Upgrade to nixos-unstable

author: Ismaël Bouya <ismael.bouya@normalesup.org> 2020-04-05 15:57:20 +0200
committer: Ismaël Bouya <ismael.bouya@normalesup.org> 2020-04-06 00:25:00 +0200
commit: 258dd18bac4bf5dd03cf1098ffa35cb954f9e015 (patch)
tree: 03ca447495573f6745b701096d8b31283ce30466 /modules
parent: e7b890d0999fe54a99f84fe92d625d9d488358dc (diff)
download: Nix-258dd18bac4bf5dd03cf1098ffa35cb954f9e015.tar.gz
Nix-258dd18bac4bf5dd03cf1098ffa35cb954f9e015.tar.zst
Nix-258dd18bac4bf5dd03cf1098ffa35cb954f9e015.zip
19 files changed, 129 insertions, 462 deletions
diff --git a/modules/naemon/default.nix b/modules/naemon/default.nix
index 38e99a9..976de69 100644
--- a/modules/naemon/default.nix
+++ b/modules/naemon/default.nix
@@ -137,18 +137,18 @@ in
      }
    ];
-    users.users = optionalAttrs (cfg.user == "naemon") (singleton
+    users.users = optionalAttrs (cfg.user == "naemon") {
-      {
+      naemon = {
-        name = "naemon";
        group = cfg.group;
        uid   = config.ids.uids.nagios;
        extraGroups = [ "keys" ];
-      });
+      };
-    users.groups = optionalAttrs (cfg.user == "naemon") (singleton
+    };
-      {
+    users.groups = optionalAttrs (cfg.user == "naemon") {
-        name = "naemon";
+      naemon = {
-        gid   = config.ids.gids.nagios;
+        gid = config.ids.gids.nagios;
-      });
+      };
+    };
    services.filesWatcher.naemon = {
      paths = [ config.secrets.fullPaths."naemon/resources.cfg" ];
diff --git a/modules/opendmarc.nix b/modules/opendmarc.nix
index e18ec82..6137d10 100644
--- a/modules/opendmarc.nix
+++ b/modules/opendmarc.nix
@@ -59,16 +59,18 @@ in {
  config = mkIf cfg.enable {
-    users.users = optionalAttrs (cfg.user == "opendmarc") (singleton
+    users.users = optionalAttrs (cfg.user == "opendmarc") {
-      { name = "opendmarc";
+      opendmarc = {
        group = cfg.group;
        uid = config.ids.uids.opendmarc;
-      });
+      };
+    };
-    users.groups = optionalAttrs (cfg.group == "opendmarc") (singleton
+    users.groups = optionalAttrs (cfg.group == "opendmarc") {
-      { name = "opendmarc";
+      opendmarc = {
        gid = config.ids.gids.opendmarc;
-      });
+      };
+    };
    environment.systemPackages = [ pkgs.opendmarc ];
diff --git a/modules/private/certificates.nix b/modules/private/certificates.nix
index 2bf2730..82ff52f 100644
--- a/modules/private/certificates.nix
+++ b/modules/private/certificates.nix
@@ -12,7 +12,6 @@
          (lib.optionalString config.services.httpd.Inte.enable "systemctl reload httpdInte.service")
          (lib.optionalString config.services.nginx.enable "systemctl reload nginx.service")
        ];
-        plugins = [ "cert.pem" "chain.pem" "fullchain.pem" "full.pem" "key.pem" "account_key.json" "account_reg.json"];
      };
      description = "Default configuration for certificates";
    };
@@ -30,6 +29,7 @@
    myServices.databasesCerts = config.myServices.certificates.certConfig;
    myServices.ircCerts = config.myServices.certificates.certConfig;
+    security.acme.acceptTerms = true;
    security.acme.preliminarySelfsigned = true;
    security.acme.certs = {
@@ -39,18 +39,16 @@
    };
    systemd.services = lib.attrsets.mapAttrs' (k: v:
-      lib.attrsets.nameValuePair "acme-selfsigned-${k}" (lib.mkBefore { script =
+      lib.attrsets.nameValuePair "acme-selfsigned-${k}" { script = lib.mkBefore ''
-        (lib.optionalString (builtins.elem "cert.pem" v.plugins) ''
        cp $workdir/server.crt ${config.security.acme.certs."${k}".directory}/cert.pem
        chown '${v.user}:${v.group}' ${config.security.acme.certs."${k}".directory}/cert.pem
        chmod ${if v.allowKeysForGroup then "750" else "700"} ${config.security.acme.certs."${k}".directory}/cert.pem
-        '') +
-        (lib.optionalString (builtins.elem "chain.pem" v.plugins) ''
        cp $workdir/ca.crt ${config.security.acme.certs."${k}".directory}/chain.pem
        chown '${v.user}:${v.group}' ${config.security.acme.certs."${k}".directory}/chain.pem
        chmod ${if v.allowKeysForGroup then "750" else "700"} ${config.security.acme.certs."${k}".directory}/chain.pem
-        '')
+        '';
-      ; })
+      }
    ) config.security.acme.certs //
    lib.attrsets.mapAttrs' (k: data:
      lib.attrsets.nameValuePair "acme-${k}" {
diff --git a/modules/private/databases/mariadb.nix b/modules/private/databases/mariadb.nix
index 04e4bd6..36edaeb 100644
--- a/modules/private/databases/mariadb.nix
+++ b/modules/private/databases/mariadb.nix
@@ -94,26 +94,27 @@ in {
      enable = true;
      package = cfg.package;
      dataDir = cfg.dataDir;
-      extraOptions = ''
+      settings = {
-        ssl_ca = ${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt
+        mysqld = {
-        ssl_key = ${config.security.acme.certs.mysql.directory}/key.pem
+          ssl_ca = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
-        ssl_cert = ${config.security.acme.certs.mysql.directory}/fullchain.pem
+          ssl_key = "${config.security.acme.certs.mysql.directory}/key.pem";
+          ssl_cert = "${config.security.acme.certs.mysql.directory}/fullchain.pem";
-        # for replication
+          # for replication
-        log-bin=mariadb-bin
+          log-bin = "mariadb-bin";
-        server-id=1
+          server-id = "1";
-        # this introduces a small delay before storing on disk, but
+          # this introduces a small delay before storing on disk, but
-        # makes it order of magnitudes quicker
+          # makes it order of magnitudes quicker
-        innodb_flush_log_at_trx_commit = 0
+          innodb_flush_log_at_trx_commit = "0";
-        '';
+        };
+      };
    };
    users.users.mysql.extraGroups = [ "keys" ];
    security.acme.certs."mysql" = config.myServices.databasesCerts // {
      user = "mysql";
      group = "mysql";
-      plugins = [ "fullchain.pem" "key.pem" "account_key.json" "account_reg.json" ];
      domain = "db-1.immae.eu";
      postRun = ''
        systemctl restart mysql.service
@@ -164,23 +165,21 @@ in {
    security.pam.services = let
      pam_ldap = "${pkgs.pam_ldap}/lib/security/pam_ldap.so";
-    in [
+    in {
-      {
+      mysql = {
-        name = "mysql";
        text = ''
          # https://mariadb.com/kb/en/mariadb/pam-authentication-plugin/
          auth    required ${pam_ldap} config=${config.secrets.location}/mysql/pam
          account required ${pam_ldap} config=${config.secrets.location}/mysql/pam
          '';
-      }
+      };
-      {
+      mysql_replication = {
-        name = "mysql_replication";
        text = ''
          auth    required ${pam_ldap} config=${config.secrets.location}/mysql/pam_replication
          account required ${pam_ldap} config=${config.secrets.location}/mysql/pam_replication
          '';
-      }
+      };
-    ];
+    };
  };
 }
diff --git a/modules/private/databases/openldap/default.nix b/modules/private/databases/openldap/default.nix
index efe9379..302aa04 100644
--- a/modules/private/databases/openldap/default.nix
+++ b/modules/private/databases/openldap/default.nix
@@ -107,7 +107,6 @@ in
    security.acme.certs."ldap" = config.myServices.databasesCerts // {
      user = "openldap";
      group = "openldap";
-      plugins = [ "fullchain.pem" "key.pem" "cert.pem" "account_key.json" "account_reg.json" ];
      domain = "ldap.immae.eu";
      postRun = ''
        systemctl restart openldap.service
diff --git a/modules/private/databases/postgresql.nix b/modules/private/databases/postgresql.nix
index d0b1a75..c442a63 100644
--- a/modules/private/databases/postgresql.nix
+++ b/modules/private/databases/postgresql.nix
@@ -100,7 +100,6 @@ in {
    security.acme.certs."postgresql" = config.myServices.databasesCerts // {
      user = "postgres";
      group = "postgres";
-      plugins = [ "fullchain.pem" "key.pem" "account_key.json" "account_reg.json" ];
      domain = "db-1.immae.eu";
      postRun = ''
        systemctl reload postgresql.service
@@ -212,22 +211,20 @@ in {
    security.pam.services = let
      pam_ldap = "${pkgs.pam_ldap}/lib/security/pam_ldap.so";
-    in [
+    in {
-      {
+      postgresql = {
-        name = "postgresql";
        text = ''
          auth    required ${pam_ldap} config=${config.secrets.location}/postgresql/pam
          account required ${pam_ldap} config=${config.secrets.location}/postgresql/pam
          '';
-      }
+      };
-      {
+      postgresql_replication = {
-        name = "postgresql_replication";
        text = ''
          auth    required ${pam_ldap} config=${config.secrets.location}/postgresql/pam_replication
          account required ${pam_ldap} config=${config.secrets.location}/postgresql/pam_replication
          '';
-      }
+      };
-    ];
+    };
  };
 }
diff --git a/modules/private/ftp.nix b/modules/private/ftp.nix
index 417af87..8ae4e65 100644
--- a/modules/private/ftp.nix
+++ b/modules/private/ftp.nix
@@ -32,16 +32,13 @@ in
      };
    };
-    users.users = [
+    users.users.ftp = {
-      {
+      uid = config.ids.uids.ftp; # 8
-        name = "ftp";
+      group = "ftp";
-        uid = config.ids.uids.ftp; # 8
+      description = "Anonymous FTP user";
-        group = "ftp";
+      home = "/homeless-shelter";
-        description = "Anonymous FTP user";
+      extraGroups = [ "keys" ];
-        home = "/homeless-shelter";
+    };
-        extraGroups = [ "keys" ];
-      }
-    ];
    users.groups.ftp.gid = config.ids.gids.ftp;
diff --git a/modules/private/monitoring/status.nix b/modules/private/monitoring/status.nix
index d25d934..7810a1f 100644
--- a/modules/private/monitoring/status.nix
+++ b/modules/private/monitoring/status.nix
@@ -34,7 +34,11 @@
        locations."/".proxyPass = "http://unix:/run/naemon-status/socket.sock:/";
      };
    };
-    security.acme.certs."${name}".extraDomains."status.immae.eu" = null;
+    security.acme.certs."${name}" = {
+      extraDomains."status.immae.eu" = null;
+      user = config.services.nginx.user;
+      group = config.services.nginx.group;
+    };
    myServices.certificates.enable = true;
    networking.firewall.allowedTCPPorts = [ 80 443 ];
diff --git a/modules/private/system.nix b/modules/private/system.nix
index 64fc2d9..70b74d0 100644
--- a/modules/private/system.nix
+++ b/modules/private/system.nix
@@ -65,21 +65,10 @@
    users.mutableUsers = false;
    environment.etc.cnagios.source = "${pkgs.cnagios}/share/doc/cnagios";
-    environment.systemPackages =
+    environment.systemPackages = [
-      let
+      pkgs.git
-        home-manager = builtins.fetchGit {
+      pkgs.vim
-          url = "https://github.com/rycee/home-manager.git";
+    ] ++
-          rev = "ef64bc598f28818d56c86629dad98b468af9c071";
+    (lib.optional (builtins.length (config.hostEnv.users pkgs) > 0) pkgs.home-manager);
-          ref = "release-19.03";
-        };
-      in
-      [
-        pkgs.git
-        pkgs.vim
-      ] ++
-      (lib.optional
-        (builtins.length (config.hostEnv.users pkgs) > 0)
-        ((pkgs.callPackage home-manager {}).home-manager)
-      );
  };
 }
diff --git a/modules/private/system/backup-2.nix b/modules/private/system/backup-2.nix
index 4e24c12..6829f1b 100644
--- a/modules/private/system/backup-2.nix
+++ b/modules/private/system/backup-2.nix
@@ -1,5 +1,5 @@
 { privateFiles }:
-{ config, pkgs, resources, ... }:
+{ config, pkgs, resources, name, ... }:
 {
  boot.kernelPackages = pkgs.linuxPackages_latest;
  myEnv = import "${privateFiles}/environment.nix" // { inherit privateFiles; };
@@ -35,6 +35,10 @@
  };
  myServices.certificates.enable = true;
+  security.acme.certs."${name}" = {
+    user = config.services.nginx.user;
+    group = config.services.nginx.group;
+  };
  services.nginx = {
    enable = true;
    recommendedOptimisation = true;
diff --git a/modules/private/system/dilion.nix b/modules/private/system/dilion.nix
index 788c2dc..911c76d 100644
--- a/modules/private/system/dilion.nix
+++ b/modules/private/system/dilion.nix
@@ -101,8 +101,8 @@
  # This is equivalent to setting environment.sessionVariables.NIX_PATH
  nix.nixPath = [
-    "home-manager=https://github.com/rycee/home-manager/archive/release-19.03.tar.gz"
+    "home-manager=https://github.com/rycee/home-manager/archive/master.tar.gz"
-    "nixpkgs=https://nixos.org/channels/nixos-19.03/nixexprs.tar.xz"
+    "nixpkgs=https://nixos.org/channels/nixos-unstable/nixexprs.tar.xz"
  ];
  nix.binaryCaches = [ "https://hydra.iohk.io" "https://cache.nixos.org" ];
  nix.binaryCachePublicKeys = [ "hydra.iohk.io:f/Ea+s+dFdN+3Y/G+FDgSq+a5NEWhJGzdjvKNGv0/EQ=" ];
diff --git a/modules/private/tasks/default.nix b/modules/private/tasks/default.nix
index 42cc8d2..43d40d6 100644
--- a/modules/private/tasks/default.nix
+++ b/modules/private/tasks/default.nix
@@ -197,7 +197,6 @@ in {
    security.acme.certs."task" = config.myServices.certificates.certConfig // {
      inherit user group;
-      plugins = [ "fullchain.pem" "key.pem" "cert.pem" "account_key.json" "account_reg.json" ];
      domain = fqdn;
      postRun = ''
        systemctl restart taskserver.service
diff --git a/modules/webapps/diaspora.nix b/modules/webapps/diaspora.nix
index 65599b7..d9e9989 100644
--- a/modules/webapps/diaspora.nix
+++ b/modules/webapps/diaspora.nix
@@ -108,19 +108,21 @@ in
  };
  config = lib.mkIf cfg.enable {
-    users.users = lib.optionalAttrs (cfg.user == name) (lib.singleton {
+    users.users = lib.optionalAttrs (cfg.user == name) {
-      inherit name;
+      "${name}" = {
-      inherit uid;
+        inherit uid;
-      group = cfg.group;
+        group = cfg.group;
-      description = "Diaspora user";
+        description = "Diaspora user";
-      home = cfg.dataDir;
+        home = cfg.dataDir;
-      packages = [ cfg.workdir.gems pkgs.nodejs cfg.workdir.gems.ruby ];
+        packages = [ cfg.workdir.gems pkgs.nodejs cfg.workdir.gems.ruby ];
-      useDefaultShell = true;
+        useDefaultShell = true;
-    });
+      };
-    users.groups = lib.optionalAttrs (cfg.group == name) (lib.singleton {
+    };
-      inherit name;
+    users.groups = lib.optionalAttrs (cfg.group == name) {
-      inherit gid;
+      "${name}" = {
-    });
+        inherit gid;
+      };
+    };
    systemd.services.diaspora = {
      description = "Diaspora";
diff --git a/modules/webapps/mastodon.nix b/modules/webapps/mastodon.nix
index 68531cf..cd550c0 100644
--- a/modules/webapps/mastodon.nix
+++ b/modules/webapps/mastodon.nix
@@ -96,18 +96,20 @@ in
  };
  config = lib.mkIf cfg.enable {
-    users.users = lib.optionalAttrs (cfg.user == name) (lib.singleton {
+    users.users = lib.optionalAttrs (cfg.user == name) {
-      inherit name;
+      "${name}" = {
-      inherit uid;
+        inherit uid;
-      group = cfg.group;
+        group = cfg.group;
-      description = "Mastodon user";
+        description = "Mastodon user";
-      home = cfg.dataDir;
+        home = cfg.dataDir;
-      useDefaultShell = true;
+        useDefaultShell = true;
-    });
+      };
-    users.groups = lib.optionalAttrs (cfg.group == name) (lib.singleton {
+    };
-      inherit name;
+    users.groups = lib.optionalAttrs (cfg.group == name) {
-      inherit gid;
+      "${name}" = {
-    });
+        inherit gid;
+      };
+    };
    systemd.services.mastodon-streaming = {
      description = "Mastodon Streaming";
diff --git a/modules/webapps/mediagoblin.nix b/modules/webapps/mediagoblin.nix
index 78bbef6..dbc4c2b 100644
--- a/modules/webapps/mediagoblin.nix
+++ b/modules/webapps/mediagoblin.nix
@@ -151,18 +151,20 @@ in
  };
  config = lib.mkIf cfg.enable {
-    users.users = lib.optionalAttrs (cfg.user == name) (lib.singleton {
+    users.users = lib.optionalAttrs (cfg.user == name) {
-      inherit name;
+      "${name}" = {
-      inherit uid;
+        inherit uid;
-      group = cfg.group;
+        group = cfg.group;
-      description = "Mediagoblin user";
+        description = "Mediagoblin user";
-      home = cfg.dataDir;
+        home = cfg.dataDir;
-      useDefaultShell = true;
+        useDefaultShell = true;
-    });
+      };
-    users.groups = lib.optionalAttrs (cfg.group == name) (lib.singleton {
+    };
-      inherit name;
+    users.groups = lib.optionalAttrs (cfg.group == name) {
-      inherit gid;
+      "${name}" = {
-    });
+        inherit gid;
+      };
+    };
    systemd.services.mediagoblin-web = {
      description = "Mediagoblin service";
diff --git a/modules/webapps/peertube.nix b/modules/webapps/peertube.nix
index 89dcc67..281ff8b 100644
--- a/modules/webapps/peertube.nix
+++ b/modules/webapps/peertube.nix
@@ -53,18 +53,20 @@ in
  };
  config = lib.mkIf cfg.enable {
-    users.users = lib.optionalAttrs (cfg.user == name) (lib.singleton {
+    users.users = lib.optionalAttrs (cfg.user == name) {
-      inherit name;
+      "${name}" = {
-      inherit uid;
+        inherit uid;
-      group = cfg.group;
+        group = cfg.group;
-      description = "Peertube user";
+        description = "Peertube user";
-      home = cfg.dataDir;
+        home = cfg.dataDir;
-      useDefaultShell = true;
+        useDefaultShell = true;
-    });
+      };
-    users.groups = lib.optionalAttrs (cfg.group == name) (lib.singleton {
+    };
-      inherit name;
+    users.groups = lib.optionalAttrs (cfg.group == name) {
-      inherit gid;
+      "${name}" = {
-    });
+        inherit gid;
+      };
+    };
    systemd.services.peertube = {
      description = "Peertube";
diff --git a/modules/websites/httpd-service-builder.nix b/modules/websites/httpd-service-builder.nix
index ec79a90..c5f72f9 100644
--- a/modules/websites/httpd-service-builder.nix
+++ b/modules/websites/httpd-service-builder.nix
@@ -470,7 +470,7 @@ in
      };
      virtualHosts = mkOption {
-        type = with types; attrsOf (submodule (import ./vhost-options.nix));
+        type = with types; attrsOf (submodule (import <nixpkgs/nixos/modules/services/web-servers/apache-httpd/vhost-options.nix>));
        default = {
          localhost = {
            documentRoot = "${pkg}/htdocs";
diff --git a/modules/websites/location-options.nix b/modules/websites/location-options.nix
deleted file mode 100644
index 8ea88f9..0000000
--- a/modules/websites/location-options.nix
+++ /dev/null
@@ -1,54 +0,0 @@
-{ config, lib, name, ... }:
-let
-  inherit (lib) mkOption types;
-in
-{
-  options = {
-    proxyPass = mkOption {
-      type = with types; nullOr str;
-      default = null;
-      example = "http://www.example.org/";
-      description = ''
-        Sets up a simple reverse proxy as described by <link xlink:href="https://httpd.apache.org/docs/2.4/howto/reverse_proxy.html#simple" />.
-      '';
-    };
-    index = mkOption {
-      type = with types; nullOr str;
-      default = null;
-      example = "index.php index.html";
-      description = ''
-        Adds DirectoryIndex directive. See <link xlink:href="https://httpd.apache.org/docs/2.4/mod/mod_dir.html#directoryindex" />.
-      '';
-    };
-    alias = mkOption {
-      type = with types; nullOr path;
-      default = null;
-      example = "/your/alias/directory";
-      description = ''
-        Alias directory for requests. See <link xlink:href="https://httpd.apache.org/docs/2.4/mod/mod_alias.html#alias" />.
-      '';
-    };
-    extraConfig = mkOption {
-      type = types.lines;
-      default = "";
-      description = ''
-        These lines go to the end of the location verbatim.
-      '';
-    };
-    priority = mkOption {
-      type = types.int;
-      default = 1000;
-      description = ''
-        Order of this location block in relation to the others in the vhost.
-        The semantics are the same as with `lib.mkOrder`. Smaller values have
-        a greater priority.
-      '';
-    };
-  };
-}
diff --git a/modules/websites/vhost-options.nix b/modules/websites/vhost-options.nix
deleted file mode 100644
index 263980a..0000000
--- a/modules/websites/vhost-options.nix
+++ /dev/null
@@ -1,275 +0,0 @@
-{ config, lib, name, ... }:
-let
-  inherit (lib) literalExample mkOption nameValuePair types;
-in
-{
-  options = {
-    hostName = mkOption {
-      type = types.str;
-      default = name;
-      description = "Canonical hostname for the server.";
-    };
-    serverAliases = mkOption {
-      type = types.listOf types.str;
-      default = [];
-      example = ["www.example.org" "www.example.org:8080" "example.org"];
-      description = ''
-        Additional names of virtual hosts served by this virtual host configuration.
-      '';
-    };
-    listen = mkOption {
-      type = with types; listOf (submodule ({
-        options = {
-          port = mkOption {
-            type = types.port;
-            description = "Port to listen on";
-          };
-          ip = mkOption {
-            type = types.str;
-            default = "*";
-            description = "IP to listen on. 0.0.0.0 for IPv4 only, * for all.";
-          };
-          ssl = mkOption {
-            type = types.bool;
-            default = false;
-            description = "Whether to enable SSL (https) support.";
-          };
-        };
-      }));
-      default = [];
-      example = [
-        { ip = "195.154.1.1"; port = 443; ssl = true;}
-        { ip = "192.154.1.1"; port = 80; }
-        { ip = "*"; port = 8080; }
-      ];
-      description = ''
-        Listen addresses and ports for this virtual host.
-        <note><para>
-          This option overrides <literal>addSSL</literal>, <literal>forceSSL</literal> and <literal>onlySSL</literal>.
-        </para></note>
-      '';
-    };
-    enableSSL = mkOption {
-      type = types.bool;
-      visible = false;
-      default = false;
-    };
-    addSSL = mkOption {
-      type = types.bool;
-      default = false;
-      description = ''
-        Whether to enable HTTPS in addition to plain HTTP. This will set defaults for
-        <literal>listen</literal> to listen on all interfaces on the respective default
-        ports (80, 443).
-      '';
-    };
-    onlySSL = mkOption {
-      type = types.bool;
-      default = false;
-      description = ''
-        Whether to enable HTTPS and reject plain HTTP connections. This will set
-        defaults for <literal>listen</literal> to listen on all interfaces on port 443.
-      '';
-    };
-    forceSSL = mkOption {
-      type = types.bool;
-      default = false;
-      description = ''
-        Whether to add a separate nginx server block that permanently redirects (301)
-        all plain HTTP traffic to HTTPS. This will set defaults for
-        <literal>listen</literal> to listen on all interfaces on the respective default
-        ports (80, 443), where the non-SSL listens are used for the redirect vhosts.
-      '';
-    };
-    enableACME = mkOption {
-      type = types.bool;
-      default = false;
-      description = ''
-        Whether to ask Let's Encrypt to sign a certificate for this vhost.
-        Alternately, you can use an existing certificate through <option>useACMEHost</option>.
-      '';
-    };
-    useACMEHost = mkOption {
-      type = types.nullOr types.str;
-      default = null;
-      description = ''
-        A host of an existing Let's Encrypt certificate to use.
-        This is useful if you have many subdomains and want to avoid hitting the
-        <link xlink:href="https://letsencrypt.org/docs/rate-limits/">rate limit</link>.
-        Alternately, you can generate a certificate through <option>enableACME</option>.
-        <emphasis>Note that this option does not create any certificates, nor it does add subdomains to existing ones – you will need to create them manually using  <xref linkend="opt-security.acme.certs"/>.</emphasis>
-      '';
-    };
-    acmeRoot = mkOption {
-      type = types.str;
-      default = "/var/lib/acme/acme-challenges";
-      description = "Directory for the acme challenge which is PUBLIC, don't put certs or keys in here";
-    };
-    sslServerCert = mkOption {
-      type = types.path;
-      example = "/var/host.cert";
-      description = "Path to server SSL certificate.";
-    };
-    sslServerKey = mkOption {
-      type = types.path;
-      example = "/var/host.key";
-      description = "Path to server SSL certificate key.";
-    };
-    sslServerChain = mkOption {
-      type = types.nullOr types.path;
-      default = null;
-      example = "/var/ca.pem";
-      description = "Path to server SSL chain file.";
-    };
-    http2 = mkOption {
-      type = types.bool;
-      default = false;
-      description = ''
-        Whether to enable HTTP 2. HTTP/2 is supported in all multi-processing modules that come with httpd. <emphasis>However, if you use the prefork mpm, there will
-        be severe restrictions.</emphasis> Refer to <link xlink:href="https://httpd.apache.org/docs/2.4/howto/http2.html#mpm-config"/> for details.
-      '';
-    };
-    adminAddr = mkOption {
-      type = types.nullOr types.str;
-      default = null;
-      example = "admin@example.org";
-      description = "E-mail address of the server administrator.";
-    };
-    documentRoot = mkOption {
-      type = types.nullOr types.path;
-      default = null;
-      example = "/data/webserver/docs";
-      description = ''
-        The path of Apache's document root directory.  If left undefined,
-        an empty directory in the Nix store will be used as root.
-      '';
-    };
-    servedDirs = mkOption {
-      type = types.listOf types.attrs;
-      default = [];
-      example = [
-        { urlPath = "/nix";
-          dir = "/home/eelco/Dev/nix-homepage";
-        }
-      ];
-      description = ''
-        This option provides a simple way to serve static directories.
-      '';
-    };
-    servedFiles = mkOption {
-      type = types.listOf types.attrs;
-      default = [];
-      example = [
-        { urlPath = "/foo/bar.png";
-          file = "/home/eelco/some-file.png";
-        }
-      ];
-      description = ''
-        This option provides a simple way to serve individual, static files.
-        <note><para>
-          This option has been deprecated and will be removed in a future
-          version of NixOS. You can achieve the same result by making use of
-          the <literal>locations.&lt;name&gt;.alias</literal> option.
-        </para></note>
-      '';
-    };
-    extraConfig = mkOption {
-      type = types.lines;
-      default = "";
-      example = ''
-        <Directory /home>
-          Options FollowSymlinks
-          AllowOverride All
-        </Directory>
-      '';
-      description = ''
-        These lines go to httpd.conf verbatim. They will go after
-        directories and directory aliases defined by default.
-      '';
-    };
-    enableUserDir = mkOption {
-      type = types.bool;
-      default = false;
-      description = ''
-        Whether to enable serving <filename>~/public_html</filename> as
-        <literal>/~<replaceable>username</replaceable></literal>.
-      '';
-    };
-    globalRedirect = mkOption {
-      type = types.nullOr types.str;
-      default = null;
-      example = http://newserver.example.org/;
-      description = ''
-        If set, all requests for this host are redirected permanently to
-        the given URL.
-      '';
-    };
-    logFormat = mkOption {
-      type = types.str;
-      default = "common";
-      example = "combined";
-      description = ''
-        Log format for Apache's log files. Possible values are: combined, common, referer, agent.
-      '';
-    };
-    robotsEntries = mkOption {
-      type = types.lines;
-      default = "";
-      example = "Disallow: /foo/";
-      description = ''
-        Specification of pages to be ignored by web crawlers. See <link
-        xlink:href='http://www.robotstxt.org/'/> for details.
-      '';
-    };
-    locations = mkOption {
-      type = with types; attrsOf (submodule (import ./location-options.nix));
-      default = {};
-      example = literalExample ''
-        {
-          "/" = {
-            proxyPass = "http://localhost:3000";
-          };
-          "/foo/bar.png" = {
-            alias = "/home/eelco/some-file.png";
-          };
-        };
-      '';
-      description = ''
-        Declarative location config. See <link
-        xlink:href="https://httpd.apache.org/docs/2.4/mod/core.html#location"/> for details.
-      '';
-    };
-  };
-  config = {
-    locations = builtins.listToAttrs (map (elem: nameValuePair elem.urlPath { alias = elem.file; }) config.servedFiles);
-  };
-}
author	Ismaël Bouya <ismael.bouya@normalesup.org>	2020-04-05 15:57:20 +0200
committer	Ismaël Bouya <ismael.bouya@normalesup.org>	2020-04-06 00:25:00 +0200
commit	258dd18bac4bf5dd03cf1098ffa35cb954f9e015 (patch)
tree	03ca447495573f6745b701096d8b31283ce30466 /modules
parent	e7b890d0999fe54a99f84fe92d625d9d488358dc (diff)
download	Nix-258dd18bac4bf5dd03cf1098ffa35cb954f9e015.tar.gz Nix-258dd18bac4bf5dd03cf1098ffa35cb954f9e015.tar.zst Nix-258dd18bac4bf5dd03cf1098ffa35cb954f9e015.zip