description = "Name of the httpd instance to assign this type to";
};
ips = mkOption {
- type = listOf string;
+ type = listOf str;
default = [];
description = "ips to listen to";
};
options = {
enable = mkEnableOption "Add default no-ssl vhost for this instance";
host = mkOption {
- type = string;
+ type = str;
description = "The hostname to use for this vhost";
};
root = mkOption {
description = "The root folder to serve";
};
indexFile = mkOption {
- type = string;
+ type = str;
default = "index.html";
description = "The index file to show.";
};
description = "The fallback vhost that will be defined as first vhost in Apache";
type = submodule {
options = {
- certName = mkOption { type = string; };
- hosts = mkOption { type = listOf string; };
+ certName = mkOption { type = str; };
+ hosts = mkOption { type = listOf str; };
root = mkOption { type = nullOr path; };
extraConfig = mkOption { type = listOf lines; default = []; };
};
};
};
+ vhostNoSSLConfs = mkOption {
+ default = {};
+ description = "List of no ssl vhosts to define for Apache";
+ type = attrsOf (submodule {
+ options = {
+ hosts = mkOption { type = listOf str; };
+ root = mkOption { type = nullOr path; };
+ extraConfig = mkOption { type = listOf lines; default = []; };
+ };
+ });
+ };
vhostConfs = mkOption {
default = {};
description = "List of vhosts to define for Apache";
type = attrsOf (submodule {
options = {
- certName = mkOption { type = string; };
+ certName = mkOption { type = str; };
addToCerts = mkOption {
type = bool;
default = false;
description = "Use these to certificates. Is ignored (considered true) if certMainHost is not null";
};
certMainHost = mkOption {
- type = nullOr string;
+ type = nullOr str;
description = "Use that host as 'main host' for acme certs";
default = null;
};
- hosts = mkOption { type = listOf string; };
+ hosts = mkOption { type = listOf str; };
root = mkOption { type = nullOr path; };
extraConfig = mkOption { type = listOf lines; default = []; };
};
});
};
watchPaths = mkOption {
- type = listOf string;
+ type = listOf str;
default = [];
description = ''
Paths to watch that should trigger a reload of httpd
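Review bot: The new `vhostNoSSLConfs.<name>.hosts` option on L42 is mandatory but still accepts an empty list, and its consumer (`toVhostNoSSL`, added further down in this diff) takes `builtins.head` of it, so `hosts = []` fails at evaluation with a bare "head called on empty list" instead of an option error pointing at the offending definition; if the lib in use provides it, `hosts = mkOption { type = nonEmptyListOf str; description = "Hostnames served by this plain-HTTP vhost; the first becomes the ServerName, the rest ServerAliases"; };` makes the constraint explicit and documents the option, which currently has no description at all. The description on L39 also says "List" although the option is an attribute set keyed by vhost name; `"Attribute set of plain-HTTP (port 80) vhosts to define for Apache; these are served without TLS and are not redirected to HTTPS"` tells a reader the security-relevant fact that content under these vhosts travels in clear. Whether the catch-all redirect vhost still wins for these names depends on ordering in `virtualHosts`, which is assembled outside this hunk.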
serverAliases = [ "*" ];
enableSSL = false;
logFormat = "combinedVhost";
- documentRoot = "${config.security.acme.directory}/acme-challenge";
+ documentRoot = "/var/lib/acme/acme-challenge";
extraConfig = ''
RewriteEngine on
RewriteCond "%{REQUEST_URI}" "!^/\.well-known"
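Review bot: `documentRoot` on L83 is now a literal `/var/lib/acme/acme-challenge` with nothing tying it to the webroot the ACME certificates are validated against, so if a certificate's `webroot` is set to something else the HTTP-01 challenge files silently land where this catch-all vhost does not serve them and renewals start failing. A comment beside it such as `# Must match security.acme.certs.<name>.webroot; the directory has to exist and be readable by the httpd user` records the coupling, or bind the path once in a `let` shared with the cert definitions if those live in this file. Since this vhost answers for every name (`serverAliases = [ "*" ]`) on plain HTTP and exempts `/.well-known` from the rewrite, everything under that directory is reachable unauthenticated over HTTP, so it should hold nothing but challenge responses. The enclosing vhost attrset starts before this hunk and the rewrite rules continue after it.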
};
toVhost = ips: vhostConf: {
enableSSL = true;
- sslServerCert = "${config.security.acme.directory}/${vhostConf.certName}/cert.pem";
- sslServerKey = "${config.security.acme.directory}/${vhostConf.certName}/key.pem";
- sslServerChain = "${config.security.acme.directory}/${vhostConf.certName}/chain.pem";
+ sslServerCert = "${config.security.acme.certs."${vhostConf.certName}".directory}/cert.pem";
+ sslServerKey = "${config.security.acme.certs."${vhostConf.certName}".directory}/key.pem";
+ sslServerChain = "${config.security.acme.certs."${vhostConf.certName}".directory}/chain.pem";
logFormat = "combinedVhost";
listen = map (ip: { inherit ip; port = 443; }) ips;
hostName = builtins.head vhostConf.hosts;
documentRoot = vhostConf.root;
extraConfig = builtins.concatStringsSep "\n" vhostConf.extraConfig;
};
+ toVhostNoSSL = ips: vhostConf: {
+ enableSSL = false;
+ logFormat = "combinedVhost";
+ listen = map (ip: { inherit ip; port = 80; }) ips;
+ hostName = builtins.head vhostConf.hosts;
+ serverAliases = builtins.tail vhostConf.hosts or [];
+ documentRoot = vhostConf.root;
+ extraConfig = builtins.concatStringsSep "\n" vhostConf.extraConfig;
+ };
in attrsets.mapAttrs' (name: icfg: attrsets.nameValuePair
icfg.httpdName (mkIf icfg.enable {
enable = true;
stateDir = "/run/httpd_${name}";
logPerVirtualHost = true;
multiProcessingModule = "worker";
+ # https://ssl-config.mozilla.org/#server=apache&version=2.4.41&config=intermediate&openssl=1.0.2t&guideline=5.4
+ sslProtocols = "all -SSLv3 -TLSv1 -TLSv1.1";
+ sslCiphers = builtins.concatStringsSep ":" [
+ "ECDHE-ECDSA-AES128-GCM-SHA256" "ECDHE-RSA-AES128-GCM-SHA256"
+ "ECDHE-ECDSA-AES256-GCM-SHA384" "ECDHE-RSA-AES256-GCM-SHA384"
+ "ECDHE-ECDSA-CHACHA20-POLY1305" "ECDHE-RSA-CHACHA20-POLY1305"
+ "DHE-RSA-AES128-GCM-SHA256" "DHE-RSA-AES256-GCM-SHA384"
+ ];
inherit (icfg) adminAddr;
logFormat = "combinedVhost";
extraModules = lists.unique icfg.modules;
extraConfig = builtins.concatStringsSep "\n" icfg.extraConfig;
virtualHosts = [ (toVhost icfg.ips icfg.fallbackVhost) ]
++ optionals (icfg.nosslVhost.enable) [ (nosslVhost icfg.ips icfg.nosslVhost) ]
+ ++ (attrsets.mapAttrsToList (n: v: toVhostNoSSL icfg.ips v) icfg.vhostNoSSLConfs)
++ (attrsets.mapAttrsToList (n: v: toVhost icfg.ips v) icfg.vhostConfs)
++ [ (redirectVhost icfg.ips) ];
})
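Review bot: On L107 `builtins.tail vhostConf.hosts or []` parses as `builtins.tail (vhostConf.hosts or [])`, so the `or []` only covers a missing `hosts` attribute — which the option declaration on L42 already makes mandatory — while a present-but-empty list still throws inside `tail`, exactly as `builtins.head` on L106 does; the fallback is dead code and its asymmetry with L106 reads as if empty lists were handled. Drop it for consistency, `serverAliases = builtins.tail vhostConf.hosts;`, and enforce non-emptiness at the option (`nonEmptyListOf str`) so the failure is a clear option error rather than an evaluation trace. On the TLS settings (L117–L124) the cipher string governs TLS 1.2 and below only: with OpenSSL 1.1.x the TLS 1.3 suites are negotiated separately (the cited URL's `openssl=1.0.2t` does not match what a current NixOS ships), and the same Mozilla intermediate profile also expects `SSLHonorCipherOrder off` and `SSLSessionTickets off`, neither of which is set here, so whatever the httpd module defaults to applies. A comment such as `# Cipher list applies to TLS <= 1.2 only; TLS 1.3 suites, cipher order and session tickets are left at the httpd module defaults` keeps the next reader from assuming the full guideline is in force.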