Diffstat (limited to 'modules')
-rw-r--r-- | modules/naemon/default.nix | 18 | ||||
-rw-r--r-- | modules/opendmarc.nix | 14 | ||||
-rw-r--r-- | modules/private/certificates.nix | 12 | ||||
-rw-r--r-- | modules/private/databases/mariadb.nix | 39 | ||||
-rw-r--r-- | modules/private/databases/openldap/default.nix | 1 | ||||
-rw-r--r-- | modules/private/databases/postgresql.nix | 15 | ||||
-rw-r--r-- | modules/private/ftp.nix | 17 | ||||
-rw-r--r-- | modules/private/monitoring/status.nix | 6 | ||||
-rw-r--r-- | modules/private/system.nix | 21 | ||||
-rw-r--r-- | modules/private/system/backup-2.nix | 6 | ||||
-rw-r--r-- | modules/private/system/dilion.nix | 4 | ||||
-rw-r--r-- | modules/private/tasks/default.nix | 1 | ||||
-rw-r--r-- | modules/webapps/diaspora.nix | 28 | ||||
-rw-r--r-- | modules/webapps/mastodon.nix | 26 | ||||
-rw-r--r-- | modules/webapps/mediagoblin.nix | 26 | ||||
-rw-r--r-- | modules/webapps/peertube.nix | 26 | ||||
-rw-r--r-- | modules/websites/httpd-service-builder.nix | 2 | ||||
-rw-r--r-- | modules/websites/location-options.nix | 54 | ||||
-rw-r--r-- | modules/websites/vhost-options.nix | 275 |
19 files changed, 129 insertions, 462 deletions
diff --git a/modules/naemon/default.nix b/modules/naemon/default.nix index 38e99a9..976de69 100644 --- a/modules/naemon/default.nix +++ b/modules/naemon/default.nix | |||
@@ -137,18 +137,18 @@ in | |||
137 | } | 137 | } |
138 | ]; | 138 | ]; |
139 | 139 | ||
140 | users.users = optionalAttrs (cfg.user == "naemon") (singleton | 140 | users.users = optionalAttrs (cfg.user == "naemon") { |
141 | { | 141 | naemon = { |
142 | name = "naemon"; | ||
143 | group = cfg.group; | 142 | group = cfg.group; |
144 | uid = config.ids.uids.nagios; | 143 | uid = config.ids.uids.nagios; |
145 | extraGroups = [ "keys" ]; | 144 | extraGroups = [ "keys" ]; |
146 | }); | 145 | }; |
147 | users.groups = optionalAttrs (cfg.user == "naemon") (singleton | 146 | }; |
148 | { | 147 | users.groups = optionalAttrs (cfg.user == "naemon") { |
149 | name = "naemon"; | 148 | naemon = { |
150 | gid = config.ids.gids.nagios; | 149 | gid = config.ids.gids.nagios; |
151 | }); | 150 | }; |
151 | }; | ||
152 | 152 | ||
153 | services.filesWatcher.naemon = { | 153 | services.filesWatcher.naemon = { |
154 | paths = [ config.secrets.fullPaths."naemon/resources.cfg" ]; | 154 | paths = [ config.secrets.fullPaths."naemon/resources.cfg" ]; |
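Review bot: The group is still keyed on the user name: new line 147 reads `users.groups = optionalAttrs (cfg.user == "naemon") {` while the user it backs takes `group = cfg.group;`. If cfg.user is overridden but cfg.group is left at "naemon", no "naemon" group is declared and the user definition points at a missing group; the opendmarc change in this same commit keys its group on `cfg.group` instead. `users.groups = optionalAttrs (cfg.group == "naemon") {` would make the two modules consistent. The enclosing config attrset starts and ends outside the hunk.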
diff --git a/modules/opendmarc.nix b/modules/opendmarc.nix index e18ec82..6137d10 100644 --- a/modules/opendmarc.nix +++ b/modules/opendmarc.nix | |||
@@ -59,16 +59,18 @@ in { | |||
59 | 59 | ||
60 | config = mkIf cfg.enable { | 60 | config = mkIf cfg.enable { |
61 | 61 | ||
62 | users.users = optionalAttrs (cfg.user == "opendmarc") (singleton | 62 | users.users = optionalAttrs (cfg.user == "opendmarc") { |
63 | { name = "opendmarc"; | 63 | opendmarc = { |
64 | group = cfg.group; | 64 | group = cfg.group; |
65 | uid = config.ids.uids.opendmarc; | 65 | uid = config.ids.uids.opendmarc; |
66 | }); | 66 | }; |
67 | }; | ||
67 | 68 | ||
68 | users.groups = optionalAttrs (cfg.group == "opendmarc") (singleton | 69 | users.groups = optionalAttrs (cfg.group == "opendmarc") { |
69 | { name = "opendmarc"; | 70 | opendmarc = { |
70 | gid = config.ids.gids.opendmarc; | 71 | gid = config.ids.gids.opendmarc; |
71 | }); | 72 | }; |
73 | }; | ||
72 | 74 | ||
73 | environment.systemPackages = [ pkgs.opendmarc ]; | 75 | environment.systemPackages = [ pkgs.opendmarc ]; |
74 | 76 | ||
diff --git a/modules/private/certificates.nix b/modules/private/certificates.nix index 2bf2730..82ff52f 100644 --- a/modules/private/certificates.nix +++ b/modules/private/certificates.nix | |||
@@ -12,7 +12,6 @@ | |||
12 | (lib.optionalString config.services.httpd.Inte.enable "systemctl reload httpdInte.service") | 12 | (lib.optionalString config.services.httpd.Inte.enable "systemctl reload httpdInte.service") |
13 | (lib.optionalString config.services.nginx.enable "systemctl reload nginx.service") | 13 | (lib.optionalString config.services.nginx.enable "systemctl reload nginx.service") |
14 | ]; | 14 | ]; |
15 | plugins = [ "cert.pem" "chain.pem" "fullchain.pem" "full.pem" "key.pem" "account_key.json" "account_reg.json"]; | ||
16 | }; | 15 | }; |
17 | description = "Default configuration for certificates"; | 16 | description = "Default configuration for certificates"; |
18 | }; | 17 | }; |
@@ -30,6 +29,7 @@ | |||
30 | myServices.databasesCerts = config.myServices.certificates.certConfig; | 29 | myServices.databasesCerts = config.myServices.certificates.certConfig; |
31 | myServices.ircCerts = config.myServices.certificates.certConfig; | 30 | myServices.ircCerts = config.myServices.certificates.certConfig; |
32 | 31 | ||
32 | security.acme.acceptTerms = true; | ||
33 | security.acme.preliminarySelfsigned = true; | 33 | security.acme.preliminarySelfsigned = true; |
34 | 34 | ||
35 | security.acme.certs = { | 35 | security.acme.certs = { |
@@ -39,18 +39,16 @@ | |||
39 | }; | 39 | }; |
40 | 40 | ||
41 | systemd.services = lib.attrsets.mapAttrs' (k: v: | 41 | systemd.services = lib.attrsets.mapAttrs' (k: v: |
42 | lib.attrsets.nameValuePair "acme-selfsigned-${k}" (lib.mkBefore { script = | 42 | lib.attrsets.nameValuePair "acme-selfsigned-${k}" { script = lib.mkBefore '' |
43 | (lib.optionalString (builtins.elem "cert.pem" v.plugins) '' | ||
44 | cp $workdir/server.crt ${config.security.acme.certs."${k}".directory}/cert.pem | 43 | cp $workdir/server.crt ${config.security.acme.certs."${k}".directory}/cert.pem |
45 | chown '${v.user}:${v.group}' ${config.security.acme.certs."${k}".directory}/cert.pem | 44 | chown '${v.user}:${v.group}' ${config.security.acme.certs."${k}".directory}/cert.pem |
46 | chmod ${if v.allowKeysForGroup then "750" else "700"} ${config.security.acme.certs."${k}".directory}/cert.pem | 45 | chmod ${if v.allowKeysForGroup then "750" else "700"} ${config.security.acme.certs."${k}".directory}/cert.pem |
47 | '') + | 46 | |
48 | (lib.optionalString (builtins.elem "chain.pem" v.plugins) '' | ||
49 | cp $workdir/ca.crt ${config.security.acme.certs."${k}".directory}/chain.pem | 47 | cp $workdir/ca.crt ${config.security.acme.certs."${k}".directory}/chain.pem |
50 | chown '${v.user}:${v.group}' ${config.security.acme.certs."${k}".directory}/chain.pem | 48 | chown '${v.user}:${v.group}' ${config.security.acme.certs."${k}".directory}/chain.pem |
51 | chmod ${if v.allowKeysForGroup then "750" else "700"} ${config.security.acme.certs."${k}".directory}/chain.pem | 49 | chmod ${if v.allowKeysForGroup then "750" else "700"} ${config.security.acme.certs."${k}".directory}/chain.pem |
52 | '') | 50 | ''; |
53 | ; }) | 51 | } |
54 | ) config.security.acme.certs // | 52 | ) config.security.acme.certs // |
55 | lib.attrsets.mapAttrs' (k: data: | 53 | lib.attrsets.mapAttrs' (k: data: |
56 | lib.attrsets.nameValuePair "acme-${k}" { | 54 | lib.attrsets.nameValuePair "acme-${k}" { |
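Review bot: The rewritten `mkBefore` script (new lines 43–49) leaves `$workdir` and the interpolated certificate directory unquoted in every `cp`, `chown` and `chmod`, so a path containing whitespace would be split into separate arguments and the wrong file could be copied or re-permissioned. Quoting each operand, e.g. `cp "$workdir/server.crt" "${config.security.acme.certs."${k}".directory}/cert.pem"`, costs nothing and matches the `'${v.user}:${v.group}'` quoting already used for chown. The `security.acme.acceptTerms = true;` added at new line 32 would also benefit from a one-line comment stating which CA's terms are being accepted and why it is set globally. The mapAttrs' call this lambda belongs to continues past the hunk.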
diff --git a/modules/private/databases/mariadb.nix b/modules/private/databases/mariadb.nix index 04e4bd6..36edaeb 100644 --- a/modules/private/databases/mariadb.nix +++ b/modules/private/databases/mariadb.nix | |||
@@ -94,26 +94,27 @@ in { | |||
94 | enable = true; | 94 | enable = true; |
95 | package = cfg.package; | 95 | package = cfg.package; |
96 | dataDir = cfg.dataDir; | 96 | dataDir = cfg.dataDir; |
97 | extraOptions = '' | 97 | settings = { |
98 | ssl_ca = ${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt | 98 | mysqld = { |
99 | ssl_key = ${config.security.acme.certs.mysql.directory}/key.pem | 99 | ssl_ca = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"; |
100 | ssl_cert = ${config.security.acme.certs.mysql.directory}/fullchain.pem | 100 | ssl_key = "${config.security.acme.certs.mysql.directory}/key.pem"; |
101 | ssl_cert = "${config.security.acme.certs.mysql.directory}/fullchain.pem"; | ||
101 | 102 | ||
102 | # for replication | 103 | # for replication |
103 | log-bin=mariadb-bin | 104 | log-bin = "mariadb-bin"; |
104 | server-id=1 | 105 | server-id = "1"; |
105 | 106 | ||
106 | # this introduces a small delay before storing on disk, but | 107 | # this introduces a small delay before storing on disk, but |
107 | # makes it order of magnitudes quicker | 108 | # makes it order of magnitudes quicker |
108 | innodb_flush_log_at_trx_commit = 0 | 109 | innodb_flush_log_at_trx_commit = "0"; |
109 | ''; | 110 | }; |
111 | }; | ||
110 | }; | 112 | }; |
111 | 113 | ||
112 | users.users.mysql.extraGroups = [ "keys" ]; | 114 | users.users.mysql.extraGroups = [ "keys" ]; |
113 | security.acme.certs."mysql" = config.myServices.databasesCerts // { | 115 | security.acme.certs."mysql" = config.myServices.databasesCerts // { |
114 | user = "mysql"; | 116 | user = "mysql"; |
115 | group = "mysql"; | 117 | group = "mysql"; |
116 | plugins = [ "fullchain.pem" "key.pem" "account_key.json" "account_reg.json" ]; | ||
117 | domain = "db-1.immae.eu"; | 118 | domain = "db-1.immae.eu"; |
118 | postRun = '' | 119 | postRun = '' |
119 | systemctl restart mysql.service | 120 | systemctl restart mysql.service |
@@ -164,23 +165,21 @@ in { | |||
164 | 165 | ||
165 | security.pam.services = let | 166 | security.pam.services = let |
166 | pam_ldap = "${pkgs.pam_ldap}/lib/security/pam_ldap.so"; | 167 | pam_ldap = "${pkgs.pam_ldap}/lib/security/pam_ldap.so"; |
167 | in [ | 168 | in { |
168 | { | 169 | mysql = { |
169 | name = "mysql"; | ||
170 | text = '' | 170 | text = '' |
171 | # https://mariadb.com/kb/en/mariadb/pam-authentication-plugin/ | 171 | # https://mariadb.com/kb/en/mariadb/pam-authentication-plugin/ |
172 | auth required ${pam_ldap} config=${config.secrets.location}/mysql/pam | 172 | auth required ${pam_ldap} config=${config.secrets.location}/mysql/pam |
173 | account required ${pam_ldap} config=${config.secrets.location}/mysql/pam | 173 | account required ${pam_ldap} config=${config.secrets.location}/mysql/pam |
174 | ''; | 174 | ''; |
175 | } | 175 | }; |
176 | { | 176 | mysql_replication = { |
177 | name = "mysql_replication"; | ||
178 | text = '' | 177 | text = '' |
179 | auth required ${pam_ldap} config=${config.secrets.location}/mysql/pam_replication | 178 | auth required ${pam_ldap} config=${config.secrets.location}/mysql/pam_replication |
180 | account required ${pam_ldap} config=${config.secrets.location}/mysql/pam_replication | 179 | account required ${pam_ldap} config=${config.secrets.location}/mysql/pam_replication |
181 | ''; | 180 | ''; |
182 | } | 181 | }; |
183 | ]; | 182 | }; |
184 | 183 | ||
185 | }; | 184 | }; |
186 | } | 185 | } |
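Review bot: `ssl_ca` (new line 99) points the server at the full public CA bundle `${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt`; for a MariaDB server this file is also the trust anchor used to verify client certificates, so if any account is created with `REQUIRE X509`, `REQUIRE ISSUER` or `REQUIRE SUBJECT`, a certificate chaining to any public CA would satisfy the check. If client-certificate verification is intended, a dedicated CA file is the safer value; if it is not, a comment such as `# ssl_ca is only consulted for client certificates; no accounts use REQUIRE X509` would record that decision for the next reader. The value itself is carried over from the old extraOptions, so this commit only changes its format. The enclosing services.mysql block starts outside the hunk.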
diff --git a/modules/private/databases/openldap/default.nix b/modules/private/databases/openldap/default.nix index efe9379..302aa04 100644 --- a/modules/private/databases/openldap/default.nix +++ b/modules/private/databases/openldap/default.nix | |||
@@ -107,7 +107,6 @@ in | |||
107 | security.acme.certs."ldap" = config.myServices.databasesCerts // { | 107 | security.acme.certs."ldap" = config.myServices.databasesCerts // { |
108 | user = "openldap"; | 108 | user = "openldap"; |
109 | group = "openldap"; | 109 | group = "openldap"; |
110 | plugins = [ "fullchain.pem" "key.pem" "cert.pem" "account_key.json" "account_reg.json" ]; | ||
111 | domain = "ldap.immae.eu"; | 110 | domain = "ldap.immae.eu"; |
112 | postRun = '' | 111 | postRun = '' |
113 | systemctl restart openldap.service | 112 | systemctl restart openldap.service |
diff --git a/modules/private/databases/postgresql.nix b/modules/private/databases/postgresql.nix index d0b1a75..c442a63 100644 --- a/modules/private/databases/postgresql.nix +++ b/modules/private/databases/postgresql.nix | |||
@@ -100,7 +100,6 @@ in { | |||
100 | security.acme.certs."postgresql" = config.myServices.databasesCerts // { | 100 | security.acme.certs."postgresql" = config.myServices.databasesCerts // { |
101 | user = "postgres"; | 101 | user = "postgres"; |
102 | group = "postgres"; | 102 | group = "postgres"; |
103 | plugins = [ "fullchain.pem" "key.pem" "account_key.json" "account_reg.json" ]; | ||
104 | domain = "db-1.immae.eu"; | 103 | domain = "db-1.immae.eu"; |
105 | postRun = '' | 104 | postRun = '' |
106 | systemctl reload postgresql.service | 105 | systemctl reload postgresql.service |
@@ -212,22 +211,20 @@ in { | |||
212 | 211 | ||
213 | security.pam.services = let | 212 | security.pam.services = let |
214 | pam_ldap = "${pkgs.pam_ldap}/lib/security/pam_ldap.so"; | 213 | pam_ldap = "${pkgs.pam_ldap}/lib/security/pam_ldap.so"; |
215 | in [ | 214 | in { |
216 | { | 215 | postgresql = { |
217 | name = "postgresql"; | ||
218 | text = '' | 216 | text = '' |
219 | auth required ${pam_ldap} config=${config.secrets.location}/postgresql/pam | 217 | auth required ${pam_ldap} config=${config.secrets.location}/postgresql/pam |
220 | account required ${pam_ldap} config=${config.secrets.location}/postgresql/pam | 218 | account required ${pam_ldap} config=${config.secrets.location}/postgresql/pam |
221 | ''; | 219 | ''; |
222 | } | 220 | }; |
223 | { | 221 | postgresql_replication = { |
224 | name = "postgresql_replication"; | ||
225 | text = '' | 222 | text = '' |
226 | auth required ${pam_ldap} config=${config.secrets.location}/postgresql/pam_replication | 223 | auth required ${pam_ldap} config=${config.secrets.location}/postgresql/pam_replication |
227 | account required ${pam_ldap} config=${config.secrets.location}/postgresql/pam_replication | 224 | account required ${pam_ldap} config=${config.secrets.location}/postgresql/pam_replication |
228 | ''; | 225 | ''; |
229 | } | 226 | }; |
230 | ]; | 227 | }; |
231 | }; | 228 | }; |
232 | } | 229 | } |
233 | 230 | ||
diff --git a/modules/private/ftp.nix b/modules/private/ftp.nix index 417af87..8ae4e65 100644 --- a/modules/private/ftp.nix +++ b/modules/private/ftp.nix | |||
@@ -32,16 +32,13 @@ in | |||
32 | }; | 32 | }; |
33 | }; | 33 | }; |
34 | 34 | ||
35 | users.users = [ | 35 | users.users.ftp = { |
36 | { | 36 | uid = config.ids.uids.ftp; # 8 |
37 | name = "ftp"; | 37 | group = "ftp"; |
38 | uid = config.ids.uids.ftp; # 8 | 38 | description = "Anonymous FTP user"; |
39 | group = "ftp"; | 39 | home = "/homeless-shelter"; |
40 | description = "Anonymous FTP user"; | 40 | extraGroups = [ "keys" ]; |
41 | home = "/homeless-shelter"; | 41 | }; |
42 | extraGroups = [ "keys" ]; | ||
43 | } | ||
44 | ]; | ||
45 | 42 | ||
46 | users.groups.ftp.gid = config.ids.gids.ftp; | 43 | users.groups.ftp.gid = config.ids.gids.ftp; |
47 | 44 | ||
diff --git a/modules/private/monitoring/status.nix b/modules/private/monitoring/status.nix index d25d934..7810a1f 100644 --- a/modules/private/monitoring/status.nix +++ b/modules/private/monitoring/status.nix | |||
@@ -34,7 +34,11 @@ | |||
34 | locations."/".proxyPass = "http://unix:/run/naemon-status/socket.sock:/"; | 34 | locations."/".proxyPass = "http://unix:/run/naemon-status/socket.sock:/"; |
35 | }; | 35 | }; |
36 | }; | 36 | }; |
37 | security.acme.certs."${name}".extraDomains."status.immae.eu" = null; | 37 | security.acme.certs."${name}" = { |
38 | extraDomains."status.immae.eu" = null; | ||
39 | user = config.services.nginx.user; | ||
40 | group = config.services.nginx.group; | ||
41 | }; | ||
38 | 42 | ||
39 | myServices.certificates.enable = true; | 43 | myServices.certificates.enable = true; |
40 | networking.firewall.allowedTCPPorts = [ 80 443 ]; | 44 | networking.firewall.allowedTCPPorts = [ 80 443 ]; |
diff --git a/modules/private/system.nix b/modules/private/system.nix index 64fc2d9..70b74d0 100644 --- a/modules/private/system.nix +++ b/modules/private/system.nix | |||
@@ -65,21 +65,10 @@ | |||
65 | users.mutableUsers = false; | 65 | users.mutableUsers = false; |
66 | 66 | ||
67 | environment.etc.cnagios.source = "${pkgs.cnagios}/share/doc/cnagios"; | 67 | environment.etc.cnagios.source = "${pkgs.cnagios}/share/doc/cnagios"; |
68 | environment.systemPackages = | 68 | environment.systemPackages = [ |
69 | let | 69 | pkgs.git |
70 | home-manager = builtins.fetchGit { | 70 | pkgs.vim |
71 | url = "https://github.com/rycee/home-manager.git"; | 71 | ] ++ |
72 | rev = "ef64bc598f28818d56c86629dad98b468af9c071"; | 72 | (lib.optional (builtins.length (config.hostEnv.users pkgs) > 0) pkgs.home-manager); |
73 | ref = "release-19.03"; | ||
74 | }; | ||
75 | in | ||
76 | [ | ||
77 | pkgs.git | ||
78 | pkgs.vim | ||
79 | ] ++ | ||
80 | (lib.optional | ||
81 | (builtins.length (config.hostEnv.users pkgs) > 0) | ||
82 | ((pkgs.callPackage home-manager {}).home-manager) | ||
83 | ); | ||
84 | }; | 73 | }; |
85 | } | 74 | } |
diff --git a/modules/private/system/backup-2.nix b/modules/private/system/backup-2.nix index 4e24c12..6829f1b 100644 --- a/modules/private/system/backup-2.nix +++ b/modules/private/system/backup-2.nix | |||
@@ -1,5 +1,5 @@ | |||
1 | { privateFiles }: | 1 | { privateFiles }: |
2 | { config, pkgs, resources, ... }: | 2 | { config, pkgs, resources, name, ... }: |
3 | { | 3 | { |
4 | boot.kernelPackages = pkgs.linuxPackages_latest; | 4 | boot.kernelPackages = pkgs.linuxPackages_latest; |
5 | myEnv = import "${privateFiles}/environment.nix" // { inherit privateFiles; }; | 5 | myEnv = import "${privateFiles}/environment.nix" // { inherit privateFiles; }; |
@@ -35,6 +35,10 @@ | |||
35 | }; | 35 | }; |
36 | 36 | ||
37 | myServices.certificates.enable = true; | 37 | myServices.certificates.enable = true; |
38 | security.acme.certs."${name}" = { | ||
39 | user = config.services.nginx.user; | ||
40 | group = config.services.nginx.group; | ||
41 | }; | ||
38 | services.nginx = { | 42 | services.nginx = { |
39 | enable = true; | 43 | enable = true; |
40 | recommendedOptimisation = true; | 44 | recommendedOptimisation = true; |
diff --git a/modules/private/system/dilion.nix b/modules/private/system/dilion.nix index 788c2dc..911c76d 100644 --- a/modules/private/system/dilion.nix +++ b/modules/private/system/dilion.nix | |||
@@ -101,8 +101,8 @@ | |||
101 | 101 | ||
102 | # This is equivalent to setting environment.sessionVariables.NIX_PATH | 102 | # This is equivalent to setting environment.sessionVariables.NIX_PATH |
103 | nix.nixPath = [ | 103 | nix.nixPath = [ |
104 | "home-manager=https://github.com/rycee/home-manager/archive/release-19.03.tar.gz" | 104 | "home-manager=https://github.com/rycee/home-manager/archive/master.tar.gz" |
105 | "nixpkgs=https://nixos.org/channels/nixos-19.03/nixexprs.tar.xz" | 105 | "nixpkgs=https://nixos.org/channels/nixos-unstable/nixexprs.tar.xz" |
106 | ]; | 106 | ]; |
107 | nix.binaryCaches = [ "https://hydra.iohk.io" "https://cache.nixos.org" ]; | 107 | nix.binaryCaches = [ "https://hydra.iohk.io" "https://cache.nixos.org" ]; |
108 | nix.binaryCachePublicKeys = [ "hydra.iohk.io:f/Ea+s+dFdN+3Y/G+FDgSq+a5NEWhJGzdjvKNGv0/EQ=" ]; | 108 | nix.binaryCachePublicKeys = [ "hydra.iohk.io:f/Ea+s+dFdN+3Y/G+FDgSq+a5NEWhJGzdjvKNGv0/EQ=" ]; |
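Review bot: Both nixPath entries (new lines 104–105) now follow moving branches, `master.tar.gz` for home-manager and `nixos-unstable` for nixpkgs, where the old lines pinned release-19.03. Whatever is at the tip when the host is evaluated is what gets built, so two evaluations can yield different systems and a broken or compromised upstream commit is picked up on the next rebuild without any local change. Pinning each entry to a specific archive revision, or fetching it with a fixed hash, keeps the inputs reproducible and reviewable. This also affects modules/websites/httpd-service-builder.nix in this commit, whose new `<nixpkgs/...>` import resolves through this same nixPath.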
diff --git a/modules/private/tasks/default.nix b/modules/private/tasks/default.nix index 42cc8d2..43d40d6 100644 --- a/modules/private/tasks/default.nix +++ b/modules/private/tasks/default.nix | |||
@@ -197,7 +197,6 @@ in { | |||
197 | 197 | ||
198 | security.acme.certs."task" = config.myServices.certificates.certConfig // { | 198 | security.acme.certs."task" = config.myServices.certificates.certConfig // { |
199 | inherit user group; | 199 | inherit user group; |
200 | plugins = [ "fullchain.pem" "key.pem" "cert.pem" "account_key.json" "account_reg.json" ]; | ||
201 | domain = fqdn; | 200 | domain = fqdn; |
202 | postRun = '' | 201 | postRun = '' |
203 | systemctl restart taskserver.service | 202 | systemctl restart taskserver.service |
diff --git a/modules/webapps/diaspora.nix b/modules/webapps/diaspora.nix index 65599b7..d9e9989 100644 --- a/modules/webapps/diaspora.nix +++ b/modules/webapps/diaspora.nix | |||
@@ -108,19 +108,21 @@ in | |||
108 | }; | 108 | }; |
109 | 109 | ||
110 | config = lib.mkIf cfg.enable { | 110 | config = lib.mkIf cfg.enable { |
111 | users.users = lib.optionalAttrs (cfg.user == name) (lib.singleton { | 111 | users.users = lib.optionalAttrs (cfg.user == name) { |
112 | inherit name; | 112 | "${name}" = { |
113 | inherit uid; | 113 | inherit uid; |
114 | group = cfg.group; | 114 | group = cfg.group; |
115 | description = "Diaspora user"; | 115 | description = "Diaspora user"; |
116 | home = cfg.dataDir; | 116 | home = cfg.dataDir; |
117 | packages = [ cfg.workdir.gems pkgs.nodejs cfg.workdir.gems.ruby ]; | 117 | packages = [ cfg.workdir.gems pkgs.nodejs cfg.workdir.gems.ruby ]; |
118 | useDefaultShell = true; | 118 | useDefaultShell = true; |
119 | }); | 119 | }; |
120 | users.groups = lib.optionalAttrs (cfg.group == name) (lib.singleton { | 120 | }; |
121 | inherit name; | 121 | users.groups = lib.optionalAttrs (cfg.group == name) { |
122 | inherit gid; | 122 | "${name}" = { |
123 | }); | 123 | inherit gid; |
124 | }; | ||
125 | }; | ||
124 | 126 | ||
125 | systemd.services.diaspora = { | 127 | systemd.services.diaspora = { |
126 | description = "Diaspora"; | 128 | description = "Diaspora"; |
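Review bot: The new attribute key at line 112 is written as `"${name}" = {`, a string literal that only contains an interpolation; Nix accepts the bare dynamic key `${name} = {` for this, which reads more clearly as "keyed by the variable name" and is the form most nixpkgs modules use. The same spelling appears in the users.groups block at line 122 and in the parallel hunks of modules/webapps/mastodon.nix, mediagoblin.nix and peertube.nix in this commit, so it is worth settling on one form across the four modules. The enclosing `config = lib.mkIf cfg.enable {` attrset continues past the hunk.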
diff --git a/modules/webapps/mastodon.nix b/modules/webapps/mastodon.nix index 68531cf..cd550c0 100644 --- a/modules/webapps/mastodon.nix +++ b/modules/webapps/mastodon.nix | |||
@@ -96,18 +96,20 @@ in | |||
96 | }; | 96 | }; |
97 | 97 | ||
98 | config = lib.mkIf cfg.enable { | 98 | config = lib.mkIf cfg.enable { |
99 | users.users = lib.optionalAttrs (cfg.user == name) (lib.singleton { | 99 | users.users = lib.optionalAttrs (cfg.user == name) { |
100 | inherit name; | 100 | "${name}" = { |
101 | inherit uid; | 101 | inherit uid; |
102 | group = cfg.group; | 102 | group = cfg.group; |
103 | description = "Mastodon user"; | 103 | description = "Mastodon user"; |
104 | home = cfg.dataDir; | 104 | home = cfg.dataDir; |
105 | useDefaultShell = true; | 105 | useDefaultShell = true; |
106 | }); | 106 | }; |
107 | users.groups = lib.optionalAttrs (cfg.group == name) (lib.singleton { | 107 | }; |
108 | inherit name; | 108 | users.groups = lib.optionalAttrs (cfg.group == name) { |
109 | inherit gid; | 109 | "${name}" = { |
110 | }); | 110 | inherit gid; |
111 | }; | ||
112 | }; | ||
111 | 113 | ||
112 | systemd.services.mastodon-streaming = { | 114 | systemd.services.mastodon-streaming = { |
113 | description = "Mastodon Streaming"; | 115 | description = "Mastodon Streaming"; |
diff --git a/modules/webapps/mediagoblin.nix b/modules/webapps/mediagoblin.nix index 78bbef6..dbc4c2b 100644 --- a/modules/webapps/mediagoblin.nix +++ b/modules/webapps/mediagoblin.nix | |||
@@ -151,18 +151,20 @@ in | |||
151 | }; | 151 | }; |
152 | 152 | ||
153 | config = lib.mkIf cfg.enable { | 153 | config = lib.mkIf cfg.enable { |
154 | users.users = lib.optionalAttrs (cfg.user == name) (lib.singleton { | 154 | users.users = lib.optionalAttrs (cfg.user == name) { |
155 | inherit name; | 155 | "${name}" = { |
156 | inherit uid; | 156 | inherit uid; |
157 | group = cfg.group; | 157 | group = cfg.group; |
158 | description = "Mediagoblin user"; | 158 | description = "Mediagoblin user"; |
159 | home = cfg.dataDir; | 159 | home = cfg.dataDir; |
160 | useDefaultShell = true; | 160 | useDefaultShell = true; |
161 | }); | 161 | }; |
162 | users.groups = lib.optionalAttrs (cfg.group == name) (lib.singleton { | 162 | }; |
163 | inherit name; | 163 | users.groups = lib.optionalAttrs (cfg.group == name) { |
164 | inherit gid; | 164 | "${name}" = { |
165 | }); | 165 | inherit gid; |
166 | }; | ||
167 | }; | ||
166 | 168 | ||
167 | systemd.services.mediagoblin-web = { | 169 | systemd.services.mediagoblin-web = { |
168 | description = "Mediagoblin service"; | 170 | description = "Mediagoblin service"; |
diff --git a/modules/webapps/peertube.nix b/modules/webapps/peertube.nix index 89dcc67..281ff8b 100644 --- a/modules/webapps/peertube.nix +++ b/modules/webapps/peertube.nix | |||
@@ -53,18 +53,20 @@ in | |||
53 | }; | 53 | }; |
54 | 54 | ||
55 | config = lib.mkIf cfg.enable { | 55 | config = lib.mkIf cfg.enable { |
56 | users.users = lib.optionalAttrs (cfg.user == name) (lib.singleton { | 56 | users.users = lib.optionalAttrs (cfg.user == name) { |
57 | inherit name; | 57 | "${name}" = { |
58 | inherit uid; | 58 | inherit uid; |
59 | group = cfg.group; | 59 | group = cfg.group; |
60 | description = "Peertube user"; | 60 | description = "Peertube user"; |
61 | home = cfg.dataDir; | 61 | home = cfg.dataDir; |
62 | useDefaultShell = true; | 62 | useDefaultShell = true; |
63 | }); | 63 | }; |
64 | users.groups = lib.optionalAttrs (cfg.group == name) (lib.singleton { | 64 | }; |
65 | inherit name; | 65 | users.groups = lib.optionalAttrs (cfg.group == name) { |
66 | inherit gid; | 66 | "${name}" = { |
67 | }); | 67 | inherit gid; |
68 | }; | ||
69 | }; | ||
68 | 70 | ||
69 | systemd.services.peertube = { | 71 | systemd.services.peertube = { |
70 | description = "Peertube"; | 72 | description = "Peertube"; |
diff --git a/modules/websites/httpd-service-builder.nix b/modules/websites/httpd-service-builder.nix index ec79a90..c5f72f9 100644 --- a/modules/websites/httpd-service-builder.nix +++ b/modules/websites/httpd-service-builder.nix | |||
@@ -470,7 +470,7 @@ in | |||
470 | }; | 470 | }; |
471 | 471 | ||
472 | virtualHosts = mkOption { | 472 | virtualHosts = mkOption { |
473 | type = with types; attrsOf (submodule (import ./vhost-options.nix)); | 473 | type = with types; attrsOf (submodule (import <nixpkgs/nixos/modules/services/web-servers/apache-httpd/vhost-options.nix>)); |
474 | default = { | 474 | default = { |
475 | localhost = { | 475 | localhost = { |
476 | documentRoot = "${pkg}/htdocs"; | 476 | documentRoot = "${pkg}/htdocs"; |
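Review bot: The new `type` at line 473 imports the submodule through the angle-bracket lookup `<nixpkgs/nixos/modules/services/web-servers/apache-httpd/vhost-options.nix>`, which is resolved via NIX_PATH at evaluation time rather than from the nixpkgs this module is otherwise built against, so the vhost option set can differ between hosts and drift as the channel moves (the same commit points dilion's nixPath at nixos-unstable). If `pkgs` is in scope here (the hunk only shows `pkg`), `import "${pkgs.path}/nixos/modules/services/web-servers/apache-httpd/vhost-options.nix"` would tie the import to the evaluated nixpkgs; failing that, a comment noting that the option schema now tracks the channel would warn the next reader. The enclosing options attrset starts and ends outside the hunk.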
diff --git a/modules/websites/location-options.nix b/modules/websites/location-options.nix deleted file mode 100644 index 8ea88f9..0000000 --- a/modules/websites/location-options.nix +++ /dev/null | |||
@@ -1,54 +0,0 @@ | |||
1 | { config, lib, name, ... }: | ||
2 | let | ||
3 | inherit (lib) mkOption types; | ||
4 | in | ||
5 | { | ||
6 | options = { | ||
7 | |||
8 | proxyPass = mkOption { | ||
9 | type = with types; nullOr str; | ||
10 | default = null; | ||
11 | example = "http://www.example.org/"; | ||
12 | description = '' | ||
13 | Sets up a simple reverse proxy as described by <link xlink:href="https://httpd.apache.org/docs/2.4/howto/reverse_proxy.html#simple" />. | ||
14 | ''; | ||
15 | }; | ||
16 | |||
17 | index = mkOption { | ||
18 | type = with types; nullOr str; | ||
19 | default = null; | ||
20 | example = "index.php index.html"; | ||
21 | description = '' | ||
22 | Adds DirectoryIndex directive. See <link xlink:href="https://httpd.apache.org/docs/2.4/mod/mod_dir.html#directoryindex" />. | ||
23 | ''; | ||
24 | }; | ||
25 | |||
26 | alias = mkOption { | ||
27 | type = with types; nullOr path; | ||
28 | default = null; | ||
29 | example = "/your/alias/directory"; | ||
30 | description = '' | ||
31 | Alias directory for requests. See <link xlink:href="https://httpd.apache.org/docs/2.4/mod/mod_alias.html#alias" />. | ||
32 | ''; | ||
33 | }; | ||
34 | |||
35 | extraConfig = mkOption { | ||
36 | type = types.lines; | ||
37 | default = ""; | ||
38 | description = '' | ||
39 | These lines go to the end of the location verbatim. | ||
40 | ''; | ||
41 | }; | ||
42 | |||
43 | priority = mkOption { | ||
44 | type = types.int; | ||
45 | default = 1000; | ||
46 | description = '' | ||
47 | Order of this location block in relation to the others in the vhost. | ||
48 | The semantics are the same as with `lib.mkOrder`. Smaller values have | ||
49 | a greater priority. | ||
50 | ''; | ||
51 | }; | ||
52 | |||
53 | }; | ||
54 | } | ||
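--- a/modules/websites/vhost-options.nix
+++ /dev/null
@@ -1,275 +0,0 @@
-{ config, lib, name, ... }:
-let
-inherit (lib) literalExample mkOption nameValuePair types;
-in
-{
-options = {
-
-hostName = mkOption {
-type = types.str;
-default = name;
-description = "Canonical hostname for the server.";
-};
-
-serverAliases = mkOption {
-type = types.listOf types.str;
-default = [];
-example = ["www.example.org" "www.example.org:8080" "example.org"];
-description = ''
-Additional names of virtual hosts served by this virtual host configuration.
-'';
-};
-
-listen = mkOption {
-type = with types; listOf (submodule ({
-options = {
-port = mkOption {
-type = types.port;
-description = "Port to listen on";
-};
-ip = mkOption {
-type = types.str;
-default = "*";
-description = "IP to listen on. 0.0.0.0 for IPv4 only, * for all.";
-};
-ssl = mkOption {
-type = types.bool;
-default = false;
-description = "Whether to enable SSL (https) support.";
-};
-};
-}));
-default = [];
-example = [
-{ ip = "195.154.1.1"; port = 443; ssl = true;}
-{ ip = "192.154.1.1"; port = 80; }
-{ ip = "*"; port = 8080; }
-];
-description = ''
-Listen addresses and ports for this virtual host.
-<note><para>
-This option overrides <literal>addSSL</literal>, <literal>forceSSL</literal> and <literal>onlySSL</literal>.
-</para></note>
-'';
-};
-
-enableSSL = mkOption {
-type = types.bool;
-visible = false;
-default = false;
-};
-
-addSSL = mkOption {
-type = types.bool;
-default = false;
-description = ''
-Whether to enable HTTPS in addition to plain HTTP. This will set defaults for
-<literal>listen</literal> to listen on all interfaces on the respective default
-ports (80, 443).
-'';
-};
-
-onlySSL = mkOption {
-type = types.bool;
-default = false;
-description = ''
-Whether to enable HTTPS and reject plain HTTP connections. This will set
-defaults for <literal>listen</literal> to listen on all interfaces on port 443.
-'';
-};
-
-forceSSL = mkOption {
-type = types.bool;
-default = false;
-description = ''
-Whether to add a separate nginx server block that permanently redirects (301)
-all plain HTTP traffic to HTTPS. This will set defaults for
-<literal>listen</literal> to listen on all interfaces on the respective default
-ports (80, 443), where the non-SSL listens are used for the redirect vhosts.
-'';
-};
-
-enableACME = mkOption {
-type = types.bool;
-default = false;
-description = ''
-Whether to ask Let's Encrypt to sign a certificate for this vhost.
-Alternately, you can use an existing certificate through <option>useACMEHost</option>.
-'';
-};
-
-useACMEHost = mkOption {
-type = types.nullOr types.str;
-default = null;
-description = ''
-A host of an existing Let's Encrypt certificate to use.
-This is useful if you have many subdomains and want to avoid hitting the
-<link xlink:href="https://letsencrypt.org/docs/rate-limits/">rate limit</link>.
-Alternately, you can generate a certificate through <option>enableACME</option>.
-<emphasis>Note that this option does not create any certificates, nor it does add subdomains to existing ones – you will need to create them manually using <xref linkend="opt-security.acme.certs"/>.</emphasis>
-'';
-};
-
-acmeRoot = mkOption {
-type = types.str;
-default = "/var/lib/acme/acme-challenges";
-description = "Directory for the acme challenge which is PUBLIC, don't put certs or keys in here";
-};
-
-sslServerCert = mkOption {
-type = types.path;
-example = "/var/host.cert";
-description = "Path to server SSL certificate.";
-};
-
-sslServerKey = mkOption {
-type = types.path;
-example = "/var/host.key";
-description = "Path to server SSL certificate key.";
-};
-
-sslServerChain = mkOption {
-type = types.nullOr types.path;
-default = null;
-example = "/var/ca.pem";
-description = "Path to server SSL chain file.";
-};
-
-http2 = mkOption {
-type = types.bool;
-default = false;
-description = ''
-Whether to enable HTTP 2. HTTP/2 is supported in all multi-processing modules that come with httpd. <emphasis>However, if you use the prefork mpm, there will
-be severe restrictions.</emphasis> Refer to <link xlink:href="https://httpd.apache.org/docs/2.4/howto/http2.html#mpm-config"/> for details.
-'';
-};
-
-adminAddr = mkOption {
-type = types.nullOr types.str;
-default = null;
-example = "admin@example.org";
-description = "E-mail address of the server administrator.";
-};
-
-documentRoot = mkOption {
-type = types.nullOr types.path;
-default = null;
-example = "/data/webserver/docs";
-description = ''
-The path of Apache's document root directory. If left undefined,
-an empty directory in the Nix store will be used as root.
-'';
-};
-
-servedDirs = mkOption {
-type = types.listOf types.attrs;
-default = [];
-example = [
-{ urlPath = "/nix";
-dir = "/home/eelco/Dev/nix-homepage";
-}
-];
-description = ''
-This option provides a simple way to serve static directories.
-'';
-};
-
-servedFiles = mkOption {
-type = types.listOf types.attrs;
-default = [];
-example = [
-{ urlPath = "/foo/bar.png";
-file = "/home/eelco/some-file.png";
-}
-];
-description = ''
-This option provides a simple way to serve individual, static files.
-
-<note><para>
-This option has been deprecated and will be removed in a future
-version of NixOS. You can achieve the same result by making use of
-the <literal>locations.<name>.alias</literal> option.
-</para></note>
-'';
-};
-
-extraConfig = mkOption {
-type = types.lines;
-default = "";
-example = ''
-<Directory /home>
-Options FollowSymlinks
-AllowOverride All
-</Directory>
-'';
-description = ''
-These lines go to httpd.conf verbatim. They will go after
-directories and directory aliases defined by default.
-'';
-};
-
-enableUserDir = mkOption {
-type = types.bool;
-default = false;
-description = ''
-Whether to enable serving <filename>~/public_html</filename> as
-<literal>/~<replaceable>username</replaceable></literal>.
-'';
-};
-
-globalRedirect = mkOption {
-type = types.nullOr types.str;
-default = null;
-example = http://newserver.example.org/;
-description = ''
-If set, all requests for this host are redirected permanently to
-the given URL.
-'';
-};
-
-logFormat = mkOption {
-type = types.str;
-default = "common";
-example = "combined";
-description = ''
-Log format for Apache's log files. Possible values are: combined, common, referer, agent.
-'';
-};
-
-robotsEntries = mkOption {
-type = types.lines;
-default = "";
-example = "Disallow: /foo/";
-description = ''
-Specification of pages to be ignored by web crawlers. See <link
-xlink:href='http://www.robotstxt.org/'/> for details.
-'';
-};
-
-locations = mkOption {
-type = with types; attrsOf (submodule (import ./location-options.nix));
-default = {};
-example = literalExample ''
-{
-"/" = {
-proxyPass = "http://localhost:3000";
-};
-"/foo/bar.png" = {
-alias = "/home/eelco/some-file.png";
-};
-};
-'';
-description = ''
-Declarative location config. See <link
-xlink:href="https://httpd.apache.org/docs/2.4/mod/core.html#location"/> for details.
-'';
-};
-
-};
-
-config = {
-
-locations = builtins.listToAttrs (map (elem: nameValuePair elem.urlPath { alias = elem.file; }) config.servedFiles);
-
-};
-}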