X-Git-Url: https://git.immae.eu/?a=blobdiff_plain;f=modules%2Fwebsites%2Fdefault.nix;h=0a78c134ae56211dd4bf82c20f7dd91e7a6c0b4f;hb=ce95026934c4ea8c647365f68eb195459fcdff08;hp=3f46e65dfb4890dabf2cc071b7c123ae764c03cd;hpb=5400b9b6f65451d41a9106fae6fc00f97d83f4ef;p=perso%2FImmae%2FConfig%2FNix.git

diff --git a/modules/websites/default.nix b/modules/websites/default.nix
index 3f46e65..0a78c13 100644
--- a/modules/websites/default.nix
+++ b/modules/websites/default.nix
@@ -1,4 +1,4 @@
-{ lib, config, ... }: with lib;
+{ lib, config, pkgs, ... }: with lib;
 let
   cfg = config.services.websites;
 in
@@ -82,6 +82,14 @@ in
                 certName = mkOption { type = str; };
                 hosts    = mkOption { type = listOf str; };
                 root     = mkOption { type = nullOr path; };
+                forceSSL = mkOption {
+                  type = bool;
+                  default = true;
+                  description = ''
+                    Automatically create a corresponding non-ssl vhost
+                    that will only redirect to the ssl version
+                  '';
+                };
                 extraConfig = mkOption { type = listOf lines; default = []; };
               };
             };
@@ -115,6 +123,14 @@ in
                 };
                 hosts    = mkOption { type = listOf str; };
                 root     = mkOption { type = nullOr path; };
+                forceSSL = mkOption {
+                  type = bool;
+                  default = true;
+                  description = ''
+                    Automatically create a corresponding non-ssl vhost
+                    that will only redirect to the ssl version
+                  '';
+                };
                 extraConfig = mkOption { type = listOf lines; default = []; };
               };
             });
@@ -143,26 +159,9 @@ in
   };
 
   config.services.httpd = let
-    redirectVhost = ips: { # Should go last, catchall http -> https redirect
-      listen = map (ip: { inherit ip; port = 80; }) ips;
-      hostName = "redirectSSL";
-      serverAliases = [ "*" ];
-      enableSSL = false;
-      logFormat = "combinedVhost";
-      documentRoot = "/var/lib/acme/acme-challenge";
-      extraConfig = ''
-        RewriteEngine on
-        RewriteCond "%{REQUEST_URI}"   "!^/\.well-known"
-        RewriteRule ^(.+)              https://%{HTTP_HOST}$1  [R=301]
-        # To redirect in specific "VirtualHost *:80", do
-        #   RedirectMatch 301 ^/((?!\.well-known.*$).*)$ https://host/$1
-        # rather than rewrite
-      '';
-    };
     nosslVhost = ips: cfg: {
       listen = map (ip: { inherit ip; port = 80; }) ips;
       hostName = cfg.host;
-      enableSSL = false;
       logFormat = "combinedVhost";
       documentRoot = cfg.root;
       extraConfig = ''
@@ -177,19 +176,18 @@ in
         '';
     };
     toVhost = ips: vhostConf: {
-      enableSSL = true;
-      sslServerCert = "${config.security.acme.certs."${vhostConf.certName}".directory}/cert.pem";
-      sslServerKey = "${config.security.acme.certs."${vhostConf.certName}".directory}/key.pem";
-      sslServerChain = "${config.security.acme.certs."${vhostConf.certName}".directory}/chain.pem";
+      forceSSL = vhostConf.forceSSL or true;
+      useACMEHost = vhostConf.certName;
       logFormat = "combinedVhost";
-      listen = map (ip: { inherit ip; port = 443; }) ips;
+      listen = if vhostConf.forceSSL
+        then lists.flatten (map (ip: [{ inherit ip; port = 443; ssl = true; } { inherit ip; port = 80; }]) ips)
+        else map (ip: { inherit ip; port = 443; ssl = true; }) ips;
       hostName = builtins.head vhostConf.hosts;
       serverAliases = builtins.tail vhostConf.hosts or [];
       documentRoot = vhostConf.root;
       extraConfig = builtins.concatStringsSep "\n" vhostConf.extraConfig;
     };
     toVhostNoSSL = ips: vhostConf: {
-      enableSSL = false;
       logFormat = "combinedVhost";
       listen = map (ip: { inherit ip; port = 80; }) ips;
       hostName = builtins.head vhostConf.hosts;
@@ -200,11 +198,10 @@ in
   in attrsets.mapAttrs' (name: icfg: attrsets.nameValuePair
     icfg.httpdName (mkIf icfg.enable {
       enable = true;
-      listen = map (ip: { inherit ip; port = 443; }) icfg.ips;
-      stateDir = "/run/httpd_${name}";
       logPerVirtualHost = true;
       multiProcessingModule = "worker";
       # https://ssl-config.mozilla.org/#server=apache&version=2.4.41&config=intermediate&openssl=1.0.2t&guideline=5.4
+      # test with https://www.ssllabs.com/ssltest/analyze.html?d=www.immae.eu&s=176.9.151.154&latest
       sslProtocols = "all -SSLv3 -TLSv1 -TLSv1.1";
       sslCiphers = builtins.concatStringsSep ":" [
         "ECDHE-ECDSA-AES128-GCM-SHA256" "ECDHE-RSA-AES128-GCM-SHA256"
@@ -216,11 +213,13 @@ in
       logFormat = "combinedVhost";
       extraModules = lists.unique icfg.modules;
       extraConfig = builtins.concatStringsSep "\n" icfg.extraConfig;
-      virtualHosts = [ (toVhost icfg.ips icfg.fallbackVhost) ]
-        ++ optionals (icfg.nosslVhost.enable) [ (nosslVhost icfg.ips icfg.nosslVhost) ]
-        ++ (attrsets.mapAttrsToList (n: v: toVhostNoSSL icfg.ips v) icfg.vhostNoSSLConfs)
-        ++ (attrsets.mapAttrsToList (n: v: toVhost icfg.ips v) icfg.vhostConfs)
-        ++ [ (redirectVhost icfg.ips) ];
+
+      virtualHosts = with attrsets; {
+        ___fallbackVhost = toVhost icfg.ips icfg.fallbackVhost;
+      } // (optionalAttrs icfg.nosslVhost.enable {
+        nosslVhost = nosslVhost icfg.ips icfg.nosslVhost;
+      }) // (mapAttrs' (n: v: nameValuePair ("nossl_" + n) (toVhostNoSSL icfg.ips v)) icfg.vhostNoSSLConfs)
+      // (mapAttrs' (n: v: nameValuePair ("ssl_" + n) (toVhost icfg.ips v)) icfg.vhostConfs);
     })
   ) cfg.env;
 
@@ -276,4 +275,42 @@ in
         (name: path: "ln -s ${path} $out/${cfg.webappDirsName}/${name}") cfg.webappDirs)
     }
   '';
+
+  config.systemd.services = let
+    package = httpdName: config.services.httpd.${httpdName}.package.out;
+    cfgFile = httpdName: config.services.httpd.${httpdName}.configFile;
+    serviceChange = attrsets.mapAttrs' (name: icfg:
+      attrsets.nameValuePair
+      "httpd${icfg.httpdName}" {
+        stopIfChanged = false;
+        serviceConfig.ExecStart =
+          lib.mkForce "@${package icfg.httpdName}/bin/httpd httpd -f /etc/httpd/httpd_${icfg.httpdName}.conf";
+        serviceConfig.ExecStop =
+          lib.mkForce "${package icfg.httpdName}/bin/httpd -f /etc/httpd/httpd_${icfg.httpdName}.conf -k graceful-stop";
+        serviceConfig.ExecReload =
+          lib.mkForce "${package icfg.httpdName}/bin/httpd -f /etc/httpd/httpd_${icfg.httpdName}.conf -k graceful";
+      }
+      ) cfg.env;
+    serviceReload = attrsets.mapAttrs' (name: icfg:
+      attrsets.nameValuePair
+      "httpd${icfg.httpdName}-config-reload" {
+        wants = [ "httpd${icfg.httpdName}.service" ];
+        wantedBy = [ "multi-user.target" ];
+        restartTriggers = [ (cfgFile icfg.httpdName) ];
+        # commented, because can cause extra delays during activate for this config:
+        #      services.nginx.virtualHosts."_".locations."/".proxyPass = "http://blabla:3000";
+        # stopIfChanged = false;
+        serviceConfig.Type = "oneshot";
+        serviceConfig.TimeoutSec = 60;
+        script = ''
+          if ${pkgs.systemd}/bin/systemctl -q is-active httpd${icfg.httpdName}.service ; then
+            ${package icfg.httpdName}/bin/httpd -f /etc/httpd/httpd_${icfg.httpdName}.conf -t && \
+              ${pkgs.systemd}/bin/systemctl reload httpd${icfg.httpdName}.service
+          fi
+        '';
+        serviceConfig.RemainAfterExit = true;
+      }
+      ) cfg.env;
+  in
+    serviceChange // serviceReload;
 }