1 { config, lib, pkgs, ... }:
7 mainCfg = config.services.httpdInte;
9 httpd = mainCfg.package.out;
11 version24 = !versionOlder httpd.version "2.4";
13 httpdConf = mainCfg.configFile;
15 php = mainCfg.phpPackage.override { apacheHttpd = httpd.dev; /* otherwise it only gets .out */ };
17 phpMajorVersion = head (splitString "." php.version);
19 mod_perl = pkgs.apacheHttpdPackages.mod_perl.override { apacheHttpd = httpd; };
21 defaultListen = cfg: if cfg.enableSSL
22 then [{ip = "*"; port = 443;}]
23 else [{ip = "*"; port = 80;}];
26 let list = (lib.optional (cfg.port != 0) {ip = "*"; port = cfg.port;}) ++ cfg.listen;
28 then defaultListen cfg
31 listenToString = l: "${l.ip}:${toString l.port}";
33 extraModules = attrByPath ["extraModules"] [] mainCfg;
34 extraForeignModules = filter isAttrs extraModules;
35 extraApacheModules = filter isString extraModules;
38 makeServerInfo = cfg: {
39 # Canonical name must not include a trailing slash.
41 let defaultPort = (head (defaultListen cfg)).port; in
43 (if cfg.enableSSL then "https" else "http") + "://" +
45 (if port != defaultPort then ":${toString port}" else "")
46 ) (map (x: x.port) (getListen cfg));
48 # Admin address: inherit from the main server if not specified for
50 adminAddr = if cfg.adminAddr != null then cfg.adminAddr else mainCfg.adminAddr;
53 serverConfig = mainCfg;
54 fullConfig = config; # machine config
58 allHosts = [mainCfg] ++ mainCfg.virtualHosts;
61 callSubservices = serverInfo: defs:
65 if svc ? function then svc.function
66 # instead of using serviceType="mediawiki"; you can copy mediawiki.nix to any location outside nixpkgs, modify it at will, and use serviceExpression=./mediawiki.nix;
67 else if svc ? serviceExpression then import (toString svc.serviceExpression)
68 else import (toString "${toString ./.}/${if svc ? serviceType then svc.serviceType else svc.serviceName}.nix");
70 { modules = [ { options = res.options; config = svc.config or svc; } ];
88 res = defaults // svcFunction { inherit config lib pkgs serverInfo php; };
93 # !!! callSubservices is expensive
94 subservicesFor = cfg: callSubservices (makeServerInfo cfg) cfg.extraSubservices;
96 mainSubservices = subservicesFor mainCfg;
98 allSubservices = mainSubservices ++ concatMap subservicesFor mainCfg.virtualHosts;
101 enableSSL = any (vhost: vhost.enableSSL) allHosts;
104 # Names of modules from ${httpd}/modules that we want to load.
106 [ # HTTP authentication mechanisms: basic and digest.
107 "auth_basic" "auth_digest"
109 # Authentication: is the user who he claims to be?
110 "authn_file" "authn_dbm" "authn_anon"
111 (if version24 then "authn_core" else "authn_alias")
113 # Authorization: is the user allowed access?
114 "authz_user" "authz_groupfile" "authz_host"
117 "ext_filter" "include" "log_config" "env" "mime_magic"
118 "cern_meta" "expires" "headers" "usertrack" /* "unique_id" */ "setenvif"
119 "mime" "dav" "status" "autoindex" "asis" "info" "dav_fs"
120 "vhost_alias" "negotiation" "dir" "imagemap" "actions" "speling"
121 "userdir" "alias" "rewrite" "proxy" "proxy_http"
123 ++ optionals version24 [
124 "mpm_${mainCfg.multiProcessingModule}"
130 # For compatibility with old configurations, the new module mod_access_compat is provided.
133 ++ (if mainCfg.multiProcessingModule == "prefork" then [ "cgi" ] else [ "cgid" ])
134 ++ optional enableSSL "ssl"
135 ++ extraApacheModules;
138 allDenied = if version24 then ''
145 allGranted = if version24 then ''
153 loggingConf = (if mainCfg.logFormat != "none" then ''
154 ErrorLog ${mainCfg.logDir}/error_log
158 LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
159 LogFormat "%h %l %u %t \"%r\" %>s %b" common
160 LogFormat "%{Referer}i -> %U" referer
161 LogFormat "%{User-agent}i" agent
163 CustomLog ${mainCfg.logDir}/access_log ${mainCfg.logFormat}
170 BrowserMatch "Mozilla/2" nokeepalive
171 BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0
172 BrowserMatch "RealPlayer 4\.0" force-response-1.0
173 BrowserMatch "Java/1\.0" force-response-1.0
174 BrowserMatch "JDK/1\.0" force-response-1.0
175 BrowserMatch "Microsoft Data Access Internet Publishing Provider" redirect-carefully
176 BrowserMatch "^WebDrive" redirect-carefully
177 BrowserMatch "^WebDAVFS/1.[012]" redirect-carefully
178 BrowserMatch "^gnome-vfs" redirect-carefully
183 SSLSessionCache ${if version24 then "shmcb" else "shm"}:${mainCfg.stateDir}/ssl_scache(512000)
185 ${if version24 then "Mutex" else "SSLMutex"} posixsem
187 SSLRandomSeed startup builtin
188 SSLRandomSeed connect builtin
190 SSLProtocol All -SSLv2 -SSLv3
191 SSLCipherSuite HIGH:!aNULL:!MD5:!EXP
192 SSLHonorCipherOrder on
197 TypesConfig ${httpd}/conf/mime.types
199 AddType application/x-x509-ca-cert .crt
200 AddType application/x-pkcs7-crl .crl
201 AddType application/x-httpd-php .php .phtml
203 <IfModule mod_mime_magic.c>
204 MIMEMagicFile ${httpd}/conf/magic
209 perServerConf = isMainServer: cfg: let
211 serverInfo = makeServerInfo cfg;
213 subservices = callSubservices serverInfo cfg.extraSubservices;
215 maybeDocumentRoot = fold (svc: acc:
216 if acc == null then svc.documentRoot else assert svc.documentRoot == null; acc
217 ) null ([ cfg ] ++ subservices);
219 documentRoot = if maybeDocumentRoot != null then maybeDocumentRoot else
220 pkgs.runCommand "empty" {} "mkdir -p $out";
222 documentRootConf = ''
223 DocumentRoot "${documentRoot}"
225 <Directory "${documentRoot}">
226 Options Indexes FollowSymLinks
233 concatStringsSep "\n" (filter (x: x != "") (
234 # If this is a vhost, the include the entries for the main server as well.
235 (if isMainServer then [] else [mainCfg.robotsEntries] ++ map (svc: svc.robotsEntries) mainSubservices)
236 ++ [cfg.robotsEntries]
237 ++ (map (svc: svc.robotsEntries) subservices)));
240 ${concatStringsSep "\n" (map (n: "ServerName ${n}") serverInfo.canonicalNames)}
242 ${concatMapStrings (alias: "ServerAlias ${alias}\n") cfg.serverAliases}
244 ${if cfg.sslServerCert != null then ''
245 SSLCertificateFile ${cfg.sslServerCert}
246 SSLCertificateKeyFile ${cfg.sslServerKey}
247 ${if cfg.sslServerChain != null then ''
248 SSLCertificateChainFile ${cfg.sslServerChain}
252 ${if cfg.enableSSL then ''
254 '' else if enableSSL then /* i.e., SSL is enabled for some host, but not this one */
259 ${if isMainServer || cfg.adminAddr != null then ''
260 ServerAdmin ${cfg.adminAddr}
263 ${if !isMainServer && mainCfg.logPerVirtualHost then ''
264 ErrorLog ${mainCfg.logDir}/error_log-${cfg.hostName}
265 CustomLog ${mainCfg.logDir}/access_log-${cfg.hostName} ${cfg.logFormat}
268 ${optionalString (robotsTxt != "") ''
269 Alias /robots.txt ${pkgs.writeText "robots.txt" robotsTxt}
272 ${if isMainServer || maybeDocumentRoot != null then documentRootConf else ""}
274 ${if cfg.enableUserDir then ''
277 UserDir disabled root
279 <Directory "/home/*/public_html">
280 AllowOverride FileInfo AuthConfig Limit Indexes
281 Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
282 <Limit GET POST OPTIONS>
285 <LimitExcept GET POST OPTIONS>
292 ${if cfg.globalRedirect != null && cfg.globalRedirect != "" then ''
293 RedirectPermanent / ${cfg.globalRedirect}
297 let makeFileConf = elem: ''
298 Alias ${elem.urlPath} ${elem.file}
300 in concatMapStrings makeFileConf cfg.servedFiles
304 let makeDirConf = elem: ''
305 Alias ${elem.urlPath} ${elem.dir}/
306 <Directory ${elem.dir}>
312 in concatMapStrings makeDirConf cfg.servedDirs
315 ${concatMapStrings (svc: svc.extraConfig) subservices}
321 confFile = pkgs.writeText "httpd.conf" ''
325 ${optionalString version24 ''
326 DefaultRuntimeDir ${mainCfg.stateDir}/runtime
329 PidFile ${mainCfg.stateDir}/httpd.pid
331 ${optionalString (mainCfg.multiProcessingModule != "prefork") ''
332 # mod_cgid requires this.
333 ScriptSock ${mainCfg.stateDir}/cgisock
337 MaxClients ${toString mainCfg.maxClients}
338 MaxRequestsPerChild ${toString mainCfg.maxRequestsPerChild}
342 listen = concatMap getListen allHosts;
343 toStr = listen: "Listen ${listenToString listen}\n";
344 uniqueListen = uniqList {inputList = map toStr listen;};
345 in concatStrings uniqueListen
349 Group ${mainCfg.group}
352 load = {name, path}: "LoadModule ${name}_module ${path}\n";
354 concatMap (svc: svc.extraModulesPre) allSubservices
355 ++ map (name: {inherit name; path = "${httpd}/modules/mod_${name}.so";}) apacheModules
356 ++ optional mainCfg.enableMellon { name = "auth_mellon"; path = "${pkgs.apacheHttpdPackages.mod_auth_mellon}/modules/mod_auth_mellon.so"; }
357 ++ optional enablePHP { name = "php${phpMajorVersion}"; path = "${php}/modules/libphp${phpMajorVersion}.so"; }
358 ++ optional enablePerl { name = "perl"; path = "${mod_perl}/modules/mod_perl.so"; }
359 ++ concatMap (svc: svc.extraModules) allSubservices
360 ++ extraForeignModules;
361 in concatMapStrings load allModules
364 AddHandler type-map var
374 Include ${httpd}/conf/extra/httpd-default.conf
375 Include ${httpd}/conf/extra/httpd-autoindex.conf
376 Include ${httpd}/conf/extra/httpd-multilang-errordoc.conf
377 Include ${httpd}/conf/extra/httpd-languages.conf
379 ${if enableSSL then sslConf else ""}
381 # Fascist default - deny access to everything.
383 Options FollowSymLinks
388 # But do allow access to files in the store so that we don't have
389 # to generate <Directory> clauses for every generated file that we
391 <Directory /nix/store>
395 # Generate directives for the main server.
396 ${perServerConf true mainCfg}
398 # Always enable virtual hosts; it doesn't seem to hurt.
400 listen = concatMap getListen allHosts;
401 uniqueListen = uniqList {inputList = listen;};
402 directives = concatMapStrings (listen: "NameVirtualHost ${listenToString listen}\n") uniqueListen;
403 in optionalString (!version24) directives
407 makeVirtualHost = vhost: ''
408 <VirtualHost ${concatStringsSep " " (map listenToString (getListen vhost))}>
409 ${perServerConf false vhost}
412 in concatMapStrings makeVirtualHost mainCfg.virtualHosts
417 enablePHP = mainCfg.enablePHP || any (svc: svc.enablePHP) allSubservices;
419 enablePerl = mainCfg.enablePerl || any (svc: svc.enablePerl) allSubservices;
422 # Generate the PHP configuration file. Should probably be factored
423 # out into a separate module.
424 phpIni = pkgs.runCommand "php.ini"
425 { options = concatStringsSep "\n"
426 ([ mainCfg.phpOptions ] ++ (map (svc: svc.phpOptions) allSubservices));
429 cat ${php}/etc/php.ini > $out
430 echo "$options" >> $out
442 services.httpdInte = {
447 description = "Whether to enable the Apache HTTP Server.";
451 type = types.package;
452 default = pkgs.apacheHttpd;
453 defaultText = "pkgs.apacheHttpd";
455 Overridable attribute of the Apache HTTP Server package to use.
459 configFile = mkOption {
462 defaultText = "confFile";
463 example = literalExample ''pkgs.writeText "httpd.conf" "# my custom config file ..."'';
465 Override the configuration file used by Apache. By default,
466 NixOS generates one automatically.
470 extraConfig = mkOption {
474 Cnfiguration lines appended to the generated Apache
475 configuration file. Note that this mechanism may not work
476 when <option>configFile</option> is overridden.
480 extraModules = mkOption {
481 type = types.listOf types.unspecified;
483 example = literalExample ''[ "proxy_connect" { name = "php5"; path = "''${pkgs.php}/modules/libphp5.so"; } ]'';
485 Additional Apache modules to be used. These can be
486 specified as a string in the case of modules distributed
487 with Apache, or as an attribute set specifying the
488 <varname>name</varname> and <varname>path</varname> of the
493 logPerVirtualHost = mkOption {
497 If enabled, each virtual host gets its own
498 <filename>access_log</filename> and
499 <filename>error_log</filename>, namely suffixed by the
500 <option>hostName</option> of the virtual host.
508 User account under which httpd runs. The account is created
509 automatically if it doesn't exist.
517 Group under which httpd runs. The account is created
518 automatically if it doesn't exist.
524 default = "/var/log/httpd";
526 Directory for Apache's log files. It is created automatically.
530 stateDir = mkOption {
532 default = "/run/httpd";
534 Directory for Apache's transient runtime state (such as PID
535 files). It is created automatically. Note that the default,
536 <filename>/run/httpd</filename>, is deleted at boot time.
540 virtualHosts = mkOption {
541 type = types.listOf (types.submodule (
542 { options = import ./per-server-options.nix {
544 forMainServer = false;
550 documentRoot = "/data/webroot-foo";
553 documentRoot = "/data/webroot-bar";
557 Specification of the virtual hosts served by Apache. Each
558 element should be an attribute set specifying the
559 configuration of the virtual host. The available options
560 are the non-global options permissible for the main host.
564 enableMellon = mkOption {
567 description = "Whether to enable the mod_auth_mellon module.";
570 enablePHP = mkOption {
573 description = "Whether to enable the PHP module.";
576 phpPackage = mkOption {
577 type = types.package;
579 defaultText = "pkgs.php";
581 Overridable attribute of the PHP package to use.
585 enablePerl = mkOption {
588 description = "Whether to enable the Perl module (mod_perl).";
591 phpOptions = mkOption {
596 date.timezone = "CET"
599 "Options appended to the PHP configuration file <filename>php.ini</filename>.";
602 multiProcessingModule = mkOption {
608 Multi-processing module to be used by Apache. Available
609 modules are <literal>prefork</literal> (the default;
610 handles each request in a separate child process),
611 <literal>worker</literal> (hybrid approach that starts a
612 number of child processes each running a number of
613 threads) and <literal>event</literal> (a recent variant of
614 <literal>worker</literal> that handles persistent
615 connections more efficiently).
619 maxClients = mkOption {
623 description = "Maximum number of httpd processes (prefork)";
626 maxRequestsPerChild = mkOption {
631 "Maximum number of httpd requests answered per httpd child (prefork), 0 means unlimited";
635 # Include the options shared between the main server and virtual hosts.
636 // (import ./per-server-options.nix {
638 forMainServer = true;
644 ###### implementation
646 config = mkIf config.services.httpdInte.enable {
648 assertions = [ { assertion = mainCfg.enableSSL == true
649 -> mainCfg.sslServerCert != null
650 && mainCfg.sslServerKey != null;
651 message = "SSL is enabled for httpd, but sslServerCert and/or sslServerKey haven't been specified."; }
654 warnings = map (cfg: ''apache-httpd's port option is deprecated. Use listen = [{/*ip = "*"; */ port = ${toString cfg.port};}]; instead'' ) (lib.filter (cfg: cfg.port != 0) allHosts);
656 environment.systemPackages = [httpd] ++ concatMap (svc: svc.extraPath) allSubservices;
658 services.httpdInte.phpOptions =
660 ; Needed for PHP's mail() function.
661 sendmail_path = sendmail -t -i
662 '' + optionalString (!isNull config.time.timeZone) ''
664 ; Apparently PHP doesn't use $TZ.
665 date.timezone = "${config.time.timeZone}"
668 systemd.services.httpdInte =
669 { description = "Apache HTTPD";
671 wantedBy = [ "multi-user.target" ];
672 wants = [ "keys.target" ];
673 after = [ "network.target" "fs.target" "postgresql.service" "keys.target" ];
676 [ httpd pkgs.coreutils pkgs.gnugrep ]
677 ++ # Needed for PHP's mail() function. !!! Probably the
678 # ssmtp module should export the path to sendmail in
680 optional config.networking.defaultMailServer.directDelivery pkgs.ssmtp
681 ++ concatMap (svc: svc.extraServerPath) allSubservices;
684 optionalAttrs enablePHP { PHPRC = phpIni; }
685 // optionalAttrs mainCfg.enableMellon { LD_LIBRARY_PATH = "${pkgs.xmlsec}/lib"; }
686 // (listToAttrs (concatMap (svc: svc.globalEnvVars) allSubservices));
690 mkdir -m 0750 -p ${mainCfg.stateDir}
691 [ $(id -u) != 0 ] || chown root.${mainCfg.group} ${mainCfg.stateDir}
692 ${optionalString version24 ''
693 mkdir -m 0750 -p "${mainCfg.stateDir}/runtime"
694 [ $(id -u) != 0 ] || chown root.${mainCfg.group} "${mainCfg.stateDir}/runtime"
696 mkdir -m 0700 -p ${mainCfg.logDir}
698 # Get rid of old semaphores. These tend to accumulate across
699 # server restarts, eventually preventing it from restarting
701 for i in $(${pkgs.utillinux}/bin/ipcs -s | grep ' ${mainCfg.user} ' | cut -f2 -d ' '); do
702 ${pkgs.utillinux}/bin/ipcrm -s $i
705 # Run the startup hooks for the subservices.
706 for i in ${toString (map (svn: svn.startupScript) allSubservices)}; do
707 echo Running Apache startup hook $i...
712 serviceConfig.ExecStart = "@${httpd}/bin/httpd httpd -f ${httpdConf}";
713 serviceConfig.ExecStop = "${httpd}/bin/httpd -f ${httpdConf} -k graceful-stop";
714 serviceConfig.ExecReload = "${httpd}/bin/httpd -f ${httpdConf} -k graceful";
715 serviceConfig.Type = "forking";
716 serviceConfig.PIDFile = "${mainCfg.stateDir}/httpd.pid";
717 serviceConfig.Restart = "always";
718 serviceConfig.RestartSec = "5s";