X-Git-Url: https://git.immae.eu/?a=blobdiff_plain;f=modules%2Fwebsites%2Fdefault.nix;h=e69080e9dc2ae14c43f785796c8379468e5aeb9c;hb=0540384561541f94435ad0f6e268e6989fb1d37a;hp=e57f505a86fae43fc3b523c5f9210db6b82a7895;hpb=24fd1fe6c62b7a9fc347794fde043285da272f5c;p=perso%2FImmae%2FConfig%2FNix%2FNUR.git diff --git a/modules/websites/default.nix b/modules/websites/default.nix index e57f505a..e69080e9 100644 --- a/modules/websites/default.nix +++ b/modules/websites/default.nix @@ -3,96 +3,143 @@ let cfg = config.services.websites; in { - options.services.websitesCerts = mkOption { - description = "Default websites configuration for certificates as accepted by acme"; - }; - options.services.websites = with types; mkOption { - default = {}; - description = "Each type of website to enable will target a distinct httpd server"; - type = attrsOf (submodule { - options = { - enable = mkEnableOption "Enable websites of this type"; - adminAddr = mkOption { - type = str; - description = "Admin e-mail address of the instance"; - }; - httpdName = mkOption { - type = str; - description = "Name of the httpd instance to assign this type to"; - }; - ips = mkOption { - type = listOf string; - default = []; - description = "ips to listen to"; - }; - modules = mkOption { - type = listOf str; - default = []; - description = "Additional modules to load in Apache"; - }; - extraConfig = mkOption { - type = listOf lines; - default = []; - description = "Additional configuration to append to Apache"; - }; - nosslVhost = mkOption { - description = "A default nossl vhost for captive portals"; - default = {}; - type = submodule { - options = { - enable = mkEnableOption "Add default no-ssl vhost for this instance"; - host = mkOption { - type = string; - description = "The hostname to use for this vhost"; - }; - root = mkOption { - type = path; - default = ./nosslVhost; - description = "The root folder to serve"; - }; - indexFile = mkOption { - type = string; - default = "index.html"; - description = "The index file to show."; + options.services.websites = with types; { + certs = mkOption { + description = "Default websites configuration for certificates as accepted by acme"; + }; + webappDirs = mkOption { + description = '' + Defines a symlink between /run/current-system/webapps and a store + app directory to be used in http configuration. Permits to avoid + restarting httpd when only the folder name changes. + ''; + type = types.attrsOf types.path; + default = {}; + }; + webappDirsName = mkOption { + type = str; + default = "webapps"; + description = '' + Name of the webapp dir to create in /run/current-system + ''; + }; + env = mkOption { + default = {}; + description = "Each type of website to enable will target a distinct httpd server"; + type = attrsOf (submodule { + options = { + enable = mkEnableOption "Enable websites of this type"; + adminAddr = mkOption { + type = str; + description = "Admin e-mail address of the instance"; + }; + httpdName = mkOption { + type = str; + description = "Name of the httpd instance to assign this type to"; + }; + ips = mkOption { + type = listOf string; + default = []; + description = "ips to listen to"; + }; + modules = mkOption { + type = listOf str; + default = []; + description = "Additional modules to load in Apache"; + }; + extraConfig = mkOption { + type = listOf lines; + default = []; + description = "Additional configuration to append to Apache"; + }; + nosslVhost = mkOption { + description = "A default nossl vhost for captive portals"; + default = {}; + type = submodule { + options = { + enable = mkEnableOption "Add default no-ssl vhost for this instance"; + host = mkOption { + type = string; + description = "The hostname to use for this vhost"; + }; + root = mkOption { + type = path; + default = ./nosslVhost; + description = "The root folder to serve"; + }; + indexFile = mkOption { + type = string; + default = "index.html"; + description = "The index file to show."; + }; }; }; }; - }; - fallbackVhost = mkOption { - description = "The fallback vhost that will be defined as first vhost in Apache"; - type = submodule { - options = { - certName = mkOption { type = string; }; - hosts = mkOption { type = listOf string; }; - root = mkOption { type = nullOr path; }; - extraConfig = mkOption { type = listOf lines; default = []; }; + fallbackVhost = mkOption { + description = "The fallback vhost that will be defined as first vhost in Apache"; + type = submodule { + options = { + certName = mkOption { type = string; }; + hosts = mkOption { type = listOf string; }; + root = mkOption { type = nullOr path; }; + extraConfig = mkOption { type = listOf lines; default = []; }; + }; }; }; - }; - vhostConfs = mkOption { - default = {}; - description = "List of vhosts to define for Apache"; - type = attrsOf (submodule { - options = { - certName = mkOption { type = string; }; - addToCerts = mkOption { - type = bool; - default = false; - description = "Use these to certificates. Is ignored (considered true) if certMainHost is not null"; + vhostNoSSLConfs = mkOption { + default = {}; + description = "List of no ssl vhosts to define for Apache"; + type = attrsOf (submodule { + options = { + hosts = mkOption { type = listOf string; }; + root = mkOption { type = nullOr path; }; + extraConfig = mkOption { type = listOf lines; default = []; }; }; - certMainHost = mkOption { - type = nullOr string; - description = "Use that host as 'main host' for acme certs"; - default = null; + }); + }; + vhostConfs = mkOption { + default = {}; + description = "List of vhosts to define for Apache"; + type = attrsOf (submodule { + options = { + certName = mkOption { type = string; }; + addToCerts = mkOption { + type = bool; + default = false; + description = "Use these to certificates. Is ignored (considered true) if certMainHost is not null"; + }; + certMainHost = mkOption { + type = nullOr string; + description = "Use that host as 'main host' for acme certs"; + default = null; + }; + hosts = mkOption { type = listOf string; }; + root = mkOption { type = nullOr path; }; + extraConfig = mkOption { type = listOf lines; default = []; }; }; - hosts = mkOption { type = listOf string; }; - root = mkOption { type = nullOr path; }; - extraConfig = mkOption { type = listOf lines; default = []; }; - }; - }); + }); + }; + watchPaths = mkOption { + type = listOf string; + default = []; + description = '' + Paths to watch that should trigger a reload of httpd + ''; + }; }; - }; - }); + }); + }; + # Readonly variables + webappDirsPaths = mkOption { + type = attrsOf path; + readOnly = true; + description = '' + Full paths of the webapp dir + ''; + default = attrsets.mapAttrs' (name: icfg: attrsets.nameValuePair + name "/run/current-system/${cfg.webappDirsName}/${name}" + ) cfg.webappDirs; + }; }; config.services.httpd = let @@ -102,7 +149,7 @@ in serverAliases = [ "*" ]; enableSSL = false; logFormat = "combinedVhost"; - documentRoot = "${config.security.acme.directory}/acme-challenge"; + documentRoot = "/var/lib/acme/acme-challenge"; extraConfig = '' RewriteEngine on RewriteCond "%{REQUEST_URI}" "!^/\.well-known" @@ -131,9 +178,9 @@ in }; toVhost = ips: vhostConf: { enableSSL = true; - sslServerCert = "${config.security.acme.directory}/${vhostConf.certName}/cert.pem"; - sslServerKey = "${config.security.acme.directory}/${vhostConf.certName}/key.pem"; - sslServerChain = "${config.security.acme.directory}/${vhostConf.certName}/chain.pem"; + sslServerCert = "${config.security.acme2.certs."${vhostConf.certName}".directory}/cert.pem"; + sslServerKey = "${config.security.acme2.certs."${vhostConf.certName}".directory}/key.pem"; + sslServerChain = "${config.security.acme2.certs."${vhostConf.certName}".directory}/chain.pem"; logFormat = "combinedVhost"; listen = map (ip: { inherit ip; port = 443; }) ips; hostName = builtins.head vhostConf.hosts; @@ -141,6 +188,15 @@ in documentRoot = vhostConf.root; extraConfig = builtins.concatStringsSep "\n" vhostConf.extraConfig; }; + toVhostNoSSL = ips: vhostConf: { + enableSSL = false; + logFormat = "combinedVhost"; + listen = map (ip: { inherit ip; port = 80; }) ips; + hostName = builtins.head vhostConf.hosts; + serverAliases = builtins.tail vhostConf.hosts or []; + documentRoot = vhostConf.root; + extraConfig = builtins.concatStringsSep "\n" vhostConf.extraConfig; + }; in attrsets.mapAttrs' (name: icfg: attrsets.nameValuePair icfg.httpdName (mkIf icfg.enable { enable = true; @@ -154,13 +210,21 @@ in extraConfig = builtins.concatStringsSep "\n" icfg.extraConfig; virtualHosts = [ (toVhost icfg.ips icfg.fallbackVhost) ] ++ optionals (icfg.nosslVhost.enable) [ (nosslVhost icfg.ips icfg.nosslVhost) ] + ++ (attrsets.mapAttrsToList (n: v: toVhostNoSSL icfg.ips v) icfg.vhostNoSSLConfs) ++ (attrsets.mapAttrsToList (n: v: toVhost icfg.ips v) icfg.vhostConfs) ++ [ (redirectVhost icfg.ips) ]; }) - ) cfg; + ) cfg.env; + + config.services.filesWatcher = attrsets.mapAttrs' (name: icfg: attrsets.nameValuePair + "httpd${icfg.httpdName}" { + paths = icfg.watchPaths; + waitTime = 5; + } + ) cfg.env; - config.security.acme.certs = let - typesToManage = attrsets.filterAttrs (k: v: v.enable) cfg; + config.security.acme2.certs = let + typesToManage = attrsets.filterAttrs (k: v: v.enable) cfg.env; flatVhosts = lists.flatten (attrsets.mapAttrsToList (k: v: attrValues v.vhostConfs ) typesToManage); @@ -186,7 +250,7 @@ in ); in attrsets.mapAttrs (k: g: if (!isNull (groupToDomain g)) - then config.services.websitesCerts // { + then cfg.certs // { domain = groupToDomain g; extraDomains = builtins.listToAttrs ( map (d: attrsets.nameValuePair d null) (extraDomains g)); @@ -196,4 +260,12 @@ in map (d: attrsets.nameValuePair d null) (extraDomains g)); } ) groupedCerts; + + config.system.extraSystemBuilderCmds = lib.mkIf (builtins.length (builtins.attrValues cfg.webappDirs) > 0) '' + mkdir -p $out/${cfg.webappDirsName} + ${builtins.concatStringsSep "\n" + (attrsets.mapAttrsToList + (name: path: "ln -s ${path} $out/${cfg.webappDirsName}/${name}") cfg.webappDirs) + } + ''; }