X-Git-Url: https://git.immae.eu/?a=blobdiff_plain;f=modules%2Fwebsites%2Fdefault.nix;h=3f46e65dfb4890dabf2cc071b7c123ae764c03cd;hb=72300eb8116c960935a462564d96db6fac355bca;hp=ef79cb3cbf77b52f604746607e878f03890b604c;hpb=589aeb9297f6f2a99b98c07cb9a834bb5e25b9f0;p=perso%2FImmae%2FConfig%2FNix%2FNUR.git
diff --git a/modules/websites/default.nix b/modules/websites/default.nix
index ef79cb3c..3f46e65d 100644
--- a/modules/websites/default.nix
+++ b/modules/websites/default.nix
@@ -23,14 +23,6 @@ in
 Name of the webapp dir to create in /run/current-system
 '';
 };
- webappDirsPath = mkOption {
- type = str;
- readOnly = true;
- description = ''
- Full path of the webapp dir
- '';
- default = "/run/current-system/${cfg.webappDirsName}";
- };
 env = mkOption {
 default = {};
 description = "Each type of website to enable will target a distinct httpd server";
@@ -46,7 +38,7 @@ in
 description = "Name of the httpd instance to assign this type to";
 };
 ips = mkOption {
- type = listOf string;
+ type = listOf str;
 default = [];
 description = "ips to listen to";
 };
@@ -67,7 +59,7 @@ in
 options = {
 enable = mkEnableOption "Add default no-ssl vhost for this instance";
 host = mkOption {
- type = string;
+ type = str;
 description = "The hostname to use for this vhost";
 };
 root = mkOption {
@@ -76,7 +68,7 @@ in
 description = "The root folder to serve";
 };
 indexFile = mkOption {
- type = string;
+ type = str;
 default = "index.html";
 description = "The index file to show.";
 };
@@ -87,37 +79,48 @@ in description = "The fallback vhost that will be defined as first vhost in Apache"; type = submodule { options = { - certName = mkOption { type = string; }; - hosts = mkOption { type = listOf string; }; + certName = mkOption { type = str; }; + hosts = mkOption { type = listOf str; }; root = mkOption { type = nullOr path; }; extraConfig = mkOption { type = listOf lines; default = []; }; }; }; }; + vhostNoSSLConfs = mkOption { + default = {}; + description = "List of no ssl vhosts to define for Apache"; + type = attrsOf (submodule { + options = { + hosts = mkOption { type = listOf str; }; + root = mkOption { type = nullOr path; }; + extraConfig = mkOption { type = listOf lines; default = []; }; + }; + }); + }; vhostConfs = mkOption { default = {}; description = "List of vhosts to define for Apache"; type = attrsOf (submodule { options = { - certName = mkOption { type = string; }; + certName = mkOption { type = str; }; addToCerts = mkOption { type = bool; default = false; description = "Use these to certificates. Is ignored (considered true) if certMainHost is not null"; }; certMainHost = mkOption { - type = nullOr string; + type = nullOr str; description = "Use that host as 'main host' for acme certs"; default = null; }; - hosts = mkOption { type = listOf string; }; + hosts = mkOption { type = listOf str; }; root = mkOption { type = nullOr path; }; extraConfig = mkOption { type = listOf lines; default = []; }; }; }); }; watchPaths = mkOption { - type = listOf string; + type = listOf str; default = []; description = '' Paths to watch that should trigger a reload of httpd @@ -126,6 +129,17 @@ in }; }); }; + # Readonly variables + webappDirsPaths = mkOption { + type = attrsOf path; + readOnly = true; + description = '' + Full paths of the webapp dir + ''; + default = attrsets.mapAttrs' (name: icfg: attrsets.nameValuePair + name "/run/current-system/${cfg.webappDirsName}/${name}" + ) cfg.webappDirs; + }; }; config.services.httpd = let 
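Review bot: The description of the new `vhostNoSSLConfs` option, `List of no ssl vhosts to define for Apache`, does not say what the user is giving up: these hosts are bound with `enableSSL = false` on `port = 80` only, and because they are matched by name the catch-all redirect vhost that is appended last never sends their traffic to HTTPS, as far as the visible hunks show. Suggest `description = "Virtual hosts served over plain HTTP (port 80) only: no TLS and no redirect to HTTPS. Anything that carries credentials or sessions belongs in vhostConfs.";`. The type is an `attrsOf`, not a list, so "Attribute set of …" would also be more accurate than "List of" (the same wording problem exists in the pre-existing `vhostConfs` description).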
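Review bot: In the `webappDirsPaths` default, `attrsets.mapAttrs' (name: icfg: attrsets.nameValuePair name …)` keeps every key unchanged, so it is just `mapAttrs` with an unused `icfg` binding; `default = attrsets.mapAttrs (name: _: "/run/current-system/${cfg.webappDirsName}/${name}") cfg.webappDirs;` expresses the same thing with less machinery. `cfg.webappDirs` is declared outside this hunk, so I am assuming it is an attribute set keyed by directory name. The description `Full paths of the webapp dir` reads as a single path; since the option is a per-name map, `Full path of each webapp dir, keyed by its name in webappDirs` would be clearer.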
@@ -135,7 +149,7 @@ in serverAliases = [ "*" ]; enableSSL = false; logFormat = "combinedVhost"; - documentRoot = "${config.security.acme.directory}/acme-challenge"; + documentRoot = "/var/lib/acme/acme-challenge"; extraConfig = '' RewriteEngine on RewriteCond "%{REQUEST_URI}" "!^/\.well-known" @@ -164,9 +178,9 @@ in }; toVhost = ips: vhostConf: { enableSSL = true; - sslServerCert = "${config.security.acme.directory}/${vhostConf.certName}/cert.pem"; - sslServerKey = "${config.security.acme.directory}/${vhostConf.certName}/key.pem"; - sslServerChain = "${config.security.acme.directory}/${vhostConf.certName}/chain.pem"; + sslServerCert = "${config.security.acme.certs."${vhostConf.certName}".directory}/cert.pem"; + sslServerKey = "${config.security.acme.certs."${vhostConf.certName}".directory}/key.pem"; + sslServerChain = "${config.security.acme.certs."${vhostConf.certName}".directory}/chain.pem"; logFormat = "combinedVhost"; listen = map (ip: { inherit ip; port = 443; }) ips; hostName = builtins.head vhostConf.hosts; @@ -174,6 +188,15 @@ in documentRoot = vhostConf.root; extraConfig = builtins.concatStringsSep "\n" vhostConf.extraConfig; }; + toVhostNoSSL = ips: vhostConf: { + enableSSL = false; + logFormat = "combinedVhost"; + listen = map (ip: { inherit ip; port = 80; }) ips; + hostName = builtins.head vhostConf.hosts; + serverAliases = builtins.tail vhostConf.hosts or []; + documentRoot = vhostConf.root; + extraConfig = builtins.concatStringsSep "\n" vhostConf.extraConfig; + }; in attrsets.mapAttrs' (name: icfg: attrsets.nameValuePair icfg.httpdName (mkIf icfg.enable { enable = true; 
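Review bot: `documentRoot = "/var/lib/acme/acme-challenge"` hardcodes the ACME challenge webroot in the catch-all vhost whose `RewriteCond "%{REQUEST_URI}" "!^/\.well-known"` exempts challenge requests from the HTTPS redirect; if any `security.acme.certs.<name>.webroot` points at a different directory, HTTP-01 validation for that certificate fails at renewal time rather than at evaluation time. Since the module already reaches into `config.security.acme.certs` for the certificate file paths, consider deriving this directory from the same place, or at least hoisting it into one `let` binding such as `acmeChallengeDir = "/var/lib/acme/acme-challenge";` that both this vhost and whatever sets the ACME webroot (not visible here) consume, so the two cannot drift. The enclosing vhost definition starts and ends outside this hunk.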
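Review bot: In `toVhostNoSSL`, `serverAliases = builtins.tail vhostConf.hosts or [];` applies the `or []` to the attribute selection `vhostConf.hosts`, not to `tail`, and `hosts` is a required option with no default, so the fallback never triggers; `serverAliases = builtins.tail vhostConf.hosts;` is the honest form. An empty `hosts` list still fails at `builtins.head` with an opaque evaluation error, so an assertion that `vhostConf.hosts != []`, naming the offending vhost, would fail earlier and clearer (the same presumably applies to `toVhost`, whose alias line sits outside the hunk). `toVhostNoSSL` also repeats `logFormat`, `hostName`, `documentRoot` and `extraConfig` from `toVhost`; a shared `vhostCommon = vhostConf: { … }` merged with `//` in both would keep the two from drifting.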
@@ -181,12 +204,21 @@ in
 stateDir = "/run/httpd_${name}";
 logPerVirtualHost = true;
 multiProcessingModule = "worker";
+ # https://ssl-config.mozilla.org/#server=apache&version=2.4.41&config=intermediate&openssl=1.0.2t&guideline=5.4
+ sslProtocols = "all -SSLv3 -TLSv1 -TLSv1.1";
+ sslCiphers = builtins.concatStringsSep ":" [
+ "ECDHE-ECDSA-AES128-GCM-SHA256" "ECDHE-RSA-AES128-GCM-SHA256"
+ "ECDHE-ECDSA-AES256-GCM-SHA384" "ECDHE-RSA-AES256-GCM-SHA384"
+ "ECDHE-ECDSA-CHACHA20-POLY1305" "ECDHE-RSA-CHACHA20-POLY1305"
+ "DHE-RSA-AES128-GCM-SHA256" "DHE-RSA-AES256-GCM-SHA384"
+ ];
 inherit (icfg) adminAddr;
 logFormat = "combinedVhost";
 extraModules = lists.unique icfg.modules;
 extraConfig = builtins.concatStringsSep "\n" icfg.extraConfig;
 virtualHosts = [ (toVhost icfg.ips icfg.fallbackVhost) ]
 ++ optionals (icfg.nosslVhost.enable) [ (nosslVhost icfg.ips icfg.nosslVhost) ]
+ ++ (attrsets.mapAttrsToList (n: v: toVhostNoSSL icfg.ips v) icfg.vhostNoSSLConfs)
 ++ (attrsets.mapAttrsToList (n: v: toVhost icfg.ips v) icfg.vhostConfs)
 ++ [ (redirectVhost icfg.ips) ];
 })
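Review bot: The `sslCiphers` list matches the Mozilla intermediate profile the comment links to, but as I recall that profile also sets `SSLHonorCipherOrder off` and `SSLSessionTickets off` (and an HSTS header), none of which appear in this hunk; unless they arrive through `icfg.extraConfig`, which is not visible here, the instance is only partly aligned with the cited profile. If the NixOS httpd module in use does not expose those as options, `extraConfig = builtins.concatStringsSep "\n" ([ "SSLHonorCipherOrder off" "SSLSessionTickets off" ] ++ icfg.extraConfig);` would carry them per instance. The pinned `version=2.4.41&openssl=1.0.2t` in the URL will drift from the deployed Apache/OpenSSL; a comment like `# Mozilla "intermediate" profile (guideline 5.4); re-check the generator when bumping Apache/OpenSSL` would age better than the exact permalink alone.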