[perso/Immae/Config/Nix.git] / modules / websites / default.nix

{ lib, config, ... }: with lib;
let
  cfg = config.services.websites;
in
{
  options.services.websitesCerts = mkOption {
    description = "Default websites configuration for certificates as accepted by acme";
  };
  options.services.websites = with types; mkOption {
    default = {};
    description = "Each type of website to enable will target a distinct httpd server";
    type = attrsOf (submodule {
      options = {
        enable = mkEnableOption "Enable websites of this type";
        adminAddr = mkOption {
          type = str;
          description = "Admin e-mail address of the instance";
        };
        httpdName = mkOption {
          type = str;
          description = "Name of the httpd instance to assign this type to";
        };
        ips = mkOption {
          type = listOf string;
          default = [];
          description = "ips to listen to";
        };
        modules = mkOption {
          type = listOf str;
          default = [];
          description = "Additional modules to load in Apache";
        };
        extraConfig = mkOption {
          type = listOf lines;
          default = [];
          description = "Additional configuration to append to Apache";
        };
        nosslVhost = mkOption {
          description = "A default nossl vhost for captive portals";
          default = {};
          type = submodule {
            options = {
              enable = mkEnableOption "Add default no-ssl vhost for this instance";
              host = mkOption {
                type = string;
                description = "The hostname to use for this vhost";
              };
              root = mkOption {
                type = path;
                default = ./nosslVhost;
                description = "The root folder to serve";
              };
              indexFile = mkOption {
                type = string;
                default = "index.html";
                description = "The index file to show.";
              };
            };
          };
        };
        fallbackVhost = mkOption {
          description = "The fallback vhost that will be defined as first vhost in Apache";
          type = submodule {
            options = {
              certName = mkOption { type = string; };
              hosts    = mkOption { type = listOf string; };
              root     = mkOption { type = nullOr path; };
              extraConfig = mkOption { type = listOf lines; default = []; };
            };
          };
        };
        vhostConfs = mkOption {
          default = {};
          description = "List of vhosts to define for Apache";
          type = attrsOf (submodule {
            options = {
              certName = mkOption { type = string; };
              addToCerts = mkOption {
                type = bool;
                default = false;
                description = "Use these to certificates. Is ignored (considered true) if certMainHost is not null";
              };
              certMainHost = mkOption {
                type = nullOr string;
                description = "Use that host as 'main host' for acme certs";
                default = null;
              };
              hosts    = mkOption { type = listOf string; };
              root     = mkOption { type = nullOr path; };
              extraConfig = mkOption { type = listOf lines; default = []; };
            };
          });
        };
        watchPaths = mkOption {
          type = listOf string;
          default = [];
          description = ''
            Paths to watch that should trigger a reload of httpd
            '';
        };
      };
    });
  };

  config.services.httpd = let
    redirectVhost = ips: { # Should go last, catchall http -> https redirect
      listen = map (ip: { inherit ip; port = 80; }) ips;
      hostName = "redirectSSL";
      serverAliases = [ "*" ];
      enableSSL = false;
      logFormat = "combinedVhost";
      documentRoot = "${config.security.acme.directory}/acme-challenge";
      extraConfig = ''
        RewriteEngine on
        RewriteCond "%{REQUEST_URI}"   "!^/\.well-known"
        RewriteRule ^(.+)              https://%{HTTP_HOST}$1  [R=301]
        # To redirect in specific "VirtualHost *:80", do
        #   RedirectMatch 301 ^/((?!\.well-known.*$).*)$ https://host/$1
        # rather than rewrite
      '';
    };
    nosslVhost = ips: cfg: {
      listen = map (ip: { inherit ip; port = 80; }) ips;
      hostName = cfg.host;
      enableSSL = false;
      logFormat = "combinedVhost";
      documentRoot = cfg.root;
      extraConfig = ''
        <Directory ${cfg.root}>
          DirectoryIndex ${cfg.indexFile}
          AllowOverride None
          Require all granted

          RewriteEngine on
          RewriteRule ^/(.+)   /   [L]
        </Directory>
        '';
    };
    toVhost = ips: vhostConf: {
      enableSSL = true;
      sslServerCert = "${config.security.acme.directory}/${vhostConf.certName}/cert.pem";
      sslServerKey = "${config.security.acme.directory}/${vhostConf.certName}/key.pem";
      sslServerChain = "${config.security.acme.directory}/${vhostConf.certName}/chain.pem";
      logFormat = "combinedVhost";
      listen = map (ip: { inherit ip; port = 443; }) ips;
      hostName = builtins.head vhostConf.hosts;
      serverAliases = builtins.tail vhostConf.hosts or [];
      documentRoot = vhostConf.root;
      extraConfig = builtins.concatStringsSep "\n" vhostConf.extraConfig;
    };
  in attrsets.mapAttrs' (name: icfg: attrsets.nameValuePair
    icfg.httpdName (mkIf icfg.enable {
      enable = true;
      listen = map (ip: { inherit ip; port = 443; }) icfg.ips;
      stateDir = "/run/httpd_${name}";
      logPerVirtualHost = true;
      multiProcessingModule = "worker";
      inherit (icfg) adminAddr;
      logFormat = "combinedVhost";
      extraModules = lists.unique icfg.modules;
      extraConfig = builtins.concatStringsSep "\n" icfg.extraConfig;
      virtualHosts = [ (toVhost icfg.ips icfg.fallbackVhost) ]
        ++ optionals (icfg.nosslVhost.enable) [ (nosslVhost icfg.ips icfg.nosslVhost) ]
        ++ (attrsets.mapAttrsToList (n: v: toVhost icfg.ips v) icfg.vhostConfs)
        ++ [ (redirectVhost icfg.ips) ];
    })
  ) cfg;

  config.services.filesWatcher = attrsets.mapAttrs' (name: icfg: attrsets.nameValuePair
    "httpd${icfg.httpdName}" {
      paths = icfg.watchPaths;
      waitTime = 5;
    }
  ) cfg;

  config.security.acme.certs = let
    typesToManage = attrsets.filterAttrs (k: v: v.enable) cfg;
    flatVhosts = lists.flatten (attrsets.mapAttrsToList (k: v:
      attrValues v.vhostConfs
    ) typesToManage);
    groupedCerts = attrsets.filterAttrs
      (_: group: builtins.any (v: v.addToCerts || !isNull v.certMainHost) group)
      (lists.groupBy (v: v.certName) flatVhosts);
    groupToDomain = group:
      let
        nonNull = builtins.filter (v: !isNull v.certMainHost) group;
        domains = lists.unique (map (v: v.certMainHost) nonNull);
      in
        if builtins.length domains == 0
          then null
          else assert (builtins.length domains == 1); (elemAt domains 0);
    extraDomains = group:
      let
        mainDomain = groupToDomain group;
      in
        lists.remove mainDomain (
          lists.unique (
            lists.flatten (map (c: optionals (c.addToCerts || !isNull c.certMainHost) c.hosts) group)
          )
        );
  in attrsets.mapAttrs (k: g:
    if (!isNull (groupToDomain g))
    then config.services.websitesCerts // {
      domain = groupToDomain g;
      extraDomains = builtins.listToAttrs (
        map (d: attrsets.nameValuePair d null) (extraDomains g));
    }
    else {
      extraDomains = builtins.listToAttrs (
        map (d: attrsets.nameValuePair d null) (extraDomains g));
    }
  ) groupedCerts;
}
Commit	Line	Data
daf64e3f IB	1	{ lib, config, ... }: with lib;
	2	let
	3	cfg = config.services.websites;
	4	in
	5	{
7df420c2 IB	6	options.services.websitesCerts = mkOption {
	7	description = "Default websites configuration for certificates as accepted by acme";
	8	};
daf64e3f IB	9	options.services.websites = with types; mkOption {
	10	default = {};
	11	description = "Each type of website to enable will target a distinct httpd server";
	12	type = attrsOf (submodule {
	13	options = {
	14	enable = mkEnableOption "Enable websites of this type";
	15	adminAddr = mkOption {
	16	type = str;
	17	description = "Admin e-mail address of the instance";
	18	};
	19	httpdName = mkOption {
	20	type = str;
	21	description = "Name of the httpd instance to assign this type to";
	22	};
	23	ips = mkOption {
	24	type = listOf string;
	25	default = [];
	26	description = "ips to listen to";
	27	};
	28	modules = mkOption {
	29	type = listOf str;
	30	default = [];
	31	description = "Additional modules to load in Apache";
	32	};
	33	extraConfig = mkOption {
	34	type = listOf lines;
	35	default = [];
	36	description = "Additional configuration to append to Apache";
	37	};
	38	nosslVhost = mkOption {
	39	description = "A default nossl vhost for captive portals";
	40	default = {};
	41	type = submodule {
	42	options = {
	43	enable = mkEnableOption "Add default no-ssl vhost for this instance";
	44	host = mkOption {
	45	type = string;
	46	description = "The hostname to use for this vhost";
	47	};
	48	root = mkOption {
	49	type = path;
	50	default = ./nosslVhost;
	51	description = "The root folder to serve";
	52	};
	53	indexFile = mkOption {
	54	type = string;
	55	default = "index.html";
	56	description = "The index file to show.";
	57	};
	58	};
	59	};
	60	};
	61	fallbackVhost = mkOption {
	62	description = "The fallback vhost that will be defined as first vhost in Apache";
	63	type = submodule {
	64	options = {
	65	certName = mkOption { type = string; };
	66	hosts = mkOption { type = listOf string; };
	67	root = mkOption { type = nullOr path; };
	68	extraConfig = mkOption { type = listOf lines; default = []; };
	69	};
	70	};
	71	};
	72	vhostConfs = mkOption {
73	default = {};
74	description = "List of vhosts to define for Apache";
75	type = attrsOf (submodule {
76	options = {
77	certName = mkOption { type = string; };
7df420c2 IB	78	addToCerts = mkOption {
	79	type = bool;
	80	default = false;
	81	description = "Use these to certificates. Is ignored (considered true) if certMainHost is not null";
	82	};
	83	certMainHost = mkOption {
	84	type = nullOr string;
	85	description = "Use that host as 'main host' for acme certs";
	86	default = null;
	87	};
daf64e3f IB	88	hosts = mkOption { type = listOf string; };
	89	root = mkOption { type = nullOr path; };
	90	extraConfig = mkOption { type = listOf lines; default = []; };
	91	};
	92	});
	93	};
17f6eae9 IB	94	watchPaths = mkOption {
	95	type = listOf string;
	96	default = [];
	97	description = ''
	98	Paths to watch that should trigger a reload of httpd
	99	'';
	100	};
daf64e3f IB	101	};
	102	});
	103	};
	104
	105	config.services.httpd = let
	106	redirectVhost = ips: { # Should go last, catchall http -> https redirect
	107	listen = map (ip: { inherit ip; port = 80; }) ips;
	108	hostName = "redirectSSL";
	109	serverAliases = [ "*" ];
	110	enableSSL = false;
	111	logFormat = "combinedVhost";
9ade8f6e	112	documentRoot = "${config.security.acme.directory}/acme-challenge";
daf64e3f IB	113	extraConfig = ''
	114	RewriteEngine on
	115	RewriteCond "%{REQUEST_URI}" "!^/\.well-known"
	116	RewriteRule ^(.+) https://%{HTTP_HOST}$1 [R=301]
	117	# To redirect in specific "VirtualHost *:80", do
	118	# RedirectMatch 301 ^/((?!\.well-known.$).)$ https://host/$1
	119	# rather than rewrite
	120	'';
	121	};
	122	nosslVhost = ips: cfg: {
	123	listen = map (ip: { inherit ip; port = 80; }) ips;
	124	hostName = cfg.host;
	125	enableSSL = false;
	126	logFormat = "combinedVhost";
	127	documentRoot = cfg.root;
	128	extraConfig = ''
	129	<Directory ${cfg.root}>
	130	DirectoryIndex ${cfg.indexFile}
	131	AllowOverride None
	132	Require all granted
	133
	134	RewriteEngine on
	135	RewriteRule ^/(.+) / [L]
	136	</Directory>
	137	'';
	138	};
	139	toVhost = ips: vhostConf: {
	140	enableSSL = true;
9ade8f6e IB	141	sslServerCert = "${config.security.acme.directory}/${vhostConf.certName}/cert.pem";
	142	sslServerKey = "${config.security.acme.directory}/${vhostConf.certName}/key.pem";
	143	sslServerChain = "${config.security.acme.directory}/${vhostConf.certName}/chain.pem";
daf64e3f IB	144	logFormat = "combinedVhost";
	145	listen = map (ip: { inherit ip; port = 443; }) ips;
	146	hostName = builtins.head vhostConf.hosts;
	147	serverAliases = builtins.tail vhostConf.hosts or [];
	148	documentRoot = vhostConf.root;
	149	extraConfig = builtins.concatStringsSep "\n" vhostConf.extraConfig;
	150	};
	151	in attrsets.mapAttrs' (name: icfg: attrsets.nameValuePair
	152	icfg.httpdName (mkIf icfg.enable {
	153	enable = true;
	154	listen = map (ip: { inherit ip; port = 443; }) icfg.ips;
	155	stateDir = "/run/httpd_${name}";
	156	logPerVirtualHost = true;
	157	multiProcessingModule = "worker";
	158	inherit (icfg) adminAddr;
	159	logFormat = "combinedVhost";
	160	extraModules = lists.unique icfg.modules;
	161	extraConfig = builtins.concatStringsSep "\n" icfg.extraConfig;
	162	virtualHosts = [ (toVhost icfg.ips icfg.fallbackVhost) ]
	163	++ optionals (icfg.nosslVhost.enable) [ (nosslVhost icfg.ips icfg.nosslVhost) ]
	164	++ (attrsets.mapAttrsToList (n: v: toVhost icfg.ips v) icfg.vhostConfs)
	165	++ [ (redirectVhost icfg.ips) ];
	166	})
	167	) cfg;
7df420c2	168
17f6eae9 IB	169	config.services.filesWatcher = attrsets.mapAttrs' (name: icfg: attrsets.nameValuePair
	170	"httpd${icfg.httpdName}" {
	171	paths = icfg.watchPaths;
	172	waitTime = 5;
	173	}
	174	) cfg;
	175
7df420c2 IB	176	config.security.acme.certs = let
	177	typesToManage = attrsets.filterAttrs (k: v: v.enable) cfg;
	178	flatVhosts = lists.flatten (attrsets.mapAttrsToList (k: v:
	179	attrValues v.vhostConfs
	180	) typesToManage);
	181	groupedCerts = attrsets.filterAttrs
	182	(_: group: builtins.any (v: v.addToCerts \|\| !isNull v.certMainHost) group)
	183	(lists.groupBy (v: v.certName) flatVhosts);
	184	groupToDomain = group:
	185	let
	186	nonNull = builtins.filter (v: !isNull v.certMainHost) group;
	187	domains = lists.unique (map (v: v.certMainHost) nonNull);
	188	in
	189	if builtins.length domains == 0
	190	then null
	191	else assert (builtins.length domains == 1); (elemAt domains 0);
	192	extraDomains = group:
	193	let
	194	mainDomain = groupToDomain group;
	195	in
	196	lists.remove mainDomain (
	197	lists.unique (
	198	lists.flatten (map (c: optionals (c.addToCerts \|\| !isNull c.certMainHost) c.hosts) group)
	199	)
	200	);
	201	in attrsets.mapAttrs (k: g:
	202	if (!isNull (groupToDomain g))
	203	then config.services.websitesCerts // {
	204	domain = groupToDomain g;
	205	extraDomains = builtins.listToAttrs (
	206	map (d: attrsets.nameValuePair d null) (extraDomains g));
	207	}
	208	else {
	209	extraDomains = builtins.listToAttrs (
	210	map (d: attrsets.nameValuePair d null) (extraDomains g));
	211	}
	212	) groupedCerts;
daf64e3f	213	}