[perso/Immae/Config/Nix.git] / modules / websites / default.nix

{ lib, config, pkgs, ... }: with lib;
let
  cfg = config.services.websites;
in
{
  options.services.websites = with types; {
    certs = mkOption {
      description = "Default websites configuration for certificates as accepted by acme";
    };
    env = mkOption {
      default = {};
      description = "Each type of website to enable will target a distinct httpd server";
      type = attrsOf (submodule {
        options = {
          enable = mkEnableOption "Enable websites of this type";
          adminAddr = mkOption {
            type = str;
            description = "Admin e-mail address of the instance";
          };
          httpdName = mkOption {
            type = str;
            description = "Name of the httpd instance to assign this type to";
          };
          ips = mkOption {
            type = listOf str;
            default = [];
            description = "ips to listen to";
          };
          modules = mkOption {
            type = listOf str;
            default = [];
            description = "Additional modules to load in Apache";
          };
          extraConfig = mkOption {
            type = listOf lines;
            default = [];
            description = "Additional configuration to append to Apache";
          };
          nosslVhost = mkOption {
            description = "A default nossl vhost for captive portals";
            default = {};
            type = submodule {
              options = {
                enable = mkEnableOption "Add default no-ssl vhost for this instance";
                host = mkOption {
                  type = str;
                  description = "The hostname to use for this vhost";
                };
                root = mkOption {
                  type = path;
                  default = ./nosslVhost;
                  description = "The root folder to serve";
                };
                indexFile = mkOption {
                  type = str;
                  default = "index.html";
                  description = "The index file to show.";
                };
              };
            };
          };
          fallbackVhost = mkOption {
            description = "The fallback vhost that will be defined as first vhost in Apache";
            type = submodule {
              options = {
                certName = mkOption { type = str; };
                hosts    = mkOption { type = listOf str; };
                root     = mkOption { type = nullOr path; };
                forceSSL = mkOption {
                  type = bool;
                  default = true;
                  description = ''
                    Automatically create a corresponding non-ssl vhost
                    that will only redirect to the ssl version
                  '';
                };
                extraConfig = mkOption { type = listOf lines; default = []; };
              };
            };
          };
          vhostNoSSLConfs = mkOption {
            default = {};
            description = "List of no ssl vhosts to define for Apache";
            type = attrsOf (submodule {
              options = {
                hosts    = mkOption { type = listOf str; };
                root     = mkOption { type = nullOr path; };
                extraConfig = mkOption { type = listOf lines; default = []; };
              };
            });
          };
          vhostConfs = mkOption {
            default = {};
            description = "List of vhosts to define for Apache";
            type = attrsOf (submodule {
              options = {
                certName = mkOption { type = str; };
                addToCerts = mkOption {
                  type = bool;
                  default = false;
                  description = "Use these to certificates. Is ignored (considered true) if certMainHost is not null";
                };
                certMainHost = mkOption {
                  type = nullOr str;
                  description = "Use that host as 'main host' for acme certs";
                  default = null;
                };
                hosts    = mkOption { type = listOf str; };
                root     = mkOption { type = nullOr path; };
                forceSSL = mkOption {
                  type = bool;
                  default = true;
                  description = ''
                    Automatically create a corresponding non-ssl vhost
                    that will only redirect to the ssl version
                  '';
                };
                extraConfig = mkOption { type = listOf lines; default = []; };
              };
            });
          };
          watchPaths = mkOption {
            type = listOf str;
            default = [];
            description = ''
              Paths to watch that should trigger a reload of httpd
              '';
          };
        };
      });
    };
  };

  config.services.httpd = let
    nosslVhost = ips: cfg: {
      listen = map (ip: { inherit ip; port = 80; }) ips;
      hostName = cfg.host;
      logFormat = "combinedVhost";
      documentRoot = cfg.root;
      extraConfig = ''
        <Directory ${cfg.root}>
          DirectoryIndex ${cfg.indexFile}
          AllowOverride None
          Require all granted

          RewriteEngine on
          RewriteRule ^/(.+)   /   [L]
        </Directory>
        '';
    };
    toVhost = ips: vhostConf: {
      forceSSL = vhostConf.forceSSL or true;
      useACMEHost = vhostConf.certName;
      logFormat = "combinedVhost";
      listen = if vhostConf.forceSSL
        then lists.flatten (map (ip: [{ inherit ip; port = 443; ssl = true; } { inherit ip; port = 80; }]) ips)
        else map (ip: { inherit ip; port = 443; ssl = true; }) ips;
      hostName = builtins.head vhostConf.hosts;
      serverAliases = builtins.tail vhostConf.hosts or [];
      documentRoot = vhostConf.root;
      extraConfig = builtins.concatStringsSep "\n" vhostConf.extraConfig;
    };
    toVhostNoSSL = ips: vhostConf: {
      logFormat = "combinedVhost";
      listen = map (ip: { inherit ip; port = 80; }) ips;
      hostName = builtins.head vhostConf.hosts;
      serverAliases = builtins.tail vhostConf.hosts or [];
      documentRoot = vhostConf.root;
      extraConfig = builtins.concatStringsSep "\n" vhostConf.extraConfig;
    };
  in attrsets.mapAttrs' (name: icfg: attrsets.nameValuePair
    icfg.httpdName (mkIf icfg.enable {
      enable = true;
      logPerVirtualHost = true;
      multiProcessingModule = "worker";
      # https://ssl-config.mozilla.org/#server=apache&version=2.4.41&config=intermediate&openssl=1.0.2t&guideline=5.4
      # test with https://www.ssllabs.com/ssltest/analyze.html?d=www.immae.eu&s=176.9.151.154&latest
      sslProtocols = "all -SSLv3 -TLSv1 -TLSv1.1";
      sslCiphers = builtins.concatStringsSep ":" [
        "ECDHE-ECDSA-AES128-GCM-SHA256" "ECDHE-RSA-AES128-GCM-SHA256"
        "ECDHE-ECDSA-AES256-GCM-SHA384" "ECDHE-RSA-AES256-GCM-SHA384"
        "ECDHE-ECDSA-CHACHA20-POLY1305" "ECDHE-RSA-CHACHA20-POLY1305"
        "DHE-RSA-AES128-GCM-SHA256" "DHE-RSA-AES256-GCM-SHA384"
      ];
      inherit (icfg) adminAddr;
      logFormat = "combinedVhost";
      extraModules = lists.unique icfg.modules;
      extraConfig = builtins.concatStringsSep "\n" icfg.extraConfig;

      virtualHosts = with attrsets; {
        ___fallbackVhost = toVhost icfg.ips icfg.fallbackVhost;
      } // (optionalAttrs icfg.nosslVhost.enable {
        nosslVhost = nosslVhost icfg.ips icfg.nosslVhost;
      }) // (mapAttrs' (n: v: nameValuePair ("nossl_" + n) (toVhostNoSSL icfg.ips v)) icfg.vhostNoSSLConfs)
      // (mapAttrs' (n: v: nameValuePair ("ssl_" + n) (toVhost icfg.ips v)) icfg.vhostConfs);
    })
  ) cfg.env;

  config.services.filesWatcher = attrsets.mapAttrs' (name: icfg: attrsets.nameValuePair
    "httpd${icfg.httpdName}" {
      paths = icfg.watchPaths;
      waitTime = 5;
    }
  ) cfg.env;

  config.security.acme.certs = let
    typesToManage = attrsets.filterAttrs (k: v: v.enable) cfg.env;
    flatVhosts = lists.flatten (attrsets.mapAttrsToList (k: v:
      attrValues v.vhostConfs
    ) typesToManage);
    groupedCerts = attrsets.filterAttrs
      (_: group: builtins.any (v: v.addToCerts || !isNull v.certMainHost) group)
      (lists.groupBy (v: v.certName) flatVhosts);
    groupToDomain = group:
      let
        nonNull = builtins.filter (v: !isNull v.certMainHost) group;
        domains = lists.unique (map (v: v.certMainHost) nonNull);
      in
        if builtins.length domains == 0
          then null
          else assert (builtins.length domains == 1); (elemAt domains 0);
    extraDomains = group:
      let
        mainDomain = groupToDomain group;
      in
        lists.remove mainDomain (
          lists.unique (
            lists.flatten (map (c: optionals (c.addToCerts || !isNull c.certMainHost) c.hosts) group)
          )
        );
  in attrsets.mapAttrs (k: g:
    if (!isNull (groupToDomain g))
    then cfg.certs // {
      domain = groupToDomain g;
      extraDomains = builtins.listToAttrs (
        map (d: attrsets.nameValuePair d null) (extraDomains g));
    }
    else {
      extraDomains = builtins.listToAttrs (
        map (d: attrsets.nameValuePair d null) (extraDomains g));
    }
  ) groupedCerts;

  config.systemd.services = let
    package = httpdName: config.services.httpd.${httpdName}.package.out;
    cfgFile = httpdName: config.services.httpd.${httpdName}.configFile;
    serviceChange = attrsets.mapAttrs' (name: icfg:
      attrsets.nameValuePair
      "httpd${icfg.httpdName}" {
        stopIfChanged = false;
        serviceConfig.ExecStart =
          lib.mkForce "@${package icfg.httpdName}/bin/httpd httpd -f /etc/httpd/httpd_${icfg.httpdName}.conf";
        serviceConfig.ExecStop =
          lib.mkForce "${package icfg.httpdName}/bin/httpd -f /etc/httpd/httpd_${icfg.httpdName}.conf -k graceful-stop";
        serviceConfig.ExecReload =
          lib.mkForce "${package icfg.httpdName}/bin/httpd -f /etc/httpd/httpd_${icfg.httpdName}.conf -k graceful";
      }
      ) cfg.env;
    serviceReload = attrsets.mapAttrs' (name: icfg:
      attrsets.nameValuePair
      "httpd${icfg.httpdName}-config-reload" {
        wants = [ "httpd${icfg.httpdName}.service" ];
        wantedBy = [ "multi-user.target" ];
        restartTriggers = [ (cfgFile icfg.httpdName) ];
        # commented, because can cause extra delays during activate for this config:
        #      services.nginx.virtualHosts."_".locations."/".proxyPass = "http://blabla:3000";
        # stopIfChanged = false;
        serviceConfig.Type = "oneshot";
        serviceConfig.TimeoutSec = 60;
        script = ''
          if ${pkgs.systemd}/bin/systemctl -q is-active httpd${icfg.httpdName}.service ; then
            ${package icfg.httpdName}/bin/httpd -f /etc/httpd/httpd_${icfg.httpdName}.conf -t && \
              ${pkgs.systemd}/bin/systemctl reload httpd${icfg.httpdName}.service
          fi
        '';
        serviceConfig.RemainAfterExit = true;
      }
      ) cfg.env;
  in
    serviceChange // serviceReload;
}
Commit	Line	Data
32021034	1	{ lib, config, pkgs, ... }: with lib;
daf64e3f	2	let
29f8cb85	3	cfg = config.services.websites;
daf64e3f IB	4	in
daf64e3f IB	5	{
29f8cb85 IB	6	options.services.websites = with types; {
	7	certs = mkOption {
	8	description = "Default websites configuration for certificates as accepted by acme";
	9	};
29f8cb85 IB	10	env = mkOption {
	11	default = {};
	12	description = "Each type of website to enable will target a distinct httpd server";
	13	type = attrsOf (submodule {
	14	options = {
	15	enable = mkEnableOption "Enable websites of this type";
	16	adminAddr = mkOption {
	17	type = str;
	18	description = "Admin e-mail address of the instance";
	19	};
	20	httpdName = mkOption {
	21	type = str;
	22	description = "Name of the httpd instance to assign this type to";
	23	};
	24	ips = mkOption {
5400b9b6	25	type = listOf str;
29f8cb85 IB	26	default = [];
	27	description = "ips to listen to";
	28	};
	29	modules = mkOption {
	30	type = listOf str;
	31	default = [];
	32	description = "Additional modules to load in Apache";
	33	};
	34	extraConfig = mkOption {
	35	type = listOf lines;
	36	default = [];
	37	description = "Additional configuration to append to Apache";
	38	};
	39	nosslVhost = mkOption {
	40	description = "A default nossl vhost for captive portals";
	41	default = {};
	42	type = submodule {
	43	options = {
	44	enable = mkEnableOption "Add default no-ssl vhost for this instance";
	45	host = mkOption {
5400b9b6	46	type = str;
29f8cb85 IB	47	description = "The hostname to use for this vhost";
	48	};
	49	root = mkOption {
	50	type = path;
	51	default = ./nosslVhost;
	52	description = "The root folder to serve";
	53	};
	54	indexFile = mkOption {
5400b9b6	55	type = str;
29f8cb85 IB	56	default = "index.html";
	57	description = "The index file to show.";
	58	};
daf64e3f IB	59	};
	60	};
	61	};
29f8cb85 IB	62	fallbackVhost = mkOption {
	63	description = "The fallback vhost that will be defined as first vhost in Apache";
	64	type = submodule {
	65	options = {
5400b9b6 IB	66	certName = mkOption { type = str; };
5400b9b6 IB	67	hosts = mkOption { type = listOf str; };
29f8cb85	68	root = mkOption { type = nullOr path; };
e7b890d0 IB	69	forceSSL = mkOption {
	70	type = bool;
	71	default = true;
	72	description = ''
	73	Automatically create a corresponding non-ssl vhost
	74	that will only redirect to the ssl version
	75	'';
	76	};
29f8cb85 IB	77	extraConfig = mkOption { type = listOf lines; default = []; };
29f8cb85 IB	78	};
daf64e3f IB	79	};
daf64e3f IB	80	};
9a414bd6 IB	81	vhostNoSSLConfs = mkOption {
	82	default = {};
	83	description = "List of no ssl vhosts to define for Apache";
	84	type = attrsOf (submodule {
	85	options = {
5400b9b6	86	hosts = mkOption { type = listOf str; };
9a414bd6 IB	87	root = mkOption { type = nullOr path; };
	88	extraConfig = mkOption { type = listOf lines; default = []; };
	89	};
	90	});
	91	};
29f8cb85 IB	92	vhostConfs = mkOption {
	93	default = {};
	94	description = "List of vhosts to define for Apache";
	95	type = attrsOf (submodule {
	96	options = {
5400b9b6	97	certName = mkOption { type = str; };
29f8cb85 IB	98	addToCerts = mkOption {
	99	type = bool;
	100	default = false;
	101	description = "Use these to certificates. Is ignored (considered true) if certMainHost is not null";
	102	};
	103	certMainHost = mkOption {
5400b9b6	104	type = nullOr str;
29f8cb85 IB	105	description = "Use that host as 'main host' for acme certs";
	106	default = null;
	107	};
5400b9b6	108	hosts = mkOption { type = listOf str; };
29f8cb85	109	root = mkOption { type = nullOr path; };
e7b890d0 IB	110	forceSSL = mkOption {
	111	type = bool;
	112	default = true;
	113	description = ''
	114	Automatically create a corresponding non-ssl vhost
	115	that will only redirect to the ssl version
	116	'';
	117	};
29f8cb85	118	extraConfig = mkOption { type = listOf lines; default = []; };
7df420c2	119	};
29f8cb85 IB	120	});
	121	};
	122	watchPaths = mkOption {
5400b9b6	123	type = listOf str;
29f8cb85 IB	124	default = [];
	125	description = ''
	126	Paths to watch that should trigger a reload of httpd
	127	'';
	128	};
17f6eae9	129	};
29f8cb85 IB	130	});
29f8cb85 IB	131	};
daf64e3f IB	132	};
	133
	134	config.services.httpd = let
daf64e3f IB	135	nosslVhost = ips: cfg: {
	136	listen = map (ip: { inherit ip; port = 80; }) ips;
	137	hostName = cfg.host;
daf64e3f IB	138	logFormat = "combinedVhost";
	139	documentRoot = cfg.root;
	140	extraConfig = ''
	141	<Directory ${cfg.root}>
	142	DirectoryIndex ${cfg.indexFile}
	143	AllowOverride None
	144	Require all granted
	145
	146	RewriteEngine on
	147	RewriteRule ^/(.+) / [L]
	148	</Directory>
	149	'';
	150	};
	151	toVhost = ips: vhostConf: {
e7b890d0 IB	152	forceSSL = vhostConf.forceSSL or true;
e7b890d0 IB	153	useACMEHost = vhostConf.certName;
daf64e3f	154	logFormat = "combinedVhost";
e7b890d0 IB	155	listen = if vhostConf.forceSSL
	156	then lists.flatten (map (ip: [{ inherit ip; port = 443; ssl = true; } { inherit ip; port = 80; }]) ips)
	157	else map (ip: { inherit ip; port = 443; ssl = true; }) ips;
daf64e3f IB	158	hostName = builtins.head vhostConf.hosts;
	159	serverAliases = builtins.tail vhostConf.hosts or [];
	160	documentRoot = vhostConf.root;
	161	extraConfig = builtins.concatStringsSep "\n" vhostConf.extraConfig;
	162	};
9a414bd6	163	toVhostNoSSL = ips: vhostConf: {
9a414bd6 IB	164	logFormat = "combinedVhost";
	165	listen = map (ip: { inherit ip; port = 80; }) ips;
	166	hostName = builtins.head vhostConf.hosts;
	167	serverAliases = builtins.tail vhostConf.hosts or [];
	168	documentRoot = vhostConf.root;
	169	extraConfig = builtins.concatStringsSep "\n" vhostConf.extraConfig;
	170	};
daf64e3f IB	171	in attrsets.mapAttrs' (name: icfg: attrsets.nameValuePair
	172	icfg.httpdName (mkIf icfg.enable {
	173	enable = true;
daf64e3f IB	174	logPerVirtualHost = true;
daf64e3f IB	175	multiProcessingModule = "worker";
29252c23	176	# https://ssl-config.mozilla.org/#server=apache&version=2.4.41&config=intermediate&openssl=1.0.2t&guideline=5.4
41521c75	177	# test with https://www.ssllabs.com/ssltest/analyze.html?d=www.immae.eu&s=176.9.151.154&latest
29252c23 IB	178	sslProtocols = "all -SSLv3 -TLSv1 -TLSv1.1";
	179	sslCiphers = builtins.concatStringsSep ":" [
	180	"ECDHE-ECDSA-AES128-GCM-SHA256" "ECDHE-RSA-AES128-GCM-SHA256"
	181	"ECDHE-ECDSA-AES256-GCM-SHA384" "ECDHE-RSA-AES256-GCM-SHA384"
	182	"ECDHE-ECDSA-CHACHA20-POLY1305" "ECDHE-RSA-CHACHA20-POLY1305"
	183	"DHE-RSA-AES128-GCM-SHA256" "DHE-RSA-AES256-GCM-SHA384"
	184	];
daf64e3f IB	185	inherit (icfg) adminAddr;
	186	logFormat = "combinedVhost";
	187	extraModules = lists.unique icfg.modules;
	188	extraConfig = builtins.concatStringsSep "\n" icfg.extraConfig;
e7b890d0 IB	189
	190	virtualHosts = with attrsets; {
	191	___fallbackVhost = toVhost icfg.ips icfg.fallbackVhost;
	192	} // (optionalAttrs icfg.nosslVhost.enable {
	193	nosslVhost = nosslVhost icfg.ips icfg.nosslVhost;
	194	}) // (mapAttrs' (n: v: nameValuePair ("nossl_" + n) (toVhostNoSSL icfg.ips v)) icfg.vhostNoSSLConfs)
	195	// (mapAttrs' (n: v: nameValuePair ("ssl_" + n) (toVhost icfg.ips v)) icfg.vhostConfs);
daf64e3f	196	})
f4da0504	197	) cfg.env;
7df420c2	198
17f6eae9 IB	199	config.services.filesWatcher = attrsets.mapAttrs' (name: icfg: attrsets.nameValuePair
	200	"httpd${icfg.httpdName}" {
	201	paths = icfg.watchPaths;
	202	waitTime = 5;
	203	}
f4da0504	204	) cfg.env;
17f6eae9	205
5400b9b6	206	config.security.acme.certs = let
f4da0504	207	typesToManage = attrsets.filterAttrs (k: v: v.enable) cfg.env;
7df420c2 IB	208	flatVhosts = lists.flatten (attrsets.mapAttrsToList (k: v:
	209	attrValues v.vhostConfs
	210	) typesToManage);
	211	groupedCerts = attrsets.filterAttrs
	212	(_: group: builtins.any (v: v.addToCerts \|\| !isNull v.certMainHost) group)
	213	(lists.groupBy (v: v.certName) flatVhosts);
	214	groupToDomain = group:
	215	let
	216	nonNull = builtins.filter (v: !isNull v.certMainHost) group;
	217	domains = lists.unique (map (v: v.certMainHost) nonNull);
	218	in
	219	if builtins.length domains == 0
	220	then null
	221	else assert (builtins.length domains == 1); (elemAt domains 0);
	222	extraDomains = group:
	223	let
	224	mainDomain = groupToDomain group;
	225	in
	226	lists.remove mainDomain (
	227	lists.unique (
	228	lists.flatten (map (c: optionals (c.addToCerts \|\| !isNull c.certMainHost) c.hosts) group)
	229	)
	230	);
	231	in attrsets.mapAttrs (k: g:
	232	if (!isNull (groupToDomain g))
f4da0504	233	then cfg.certs // {
7df420c2 IB	234	domain = groupToDomain g;
	235	extraDomains = builtins.listToAttrs (
	236	map (d: attrsets.nameValuePair d null) (extraDomains g));
	237	}
	238	else {
	239	extraDomains = builtins.listToAttrs (
	240	map (d: attrsets.nameValuePair d null) (extraDomains g));
	241	}
	242	) groupedCerts;
f4da0504	243
32021034 IB	244	config.systemd.services = let
	245	package = httpdName: config.services.httpd.${httpdName}.package.out;
	246	cfgFile = httpdName: config.services.httpd.${httpdName}.configFile;
	247	serviceChange = attrsets.mapAttrs' (name: icfg:
	248	attrsets.nameValuePair
	249	"httpd${icfg.httpdName}" {
	250	stopIfChanged = false;
	251	serviceConfig.ExecStart =
	252	lib.mkForce "@${package icfg.httpdName}/bin/httpd httpd -f /etc/httpd/httpd_${icfg.httpdName}.conf";
	253	serviceConfig.ExecStop =
	254	lib.mkForce "${package icfg.httpdName}/bin/httpd -f /etc/httpd/httpd_${icfg.httpdName}.conf -k graceful-stop";
	255	serviceConfig.ExecReload =
	256	lib.mkForce "${package icfg.httpdName}/bin/httpd -f /etc/httpd/httpd_${icfg.httpdName}.conf -k graceful";
	257	}
	258	) cfg.env;
	259	serviceReload = attrsets.mapAttrs' (name: icfg:
	260	attrsets.nameValuePair
	261	"httpd${icfg.httpdName}-config-reload" {
	262	wants = [ "httpd${icfg.httpdName}.service" ];
	263	wantedBy = [ "multi-user.target" ];
	264	restartTriggers = [ (cfgFile icfg.httpdName) ];
	265	# commented, because can cause extra delays during activate for this config:
	266	# services.nginx.virtualHosts."_".locations."/".proxyPass = "http://blabla:3000";
	267	# stopIfChanged = false;
	268	serviceConfig.Type = "oneshot";
	269	serviceConfig.TimeoutSec = 60;
	270	script = ''
	271	if ${pkgs.systemd}/bin/systemctl -q is-active httpd${icfg.httpdName}.service ; then
	272	${package icfg.httpdName}/bin/httpd -f /etc/httpd/httpd_${icfg.httpdName}.conf -t && \
	273	${pkgs.systemd}/bin/systemctl reload httpd${icfg.httpdName}.service
	274	fi
	275	'';
	276	serviceConfig.RemainAfterExit = true;
	277	}
	278	) cfg.env;
	279	in
	280	serviceChange // serviceReload;
daf64e3f	281	}