1 files changed, 148 insertions, 0 deletions
diff --git a/modules/websites/default.nix b/modules/websites/default.nix
new file mode 100644
index 0000000..6a18c8a
--- /dev/null
+++ b/modules/websites/default.nix
@@ -0,0 +1,148 @@
+{ lib, config, ... }: with lib;
+let
+  cfg = config.services.websites;
+in
+{
+  options.services.websites = with types; mkOption {
+    default = {};
+    description = "Each type of website to enable will target a distinct httpd server";
+    type = attrsOf (submodule {
+      options = {
+        enable = mkEnableOption "Enable websites of this type";
+        adminAddr = mkOption {
+          type = str;
+          description = "Admin e-mail address of the instance";
+        };
+        httpdName = mkOption {
+          type = str;
+          description = "Name of the httpd instance to assign this type to";
+        };
+        ips = mkOption {
+          type = listOf string;
+          default = [];
+          description = "ips to listen to";
+        };
+        modules = mkOption {
+          type = listOf str;
+          default = [];
+          description = "Additional modules to load in Apache";
+        };
+        extraConfig = mkOption {
+          type = listOf lines;
+          default = [];
+          description = "Additional configuration to append to Apache";
+        };
+        nosslVhost = mkOption {
+          description = "A default nossl vhost for captive portals";
+          default = {};
+          type = submodule {
+            options = {
+              enable = mkEnableOption "Add default no-ssl vhost for this instance";
+              host = mkOption {
+                type = string;
+                description = "The hostname to use for this vhost";
+              };
+              root = mkOption {
+                type = path;
+                default = ./nosslVhost;
+                description = "The root folder to serve";
+              };
+              indexFile = mkOption {
+                type = string;
+                default = "index.html";
+                description = "The index file to show.";
+              };
+            };
+          };
+        };
+        fallbackVhost = mkOption {
+          description = "The fallback vhost that will be defined as first vhost in Apache";
+          type = submodule {
+            options = {
+              certName = mkOption { type = string; };
+              hosts    = mkOption { type = listOf string; };
+              root     = mkOption { type = nullOr path; };
+              extraConfig = mkOption { type = listOf lines; default = []; };
+            };
+          };
+        };
+        vhostConfs = mkOption {
+          default = {};
+          description = "List of vhosts to define for Apache";
+          type = attrsOf (submodule {
+            options = {
+              certName = mkOption { type = string; };
+              hosts    = mkOption { type = listOf string; };
+              root     = mkOption { type = nullOr path; };
+              extraConfig = mkOption { type = listOf lines; default = []; };
+            };
+          });
+        };
+      };
+    });
+  };
+  config.services.httpd = let
+    redirectVhost = ips: { # Should go last, catchall http -> https redirect
+      listen = map (ip: { inherit ip; port = 80; }) ips;
+      hostName = "redirectSSL";
+      serverAliases = [ "*" ];
+      enableSSL = false;
+      logFormat = "combinedVhost";
+      documentRoot = "/var/lib/acme/acme-challenge";
+      extraConfig = ''
+        RewriteEngine on
+        RewriteCond "%{REQUEST_URI}"   "!^/\.well-known"
+        RewriteRule ^(.+)              https://%{HTTP_HOST}$1  [R=301]
+        # To redirect in specific "VirtualHost *:80", do
+        #   RedirectMatch 301 ^/((?!\.well-known.*$).*)$ https://host/$1
+        # rather than rewrite
+      '';
+    };
+    nosslVhost = ips: cfg: {
+      listen = map (ip: { inherit ip; port = 80; }) ips;
+      hostName = cfg.host;
+      enableSSL = false;
+      logFormat = "combinedVhost";
+      documentRoot = cfg.root;
+      extraConfig = ''
+        <Directory ${cfg.root}>
+          DirectoryIndex ${cfg.indexFile}
+          AllowOverride None
+          Require all granted
+          RewriteEngine on
+          RewriteRule ^/(.+)   /   [L]
+        </Directory>
+        '';
+    };
+    toVhost = ips: vhostConf: {
+      enableSSL = true;
+      sslServerCert = "/var/lib/acme/${vhostConf.certName}/cert.pem";
+      sslServerKey = "/var/lib/acme/${vhostConf.certName}/key.pem";
+      sslServerChain = "/var/lib/acme/${vhostConf.certName}/chain.pem";
+      logFormat = "combinedVhost";
+      listen = map (ip: { inherit ip; port = 443; }) ips;
+      hostName = builtins.head vhostConf.hosts;
+      serverAliases = builtins.tail vhostConf.hosts or [];
+      documentRoot = vhostConf.root;
+      extraConfig = builtins.concatStringsSep "\n" vhostConf.extraConfig;
+    };
+  in attrsets.mapAttrs' (name: icfg: attrsets.nameValuePair
+    icfg.httpdName (mkIf icfg.enable {
+      enable = true;
+      listen = map (ip: { inherit ip; port = 443; }) icfg.ips;
+      stateDir = "/run/httpd_${name}";
+      logPerVirtualHost = true;
+      multiProcessingModule = "worker";
+      inherit (icfg) adminAddr;
+      logFormat = "combinedVhost";
+      extraModules = lists.unique icfg.modules;
+      extraConfig = builtins.concatStringsSep "\n" icfg.extraConfig;
+      virtualHosts = [ (toVhost icfg.ips icfg.fallbackVhost) ]
+        ++ optionals (icfg.nosslVhost.enable) [ (nosslVhost icfg.ips icfg.nosslVhost) ]
+        ++ (attrsets.mapAttrsToList (n: v: toVhost icfg.ips v) icfg.vhostConfs)
+        ++ [ (redirectVhost icfg.ips) ];
+    })
+  ) cfg;
+}

diff --git a/modules/websites/default.nix b/modules/websites/default.nix new file mode 100644 index 0000000..6a18c8a --- /dev/null +++ b/modules/websites/default.nix
@@ -0,0 +1,148 @@
	1	{ lib, config, ... }: with lib;
	2	let
	3	cfg = config.services.websites;
	4	in
	5	{
	6	options.services.websites = with types; mkOption {
	7	default = {};
	8	description = "Each type of website to enable will target a distinct httpd server";
	9	type = attrsOf (submodule {
	10	options = {
	11	enable = mkEnableOption "Enable websites of this type";
	12	adminAddr = mkOption {
	13	type = str;
	14	description = "Admin e-mail address of the instance";
	15	};
	16	httpdName = mkOption {
	17	type = str;
	18	description = "Name of the httpd instance to assign this type to";
	19	};
	20	ips = mkOption {
	21	type = listOf string;
	22	default = [];
	23	description = "ips to listen to";
	24	};
	25	modules = mkOption {
	26	type = listOf str;
	27	default = [];
	28	description = "Additional modules to load in Apache";
	29	};
	30	extraConfig = mkOption {
	31	type = listOf lines;
	32	default = [];
	33	description = "Additional configuration to append to Apache";
	34	};
	35	nosslVhost = mkOption {
	36	description = "A default nossl vhost for captive portals";
	37	default = {};
	38	type = submodule {
	39	options = {
	40	enable = mkEnableOption "Add default no-ssl vhost for this instance";
	41	host = mkOption {
	42	type = string;
	43	description = "The hostname to use for this vhost";
	44	};
	45	root = mkOption {
	46	type = path;
	47	default = ./nosslVhost;
	48	description = "The root folder to serve";
	49	};
	50	indexFile = mkOption {
	51	type = string;
	52	default = "index.html";
	53	description = "The index file to show.";
	54	};
	55	};
	56	};
	57	};
	58	fallbackVhost = mkOption {
	59	description = "The fallback vhost that will be defined as first vhost in Apache";
	60	type = submodule {
	61	options = {
	62	certName = mkOption { type = string; };
	63	hosts = mkOption { type = listOf string; };
	64	root = mkOption { type = nullOr path; };
	65	extraConfig = mkOption { type = listOf lines; default = []; };
	66	};
	67	};
	68	};
	69	vhostConfs = mkOption {
	70	default = {};
	71	description = "List of vhosts to define for Apache";
	72	type = attrsOf (submodule {
	73	options = {
	74	certName = mkOption { type = string; };
	75	hosts = mkOption { type = listOf string; };
	76	root = mkOption { type = nullOr path; };
	77	extraConfig = mkOption { type = listOf lines; default = []; };
	78	};
	79	});
	80	};
	81	};
	82	});
	83	};
	84
	85	config.services.httpd = let
	86	redirectVhost = ips: { # Should go last, catchall http -> https redirect
	87	listen = map (ip: { inherit ip; port = 80; }) ips;
	88	hostName = "redirectSSL";
	89	serverAliases = [ "*" ];
	90	enableSSL = false;
	91	logFormat = "combinedVhost";
	92	documentRoot = "/var/lib/acme/acme-challenge";
	93	extraConfig = ''
	94	RewriteEngine on
	95	RewriteCond "%{REQUEST_URI}" "!^/\.well-known"
	96	RewriteRule ^(.+) https://%{HTTP_HOST}$1 [R=301]
	97	# To redirect in specific "VirtualHost *:80", do
	98	# RedirectMatch 301 ^/((?!\.well-known.$).)$ https://host/$1
	99	# rather than rewrite
	100	'';
	101	};
	102	nosslVhost = ips: cfg: {
	103	listen = map (ip: { inherit ip; port = 80; }) ips;
	104	hostName = cfg.host;
	105	enableSSL = false;
	106	logFormat = "combinedVhost";
	107	documentRoot = cfg.root;
	108	extraConfig = ''
	109	<Directory ${cfg.root}>
	110	DirectoryIndex ${cfg.indexFile}
	111	AllowOverride None
	112	Require all granted
	113
	114	RewriteEngine on
	115	RewriteRule ^/(.+) / [L]
	116	</Directory>
	117	'';
	118	};
	119	toVhost = ips: vhostConf: {
	120	enableSSL = true;
	121	sslServerCert = "/var/lib/acme/${vhostConf.certName}/cert.pem";
	122	sslServerKey = "/var/lib/acme/${vhostConf.certName}/key.pem";
	123	sslServerChain = "/var/lib/acme/${vhostConf.certName}/chain.pem";
	124	logFormat = "combinedVhost";
	125	listen = map (ip: { inherit ip; port = 443; }) ips;
	126	hostName = builtins.head vhostConf.hosts;
	127	serverAliases = builtins.tail vhostConf.hosts or [];
	128	documentRoot = vhostConf.root;
	129	extraConfig = builtins.concatStringsSep "\n" vhostConf.extraConfig;
	130	};
	131	in attrsets.mapAttrs' (name: icfg: attrsets.nameValuePair
	132	icfg.httpdName (mkIf icfg.enable {
	133	enable = true;
	134	listen = map (ip: { inherit ip; port = 443; }) icfg.ips;
	135	stateDir = "/run/httpd_${name}";
	136	logPerVirtualHost = true;
	137	multiProcessingModule = "worker";
	138	inherit (icfg) adminAddr;
	139	logFormat = "combinedVhost";
	140	extraModules = lists.unique icfg.modules;
	141	extraConfig = builtins.concatStringsSep "\n" icfg.extraConfig;
	142	virtualHosts = [ (toVhost icfg.ips icfg.fallbackVhost) ]
	143	++ optionals (icfg.nosslVhost.enable) [ (nosslVhost icfg.ips icfg.nosslVhost) ]
	144	++ (attrsets.mapAttrsToList (n: v: toVhost icfg.ips v) icfg.vhostConfs)
	145	++ [ (redirectVhost icfg.ips) ];
	146	})
	147	) cfg;
	148	}