authorIsmaël Bouya <ismael.bouya@normalesup.org>2020-04-05 15:57:20 +0200
committerIsmaël Bouya <ismael.bouya@normalesup.org>2020-04-06 00:25:00 +0200
commit258dd18bac4bf5dd03cf1098ffa35cb954f9e015 (patch)
tree03ca447495573f6745b701096d8b31283ce30466 /modules
parente7b890d0999fe54a99f84fe92d625d9d488358dc (diff)
downloadNix-258dd18bac4bf5dd03cf1098ffa35cb954f9e015.tar.gz
Nix-258dd18bac4bf5dd03cf1098ffa35cb954f9e015.tar.zst
Nix-258dd18bac4bf5dd03cf1098ffa35cb954f9e015.zip
Upgrade to nixos-unstable
Diffstat (limited to 'modules')
-rw-r--r--modules/naemon/default.nix18
-rw-r--r--modules/opendmarc.nix14
-rw-r--r--modules/private/certificates.nix12
-rw-r--r--modules/private/databases/mariadb.nix39
-rw-r--r--modules/private/databases/openldap/default.nix1
-rw-r--r--modules/private/databases/postgresql.nix15
-rw-r--r--modules/private/ftp.nix17
-rw-r--r--modules/private/monitoring/status.nix6
-rw-r--r--modules/private/system.nix21
-rw-r--r--modules/private/system/backup-2.nix6
-rw-r--r--modules/private/system/dilion.nix4
-rw-r--r--modules/private/tasks/default.nix1
-rw-r--r--modules/webapps/diaspora.nix28
-rw-r--r--modules/webapps/mastodon.nix26
-rw-r--r--modules/webapps/mediagoblin.nix26
-rw-r--r--modules/webapps/peertube.nix26
-rw-r--r--modules/websites/httpd-service-builder.nix2
-rw-r--r--modules/websites/location-options.nix54
-rw-r--r--modules/websites/vhost-options.nix275
19 files changed, 129 insertions, 462 deletions
diff --git a/modules/naemon/default.nix b/modules/naemon/default.nix
index 38e99a9..976de69 100644
--- a/modules/naemon/default.nix
+++ b/modules/naemon/default.nix
@@ -137,18 +137,18 @@ in
137 } 137 }
138 ]; 138 ];
139 139
140 users.users = optionalAttrs (cfg.user == "naemon") (singleton 140 users.users = optionalAttrs (cfg.user == "naemon") {
141 { 141 naemon = {
142 name = "naemon";
143 group = cfg.group; 142 group = cfg.group;
144 uid = config.ids.uids.nagios; 143 uid = config.ids.uids.nagios;
145 extraGroups = [ "keys" ]; 144 extraGroups = [ "keys" ];
146 }); 145 };
147 users.groups = optionalAttrs (cfg.user == "naemon") (singleton 146 };
148 { 147 users.groups = optionalAttrs (cfg.user == "naemon") {
149 name = "naemon"; 148 naemon = {
150 gid = config.ids.gids.nagios; 149 gid = config.ids.gids.nagios;
151 }); 150 };
151 };
152 152
153 services.filesWatcher.naemon = { 153 services.filesWatcher.naemon = {
154 paths = [ config.secrets.fullPaths."naemon/resources.cfg" ]; 154 paths = [ config.secrets.fullPaths."naemon/resources.cfg" ];
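Review bot: The `naemon` group at new lines 147-150 is created when `cfg.user == "naemon"` rather than when `cfg.group == "naemon"`, while the user itself takes `group = cfg.group` (new line 142): if a host overrides `cfg.user` but leaves `cfg.group` at `"naemon"`, the group is never defined and the user points at a missing group, and if only `cfg.group` is overridden a stray `naemon` group with the nagios gid is still created. `modules/opendmarc.nix` in this same commit keys its group on `cfg.group`; `users.groups = optionalAttrs (cfg.group == "naemon") {` here would match that and make the two conditions independent. The enclosing `config` attribute set starts before this hunk.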
diff --git a/modules/opendmarc.nix b/modules/opendmarc.nix
index e18ec82..6137d10 100644
--- a/modules/opendmarc.nix
+++ b/modules/opendmarc.nix
@@ -59,16 +59,18 @@ in {
59 59
60 config = mkIf cfg.enable { 60 config = mkIf cfg.enable {
61 61
62 users.users = optionalAttrs (cfg.user == "opendmarc") (singleton 62 users.users = optionalAttrs (cfg.user == "opendmarc") {
63 { name = "opendmarc"; 63 opendmarc = {
64 group = cfg.group; 64 group = cfg.group;
65 uid = config.ids.uids.opendmarc; 65 uid = config.ids.uids.opendmarc;
66 }); 66 };
67 };
67 68
68 users.groups = optionalAttrs (cfg.group == "opendmarc") (singleton 69 users.groups = optionalAttrs (cfg.group == "opendmarc") {
69 { name = "opendmarc"; 70 opendmarc = {
70 gid = config.ids.gids.opendmarc; 71 gid = config.ids.gids.opendmarc;
71 }); 72 };
73 };
72 74
73 environment.systemPackages = [ pkgs.opendmarc ]; 75 environment.systemPackages = [ pkgs.opendmarc ];
74 76
diff --git a/modules/private/certificates.nix b/modules/private/certificates.nix
index 2bf2730..82ff52f 100644
--- a/modules/private/certificates.nix
+++ b/modules/private/certificates.nix
@@ -12,7 +12,6 @@
12 (lib.optionalString config.services.httpd.Inte.enable "systemctl reload httpdInte.service") 12 (lib.optionalString config.services.httpd.Inte.enable "systemctl reload httpdInte.service")
13 (lib.optionalString config.services.nginx.enable "systemctl reload nginx.service") 13 (lib.optionalString config.services.nginx.enable "systemctl reload nginx.service")
14 ]; 14 ];
15 plugins = [ "cert.pem" "chain.pem" "fullchain.pem" "full.pem" "key.pem" "account_key.json" "account_reg.json"];
16 }; 15 };
17 description = "Default configuration for certificates"; 16 description = "Default configuration for certificates";
18 }; 17 };
@@ -30,6 +29,7 @@
30 myServices.databasesCerts = config.myServices.certificates.certConfig; 29 myServices.databasesCerts = config.myServices.certificates.certConfig;
31 myServices.ircCerts = config.myServices.certificates.certConfig; 30 myServices.ircCerts = config.myServices.certificates.certConfig;
32 31
32 security.acme.acceptTerms = true;
33 security.acme.preliminarySelfsigned = true; 33 security.acme.preliminarySelfsigned = true;
34 34
35 security.acme.certs = { 35 security.acme.certs = {
@@ -39,18 +39,16 @@
39 }; 39 };
40 40
41 systemd.services = lib.attrsets.mapAttrs' (k: v: 41 systemd.services = lib.attrsets.mapAttrs' (k: v:
42 lib.attrsets.nameValuePair "acme-selfsigned-${k}" (lib.mkBefore { script = 42 lib.attrsets.nameValuePair "acme-selfsigned-${k}" { script = lib.mkBefore ''
43 (lib.optionalString (builtins.elem "cert.pem" v.plugins) ''
44 cp $workdir/server.crt ${config.security.acme.certs."${k}".directory}/cert.pem 43 cp $workdir/server.crt ${config.security.acme.certs."${k}".directory}/cert.pem
45 chown '${v.user}:${v.group}' ${config.security.acme.certs."${k}".directory}/cert.pem 44 chown '${v.user}:${v.group}' ${config.security.acme.certs."${k}".directory}/cert.pem
46 chmod ${if v.allowKeysForGroup then "750" else "700"} ${config.security.acme.certs."${k}".directory}/cert.pem 45 chmod ${if v.allowKeysForGroup then "750" else "700"} ${config.security.acme.certs."${k}".directory}/cert.pem
47 '') + 46
48 (lib.optionalString (builtins.elem "chain.pem" v.plugins) ''
49 cp $workdir/ca.crt ${config.security.acme.certs."${k}".directory}/chain.pem 47 cp $workdir/ca.crt ${config.security.acme.certs."${k}".directory}/chain.pem
50 chown '${v.user}:${v.group}' ${config.security.acme.certs."${k}".directory}/chain.pem 48 chown '${v.user}:${v.group}' ${config.security.acme.certs."${k}".directory}/chain.pem
51 chmod ${if v.allowKeysForGroup then "750" else "700"} ${config.security.acme.certs."${k}".directory}/chain.pem 49 chmod ${if v.allowKeysForGroup then "750" else "700"} ${config.security.acme.certs."${k}".directory}/chain.pem
52 '') 50 '';
53 ; }) 51 }
54 ) config.security.acme.certs // 52 ) config.security.acme.certs //
55 lib.attrsets.mapAttrs' (k: data: 53 lib.attrsets.mapAttrs' (k: data:
56 lib.attrsets.nameValuePair "acme-${k}" { 54 lib.attrsets.nameValuePair "acme-${k}" {
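Review bot: The copy commands prepended with `lib.mkBefore` at new lines 42-50 read `$workdir/server.crt` and `$workdir/ca.crt`, but `mkBefore` places them ahead of the upstream `acme-selfsigned-${k}` script, and in the lego-based module that upstream script is what sets `workdir="$(mktemp -d)"` and generates those files — if that is still its layout, `$workdir` is empty at this point and the `cp` fails under the unit's `set -e`, so please verify against the module in the nixpkgs this commit moves to. Because the upstream script also deletes `$workdir` at its end, `mkAfter` would not help either; deriving `cert.pem`/`chain.pem` from the `fullchain.pem` the module writes, in a `postStart` or `serviceConfig.ExecStartPost`, avoids depending on the temporary directory at all. Separately, `chmod 750`/`700` on a regular `.pem` file adds an execute bit nothing needs; `640`/`600` expresses "group-readable or not" without it. The `mapAttrs'` expression these lines belong to starts before the hunk.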
diff --git a/modules/private/databases/mariadb.nix b/modules/private/databases/mariadb.nix
index 04e4bd6..36edaeb 100644
--- a/modules/private/databases/mariadb.nix
+++ b/modules/private/databases/mariadb.nix
@@ -94,26 +94,27 @@ in {
94 enable = true; 94 enable = true;
95 package = cfg.package; 95 package = cfg.package;
96 dataDir = cfg.dataDir; 96 dataDir = cfg.dataDir;
97 extraOptions = '' 97 settings = {
98 ssl_ca = ${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt 98 mysqld = {
99 ssl_key = ${config.security.acme.certs.mysql.directory}/key.pem 99 ssl_ca = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
100 ssl_cert = ${config.security.acme.certs.mysql.directory}/fullchain.pem 100 ssl_key = "${config.security.acme.certs.mysql.directory}/key.pem";
101 ssl_cert = "${config.security.acme.certs.mysql.directory}/fullchain.pem";
101 102
102 # for replication 103 # for replication
103 log-bin=mariadb-bin 104 log-bin = "mariadb-bin";
104 server-id=1 105 server-id = "1";
105 106
106 # this introduces a small delay before storing on disk, but 107 # this introduces a small delay before storing on disk, but
107 # makes it order of magnitudes quicker 108 # makes it order of magnitudes quicker
108 innodb_flush_log_at_trx_commit = 0 109 innodb_flush_log_at_trx_commit = "0";
109 ''; 110 };
111 };
110 }; 112 };
111 113
112 users.users.mysql.extraGroups = [ "keys" ]; 114 users.users.mysql.extraGroups = [ "keys" ];
113 security.acme.certs."mysql" = config.myServices.databasesCerts // { 115 security.acme.certs."mysql" = config.myServices.databasesCerts // {
114 user = "mysql"; 116 user = "mysql";
115 group = "mysql"; 117 group = "mysql";
116 plugins = [ "fullchain.pem" "key.pem" "account_key.json" "account_reg.json" ];
117 domain = "db-1.immae.eu"; 118 domain = "db-1.immae.eu";
118 postRun = '' 119 postRun = ''
119 systemctl restart mysql.service 120 systemctl restart mysql.service
@@ -164,23 +165,21 @@ in {
164 165
165 security.pam.services = let 166 security.pam.services = let
166 pam_ldap = "${pkgs.pam_ldap}/lib/security/pam_ldap.so"; 167 pam_ldap = "${pkgs.pam_ldap}/lib/security/pam_ldap.so";
167 in [ 168 in {
168 { 169 mysql = {
169 name = "mysql";
170 text = '' 170 text = ''
171 # https://mariadb.com/kb/en/mariadb/pam-authentication-plugin/ 171 # https://mariadb.com/kb/en/mariadb/pam-authentication-plugin/
172 auth required ${pam_ldap} config=${config.secrets.location}/mysql/pam 172 auth required ${pam_ldap} config=${config.secrets.location}/mysql/pam
173 account required ${pam_ldap} config=${config.secrets.location}/mysql/pam 173 account required ${pam_ldap} config=${config.secrets.location}/mysql/pam
174 ''; 174 '';
175 } 175 };
176 { 176 mysql_replication = {
177 name = "mysql_replication";
178 text = '' 177 text = ''
179 auth required ${pam_ldap} config=${config.secrets.location}/mysql/pam_replication 178 auth required ${pam_ldap} config=${config.secrets.location}/mysql/pam_replication
180 account required ${pam_ldap} config=${config.secrets.location}/mysql/pam_replication 179 account required ${pam_ldap} config=${config.secrets.location}/mysql/pam_replication
181 ''; 180 '';
182 } 181 };
183 ]; 182 };
184 183
185 }; 184 };
186} 185}
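Review bot: `postRun` at new lines 119-120 still restarts `mysql.service` on every certificate renewal, which drops every client and replication connection; if `cfg.package` is MariaDB 10.4 or newer, `mysql -e 'FLUSH SSL'` reloads `ssl_cert`/`ssl_key` in place and is the less disruptive hook, so it is worth checking the version the module pins. Also note that `ssl_ca` (new line 99) is the public CA bundle: that verifies peers' Let's Encrypt certificates fine, but any account granted with `REQUIRE X509` would then accept a certificate from any public CA as a client identity, so such accounts should pin `REQUIRE SUBJECT`/`ISSUER` — the grants are outside this diff, so this is only a reminder. The enclosing `services.mysql` attribute set starts before the first hunk.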
diff --git a/modules/private/databases/openldap/default.nix b/modules/private/databases/openldap/default.nix
index efe9379..302aa04 100644
--- a/modules/private/databases/openldap/default.nix
+++ b/modules/private/databases/openldap/default.nix
@@ -107,7 +107,6 @@ in
107 security.acme.certs."ldap" = config.myServices.databasesCerts // { 107 security.acme.certs."ldap" = config.myServices.databasesCerts // {
108 user = "openldap"; 108 user = "openldap";
109 group = "openldap"; 109 group = "openldap";
110 plugins = [ "fullchain.pem" "key.pem" "cert.pem" "account_key.json" "account_reg.json" ];
111 domain = "ldap.immae.eu"; 110 domain = "ldap.immae.eu";
112 postRun = '' 111 postRun = ''
113 systemctl restart openldap.service 112 systemctl restart openldap.service
diff --git a/modules/private/databases/postgresql.nix b/modules/private/databases/postgresql.nix
index d0b1a75..c442a63 100644
--- a/modules/private/databases/postgresql.nix
+++ b/modules/private/databases/postgresql.nix
@@ -100,7 +100,6 @@ in {
100 security.acme.certs."postgresql" = config.myServices.databasesCerts // { 100 security.acme.certs."postgresql" = config.myServices.databasesCerts // {
101 user = "postgres"; 101 user = "postgres";
102 group = "postgres"; 102 group = "postgres";
103 plugins = [ "fullchain.pem" "key.pem" "account_key.json" "account_reg.json" ];
104 domain = "db-1.immae.eu"; 103 domain = "db-1.immae.eu";
105 postRun = '' 104 postRun = ''
106 systemctl reload postgresql.service 105 systemctl reload postgresql.service
@@ -212,22 +211,20 @@ in {
212 211
213 security.pam.services = let 212 security.pam.services = let
214 pam_ldap = "${pkgs.pam_ldap}/lib/security/pam_ldap.so"; 213 pam_ldap = "${pkgs.pam_ldap}/lib/security/pam_ldap.so";
215 in [ 214 in {
216 { 215 postgresql = {
217 name = "postgresql";
218 text = '' 216 text = ''
219 auth required ${pam_ldap} config=${config.secrets.location}/postgresql/pam 217 auth required ${pam_ldap} config=${config.secrets.location}/postgresql/pam
220 account required ${pam_ldap} config=${config.secrets.location}/postgresql/pam 218 account required ${pam_ldap} config=${config.secrets.location}/postgresql/pam
221 ''; 219 '';
222 } 220 };
223 { 221 postgresql_replication = {
224 name = "postgresql_replication";
225 text = '' 222 text = ''
226 auth required ${pam_ldap} config=${config.secrets.location}/postgresql/pam_replication 223 auth required ${pam_ldap} config=${config.secrets.location}/postgresql/pam_replication
227 account required ${pam_ldap} config=${config.secrets.location}/postgresql/pam_replication 224 account required ${pam_ldap} config=${config.secrets.location}/postgresql/pam_replication
228 ''; 225 '';
229 } 226 };
230 ]; 227 };
231 }; 228 };
232} 229}
233 230
diff --git a/modules/private/ftp.nix b/modules/private/ftp.nix
index 417af87..8ae4e65 100644
--- a/modules/private/ftp.nix
+++ b/modules/private/ftp.nix
@@ -32,16 +32,13 @@ in
32 }; 32 };
33 }; 33 };
34 34
35 users.users = [ 35 users.users.ftp = {
36 { 36 uid = config.ids.uids.ftp; # 8
37 name = "ftp"; 37 group = "ftp";
38 uid = config.ids.uids.ftp; # 8 38 description = "Anonymous FTP user";
39 group = "ftp"; 39 home = "/homeless-shelter";
40 description = "Anonymous FTP user"; 40 extraGroups = [ "keys" ];
41 home = "/homeless-shelter"; 41 };
42 extraGroups = [ "keys" ];
43 }
44 ];
45 42
46 users.groups.ftp.gid = config.ids.gids.ftp; 43 users.groups.ftp.gid = config.ids.gids.ftp;
47 44
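Review bot: The anonymous `ftp` user keeps `extraGroups = [ "keys" ]` (new line 40), which makes the uid the FTP daemon drops to a member of the group that can read every group-readable secret in the keys directory, not only the TLS material it presumably needs. If the daemon only needs its certificate, granting that per file (owner `ftp`, or the certificate's `group` plus `allowKeysForGroup = true` on the acme entry) keeps a compromise of the anonymous FTP process from exposing unrelated secrets — this assumes the secrets are deployed with group-readable modes, please confirm against the secrets module. The surrounding module body starts before this hunk.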
diff --git a/modules/private/monitoring/status.nix b/modules/private/monitoring/status.nix
index d25d934..7810a1f 100644
--- a/modules/private/monitoring/status.nix
+++ b/modules/private/monitoring/status.nix
@@ -34,7 +34,11 @@
34 locations."/".proxyPass = "http://unix:/run/naemon-status/socket.sock:/"; 34 locations."/".proxyPass = "http://unix:/run/naemon-status/socket.sock:/";
35 }; 35 };
36 }; 36 };
37 security.acme.certs."${name}".extraDomains."status.immae.eu" = null; 37 security.acme.certs."${name}" = {
38 extraDomains."status.immae.eu" = null;
39 user = config.services.nginx.user;
40 group = config.services.nginx.group;
41 };
38 42
39 myServices.certificates.enable = true; 43 myServices.certificates.enable = true;
40 networking.firewall.allowedTCPPorts = [ 80 443 ]; 44 networking.firewall.allowedTCPPorts = [ 80 443 ];
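Review bot: Setting the certificate's `user`/`group` to the nginx identity (new lines 39-40) leaves the ACME account key and the private key owned by the web server's uid, and if the `acme-<name>` unit runs as that `user` as the lego-based module does, the ACME client also runs with the web server's privileges. Keeping the module's default `acme` user and setting only `group = config.services.nginx.group` with `allowKeysForGroup = true` gives nginx read access to the key while keeping client and server in separate uids. The same pattern is added in `modules/private/system/backup-2.nix` in this commit. If the nginx user was chosen deliberately because the default did not work with this nginx setup, a one-line comment such as `# nginx must own the key: allowKeysForGroup is not enough for <reason>` would save the next reader the question. The enclosing `config` set starts before this hunk.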
diff --git a/modules/private/system.nix b/modules/private/system.nix
index 64fc2d9..70b74d0 100644
--- a/modules/private/system.nix
+++ b/modules/private/system.nix
@@ -65,21 +65,10 @@
65 users.mutableUsers = false; 65 users.mutableUsers = false;
66 66
67 environment.etc.cnagios.source = "${pkgs.cnagios}/share/doc/cnagios"; 67 environment.etc.cnagios.source = "${pkgs.cnagios}/share/doc/cnagios";
68 environment.systemPackages = 68 environment.systemPackages = [
69 let 69 pkgs.git
70 home-manager = builtins.fetchGit { 70 pkgs.vim
71 url = "https://github.com/rycee/home-manager.git"; 71 ] ++
72 rev = "ef64bc598f28818d56c86629dad98b468af9c071"; 72 (lib.optional (builtins.length (config.hostEnv.users pkgs) > 0) pkgs.home-manager);
73 ref = "release-19.03";
74 };
75 in
76 [
77 pkgs.git
78 pkgs.vim
79 ] ++
80 (lib.optional
81 (builtins.length (config.hostEnv.users pkgs) > 0)
82 ((pkgs.callPackage home-manager {}).home-manager)
83 );
84 }; 73 };
85} 74}
diff --git a/modules/private/system/backup-2.nix b/modules/private/system/backup-2.nix
index 4e24c12..6829f1b 100644
--- a/modules/private/system/backup-2.nix
+++ b/modules/private/system/backup-2.nix
@@ -1,5 +1,5 @@
1{ privateFiles }: 1{ privateFiles }:
2{ config, pkgs, resources, ... }: 2{ config, pkgs, resources, name, ... }:
3{ 3{
4 boot.kernelPackages = pkgs.linuxPackages_latest; 4 boot.kernelPackages = pkgs.linuxPackages_latest;
5 myEnv = import "${privateFiles}/environment.nix" // { inherit privateFiles; }; 5 myEnv = import "${privateFiles}/environment.nix" // { inherit privateFiles; };
@@ -35,6 +35,10 @@
35 }; 35 };
36 36
37 myServices.certificates.enable = true; 37 myServices.certificates.enable = true;
38 security.acme.certs."${name}" = {
39 user = config.services.nginx.user;
40 group = config.services.nginx.group;
41 };
38 services.nginx = { 42 services.nginx = {
39 enable = true; 43 enable = true;
40 recommendedOptimisation = true; 44 recommendedOptimisation = true;
diff --git a/modules/private/system/dilion.nix b/modules/private/system/dilion.nix
index 788c2dc..911c76d 100644
--- a/modules/private/system/dilion.nix
+++ b/modules/private/system/dilion.nix
@@ -101,8 +101,8 @@
101 101
102 # This is equivalent to setting environment.sessionVariables.NIX_PATH 102 # This is equivalent to setting environment.sessionVariables.NIX_PATH
103 nix.nixPath = [ 103 nix.nixPath = [
104 "home-manager=https://github.com/rycee/home-manager/archive/release-19.03.tar.gz" 104 "home-manager=https://github.com/rycee/home-manager/archive/master.tar.gz"
105 "nixpkgs=https://nixos.org/channels/nixos-19.03/nixexprs.tar.xz" 105 "nixpkgs=https://nixos.org/channels/nixos-unstable/nixexprs.tar.xz"
106 ]; 106 ];
107 nix.binaryCaches = [ "https://hydra.iohk.io" "https://cache.nixos.org" ]; 107 nix.binaryCaches = [ "https://hydra.iohk.io" "https://cache.nixos.org" ];
108 nix.binaryCachePublicKeys = [ "hydra.iohk.io:f/Ea+s+dFdN+3Y/G+FDgSq+a5NEWhJGzdjvKNGv0/EQ=" ]; 108 nix.binaryCachePublicKeys = [ "hydra.iohk.io:f/Ea+s+dFdN+3Y/G+FDgSq+a5NEWhJGzdjvKNGv0/EQ=" ];
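Review bot: `nix.nixPath` now points `home-manager` at `archive/master.tar.gz` (new line 104) and `nixpkgs` at the `nixos-unstable` channel (new line 105); both are floating references fetched without a hash at evaluation time, so every rebuild on this host evaluates whatever those endpoints serve that day, and the result is neither reproducible nor reviewable. Pinning to a commit (`.../archive/<rev>.tar.gz`), using `fetchTarball` with a `sha256`, or pointing `nixpkgs` at the deployment's `pkgs.path` keeps the supply chain under the same control as the pinned `rev` this commit removes from `modules/private/system.nix`. The `nixpkgs` entry also decides what `<nixpkgs/...>` lookups resolve to, which `modules/websites/httpd-service-builder.nix` now relies on.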
diff --git a/modules/private/tasks/default.nix b/modules/private/tasks/default.nix
index 42cc8d2..43d40d6 100644
--- a/modules/private/tasks/default.nix
+++ b/modules/private/tasks/default.nix
@@ -197,7 +197,6 @@ in {
197 197
198 security.acme.certs."task" = config.myServices.certificates.certConfig // { 198 security.acme.certs."task" = config.myServices.certificates.certConfig // {
199 inherit user group; 199 inherit user group;
200 plugins = [ "fullchain.pem" "key.pem" "cert.pem" "account_key.json" "account_reg.json" ];
201 domain = fqdn; 200 domain = fqdn;
202 postRun = '' 201 postRun = ''
203 systemctl restart taskserver.service 202 systemctl restart taskserver.service
diff --git a/modules/webapps/diaspora.nix b/modules/webapps/diaspora.nix
index 65599b7..d9e9989 100644
--- a/modules/webapps/diaspora.nix
+++ b/modules/webapps/diaspora.nix
@@ -108,19 +108,21 @@ in
108 }; 108 };
109 109
110 config = lib.mkIf cfg.enable { 110 config = lib.mkIf cfg.enable {
111 users.users = lib.optionalAttrs (cfg.user == name) (lib.singleton { 111 users.users = lib.optionalAttrs (cfg.user == name) {
112 inherit name; 112 "${name}" = {
113 inherit uid; 113 inherit uid;
114 group = cfg.group; 114 group = cfg.group;
115 description = "Diaspora user"; 115 description = "Diaspora user";
116 home = cfg.dataDir; 116 home = cfg.dataDir;
117 packages = [ cfg.workdir.gems pkgs.nodejs cfg.workdir.gems.ruby ]; 117 packages = [ cfg.workdir.gems pkgs.nodejs cfg.workdir.gems.ruby ];
118 useDefaultShell = true; 118 useDefaultShell = true;
119 }); 119 };
120 users.groups = lib.optionalAttrs (cfg.group == name) (lib.singleton { 120 };
121 inherit name; 121 users.groups = lib.optionalAttrs (cfg.group == name) {
122 inherit gid; 122 "${name}" = {
123 }); 123 inherit gid;
124 };
125 };
124 126
125 systemd.services.diaspora = { 127 systemd.services.diaspora = {
126 description = "Diaspora"; 128 description = "Diaspora";
diff --git a/modules/webapps/mastodon.nix b/modules/webapps/mastodon.nix
index 68531cf..cd550c0 100644
--- a/modules/webapps/mastodon.nix
+++ b/modules/webapps/mastodon.nix
@@ -96,18 +96,20 @@ in
96 }; 96 };
97 97
98 config = lib.mkIf cfg.enable { 98 config = lib.mkIf cfg.enable {
99 users.users = lib.optionalAttrs (cfg.user == name) (lib.singleton { 99 users.users = lib.optionalAttrs (cfg.user == name) {
100 inherit name; 100 "${name}" = {
101 inherit uid; 101 inherit uid;
102 group = cfg.group; 102 group = cfg.group;
103 description = "Mastodon user"; 103 description = "Mastodon user";
104 home = cfg.dataDir; 104 home = cfg.dataDir;
105 useDefaultShell = true; 105 useDefaultShell = true;
106 }); 106 };
107 users.groups = lib.optionalAttrs (cfg.group == name) (lib.singleton { 107 };
108 inherit name; 108 users.groups = lib.optionalAttrs (cfg.group == name) {
109 inherit gid; 109 "${name}" = {
110 }); 110 inherit gid;
111 };
112 };
111 113
112 systemd.services.mastodon-streaming = { 114 systemd.services.mastodon-streaming = {
113 description = "Mastodon Streaming"; 115 description = "Mastodon Streaming";
diff --git a/modules/webapps/mediagoblin.nix b/modules/webapps/mediagoblin.nix
index 78bbef6..dbc4c2b 100644
--- a/modules/webapps/mediagoblin.nix
+++ b/modules/webapps/mediagoblin.nix
@@ -151,18 +151,20 @@ in
151 }; 151 };
152 152
153 config = lib.mkIf cfg.enable { 153 config = lib.mkIf cfg.enable {
154 users.users = lib.optionalAttrs (cfg.user == name) (lib.singleton { 154 users.users = lib.optionalAttrs (cfg.user == name) {
155 inherit name; 155 "${name}" = {
156 inherit uid; 156 inherit uid;
157 group = cfg.group; 157 group = cfg.group;
158 description = "Mediagoblin user"; 158 description = "Mediagoblin user";
159 home = cfg.dataDir; 159 home = cfg.dataDir;
160 useDefaultShell = true; 160 useDefaultShell = true;
161 }); 161 };
162 users.groups = lib.optionalAttrs (cfg.group == name) (lib.singleton { 162 };
163 inherit name; 163 users.groups = lib.optionalAttrs (cfg.group == name) {
164 inherit gid; 164 "${name}" = {
165 }); 165 inherit gid;
166 };
167 };
166 168
167 systemd.services.mediagoblin-web = { 169 systemd.services.mediagoblin-web = {
168 description = "Mediagoblin service"; 170 description = "Mediagoblin service";
diff --git a/modules/webapps/peertube.nix b/modules/webapps/peertube.nix
index 89dcc67..281ff8b 100644
--- a/modules/webapps/peertube.nix
+++ b/modules/webapps/peertube.nix
@@ -53,18 +53,20 @@ in
53 }; 53 };
54 54
55 config = lib.mkIf cfg.enable { 55 config = lib.mkIf cfg.enable {
56 users.users = lib.optionalAttrs (cfg.user == name) (lib.singleton { 56 users.users = lib.optionalAttrs (cfg.user == name) {
57 inherit name; 57 "${name}" = {
58 inherit uid; 58 inherit uid;
59 group = cfg.group; 59 group = cfg.group;
60 description = "Peertube user"; 60 description = "Peertube user";
61 home = cfg.dataDir; 61 home = cfg.dataDir;
62 useDefaultShell = true; 62 useDefaultShell = true;
63 }); 63 };
64 users.groups = lib.optionalAttrs (cfg.group == name) (lib.singleton { 64 };
65 inherit name; 65 users.groups = lib.optionalAttrs (cfg.group == name) {
66 inherit gid; 66 "${name}" = {
67 }); 67 inherit gid;
68 };
69 };
68 70
69 systemd.services.peertube = { 71 systemd.services.peertube = {
70 description = "Peertube"; 72 description = "Peertube";
diff --git a/modules/websites/httpd-service-builder.nix b/modules/websites/httpd-service-builder.nix
index ec79a90..c5f72f9 100644
--- a/modules/websites/httpd-service-builder.nix
+++ b/modules/websites/httpd-service-builder.nix
@@ -470,7 +470,7 @@ in
470 }; 470 };
471 471
472 virtualHosts = mkOption { 472 virtualHosts = mkOption {
473 type = with types; attrsOf (submodule (import ./vhost-options.nix)); 473 type = with types; attrsOf (submodule (import <nixpkgs/nixos/modules/services/web-servers/apache-httpd/vhost-options.nix>));
474 default = { 474 default = {
475 localhost = { 475 localhost = {
476 documentRoot = "${pkg}/htdocs"; 476 documentRoot = "${pkg}/htdocs";
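Review bot: The `virtualHosts` submodule is now imported from `<nixpkgs/nixos/modules/services/web-servers/apache-httpd/vhost-options.nix>` (new line 473), an angle-bracket path resolved through `NIX_PATH` at evaluation time rather than from the nixpkgs this module is built with, so the option set can silently diverge from the httpd module actually deployed (for example under `nixos-rebuild -I nixpkgs=...`, or on the host whose `nix.nixPath` this commit points at a floating channel). If `pkgs` is in scope here, `"${pkgs.path}/nixos/modules/services/web-servers/apache-httpd/vhost-options.nix"` (or `modulesPath`, when the module receives it) ties the import to the same nixpkgs as the rest of the evaluation and keeps the build from reaching outside the pinned tree. The `mkOption` attribute set this line belongs to starts before the hunk.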
diff --git a/modules/websites/location-options.nix b/modules/websites/location-options.nix
deleted file mode 100644
index 8ea88f9..0000000
--- a/modules/websites/location-options.nix
+++ /dev/null
@@ -1,54 +0,0 @@
1{ config, lib, name, ... }:
2let
3 inherit (lib) mkOption types;
4in
5{
6 options = {
7
8 proxyPass = mkOption {
9 type = with types; nullOr str;
10 default = null;
11 example = "http://www.example.org/";
12 description = ''
13 Sets up a simple reverse proxy as described by <link xlink:href="https://httpd.apache.org/docs/2.4/howto/reverse_proxy.html#simple" />.
14 '';
15 };
16
17 index = mkOption {
18 type = with types; nullOr str;
19 default = null;
20 example = "index.php index.html";
21 description = ''
22 Adds DirectoryIndex directive. See <link xlink:href="https://httpd.apache.org/docs/2.4/mod/mod_dir.html#directoryindex" />.
23 '';
24 };
25
26 alias = mkOption {
27 type = with types; nullOr path;
28 default = null;
29 example = "/your/alias/directory";
30 description = ''
31 Alias directory for requests. See <link xlink:href="https://httpd.apache.org/docs/2.4/mod/mod_alias.html#alias" />.
32 '';
33 };
34
35 extraConfig = mkOption {
36 type = types.lines;
37 default = "";
38 description = ''
39 These lines go to the end of the location verbatim.
40 '';
41 };
42
43 priority = mkOption {
44 type = types.int;
45 default = 1000;
46 description = ''
47 Order of this location block in relation to the others in the vhost.
48 The semantics are the same as with `lib.mkOrder`. Smaller values have
49 a greater priority.
50 '';
51 };
52
53 };
54}
diff --git a/modules/websites/vhost-options.nix b/modules/websites/vhost-options.nix
deleted file mode 100644
index 263980a..0000000
--- a/modules/websites/vhost-options.nix
+++ /dev/null
@@ -1,275 +0,0 @@
1{ config, lib, name, ... }:
2let
3 inherit (lib) literalExample mkOption nameValuePair types;
4in
5{
6 options = {
7
8 hostName = mkOption {
9 type = types.str;
10 default = name;
11 description = "Canonical hostname for the server.";
12 };
13
14 serverAliases = mkOption {
15 type = types.listOf types.str;
16 default = [];
17 example = ["www.example.org" "www.example.org:8080" "example.org"];
18 description = ''
19 Additional names of virtual hosts served by this virtual host configuration.
20 '';
21 };
22
23 listen = mkOption {
24 type = with types; listOf (submodule ({
25 options = {
26 port = mkOption {
27 type = types.port;
28 description = "Port to listen on";
29 };
30 ip = mkOption {
31 type = types.str;
32 default = "*";
33 description = "IP to listen on. 0.0.0.0 for IPv4 only, * for all.";
34 };
35 ssl = mkOption {
36 type = types.bool;
37 default = false;
38 description = "Whether to enable SSL (https) support.";
39 };
40 };
41 }));
42 default = [];
43 example = [
44 { ip = "195.154.1.1"; port = 443; ssl = true;}
45 { ip = "192.154.1.1"; port = 80; }
46 { ip = "*"; port = 8080; }
47 ];
48 description = ''
49 Listen addresses and ports for this virtual host.
50 <note><para>
51 This option overrides <literal>addSSL</literal>, <literal>forceSSL</literal> and <literal>onlySSL</literal>.
52 </para></note>
53 '';
54 };
55
56 enableSSL = mkOption {
57 type = types.bool;
58 visible = false;
59 default = false;
60 };
61
62 addSSL = mkOption {
63 type = types.bool;
64 default = false;
65 description = ''
66 Whether to enable HTTPS in addition to plain HTTP. This will set defaults for
67 <literal>listen</literal> to listen on all interfaces on the respective default
68 ports (80, 443).
69 '';
70 };
71
72 onlySSL = mkOption {
73 type = types.bool;
74 default = false;
75 description = ''
76 Whether to enable HTTPS and reject plain HTTP connections. This will set
77 defaults for <literal>listen</literal> to listen on all interfaces on port 443.
78 '';
79 };
80
81 forceSSL = mkOption {
82 type = types.bool;
83 default = false;
84 description = ''
85 Whether to add a separate nginx server block that permanently redirects (301)
86 all plain HTTP traffic to HTTPS. This will set defaults for
87 <literal>listen</literal> to listen on all interfaces on the respective default
88 ports (80, 443), where the non-SSL listens are used for the redirect vhosts.
89 '';
90 };
91
92 enableACME = mkOption {
93 type = types.bool;
94 default = false;
95 description = ''
96 Whether to ask Let's Encrypt to sign a certificate for this vhost.
97 Alternately, you can use an existing certificate through <option>useACMEHost</option>.
98 '';
99 };
100
101 useACMEHost = mkOption {
102 type = types.nullOr types.str;
103 default = null;
104 description = ''
105 A host of an existing Let's Encrypt certificate to use.
106 This is useful if you have many subdomains and want to avoid hitting the
107 <link xlink:href="https://letsencrypt.org/docs/rate-limits/">rate limit</link>.
108 Alternately, you can generate a certificate through <option>enableACME</option>.
109 <emphasis>Note that this option does not create any certificates, nor it does add subdomains to existing ones – you will need to create them manually using <xref linkend="opt-security.acme.certs"/>.</emphasis>
110 '';
111 };
112
113 acmeRoot = mkOption {
114 type = types.str;
115 default = "/var/lib/acme/acme-challenges";
116 description = "Directory for the acme challenge which is PUBLIC, don't put certs or keys in here";
117 };
118
119 sslServerCert = mkOption {
120 type = types.path;
121 example = "/var/host.cert";
122 description = "Path to server SSL certificate.";
123 };
124
125 sslServerKey = mkOption {
126 type = types.path;
127 example = "/var/host.key";
128 description = "Path to server SSL certificate key.";
129 };
130
131 sslServerChain = mkOption {
132 type = types.nullOr types.path;
133 default = null;
134 example = "/var/ca.pem";
135 description = "Path to server SSL chain file.";
136 };
137
138 http2 = mkOption {
139 type = types.bool;
140 default = false;
141 description = ''
142 Whether to enable HTTP 2. HTTP/2 is supported in all multi-processing modules that come with httpd. <emphasis>However, if you use the prefork mpm, there will
143 be severe restrictions.</emphasis> Refer to <link xlink:href="https://httpd.apache.org/docs/2.4/howto/http2.html#mpm-config"/> for details.
144 '';
145 };
146
147 adminAddr = mkOption {
148 type = types.nullOr types.str;
149 default = null;
150 example = "admin@example.org";
151 description = "E-mail address of the server administrator.";
152 };
153
154 documentRoot = mkOption {
155 type = types.nullOr types.path;
156 default = null;
157 example = "/data/webserver/docs";
158 description = ''
159 The path of Apache's document root directory. If left undefined,
160 an empty directory in the Nix store will be used as root.
161 '';
162 };
163
164 servedDirs = mkOption {
165 type = types.listOf types.attrs;
166 default = [];
167 example = [
168 { urlPath = "/nix";
169 dir = "/home/eelco/Dev/nix-homepage";
170 }
171 ];
172 description = ''
173 This option provides a simple way to serve static directories.
174 '';
175 };
176
177 servedFiles = mkOption {
178 type = types.listOf types.attrs;
179 default = [];
180 example = [
181 { urlPath = "/foo/bar.png";
182 file = "/home/eelco/some-file.png";
183 }
184 ];
185 description = ''
186 This option provides a simple way to serve individual, static files.
187
188 <note><para>
189 This option has been deprecated and will be removed in a future
190 version of NixOS. You can achieve the same result by making use of
191 the <literal>locations.&lt;name&gt;.alias</literal> option.
192 </para></note>
193 '';
194 };
195
196 extraConfig = mkOption {
197 type = types.lines;
198 default = "";
199 example = ''
200 <Directory /home>
201 Options FollowSymlinks
202 AllowOverride All
203 </Directory>
204 '';
205 description = ''
206 These lines go to httpd.conf verbatim. They will go after
207 directories and directory aliases defined by default.
208 '';
209 };
210
211 enableUserDir = mkOption {
212 type = types.bool;
213 default = false;
214 description = ''
215 Whether to enable serving <filename>~/public_html</filename> as
216 <literal>/~<replaceable>username</replaceable></literal>.
217 '';
218 };
219
220 globalRedirect = mkOption {
221 type = types.nullOr types.str;
222 default = null;
223 example = http://newserver.example.org/;
224 description = ''
225 If set, all requests for this host are redirected permanently to
226 the given URL.
227 '';
228 };
229
230 logFormat = mkOption {
231 type = types.str;
232 default = "common";
233 example = "combined";
234 description = ''
235 Log format for Apache's log files. Possible values are: combined, common, referer, agent.
236 '';
237 };
238
239 robotsEntries = mkOption {
240 type = types.lines;
241 default = "";
242 example = "Disallow: /foo/";
243 description = ''
244 Specification of pages to be ignored by web crawlers. See <link
245 xlink:href='http://www.robotstxt.org/'/> for details.
246 '';
247 };
248
249 locations = mkOption {
250 type = with types; attrsOf (submodule (import ./location-options.nix));
251 default = {};
252 example = literalExample ''
253 {
254 "/" = {
255 proxyPass = "http://localhost:3000";
256 };
257 "/foo/bar.png" = {
258 alias = "/home/eelco/some-file.png";
259 };
260 };
261 '';
262 description = ''
263 Declarative location config. See <link
264 xlink:href="https://httpd.apache.org/docs/2.4/mod/core.html#location"/> for details.
265 '';
266 };
267
268 };
269
270 config = {
271
272 locations = builtins.listToAttrs (map (elem: nameValuePair elem.urlPath { alias = elem.file; }) config.servedFiles);
273
274 };
275}