author | Ismaël Bouya <ismael.bouya@normalesup.org> | 2020-04-04 03:18:40 +0200 |
---|---|---|
committer | Ismaël Bouya <ismael.bouya@normalesup.org> | 2020-04-25 00:04:53 +0200 |
commit | 27794e1507ab5bd4b0f31278cf8049854790e4a7 (patch) | |
tree | 99dfc96ea31dfa4a5b3995edeac1e4aa9aa37f70 /modules/websites/default.nix | |
parent | 72300eb8116c960935a462564d96db6fac355bca (diff) | |
Prepare upgrade to nixos 20.03
Diffstat (limited to 'modules/websites/default.nix')
-rw-r--r-- | modules/websites/default.nix | 58 |
1 files changed, 28 insertions, 30 deletions
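--- a/modules/websites/default.nix
+++ b/modules/websites/default.nix
@@ -82,6 +82,14 @@ in
 certName = mkOption { type = str; };
 hosts = mkOption { type = listOf str; };
 root = mkOption { type = nullOr path; };
+forceSSL = mkOption {
+type = bool;
+default = true;
+description = ''
+Automatically create a corresponding non-ssl vhost
+that will only redirect to the ssl version
+'';
+};
 extraConfig = mkOption { type = listOf lines; default = []; };
 };
 };
@@ -115,6 +123,14 @@ in
 };
 hosts = mkOption { type = listOf str; };
 root = mkOption { type = nullOr path; };
+forceSSL = mkOption {
+type = bool;
+default = true;
+description = ''
+Automatically create a corresponding non-ssl vhost
+that will only redirect to the ssl version
+'';
+};
 extraConfig = mkOption { type = listOf lines; default = []; };
 };
 });
@@ -143,26 +159,9 @@ in
 };
 
 config.services.httpd = let
-redirectVhost = ips: { # Should go last, catchall http -> https redirect
-listen = map (ip: { inherit ip; port = 80; }) ips;
-hostName = "redirectSSL";
-serverAliases = [ "*" ];
-enableSSL = false;
-logFormat = "combinedVhost";
-documentRoot = "/var/lib/acme/acme-challenge";
-extraConfig = ''
-RewriteEngine on
-RewriteCond "%{REQUEST_URI}" "!^/\.well-known"
-RewriteRule ^(.+) https://%{HTTP_HOST}$1 [R=301]
-# To redirect in specific "VirtualHost *:80", do
-# RedirectMatch 301 ^/((?!\.well-known.*$).*)$ https://host/$1
-# rather than rewrite
-'';
-};
 nosslVhost = ips: cfg: {
 listen = map (ip: { inherit ip; port = 80; }) ips;
 hostName = cfg.host;
-enableSSL = false;
 logFormat = "combinedVhost";
 documentRoot = cfg.root;
 extraConfig = ''
@@ -177,19 +176,18 @@ in
 '';
 };
 toVhost = ips: vhostConf: {
-enableSSL = true;
-sslServerCert = "${config.security.acme.certs."${vhostConf.certName}".directory}/cert.pem";
-sslServerKey = "${config.security.acme.certs."${vhostConf.certName}".directory}/key.pem";
-sslServerChain = "${config.security.acme.certs."${vhostConf.certName}".directory}/chain.pem";
+forceSSL = vhostConf.forceSSL or true;
+useACMEHost = vhostConf.certName;
 logFormat = "combinedVhost";
-listen = map (ip: { inherit ip; port = 443; }) ips;
+listen = if vhostConf.forceSSL
+then lists.flatten (map (ip: [{ inherit ip; port = 443; ssl = true; } { inherit ip; port = 80; }]) ips)
+else map (ip: { inherit ip; port = 443; ssl = true; }) ips;
 hostName = builtins.head vhostConf.hosts;
 serverAliases = builtins.tail vhostConf.hosts or [];
 documentRoot = vhostConf.root;
 extraConfig = builtins.concatStringsSep "\n" vhostConf.extraConfig;
 };
 toVhostNoSSL = ips: vhostConf: {
-enableSSL = false;
 logFormat = "combinedVhost";
 listen = map (ip: { inherit ip; port = 80; }) ips;
 hostName = builtins.head vhostConf.hosts;
@@ -200,8 +198,6 @@ in
 in attrsets.mapAttrs' (name: icfg: attrsets.nameValuePair
 icfg.httpdName (mkIf icfg.enable {
 enable = true;
-listen = map (ip: { inherit ip; port = 443; }) icfg.ips;
-stateDir = "/run/httpd_${name}";
 logPerVirtualHost = true;
 multiProcessingModule = "worker";
 # https://ssl-config.mozilla.org/#server=apache&version=2.4.41&config=intermediate&openssl=1.0.2t&guideline=5.4
@@ -216,11 +212,13 @@ in
 logFormat = "combinedVhost";
 extraModules = lists.unique icfg.modules;
 extraConfig = builtins.concatStringsSep "\n" icfg.extraConfig;
-virtualHosts = [ (toVhost icfg.ips icfg.fallbackVhost) ]
-++ optionals (icfg.nosslVhost.enable) [ (nosslVhost icfg.ips icfg.nosslVhost) ]
-++ (attrsets.mapAttrsToList (n: v: toVhostNoSSL icfg.ips v) icfg.vhostNoSSLConfs)
-++ (attrsets.mapAttrsToList (n: v: toVhost icfg.ips v) icfg.vhostConfs)
-++ [ (redirectVhost icfg.ips) ];
+
+virtualHosts = with attrsets; {
+___fallbackVhost = toVhost icfg.ips icfg.fallbackVhost;
+} // (optionalAttrs icfg.nosslVhost.enable {
+nosslVhost = nosslVhost icfg.ips icfg.nosslVhost;
+}) // (mapAttrs' (n: v: nameValuePair ("nossl_" + n) (toVhostNoSSL icfg.ips v)) icfg.vhostNoSSLConfs)
+// (mapAttrs' (n: v: nameValuePair ("ssl_" + n) (toVhost icfg.ips v)) icfg.vhostConfs);
 })
 ) cfg.env;
 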
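Review bot: With the catch-all `redirectVhost` (`serverAliases = [ "*" ]`) removed, a port-80 request whose Host header matches no vhost is now answered by whichever vhost Apache defines first for that address, and the new `virtualHosts` attrset relies on `___fallbackVhost` sorting ahead of `nosslVhost`, `nossl_*` and `ssl_*` to keep that default role; that ordering is implicit and should be stated on the `___fallbackVhost` line, e.g. `# Leading underscores: vhosts are emitted in attribute-name order, so this one is defined first and is Apache's default for unmatched Host headers on :80 and :443`. The old redirect vhost also served `/var/lib/acme/acme-challenge` over plain HTTP and exempted `/.well-known` from the 301; the new side drops both and presumably relies on the 20.03 httpd module adding the ACME challenge alias to the port-80 vhost when `useACMEHost` is set — worth confirming, because a gap here only surfaces at certificate renewal. Minor: `forceSSL = vhostConf.forceSSL or true;` tolerates a missing attribute while `listen = if vhostConf.forceSSL` two lines below would throw on one; since the option now carries `default = true`, `forceSSL = vhostConf.forceSSL;` is sufficient and consistent. `toVhost` lies entirely within its hunk, but the enclosing `config.services.httpd = let … in` block spans several hunks and its end is outside this view.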