}\n") uniqueListen;
398 in optionalString (!version24) directives
# One <VirtualHost> per configured vhost, bound to all of its listen addresses.
402 makeVirtualHost = vhost: ''
403 <VirtualHost ${concatStringsSep " " (map listenToString (getListen vhost))}>
404 ${perServerConf false vhost}
407 in concatMapStrings makeVirtualHost mainCfg.virtualHosts
# The PHP / Perl modules are loaded if the main server *or any subservice*
# asks for them (the main flag is checked first, short-circuiting the scan).
412 enablePHP = mainCfg.enablePHP || any (svc: svc.enablePHP) allSubservices;
414 enablePerl = mainCfg.enablePerl || any (svc: svc.enablePerl) allSubservices;
417 # Generate the PHP configuration file. Should probably be factored
418 # out into a separate module.
# Starts from the package's php.ini and appends the main server's phpOptions
# followed by every subservice's; for duplicate keys PHP presumably keeps the
# last value — TODO confirm.  The result is passed to httpd via PHPRC.
419 phpIni = pkgs.runCommand "php.ini"
420 { options = concatStringsSep "\n"
421 ([ mainCfg.phpOptions ] ++ (map (svc: svc.phpOptions) allSubservices));
424 cat ${php}/etc/php.ini > $out
425 echo "$options" >> $out
437 services.httpdTools = {
442 description = "Whether to enable the Apache HTTP Server.";
# The module uses the package's .out output for binaries and conf/ includes
# and its .dev output when building the PHP module.
446 type = types.package;
447 default = pkgs.apacheHttpd;
448 defaultText = "pkgs.apacheHttpd";
450 Overridable attribute of the Apache HTTP Server package to use.
454 configFile = mkOption {
# Defaults to the generated `confFile`; an override is passed verbatim to
# httpd (-f) and bypasses everything else this module renders.
457 defaultText = "confFile";
458 example = literalExample ''pkgs.writeText "httpd.conf" "# my custom config file ..."'';
460 Override the configuration file used by Apache. By default,
461 NixOS generates one automatically.
465 extraConfig = mkOption {
469 Configuration lines appended to the generated Apache
470 configuration file. Note that this mechanism may not work
471 when <option>configFile</option> is overridden.
475 extraModules = mkOption {
476 type = types.listOf types.unspecified;
# Strings name stock modules (resolved to ${httpd}/modules/mod_<name>.so);
# attrsets must carry an explicit {name, path} and are loaded after all
# other modules (see extraForeignModules).
478 example = literalExample ''[ "proxy_connect" { name = "php5"; path = "''${pkgs.php}/modules/libphp5.so"; } ]'';
480 Additional Apache modules to be used. These can be
481 specified as a string in the case of modules distributed
482 with Apache, or as an attribute set specifying the
483 <varname>name</varname> and <varname>path</varname> of the
488 logPerVirtualHost = mkOption {
492 If enabled, each virtual host gets its own
493 <filename>access_log</filename> and
494 <filename>error_log</filename>, namely suffixed by the
495 <option>hostName</option> of the virtual host.
503 User account under which httpd runs. The account is created
504 automatically if it doesn't exist.
512 Group under which httpd runs. The account is created
513 automatically if it doesn't exist.
519 default = "/var/log/httpd";
521 Directory for Apache's log files. It is created automatically.
525 stateDir = mkOption {
# Holds the PID file, the cgid socket, the SSL session cache and (2.4) the
# runtime dir; created 0750 root:<group> by the unit's preStart.
527 default = "/run/httpd";
529 Directory for Apache's transient runtime state (such as PID
530 files). It is created automatically. Note that the default,
531 <filename>/run/httpd</filename>, is deleted at boot time.
535 virtualHosts = mkOption {
536 type = types.listOf (types.submodule (
# Same per-server option set as the main server, minus the main-only ones
# (forMainServer = false).
537 { options = import ./per-server-options.nix {
539 forMainServer = false;
545 documentRoot = "/data/webroot-foo";
548 documentRoot = "/data/webroot-bar";
552 Specification of the virtual hosts served by Apache. Each
553 element should be an attribute set specifying the
554 configuration of the virtual host. The available options
555 are the non-global options permissible for the main host.
559 enableMellon = mkOption {
# Loads mod_auth_mellon from pkgs.apacheHttpdPackages and adds xmlsec to the
# unit's LD_LIBRARY_PATH.
562 description = "Whether to enable the mod_auth_mellon module.";
565 enablePHP = mkOption {
# Main-server switch only; a subservice can also turn the PHP module on.
568 description = "Whether to enable the PHP module.";
571 phpPackage = mkOption {
# Overridden with apacheHttpd = httpd.dev so the PHP Apache module builds
# against the selected httpd.
572 type = types.package;
574 defaultText = "pkgs.php";
576 Overridable attribute of the PHP package to use.
580 enablePerl = mkOption {
583 description = "Whether to enable the Perl module (mod_perl).";
# Raw php.ini text; subservice phpOptions are appended after it in phpIni.
586 phpOptions = mkOption {
591 date.timezone = "CET"
594 "Options appended to the PHP configuration file <filename>php.ini</filename>.";
# Also decides cgi vs. cgid (and the ScriptSock) and, on 2.4, which mpm_*
# module is loaded.
597 multiProcessingModule = mkOption {
603 Multi-processing module to be used by Apache. Available
604 modules are <literal>prefork</literal> (the default;
605 handles each request in a separate child process),
606 <literal>worker</literal> (hybrid approach that starts a
607 number of child processes each running a number of
608 threads) and <literal>event</literal> (a recent variant of
609 <literal>worker</literal> that handles persistent
610 connections more efficiently).
614 maxClients = mkOption {
# Rendered verbatim as MaxClients / MaxRequestsPerChild in confFile.
618 description = "Maximum number of httpd processes (prefork)";
621 maxRequestsPerChild = mkOption {
626 "Maximum number of httpd requests answered per httpd child (prefork), 0 means unlimited";
629 sslCiphers = mkOption {
# Fed to SSLCipherSuite, i.e. the server-side handshake (SSLProxyCipherSuite
# is the proxy directive) — NOTE(review): the description's "proxy handshake"
# wording is misleading.  HIGH:!aNULL:!MD5:!EXP still admits non-forward-secret
# RSA key exchange; deployments wanting PFS need to override this.
631 default = "HIGH:!aNULL:!MD5:!EXP";
632 description = "Cipher Suite available for negotiation in SSL proxy handshake.";
635 sslProtocols = mkOption {
# Fed to SSLProtocol.  NOTE(review): the default still permits TLSv1.1;
# adding "-TLSv1.1" (httpd 2.4 syntax) or an explicit allow-list would
# tighten it.
637 default = "All -SSLv2 -SSLv3 -TLSv1";
638 example = "All -SSLv2 -SSLv3";
639 description = "Allowed SSL/TLS protocol versions.";
643 # Include the options shared between the main server and virtual hosts.
644 // (import ./per-server-options.nix {
646 forMainServer = true;
652 ###### implementation
# Everything below is only merged into the system configuration when
# services.httpdTools.enable is set.
654 config = mkIf config.services.httpdTools.enable {
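# Every host that turns on SSL must carry its own certificate and key:
# perServerConf only emits SSLCertificateFile/KeyFile from the host's own
# options, so an SSL vhost without them used to slip through this check and
# fail at httpd start-up instead of at evaluation.  `->` binds loosest, so the
# && sits inside the implication.
656 assertions = [ { assertion = all (cfg: cfg.enableSSL
657 -> cfg.sslServerCert != null
658 && cfg.sslServerKey != null) allHosts;
659 message = "SSL is enabled for httpd (main server or a virtual host), but sslServerCert and/or sslServerKey haven't been specified."; }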
662 warnings = map (cfg: ''apache-httpd's port option is deprecated. Use listen = [{/*ip = "*"; */ port = ${toString cfg.port};}]; instead'' ) (lib.filter (cfg: cfg.port != 0) allHosts);
# The account and group are only created when the *default* names are in use.
# NOTE(review): the user/group option descriptions promise automatic creation
# unconditionally, so a custom `user`/`group` must already exist on the
# system; either the descriptions or this condition should change.
664 users.users = optionalAttrs (mainCfg.user == "wwwrun") (singleton
666 group = mainCfg.group;
667 description = "Apache httpd user";
668 uid = config.ids.uids.wwwrun;
# Same default-name condition for the group.
671 users.groups = optionalAttrs (mainCfg.group == "wwwrun") (singleton
673 gid = config.ids.gids.wwwrun;
676 environment.systemPackages = [httpd] ++ concatMap (svc: svc.extraPath) allSubservices;
# php.ini lines contributed by this module itself.  `sendmail -t -i` is
# resolved on the unit's PATH at runtime, which only contains ssmtp when
# networking.defaultMailServer.directDelivery is set (see the service path
# below); the timezone entry follows the system time zone when one is set.
678 services.httpdTools.phpOptions =
680 ; Needed for PHP's mail() function.
681 sendmail_path = sendmail -t -i
682 '' + optionalString (!isNull config.time.timeZone) ''
684 ; Apparently PHP doesn't use $TZ.
685 date.timezone = "${config.time.timeZone}"
688 systemd.services.httpdTools =
689 { description = "Apache HTTPD";
# NOTE(review) on the preStart script further down (shell text, so the notes
# live here): it runs as root, creates stateDir 0750 and logDir 0700, chowns
# them with the deprecated `root.<group>` spelling (`root:${mainCfg.group}` is
# the portable form), removes *every* SysV semaphore owned by mainCfg.user —
# not only httpd's — via ipcs/ipcrm, and word-splits the unquoted list of
# subservice startup hooks.
691 wantedBy = [ "multi-user.target" ];
692 wants = [ "keys.target" ];
693 after = [ "network.target" "fs.target" "postgresql.service" "keys.target" ];
# PATH of the unit: httpd itself, coreutils/grep for preStart, ssmtp only
# when direct delivery is configured (PHP's sendmail_path relies on it).
696 [ httpd pkgs.coreutils pkgs.gnugrep ]
697 ++ # Needed for PHP's mail() function. !!! Probably the
698 # ssmtp module should export the path to sendmail in
700 optional config.networking.defaultMailServer.directDelivery pkgs.ssmtp
701 ++ concatMap (svc: svc.extraServerPath) allSubservices;
# Environment: PHPRC points PHP at the generated php.ini; mod_auth_mellon needs
# xmlsec on the loader path; subservices may add arbitrary global variables.
704 optionalAttrs enablePHP { PHPRC = phpIni; }
705 // optionalAttrs mainCfg.enableMellon { LD_LIBRARY_PATH = "${pkgs.xmlsec}/lib"; }
706 // (listToAttrs (concatMap (svc: svc.globalEnvVars) allSubservices));
710 mkdir -m 0750 -p ${mainCfg.stateDir}
711 [ $(id -u) != 0 ] || chown root.${mainCfg.group} ${mainCfg.stateDir}
712 ${optionalString version24 ''
713 mkdir -m 0750 -p "${mainCfg.stateDir}/runtime"
714 [ $(id -u) != 0 ] || chown root.${mainCfg.group} "${mainCfg.stateDir}/runtime"
716 mkdir -m 0700 -p ${mainCfg.logDir}
718 # Get rid of old semaphores. These tend to accumulate across
719 # server restarts, eventually preventing it from restarting
721 for i in $(${pkgs.utillinux}/bin/ipcs -s | grep ' ${mainCfg.user} ' | cut -f2 -d ' '); do
722 ${pkgs.utillinux}/bin/ipcrm -s $i
725 # Run the startup hooks for the subservices.
726 for i in ${toString (map (svn: svn.startupScript) allSubservices)}; do
727 echo Running Apache startup hook $i...
732 serviceConfig.ExecStart = "@${httpd}/bin/httpd httpd -f ${httpdConf}";
# The "@" prefix makes systemd pass "httpd" as argv[0].  httpd daemonises
# itself, hence Type=forking with the PIDFile that confFile tells it to write.
733 serviceConfig.ExecStop = "${httpd}/bin/httpd -f ${httpdConf} -k graceful-stop";
734 serviceConfig.ExecReload = "${httpd}/bin/httpd -f ${httpdConf} -k graceful";
735 serviceConfig.Type = "forking";
736 serviceConfig.PIDFile = "${mainCfg.stateDir}/httpd.pid";
# NOTE(review): no sandboxing directives (PrivateTmp, ProtectSystem,
# NoNewPrivileges, ...) are set for this unit; worth evaluating, subject to
# what the subservices' startup hooks and modules need.
737 serviceConfig.Restart = "always";
738 serviceConfig.RestartSec = "5s";