Diffstat (limited to 'modules/websites/default.nix')
-rw-r--r--modules/websites/default.nix58
1 files changed, 28 insertions, 30 deletions
diff --git a/modules/websites/default.nix b/modules/websites/default.nix
index 3f46e65d..d5a0f635 100644
--- a/modules/websites/default.nix
+++ b/modules/websites/default.nix
@@ -82,6 +82,14 @@ in
82 certName = mkOption { type = str; }; 82 certName = mkOption { type = str; };
83 hosts = mkOption { type = listOf str; }; 83 hosts = mkOption { type = listOf str; };
84 root = mkOption { type = nullOr path; }; 84 root = mkOption { type = nullOr path; };
85 forceSSL = mkOption {
86 type = bool;
87 default = true;
88 description = ''
89 Automatically create a corresponding non-ssl vhost
90 that will only redirect to the ssl version
91 '';
92 };
85 extraConfig = mkOption { type = listOf lines; default = []; }; 93 extraConfig = mkOption { type = listOf lines; default = []; };
86 }; 94 };
87 }; 95 };
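Review bot: The `forceSSL` option block added here is declared verbatim a second time in the next hunk (`@@ -115,6 +123,14 @@`); binding it once in the file's `let`, `forceSSLOption = mkOption { type = bool; default = true; description = ''…''; };`, and writing `forceSSL = forceSSLOption;` in both submodules keeps the two copies from drifting. The description only mentions the redirect vhost, but `toVhost` in a later hunk also adds a port-80 listener when this is true, so the text could say so: `Also listen on port 80 so the redirect can be served.` The enclosing option set begins outside the hunk.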
@@ -115,6 +123,14 @@ in
115 }; 123 };
116 hosts = mkOption { type = listOf str; }; 124 hosts = mkOption { type = listOf str; };
117 root = mkOption { type = nullOr path; }; 125 root = mkOption { type = nullOr path; };
126 forceSSL = mkOption {
127 type = bool;
128 default = true;
129 description = ''
130 Automatically create a corresponding non-ssl vhost
131 that will only redirect to the ssl version
132 '';
133 };
118 extraConfig = mkOption { type = listOf lines; default = []; }; 134 extraConfig = mkOption { type = listOf lines; default = []; };
119 }; 135 };
120 }); 136 });
@@ -143,26 +159,9 @@ in
143 }; 159 };
144 160
145 config.services.httpd = let 161 config.services.httpd = let
146 redirectVhost = ips: { # Should go last, catchall http -> https redirect
147 listen = map (ip: { inherit ip; port = 80; }) ips;
148 hostName = "redirectSSL";
149 serverAliases = [ "*" ];
150 enableSSL = false;
151 logFormat = "combinedVhost";
152 documentRoot = "/var/lib/acme/acme-challenge";
153 extraConfig = ''
154 RewriteEngine on
155 RewriteCond "%{REQUEST_URI}" "!^/\.well-known"
156 RewriteRule ^(.+) https://%{HTTP_HOST}$1 [R=301]
157 # To redirect in specific "VirtualHost *:80", do
158 # RedirectMatch 301 ^/((?!\.well-known.*$).*)$ https://host/$1
159 # rather than rewrite
160 '';
161 };
162 nosslVhost = ips: cfg: { 162 nosslVhost = ips: cfg: {
163 listen = map (ip: { inherit ip; port = 80; }) ips; 163 listen = map (ip: { inherit ip; port = 80; }) ips;
164 hostName = cfg.host; 164 hostName = cfg.host;
165 enableSSL = false;
166 logFormat = "combinedVhost"; 165 logFormat = "combinedVhost";
167 documentRoot = cfg.root; 166 documentRoot = cfg.root;
168 extraConfig = '' 167 extraConfig = ''
@@ -177,19 +176,18 @@ in
177 ''; 176 '';
178 }; 177 };
179 toVhost = ips: vhostConf: { 178 toVhost = ips: vhostConf: {
180 enableSSL = true; 179 forceSSL = vhostConf.forceSSL or true;
181 sslServerCert = "${config.security.acme.certs."${vhostConf.certName}".directory}/cert.pem"; 180 useACMEHost = vhostConf.certName;
182 sslServerKey = "${config.security.acme.certs."${vhostConf.certName}".directory}/key.pem";
183 sslServerChain = "${config.security.acme.certs."${vhostConf.certName}".directory}/chain.pem";
184 logFormat = "combinedVhost"; 181 logFormat = "combinedVhost";
185 listen = map (ip: { inherit ip; port = 443; }) ips; 182 listen = if vhostConf.forceSSL
183 then lists.flatten (map (ip: [{ inherit ip; port = 443; ssl = true; } { inherit ip; port = 80; }]) ips)
184 else map (ip: { inherit ip; port = 443; ssl = true; }) ips;
186 hostName = builtins.head vhostConf.hosts; 185 hostName = builtins.head vhostConf.hosts;
187 serverAliases = builtins.tail vhostConf.hosts or []; 186 serverAliases = builtins.tail vhostConf.hosts or [];
188 documentRoot = vhostConf.root; 187 documentRoot = vhostConf.root;
189 extraConfig = builtins.concatStringsSep "\n" vhostConf.extraConfig; 188 extraConfig = builtins.concatStringsSep "\n" vhostConf.extraConfig;
190 }; 189 };
191 toVhostNoSSL = ips: vhostConf: { 190 toVhostNoSSL = ips: vhostConf: {
192 enableSSL = false;
193 logFormat = "combinedVhost"; 191 logFormat = "combinedVhost";
194 listen = map (ip: { inherit ip; port = 80; }) ips; 192 listen = map (ip: { inherit ip; port = 80; }) ips;
195 hostName = builtins.head vhostConf.hosts; 193 hostName = builtins.head vhostConf.hosts;
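Review bot: `forceSSL = vhostConf.forceSSL or true;` on new line 179 re-defaults a value the option already declares with `default = true` (earlier hunks), while the `listen` expression two lines below reads `vhostConf.forceSSL` with no fallback; use one form, `forceSSL = vhostConf.forceSSL;`, so the two cannot disagree. Replacing the explicit `sslServerCert`/`sslServerKey`/`sslServerChain` paths with `useACMEHost = vhostConf.certName` moves the key-file access question into the httpd module: the httpd service user still needs read access to that certificate's directory, and nothing in this diff shows that the module or `security.acme.certs.<certName>.group` grants it, so confirm it on a host with this change applied. `toVhostNoSSL` continues past the end of the hunk.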
@@ -200,8 +198,6 @@ in
200 in attrsets.mapAttrs' (name: icfg: attrsets.nameValuePair 198 in attrsets.mapAttrs' (name: icfg: attrsets.nameValuePair
201 icfg.httpdName (mkIf icfg.enable { 199 icfg.httpdName (mkIf icfg.enable {
202 enable = true; 200 enable = true;
203 listen = map (ip: { inherit ip; port = 443; }) icfg.ips;
204 stateDir = "/run/httpd_${name}";
205 logPerVirtualHost = true; 201 logPerVirtualHost = true;
206 multiProcessingModule = "worker"; 202 multiProcessingModule = "worker";
207 # https://ssl-config.mozilla.org/#server=apache&version=2.4.41&config=intermediate&openssl=1.0.2t&guideline=5.4 203 # https://ssl-config.mozilla.org/#server=apache&version=2.4.41&config=intermediate&openssl=1.0.2t&guideline=5.4
@@ -216,11 +212,13 @@ in
216 logFormat = "combinedVhost"; 212 logFormat = "combinedVhost";
217 extraModules = lists.unique icfg.modules; 213 extraModules = lists.unique icfg.modules;
218 extraConfig = builtins.concatStringsSep "\n" icfg.extraConfig; 214 extraConfig = builtins.concatStringsSep "\n" icfg.extraConfig;
219 virtualHosts = [ (toVhost icfg.ips icfg.fallbackVhost) ] 215
220 ++ optionals (icfg.nosslVhost.enable) [ (nosslVhost icfg.ips icfg.nosslVhost) ] 216 virtualHosts = with attrsets; {
221 ++ (attrsets.mapAttrsToList (n: v: toVhostNoSSL icfg.ips v) icfg.vhostNoSSLConfs) 217 ___fallbackVhost = toVhost icfg.ips icfg.fallbackVhost;
222 ++ (attrsets.mapAttrsToList (n: v: toVhost icfg.ips v) icfg.vhostConfs) 218 } // (optionalAttrs icfg.nosslVhost.enable {
223 ++ [ (redirectVhost icfg.ips) ]; 219 nosslVhost = nosslVhost icfg.ips icfg.nosslVhost;
220 }) // (mapAttrs' (n: v: nameValuePair ("nossl_" + n) (toVhostNoSSL icfg.ips v)) icfg.vhostNoSSLConfs)
221 // (mapAttrs' (n: v: nameValuePair ("ssl_" + n) (toVhost icfg.ips v)) icfg.vhostConfs);
224 }) 222 })
225 ) cfg.env; 223 ) cfg.env;
226 224
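Review bot: With `redirectVhost` dropped from the list, the new `virtualHosts` set has no catch-all for port-80 requests whose Host header matches no vhost, and the removed vhost's `RewriteCond "%{REQUEST_URI}" "!^/\.well-known"` exemption that kept ACME http-01 challenges reachable on port 80 is gone with it. Confirm that the httpd module's `forceSSL`/`useACMEHost` handling serves the challenge directory (the old vhost used `/var/lib/acme/acme-challenge`) ahead of the redirect; if it does not, renewals fail once the current certificates expire. The `___fallbackVhost` name deserves a comment, since it only works because attribute sets are emitted in name order and `_` sorts before lowercase letters: `# Leading underscores: sorts first, so this becomes Apache's default vhost for each address:port`. The `nosslVhost` and `nossl_*` entries serve plain HTTP by design and are unaffected.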