Remove webappdirs
index d5a0f635b0354db0ae775c7a5b877dded3db133d..6658c6624f4470aee16c4d40cac77437a68b0f5a 100644 (file)
@@ -1,4 +1,4 @@
-{ lib, config, ... }: with lib;
+{ lib, config, pkgs, ... }: with lib;
 let
   cfg = config.services.websites;
 in
@@ -7,22 +7,6 @@ in
     certs = mkOption {
       description = "Default websites configuration for certificates as accepted by acme";
     };
-    webappDirs = mkOption {
-      description = ''
-        Defines a symlink between /run/current-system/webapps and a store
-        app directory to be used in http configuration. Permits to avoid
-        restarting httpd when only the folder name changes.
-        '';
-      type = types.attrsOf types.path;
-      default = {};
-    };
-    webappDirsName = mkOption {
-      type = str;
-      default = "webapps";
-      description = ''
-        Name of the webapp dir to create in /run/current-system
-        '';
-    };
     env = mkOption {
       default = {};
       description = "Each type of website to enable will target a distinct httpd server";
@@ -145,17 +129,6 @@ in
         };
       });
     };
-    # Readonly variables
-    webappDirsPaths = mkOption {
-      type = attrsOf path;
-      readOnly = true;
-      description = ''
-        Full paths of the webapp dir
-        '';
-      default = attrsets.mapAttrs' (name: icfg: attrsets.nameValuePair
-        name "/run/current-system/${cfg.webappDirsName}/${name}"
-      ) cfg.webappDirs;
-    };
   };
 
   config.services.httpd = let
@@ -201,6 +174,7 @@ in
       logPerVirtualHost = true;
       multiProcessingModule = "worker";
       # https://ssl-config.mozilla.org/#server=apache&version=2.4.41&config=intermediate&openssl=1.0.2t&guideline=5.4
+      # test with https://www.ssllabs.com/ssltest/analyze.html?d=www.immae.eu&s=176.9.151.154&latest
       sslProtocols = "all -SSLv3 -TLSv1 -TLSv1.1";
       sslCiphers = builtins.concatStringsSep ":" [
         "ECDHE-ECDSA-AES128-GCM-SHA256" "ECDHE-RSA-AES128-GCM-SHA256"
@@ -267,11 +241,41 @@ in
     }
   ) groupedCerts;
 
-  config.system.extraSystemBuilderCmds = lib.mkIf (builtins.length (builtins.attrValues cfg.webappDirs) > 0) ''
-    mkdir -p $out/${cfg.webappDirsName}
-    ${builtins.concatStringsSep "\n"
-      (attrsets.mapAttrsToList
-        (name: path: "ln -s ${path} $out/${cfg.webappDirsName}/${name}") cfg.webappDirs)
-    }
-  '';
+  config.systemd.services = let
+    package = httpdName: config.services.httpd.${httpdName}.package.out;
+    cfgFile = httpdName: config.services.httpd.${httpdName}.configFile;
+    serviceChange = attrsets.mapAttrs' (name: icfg:
+      attrsets.nameValuePair
+      "httpd${icfg.httpdName}" {
+        stopIfChanged = false;
+        serviceConfig.ExecStart =
+          lib.mkForce "@${package icfg.httpdName}/bin/httpd httpd -f /etc/httpd/httpd_${icfg.httpdName}.conf";
+        serviceConfig.ExecStop =
+          lib.mkForce "${package icfg.httpdName}/bin/httpd -f /etc/httpd/httpd_${icfg.httpdName}.conf -k graceful-stop";
+        serviceConfig.ExecReload =
+          lib.mkForce "${package icfg.httpdName}/bin/httpd -f /etc/httpd/httpd_${icfg.httpdName}.conf -k graceful";
+      }
+      ) cfg.env;
+    serviceReload = attrsets.mapAttrs' (name: icfg:
+      attrsets.nameValuePair
+      "httpd${icfg.httpdName}-config-reload" {
+        wants = [ "httpd${icfg.httpdName}.service" ];
+        wantedBy = [ "multi-user.target" ];
+        restartTriggers = [ (cfgFile icfg.httpdName) ];
+        # commented, because can cause extra delays during activate for this config:
+        #      services.nginx.virtualHosts."_".locations."/".proxyPass = "http://blabla:3000";
+        # stopIfChanged = false;
+        serviceConfig.Type = "oneshot";
+        serviceConfig.TimeoutSec = 60;
+        script = ''
+          if ${pkgs.systemd}/bin/systemctl -q is-active httpd${icfg.httpdName}.service ; then
+            ${package icfg.httpdName}/bin/httpd -f /etc/httpd/httpd_${icfg.httpdName}.conf -t && \
+              ${pkgs.systemd}/bin/systemctl reload httpd${icfg.httpdName}.service
+          fi
+        '';
+        serviceConfig.RemainAfterExit = true;
+      }
+      ) cfg.env;
+  in
+    serviceChange // serviceReload;
 }
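Review bot: The explanatory comment inside the `httpd…-config-reload` unit (`# commented, because can cause extra delays during activate for this config:` followed by `services.nginx.virtualHosts."_".locations."/".proxyPass = "http://blabla:3000"`) refers to an nginx option this httpd module never sets, so it explains nothing about the `# stopIfChanged = false;` it sits above and appears to be carried over from the nixpkgs nginx-config-reload unit. Replace it with a comment tied to this module, e.g. `# stopIfChanged is left at its default on purpose: with it set to false a slow "httpd -t" (e.g. an unresolvable hostname in a vhost config) would stall activation` — the httpd-specific cause is an inference and should be confirmed before it is written down. Separately, the script calls `${pkgs.systemd}/bin/systemctl`, whereas the nixpkgs pattern uses `/run/current-system/systemd/bin/systemctl` so that the client always matches the manager running as PID 1; if `pkgs.systemd` can diverge from the booted systemd during a switch, the `/run/current-system` path is the safer choice. Finally, the reload unit declares `wants` but no `after` on `httpd…service`, so at boot the `is-active` check may run before httpd is up; the only effect is a skipped reload (httpd then starts on the current config anyway), but a one-line comment saying so would spare the next reader that analysis.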