From 24fd1fe6c62b7a9fc347794fde043285da272f5c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Isma=C3=ABl=20Bouya?= Date: Thu, 13 Dec 2018 21:25:24 +0100 Subject: Initial commit published for NUR --- modules/default.nix | 13 + modules/myids.nix | 22 + modules/secrets.nix | 61 +++ modules/webapps/diaspora.nix | 171 +++++++ modules/webapps/etherpad-lite.nix | 158 ++++++ modules/webapps/mastodon.nix | 223 +++++++++ modules/webapps/mediagoblin.nix | 237 +++++++++ modules/webapps/peertube.nix | 105 ++++ modules/webapps/webstats/default.nix | 81 ++++ modules/webapps/webstats/goaccess.conf | 99 ++++ modules/websites/default.nix | 199 ++++++++ modules/websites/httpd-service-builder.nix | 746 +++++++++++++++++++++++++++++ modules/websites/nosslVhost/index.html | 11 + 13 files changed, 2126 insertions(+) create mode 100644 modules/default.nix create mode 100644 modules/myids.nix create mode 100644 modules/secrets.nix create mode 100644 modules/webapps/diaspora.nix create mode 100644 modules/webapps/etherpad-lite.nix create mode 100644 modules/webapps/mastodon.nix create mode 100644 modules/webapps/mediagoblin.nix create mode 100644 modules/webapps/peertube.nix create mode 100644 modules/webapps/webstats/default.nix create mode 100644 modules/webapps/webstats/goaccess.conf create mode 100644 modules/websites/default.nix create mode 100644 modules/websites/httpd-service-builder.nix create mode 100644 modules/websites/nosslVhost/index.html (limited to 'modules') diff --git a/modules/default.nix b/modules/default.nix new file mode 100644 index 00000000..acb0bb51 --- /dev/null +++ b/modules/default.nix @@ -0,0 +1,13 @@ +{ + myids = ./myids.nix; + secrets = ./secrets.nix; + + webstats = ./webapps/webstats; + diaspora = ./webapps/diaspora.nix; + etherpad-lite = ./webapps/etherpad-lite.nix; + mastodon = ./webapps/mastodon.nix; + mediagoblin = ./webapps/mediagoblin.nix; + peertube = ./webapps/peertube.nix; + + websites = ./websites; +} // (if builtins.pathExists ./private then import ./private else {}) diff --git a/modules/myids.nix b/modules/myids.nix new file mode 100644 index 00000000..4fb26269 --- /dev/null +++ b/modules/myids.nix @@ -0,0 +1,22 @@ +{ ... }: +{ + # Check that there is no clash with nixos/modules/misc/ids.nix + config = { + ids.uids = { + peertube = 394; + redis = 395; + nullmailer = 396; + mediagoblin = 397; + diaspora = 398; + mastodon = 399; + }; + ids.gids = { + peertube = 394; + redis = 395; + nullmailer = 396; + mediagoblin = 397; + diaspora = 398; + mastodon = 399; + }; + }; +} diff --git a/modules/secrets.nix b/modules/secrets.nix new file mode 100644 index 00000000..b282e56e --- /dev/null +++ b/modules/secrets.nix @@ -0,0 +1,61 @@ +{ lib, pkgs, config, ... }: +{ + options.secrets = { + keys = lib.mkOption { + type = lib.types.listOf lib.types.unspecified; + default = []; + description = "Keys to upload to server"; + }; + location = lib.mkOption { + type = lib.types.path; + default = "/var/secrets"; + description = "Location where to put the keys"; + }; + }; + config = let + location = config.secrets.location; + keys = config.secrets.keys; + empty = pkgs.runCommand "empty" { preferLocalBuild = true; } "mkdir -p $out && touch $out/done"; + dumpKey = v: '' + mkdir -p secrets/$(dirname ${v.dest}) + echo -n ${lib.strings.escapeShellArg v.text} > secrets/${v.dest} + cat >> mods < 0) { + system.activationScripts.secrets = { + deps = [ "users" "wrappers" ]; + text = '' + install -m0750 -o root -g keys -d ${location} + if [ -f /run/keys/secrets.tar ]; then + if [ ! -f ${location}/currentSecrets ] || ! sha512sum -c --status "${location}/currentSecrets"; then + echo "rebuilding secrets" + rm -rf ${location} + install -m0750 -o root -g keys -d ${location} + ${pkgs.gnutar}/bin/tar --strip-components 1 -C ${location} -xf /run/keys/secrets.tar + sha512sum /run/keys/secrets.tar > ${location}/currentSecrets + find ${location} -type d -exec chown root:keys {} \; -exec chmod o-rx {} \; + fi + fi + ''; + }; + deployment.keys."secrets.tar" = { + permissions = "0400"; + # keyFile below is not evaluated at build time by nixops, so the + # `secrets` path doesn’t necessarily exist when uploading the + # keys, and nixops is unhappy. + user = "root${builtins.substring 10000 1 secrets}"; + group = "root"; + keyFile = "${secrets}"; + }; + }; +} diff --git a/modules/webapps/diaspora.nix b/modules/webapps/diaspora.nix new file mode 100644 index 00000000..65599b73 --- /dev/null +++ b/modules/webapps/diaspora.nix @@ -0,0 +1,171 @@ +{ lib, pkgs, config, ... }: +let + name = "diaspora"; + cfg = config.services.diaspora; + + uid = config.ids.uids.diaspora; + gid = config.ids.gids.diaspora; +in +{ + options.services.diaspora = { + enable = lib.mkEnableOption "Enable Diaspora’s service"; + user = lib.mkOption { + type = lib.types.str; + default = name; + description = "User account under which Diaspora runs"; + }; + group = lib.mkOption { + type = lib.types.str; + default = name; + description = "Group under which Diaspora runs"; + }; + adminEmail = lib.mkOption { + type = lib.types.str; + example = "admin@example.com"; + description = "Admin e-mail for Diaspora"; + }; + dataDir = lib.mkOption { + type = lib.types.path; + default = "/var/lib/${name}"; + description = '' + The directory where Diaspora stores its data. + ''; + }; + socketsDir = lib.mkOption { + type = lib.types.path; + default = "/run/${name}"; + description = '' + The directory where Diaspora puts runtime files and sockets. + ''; + }; + configDir = lib.mkOption { + type = lib.types.path; + description = '' + The configuration path for Diaspora. + ''; + }; + package = lib.mkOption { + type = lib.types.package; + default = pkgs.webapps.diaspora; + description = '' + Diaspora package to use. + ''; + }; + # Output variables + systemdStateDirectory = lib.mkOption { + type = lib.types.str; + # Use ReadWritePaths= instead if varDir is outside of /var/lib + default = assert lib.strings.hasPrefix "/var/lib/" cfg.dataDir; + lib.strings.removePrefix "/var/lib/" cfg.dataDir; + description = '' + Adjusted Diaspora data directory for systemd + ''; + readOnly = true; + }; + systemdRuntimeDirectory = lib.mkOption { + type = lib.types.str; + # Use ReadWritePaths= instead if socketsDir is outside of /run + default = assert lib.strings.hasPrefix "/run/" cfg.socketsDir; + lib.strings.removePrefix "/run/" cfg.socketsDir; + description = '' + Adjusted Diaspora sockets directory for systemd + ''; + readOnly = true; + }; + workdir = lib.mkOption { + type = lib.types.package; + default = cfg.package.override { + varDir = cfg.dataDir; + podmin_email = cfg.adminEmail; + config_dir = cfg.configDir; + }; + description = '' + Adjusted diaspora package with overriden values + ''; + readOnly = true; + }; + sockets = lib.mkOption { + type = lib.types.attrsOf lib.types.path; + default = { + rails = "${cfg.socketsDir}/diaspora.sock"; + eye = "${cfg.socketsDir}/eye.sock"; + }; + readOnly = true; + description = '' + Diaspora sockets + ''; + }; + pids = lib.mkOption { + type = lib.types.attrsOf lib.types.path; + default = { + eye = "${cfg.socketsDir}/eye.pid"; + }; + readOnly = true; + description = '' + Diaspora pids + ''; + }; + }; + + config = lib.mkIf cfg.enable { + users.users = lib.optionalAttrs (cfg.user == name) (lib.singleton { + inherit name; + inherit uid; + group = cfg.group; + description = "Diaspora user"; + home = cfg.dataDir; + packages = [ cfg.workdir.gems pkgs.nodejs cfg.workdir.gems.ruby ]; + useDefaultShell = true; + }); + users.groups = lib.optionalAttrs (cfg.group == name) (lib.singleton { + inherit name; + inherit gid; + }); + + systemd.services.diaspora = { + description = "Diaspora"; + wantedBy = [ "multi-user.target" ]; + after = [ + "network.target" "redis.service" "postgresql.service" + ]; + wants = [ + "redis.service" "postgresql.service" + ]; + + environment.RAILS_ENV = "production"; + environment.BUNDLE_PATH = "${cfg.workdir.gems}/${cfg.workdir.gems.ruby.gemPath}"; + environment.BUNDLE_GEMFILE = "${cfg.workdir.gems.confFiles}/Gemfile"; + environment.EYE_SOCK = cfg.sockets.eye; + environment.EYE_PID = cfg.pids.eye; + + path = [ cfg.workdir.gems pkgs.nodejs cfg.workdir.gems.ruby pkgs.curl pkgs.which pkgs.gawk ]; + + preStart = '' + install -m 0755 -d ${cfg.dataDir}/uploads ${cfg.dataDir}/tmp ${cfg.dataDir}/log + install -m 0700 -d ${cfg.dataDir}/tmp/pids + if [ ! -f ${cfg.dataDir}/schedule.yml ]; then + echo "{}" > ${cfg.dataDir}/schedule.yml + fi + ./bin/bundle exec rails db:migrate + ''; + + script = '' + exec ${cfg.workdir}/script/server + ''; + + serviceConfig = { + User = cfg.user; + PrivateTmp = true; + Restart = "always"; + Type = "simple"; + WorkingDirectory = cfg.workdir; + StateDirectory = cfg.systemdStateDirectory; + RuntimeDirectory = cfg.systemdRuntimeDirectory; + StandardInput = "null"; + KillMode = "control-group"; + }; + + unitConfig.RequiresMountsFor = cfg.dataDir; + }; + }; +} diff --git a/modules/webapps/etherpad-lite.nix b/modules/webapps/etherpad-lite.nix new file mode 100644 index 00000000..7f0e2ed4 --- /dev/null +++ b/modules/webapps/etherpad-lite.nix @@ -0,0 +1,158 @@ +{ lib, pkgs, config, ... }: +let + name = "etherpad-lite"; + cfg = config.services.etherpad-lite; + + uid = config.ids.uids.etherpad-lite; + gid = config.ids.gids.etherpad-lite; +in +{ + options.services.etherpad-lite = { + enable = lib.mkEnableOption "Enable Etherpad lite’s service"; + user = lib.mkOption { + type = lib.types.str; + default = name; + description = "User account under which Etherpad lite runs"; + }; + group = lib.mkOption { + type = lib.types.str; + default = name; + description = "Group under which Etherpad lite runs"; + }; + dataDir = lib.mkOption { + type = lib.types.path; + default = "/var/lib/${name}"; + description = '' + The directory where Etherpad lite stores its data. + ''; + }; + socketsDir = lib.mkOption { + type = lib.types.path; + default = "/run/${name}"; + description = '' + The directory where Etherpad lite stores its sockets. + ''; + }; + configFile = lib.mkOption { + type = lib.types.path; + description = '' + The config file path for Etherpad lite. + ''; + }; + sessionKeyFile = lib.mkOption { + type = lib.types.path; + description = '' + The Session key file path for Etherpad lite. + ''; + }; + apiKeyFile = lib.mkOption { + type = lib.types.path; + description = '' + The API key file path for Etherpad lite. + ''; + }; + package = lib.mkOption { + type = lib.types.package; + default = pkgs.webapps.etherpad-lite; + description = '' + Etherpad lite package to use. + ''; + }; + modules = lib.mkOption { + type = lib.types.listOf lib.types.package; + default = []; + description = '' + Etherpad lite modules to use. + ''; + }; + # Output variables + workdir = lib.mkOption { + type = lib.types.package; + default = cfg.package.withModules cfg.modules; + description = '' + Adjusted Etherpad lite package with plugins + ''; + readOnly = true; + }; + systemdStateDirectory = lib.mkOption { + type = lib.types.str; + # Use ReadWritePaths= instead if varDir is outside of /var/lib + default = assert lib.strings.hasPrefix "/var/lib/" cfg.dataDir; + lib.strings.removePrefix "/var/lib/" cfg.dataDir; + description = '' + Adjusted Etherpad lite data directory for systemd + ''; + readOnly = true; + }; + systemdRuntimeDirectory = lib.mkOption { + type = lib.types.str; + # Use ReadWritePaths= instead if socketsDir is outside of /run + default = assert lib.strings.hasPrefix "/run/" cfg.socketsDir; + lib.strings.removePrefix "/run/" cfg.socketsDir; + description = '' + Adjusted Etherpad lite sockets directory for systemd + ''; + readOnly = true; + }; + sockets = lib.mkOption { + type = lib.types.attrsOf lib.types.path; + default = { + node = "${cfg.socketsDir}/etherpad-lite.sock"; + }; + readOnly = true; + description = '' + Etherpad lite sockets + ''; + }; + }; + + config = lib.mkIf cfg.enable { + systemd.services.etherpad-lite = { + description = "Etherpad-lite"; + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" "postgresql.service" ]; + wants = [ "postgresql.service" ]; + + environment.NODE_ENV = "production"; + environment.HOME = cfg.workdir; + + path = [ pkgs.nodejs ]; + + script = '' + exec ${pkgs.nodejs}/bin/node ${cfg.workdir}/src/node/server.js \ + --sessionkey ${cfg.sessionKeyFile} \ + --apikey ${cfg.apiKeyFile} \ + --settings ${cfg.configFile} + ''; + + postStart = '' + while [ ! -S ${cfg.sockets.node} ]; do + sleep 0.5 + done + chmod a+w ${cfg.sockets.node} + ''; + serviceConfig = { + DynamicUser = true; + User = cfg.user; + Group = cfg.group; + WorkingDirectory = cfg.workdir; + PrivateTmp = true; + NoNewPrivileges = true; + PrivateDevices = true; + ProtectHome = true; + ProtectControlGroups = true; + ProtectKernelModules = true; + Restart = "always"; + Type = "simple"; + TimeoutSec = 60; + RuntimeDirectory = cfg.systemdRuntimeDirectory; + StateDirectory= cfg.systemdStateDirectory; + ExecStartPre = [ + "+${pkgs.coreutils}/bin/install -d -m 0755 -o ${cfg.user} -g ${cfg.group} ${cfg.dataDir}/ep_initialized" + "+${pkgs.coreutils}/bin/chown -R ${cfg.user}:${cfg.group} ${cfg.dataDir} ${cfg.configFile} ${cfg.sessionKeyFile} ${cfg.apiKeyFile}" + ]; + }; + }; + + }; +} diff --git a/modules/webapps/mastodon.nix b/modules/webapps/mastodon.nix new file mode 100644 index 00000000..6255de91 --- /dev/null +++ b/modules/webapps/mastodon.nix @@ -0,0 +1,223 @@ +{ lib, pkgs, config, ... }: +let + name = "mastodon"; + cfg = config.services.mastodon; + + uid = config.ids.uids.mastodon; + gid = config.ids.gids.mastodon; +in +{ + options.services.mastodon = { + enable = lib.mkEnableOption "Enable Mastodon’s service"; + user = lib.mkOption { + type = lib.types.str; + default = name; + description = "User account under which Mastodon runs"; + }; + group = lib.mkOption { + type = lib.types.str; + default = name; + description = "Group under which Mastodon runs"; + }; + dataDir = lib.mkOption { + type = lib.types.path; + default = "/var/lib/${name}"; + description = '' + The directory where Mastodon stores its data. + ''; + }; + socketsPrefix = lib.mkOption { + type = lib.types.string; + default = "live"; + description = '' + The prefix to use for Mastodon sockets. + ''; + }; + socketsDir = lib.mkOption { + type = lib.types.path; + default = "/run/${name}"; + description = '' + The directory where Mastodon puts runtime files and sockets. + ''; + }; + configFile = lib.mkOption { + type = lib.types.path; + description = '' + The configuration file path for Mastodon. + ''; + }; + package = lib.mkOption { + type = lib.types.package; + default = pkgs.webapps.mastodon; + description = '' + Mastodon package to use. + ''; + }; + # Output variables + workdir = lib.mkOption { + type = lib.types.package; + default = cfg.package.override { varDir = cfg.dataDir; }; + description = '' + Adjusted mastodon package with overriden varDir + ''; + readOnly = true; + }; + systemdStateDirectory = lib.mkOption { + type = lib.types.str; + # Use ReadWritePaths= instead if varDir is outside of /var/lib + default = assert lib.strings.hasPrefix "/var/lib/" cfg.dataDir; + lib.strings.removePrefix "/var/lib/" cfg.dataDir; + description = '' + Adjusted Mastodon data directory for systemd + ''; + readOnly = true; + }; + systemdRuntimeDirectory = lib.mkOption { + type = lib.types.str; + # Use ReadWritePaths= instead if socketsDir is outside of /run + default = assert lib.strings.hasPrefix "/run/" cfg.socketsDir; + lib.strings.removePrefix "/run/" cfg.socketsDir; + description = '' + Adjusted Mastodon sockets directory for systemd + ''; + readOnly = true; + }; + sockets = lib.mkOption { + type = lib.types.attrsOf lib.types.path; + default = { + node = "${cfg.socketsDir}/${cfg.socketsPrefix}_node.sock"; + rails = "${cfg.socketsDir}/${cfg.socketsPrefix}_puma.sock"; + }; + readOnly = true; + description = '' + Mastodon sockets + ''; + }; + }; + + config = lib.mkIf cfg.enable { + users.users = lib.optionalAttrs (cfg.user == name) (lib.singleton { + inherit name; + inherit uid; + group = cfg.group; + description = "Mastodon user"; + home = cfg.dataDir; + useDefaultShell = true; + }); + users.groups = lib.optionalAttrs (cfg.group == name) (lib.singleton { + inherit name; + inherit gid; + }); + + systemd.services.mastodon-streaming = { + description = "Mastodon Streaming"; + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" "mastodon-web.service" ]; + + environment.NODE_ENV = "production"; + environment.SOCKET = cfg.sockets.node; + + path = [ pkgs.nodejs pkgs.bashInteractive ]; + + script = '' + exec npm run start + ''; + + postStart = '' + while [ ! -S $SOCKET ]; do + sleep 0.5 + done + chmod a+w $SOCKET + ''; + + postStop = '' + rm $SOCKET + ''; + + serviceConfig = { + User = cfg.user; + EnvironmentFile = cfg.configFile; + PrivateTmp = true; + Restart = "always"; + TimeoutSec = 15; + Type = "simple"; + WorkingDirectory = cfg.workdir; + StateDirectory = cfg.systemdStateDirectory; + RuntimeDirectory = cfg.systemdRuntimeDirectory; + RuntimeDirectoryPreserve = "yes"; + }; + + unitConfig.RequiresMountsFor = cfg.dataDir; + }; + + systemd.services.mastodon-web = { + description = "Mastodon Web app"; + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + + environment.RAILS_ENV = "production"; + environment.BUNDLE_PATH = "${cfg.workdir.gems}/${cfg.workdir.gems.ruby.gemPath}"; + environment.BUNDLE_GEMFILE = "${cfg.workdir.gems.confFiles}/Gemfile"; + environment.SOCKET = cfg.sockets.rails; + + path = [ cfg.workdir.gems cfg.workdir.gems.ruby pkgs.file ]; + + preStart = '' + install -m 0755 -d ${cfg.dataDir}/tmp/cache + ./bin/bundle exec rails db:migrate + ''; + + script = '' + exec ./bin/bundle exec puma -C config/puma.rb + ''; + + serviceConfig = { + User = cfg.user; + EnvironmentFile = cfg.configFile; + PrivateTmp = true; + Restart = "always"; + TimeoutSec = 60; + Type = "simple"; + WorkingDirectory = cfg.workdir; + StateDirectory = cfg.systemdStateDirectory; + RuntimeDirectory = cfg.systemdRuntimeDirectory; + RuntimeDirectoryPreserve = "yes"; + }; + + unitConfig.RequiresMountsFor = cfg.dataDir; + }; + + systemd.services.mastodon-sidekiq = { + description = "Mastodon Sidekiq"; + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" "mastodon-web.service" ]; + + environment.RAILS_ENV="production"; + environment.BUNDLE_PATH = "${cfg.workdir.gems}/${cfg.workdir.gems.ruby.gemPath}"; + environment.BUNDLE_GEMFILE = "${cfg.workdir.gems.confFiles}/Gemfile"; + environment.DB_POOL="5"; + + path = [ cfg.workdir.gems cfg.workdir.gems.ruby pkgs.imagemagick pkgs.ffmpeg pkgs.file ]; + + script = '' + exec ./bin/bundle exec sidekiq -c 5 -q default -q mailers -q pull -q push + ''; + + serviceConfig = { + User = cfg.user; + EnvironmentFile = cfg.configFile; + PrivateTmp = true; + Restart = "always"; + TimeoutSec = 15; + Type = "simple"; + WorkingDirectory = cfg.workdir; + StateDirectory = cfg.systemdStateDirectory; + RuntimeDirectory = cfg.systemdRuntimeDirectory; + RuntimeDirectoryPreserve = "yes"; + }; + + unitConfig.RequiresMountsFor = cfg.dataDir; + }; + + }; +} diff --git a/modules/webapps/mediagoblin.nix b/modules/webapps/mediagoblin.nix new file mode 100644 index 00000000..78bbef6f --- /dev/null +++ b/modules/webapps/mediagoblin.nix @@ -0,0 +1,237 @@ +{ lib, pkgs, config, ... }: +let + name = "mediagoblin"; + cfg = config.services.mediagoblin; + + uid = config.ids.uids.mediagoblin; + gid = config.ids.gids.mediagoblin; + + paste_local = pkgs.writeText "paste_local.ini" '' + [DEFAULT] + debug = false + + [pipeline:main] + pipeline = mediagoblin + + [app:mediagoblin] + use = egg:mediagoblin#app + config = ${cfg.configFile} ${cfg.workdir}/mediagoblin.ini + /mgoblin_static = ${cfg.workdir}/mediagoblin/static + + [loggers] + keys = root + + [handlers] + keys = console + + [formatters] + keys = generic + + [logger_root] + level = INFO + handlers = console + + [handler_console] + class = StreamHandler + args = (sys.stderr,) + level = NOTSET + formatter = generic + + [formatter_generic] + format = %(levelname)-7.7s [%(name)s] %(message)s + + [filter:errors] + use = egg:mediagoblin#errors + debug = false + + [server:main] + use = egg:waitress#main + unix_socket = ${cfg.sockets.paster} + unix_socket_perms = 777 + url_scheme = https + ''; +in +{ + options.services.mediagoblin = { + enable = lib.mkEnableOption "Enable Mediagoblin’s service"; + user = lib.mkOption { + type = lib.types.str; + default = name; + description = "User account under which Mediagoblin runs"; + }; + group = lib.mkOption { + type = lib.types.str; + default = name; + description = "Group under which Mediagoblin runs"; + }; + dataDir = lib.mkOption { + type = lib.types.path; + default = "/var/lib/${name}"; + description = '' + The directory where Mediagoblin stores its data. + ''; + }; + socketsDir = lib.mkOption { + type = lib.types.path; + default = "/run/${name}"; + description = '' + The directory where Mediagoblin puts runtime files and sockets. + ''; + }; + configFile = lib.mkOption { + type = lib.types.path; + description = '' + The configuration file path for Mediagoblin. + ''; + }; + package = lib.mkOption { + type = lib.types.package; + default = pkgs.webapps.mediagoblin; + description = '' + Mediagoblin package to use. + ''; + }; + plugins = lib.mkOption { + type = lib.types.listOf lib.types.package; + default = []; + description = '' + Mediagoblin plugins to use. + ''; + }; + # Output variables + workdir = lib.mkOption { + type = lib.types.package; + default = cfg.package.withPlugins cfg.plugins; + description = '' + Adjusted Mediagoblin package with plugins + ''; + readOnly = true; + }; + systemdStateDirectory = lib.mkOption { + type = lib.types.str; + # Use ReadWritePaths= instead if varDir is outside of /var/lib + default = assert lib.strings.hasPrefix "/var/lib/" cfg.dataDir; + lib.strings.removePrefix "/var/lib/" cfg.dataDir; + description = '' + Adjusted Mediagoblin data directory for systemd + ''; + readOnly = true; + }; + systemdRuntimeDirectory = lib.mkOption { + type = lib.types.str; + # Use ReadWritePaths= instead if socketsDir is outside of /run + default = assert lib.strings.hasPrefix "/run/" cfg.socketsDir; + lib.strings.removePrefix "/run/" cfg.socketsDir; + description = '' + Adjusted Mediagoblin sockets directory for systemd + ''; + readOnly = true; + }; + sockets = lib.mkOption { + type = lib.types.attrsOf lib.types.path; + default = { + paster = "${cfg.socketsDir}/mediagoblin.sock"; + }; + readOnly = true; + description = '' + Mediagoblin sockets + ''; + }; + pids = lib.mkOption { + type = lib.types.attrsOf lib.types.path; + default = { + paster = "${cfg.socketsDir}/mediagoblin.pid"; + celery = "${cfg.socketsDir}/mediagoblin-celeryd.pid"; + }; + readOnly = true; + description = '' + Mediagoblin pid files + ''; + }; + }; + + config = lib.mkIf cfg.enable { + users.users = lib.optionalAttrs (cfg.user == name) (lib.singleton { + inherit name; + inherit uid; + group = cfg.group; + description = "Mediagoblin user"; + home = cfg.dataDir; + useDefaultShell = true; + }); + users.groups = lib.optionalAttrs (cfg.group == name) (lib.singleton { + inherit name; + inherit gid; + }); + + systemd.services.mediagoblin-web = { + description = "Mediagoblin service"; + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + wants = [ "postgresql.service" "redis.service" ]; + + environment.SCRIPT_NAME = "/mediagoblin/"; + + script = '' + exec ./bin/paster serve \ + ${paste_local} \ + --pid-file=${cfg.pids.paster} + ''; + preStop = '' + exec ./bin/paster serve \ + --pid-file=${cfg.pids.paster} \ + ${paste_local} stop + ''; + preStart = '' + if [ -d ${cfg.dataDir}/plugin_static/ ]; then + rm ${cfg.dataDir}/plugin_static/coreplugin_basic_auth + ln -sf ${cfg.workdir}/mediagoblin/plugins/basic_auth/static ${cfg.dataDir}/plugin_static/coreplugin_basic_auth + fi + ./bin/gmg -cf ${cfg.configFile} dbupdate + ''; + + serviceConfig = { + User = cfg.user; + PrivateTmp = true; + Restart = "always"; + TimeoutSec = 15; + Type = "simple"; + WorkingDirectory = cfg.workdir; + RuntimeDirectory = cfg.systemdRuntimeDirectory; + StateDirectory= cfg.systemdStateDirectory; + PIDFile = cfg.pids.paster; + }; + + unitConfig.RequiresMountsFor = cfg.dataDir; + }; + + systemd.services.mediagoblin-celeryd = { + description = "Mediagoblin service"; + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" "mediagoblin-web.service" ]; + + environment.MEDIAGOBLIN_CONFIG = cfg.configFile; + environment.CELERY_CONFIG_MODULE = "mediagoblin.init.celery.from_celery"; + + script = '' + exec ./bin/celery worker \ + --logfile=${cfg.dataDir}/celery.log \ + --loglevel=INFO + ''; + + serviceConfig = { + User = cfg.user; + PrivateTmp = true; + Restart = "always"; + TimeoutSec = 60; + Type = "simple"; + WorkingDirectory = cfg.workdir; + RuntimeDirectory = cfg.systemdRuntimeDirectory; + StateDirectory= cfg.systemdStateDirectory; + PIDFile = cfg.pids.celery; + }; + + unitConfig.RequiresMountsFor = cfg.dataDir; + }; + }; +} diff --git a/modules/webapps/peertube.nix b/modules/webapps/peertube.nix new file mode 100644 index 00000000..89dcc67a --- /dev/null +++ b/modules/webapps/peertube.nix @@ -0,0 +1,105 @@ +{ lib, pkgs, config, ... }: +let + name = "peertube"; + cfg = config.services.peertube; + + uid = config.ids.uids.peertube; + gid = config.ids.gids.peertube; +in +{ + options.services.peertube = { + enable = lib.mkEnableOption "Enable Peertube’s service"; + user = lib.mkOption { + type = lib.types.str; + default = name; + description = "User account under which Peertube runs"; + }; + group = lib.mkOption { + type = lib.types.str; + default = name; + description = "Group under which Peertube runs"; + }; + dataDir = lib.mkOption { + type = lib.types.path; + default = "/var/lib/${name}"; + description = '' + The directory where Peertube stores its data. + ''; + }; + configFile = lib.mkOption { + type = lib.types.path; + description = '' + The configuration file path for Peertube. + ''; + }; + package = lib.mkOption { + type = lib.types.package; + default = pkgs.webapps.peertube; + description = '' + Peertube package to use. + ''; + }; + # Output variables + systemdStateDirectory = lib.mkOption { + type = lib.types.str; + # Use ReadWritePaths= instead if varDir is outside of /var/lib + default = assert lib.strings.hasPrefix "/var/lib/" cfg.dataDir; + lib.strings.removePrefix "/var/lib/" cfg.dataDir; + description = '' + Adjusted Peertube data directory for systemd + ''; + readOnly = true; + }; + }; + + config = lib.mkIf cfg.enable { + users.users = lib.optionalAttrs (cfg.user == name) (lib.singleton { + inherit name; + inherit uid; + group = cfg.group; + description = "Peertube user"; + home = cfg.dataDir; + useDefaultShell = true; + }); + users.groups = lib.optionalAttrs (cfg.group == name) (lib.singleton { + inherit name; + inherit gid; + }); + + systemd.services.peertube = { + description = "Peertube"; + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" "postgresql.service" ]; + wants = [ "postgresql.service" ]; + + environment.NODE_CONFIG_DIR = "${cfg.dataDir}/config"; + environment.NODE_ENV = "production"; + environment.HOME = cfg.package; + + path = [ pkgs.nodejs pkgs.bashInteractive pkgs.ffmpeg pkgs.openssl ]; + + script = '' + install -m 0750 -d ${cfg.dataDir}/config + ln -sf ${cfg.configFile} ${cfg.dataDir}/config/production.yaml + exec npm run start + ''; + + serviceConfig = { + User = cfg.user; + Group = cfg.group; + WorkingDirectory = cfg.package; + StateDirectory = cfg.systemdStateDirectory; + StateDirectoryMode = 0750; + PrivateTmp = true; + ProtectHome = true; + ProtectControlGroups = true; + Restart = "always"; + Type = "simple"; + TimeoutSec = 60; + }; + + unitConfig.RequiresMountsFor = cfg.dataDir; + }; + }; +} + diff --git a/modules/webapps/webstats/default.nix b/modules/webapps/webstats/default.nix new file mode 100644 index 00000000..924d72de --- /dev/null +++ b/modules/webapps/webstats/default.nix @@ -0,0 +1,81 @@ +{ lib, pkgs, config, ... }: +let + name = "goaccess"; + cfg = config.services.webstats; +in { + options.services.webstats = { + dataDir = lib.mkOption { + type = lib.types.path; + default = "/var/lib/${name}"; + description = '' + The directory where Goaccess stores its data. + ''; + }; + sites = lib.mkOption { + type = lib.types.listOf (lib.types.submodule { + options = { + conf = lib.mkOption { + type = lib.types.nullOr lib.types.path; + default = null; + description = '' + use custom goaccess configuration file instead of the + default one. + ''; + }; + name = lib.mkOption { + type = lib.types.string; + description = '' + Domain name. Corresponds to the Apache file name and the + folder name in which the state will be saved. + ''; + }; + }; + }); + default = []; + description = "Sites to generate stats"; + }; + }; + + config = lib.mkIf (builtins.length cfg.sites > 0) { + users.users.root.packages = [ + pkgs.goaccess + ]; + + services.cron = { + enable = true; + systemCronJobs = let + stats = domain: conf: let + config = if builtins.isNull conf + then pkgs.runCommand "goaccess.conf" { + dbPath = "${cfg.dataDir}/${domain}"; + } "substituteAll ${./goaccess.conf} $out" + else conf; + d = pkgs.writeScriptBin "stats-${domain}" '' + #!${pkgs.stdenv.shell} + set -e + shopt -s nullglob + date_regex=$(LC_ALL=C date -d yesterday +'%d\/%b\/%Y') + TMPFILE=$(mktemp) + trap "rm -f $TMPFILE" EXIT + + mkdir -p ${cfg.dataDir}/${domain} + cat /var/log/httpd/access-${domain}.log | sed -n "/\\[$date_regex/ p" > $TMPFILE + for i in /var/log/httpd/access-${domain}*.gz; do + zcat "$i" | sed -n "/\\[$date_regex/ p" >> $TMPFILE + done + ${pkgs.goaccess}/bin/goaccess $TMPFILE --no-progress -o ${cfg.dataDir}/${domain}/index.html -p ${config} + ''; + in "${d}/bin/stats-${domain}"; + allStats = sites: pkgs.writeScript "stats" '' + #!${pkgs.stdenv.shell} + + mkdir -p ${cfg.dataDir} + ${builtins.concatStringsSep "\n" (map (v: stats v.name v.conf) sites)} + ''; + in + [ + "5 0 * * * root ${allStats cfg.sites}" + ]; + }; + }; +} diff --git a/modules/webapps/webstats/goaccess.conf b/modules/webapps/webstats/goaccess.conf new file mode 100644 index 00000000..49189883 --- /dev/null +++ b/modules/webapps/webstats/goaccess.conf @@ -0,0 +1,99 @@ +time-format %H:%M:%S +date-format %d/%b/%Y + +#sur immae.eu +#log-format %v %h %^[%d:%t %^] "%r" %s %b "%R" "%u" $^ + +log-format VCOMBINED +#= %v:%^ %h %^[%d:%t %^] "%r" %s %b "%R" "%u" + +html-prefs {"theme":"bright","layout":"vertical"} + +exclude-ip 188.165.209.148 +exclude-ip 178.33.252.96 +exclude-ip 2001:41d0:2:9c94::1 +exclude-ip 2001:41d0:2:9c94:: +exclude-ip 176.9.151.89 +exclude-ip 2a01:4f8:160:3445:: +exclude-ip 82.255.56.72 + +no-query-string true + +keep-db-files true +load-from-disk true +db-path @dbPath@ + +ignore-panel REFERRERS +ignore-panel KEYPHRASES + +static-file .css +static-file .js +static-file .jpg +static-file .png +static-file .gif +static-file .ico +static-file .jpeg +static-file .pdf +static-file .csv +static-file .mpeg +static-file .mpg +static-file .swf +static-file .woff +static-file .woff2 +static-file .xls +static-file .xlsx +static-file .doc +static-file .docx +static-file .ppt +static-file .pptx +static-file .txt +static-file .zip +static-file .ogg +static-file .mp3 +static-file .mp4 +static-file .exe +static-file .iso +static-file .gz +static-file .rar +static-file .svg +static-file .bmp +static-file .tar +static-file .tgz +static-file .tiff +static-file .tif +static-file .ttf +static-file .flv +#static-file .less +#static-file .ac3 +#static-file .avi +#static-file .bz2 +#static-file .class +#static-file .cue +#static-file .dae +#static-file .dat +#static-file .dts +#static-file .ejs +#static-file .eot +#static-file .eps +#static-file .img +#static-file .jar +#static-file .map +#static-file .mid +#static-file .midi +#static-file .ogv +#static-file .webm +#static-file .mkv +#static-file .odp +#static-file .ods +#static-file .odt +#static-file .otf +#static-file .pict +#static-file .pls +#static-file .ps +#static-file .qt +#static-file .rm +#static-file .svgz +#static-file .wav +#static-file .webp + + diff --git a/modules/websites/default.nix b/modules/websites/default.nix new file mode 100644 index 00000000..e57f505a --- /dev/null +++ b/modules/websites/default.nix @@ -0,0 +1,199 @@ +{ lib, config, ... }: with lib; +let + cfg = config.services.websites; +in +{ + options.services.websitesCerts = mkOption { + description = "Default websites configuration for certificates as accepted by acme"; + }; + options.services.websites = with types; mkOption { + default = {}; + description = "Each type of website to enable will target a distinct httpd server"; + type = attrsOf (submodule { + options = { + enable = mkEnableOption "Enable websites of this type"; + adminAddr = mkOption { + type = str; + description = "Admin e-mail address of the instance"; + }; + httpdName = mkOption { + type = str; + description = "Name of the httpd instance to assign this type to"; + }; + ips = mkOption { + type = listOf string; + default = []; + description = "ips to listen to"; + }; + modules = mkOption { + type = listOf str; + default = []; + description = "Additional modules to load in Apache"; + }; + extraConfig = mkOption { + type = listOf lines; + default = []; + description = "Additional configuration to append to Apache"; + }; + nosslVhost = mkOption { + description = "A default nossl vhost for captive portals"; + default = {}; + type = submodule { + options = { + enable = mkEnableOption "Add default no-ssl vhost for this instance"; + host = mkOption { + type = string; + description = "The hostname to use for this vhost"; + }; + root = mkOption { + type = path; + default = ./nosslVhost; + description = "The root folder to serve"; + }; + indexFile = mkOption { + type = string; + default = "index.html"; + description = "The index file to show."; + }; + }; + }; + }; + fallbackVhost = mkOption { + description = "The fallback vhost that will be defined as first vhost in Apache"; + type = submodule { + options = { + certName = mkOption { type = string; }; + hosts = mkOption { type = listOf string; }; + root = mkOption { type = nullOr path; }; + extraConfig = mkOption { type = listOf lines; default = []; }; + }; + }; + }; + vhostConfs = mkOption { + default = {}; + description = "List of vhosts to define for Apache"; + type = attrsOf (submodule { + options = { + certName = mkOption { type = string; }; + addToCerts = mkOption { + type = bool; + default = false; + description = "Use these to certificates. Is ignored (considered true) if certMainHost is not null"; + }; + certMainHost = mkOption { + type = nullOr string; + description = "Use that host as 'main host' for acme certs"; + default = null; + }; + hosts = mkOption { type = listOf string; }; + root = mkOption { type = nullOr path; }; + extraConfig = mkOption { type = listOf lines; default = []; }; + }; + }); + }; + }; + }); + }; + + config.services.httpd = let + redirectVhost = ips: { # Should go last, catchall http -> https redirect + listen = map (ip: { inherit ip; port = 80; }) ips; + hostName = "redirectSSL"; + serverAliases = [ "*" ]; + enableSSL = false; + logFormat = "combinedVhost"; + documentRoot = "${config.security.acme.directory}/acme-challenge"; + extraConfig = '' + RewriteEngine on + RewriteCond "%{REQUEST_URI}" "!^/\.well-known" + RewriteRule ^(.+) https://%{HTTP_HOST}$1 [R=301] + # To redirect in specific "VirtualHost *:80", do + # RedirectMatch 301 ^/((?!\.well-known.*$).*)$ https://host/$1 + # rather than rewrite + ''; + }; + nosslVhost = ips: cfg: { + listen = map (ip: { inherit ip; port = 80; }) ips; + hostName = cfg.host; + enableSSL = false; + logFormat = "combinedVhost"; + documentRoot = cfg.root; + extraConfig = '' + + DirectoryIndex ${cfg.indexFile} + AllowOverride None + Require all granted + + RewriteEngine on + RewriteRule ^/(.+) / [L] + + ''; + }; + toVhost = ips: vhostConf: { + enableSSL = true; + sslServerCert = "${config.security.acme.directory}/${vhostConf.certName}/cert.pem"; + sslServerKey = "${config.security.acme.directory}/${vhostConf.certName}/key.pem"; + sslServerChain = "${config.security.acme.directory}/${vhostConf.certName}/chain.pem"; + logFormat = "combinedVhost"; + listen = map (ip: { inherit ip; port = 443; }) ips; + hostName = builtins.head vhostConf.hosts; + serverAliases = builtins.tail vhostConf.hosts or []; + documentRoot = vhostConf.root; + extraConfig = builtins.concatStringsSep "\n" vhostConf.extraConfig; + }; + in attrsets.mapAttrs' (name: icfg: attrsets.nameValuePair + icfg.httpdName (mkIf icfg.enable { + enable = true; + listen = map (ip: { inherit ip; port = 443; }) icfg.ips; + stateDir = "/run/httpd_${name}"; + logPerVirtualHost = true; + multiProcessingModule = "worker"; + inherit (icfg) adminAddr; + logFormat = "combinedVhost"; + extraModules = lists.unique icfg.modules; + extraConfig = builtins.concatStringsSep "\n" icfg.extraConfig; + virtualHosts = [ (toVhost icfg.ips icfg.fallbackVhost) ] + ++ optionals (icfg.nosslVhost.enable) [ (nosslVhost icfg.ips icfg.nosslVhost) ] + ++ (attrsets.mapAttrsToList (n: v: toVhost icfg.ips v) icfg.vhostConfs) + ++ [ (redirectVhost icfg.ips) ]; + }) + ) cfg; + + config.security.acme.certs = let + typesToManage = attrsets.filterAttrs (k: v: v.enable) cfg; + flatVhosts = lists.flatten (attrsets.mapAttrsToList (k: v: + attrValues v.vhostConfs + ) typesToManage); + groupedCerts = attrsets.filterAttrs + (_: group: builtins.any (v: v.addToCerts || !isNull v.certMainHost) group) + (lists.groupBy (v: v.certName) flatVhosts); + groupToDomain = group: + let + nonNull = builtins.filter (v: !isNull v.certMainHost) group; + domains = lists.unique (map (v: v.certMainHost) nonNull); + in + if builtins.length domains == 0 + then null + else assert (builtins.length domains == 1); (elemAt domains 0); + extraDomains = group: + let + mainDomain = groupToDomain group; + in + lists.remove mainDomain ( + lists.unique ( + lists.flatten (map (c: optionals (c.addToCerts || !isNull c.certMainHost) c.hosts) group) + ) + ); + in attrsets.mapAttrs (k: g: + if (!isNull (groupToDomain g)) + then config.services.websitesCerts // { + domain = groupToDomain g; + extraDomains = builtins.listToAttrs ( + map (d: attrsets.nameValuePair d null) (extraDomains g)); + } + else { + extraDomains = builtins.listToAttrs ( + map (d: attrsets.nameValuePair d null) (extraDomains g)); + } + ) groupedCerts; +} diff --git a/modules/websites/httpd-service-builder.nix b/modules/websites/httpd-service-builder.nix new file mode 100644 index 00000000..d049202c --- /dev/null +++ b/modules/websites/httpd-service-builder.nix @@ -0,0 +1,746 @@ +# to help backporting this builder should stay as close as possible to +# nixos/modules/services/web-servers/apache-httpd/default.nix +{ httpdName, withUsers ? true }: +{ config, lib, pkgs, ... }: + +with lib; + +let + + mainCfg = config.services.httpd."${httpdName}"; + + httpd = mainCfg.package.out; + + version24 = !versionOlder httpd.version "2.4"; + + httpdConf = mainCfg.configFile; + + php = mainCfg.phpPackage.override { apacheHttpd = httpd.dev; /* otherwise it only gets .out */ }; + + phpMajorVersion = head (splitString "." php.version); + + mod_perl = pkgs.apacheHttpdPackages.mod_perl.override { apacheHttpd = httpd; }; + + defaultListen = cfg: if cfg.enableSSL + then [{ip = "*"; port = 443;}] + else [{ip = "*"; port = 80;}]; + + getListen = cfg: + let list = (lib.optional (cfg.port != 0) {ip = "*"; port = cfg.port;}) ++ cfg.listen; + in if list == [] + then defaultListen cfg + else list; + + listenToString = l: "${l.ip}:${toString l.port}"; + + extraModules = attrByPath ["extraModules"] [] mainCfg; + extraForeignModules = filter isAttrs extraModules; + extraApacheModules = filter isString extraModules; + + + makeServerInfo = cfg: { + # Canonical name must not include a trailing slash. + canonicalNames = + let defaultPort = (head (defaultListen cfg)).port; in + map (port: + (if cfg.enableSSL then "https" else "http") + "://" + + cfg.hostName + + (if port != defaultPort then ":${toString port}" else "") + ) (map (x: x.port) (getListen cfg)); + + # Admin address: inherit from the main server if not specified for + # a virtual host. + adminAddr = if cfg.adminAddr != null then cfg.adminAddr else mainCfg.adminAddr; + + vhostConfig = cfg; + serverConfig = mainCfg; + fullConfig = config; # machine config + }; + + + allHosts = [mainCfg] ++ mainCfg.virtualHosts; + + + callSubservices = serverInfo: defs: + let f = svc: + let + svcFunction = + if svc ? function then svc.function + # instead of using serviceType="mediawiki"; you can copy mediawiki.nix to any location outside nixpkgs, modify it at will, and use serviceExpression=./mediawiki.nix; + else if svc ? serviceExpression then import (toString svc.serviceExpression) + else import (toString "${toString ./.}/${if svc ? serviceType then svc.serviceType else svc.serviceName}.nix"); + config = (evalModules + { modules = [ { options = res.options; config = svc.config or svc; } ]; + check = false; + }).config; + defaults = { + extraConfig = ""; + extraModules = []; + extraModulesPre = []; + extraPath = []; + extraServerPath = []; + globalEnvVars = []; + robotsEntries = ""; + startupScript = ""; + enablePHP = false; + enablePerl = false; + phpOptions = ""; + options = {}; + documentRoot = null; + }; + res = defaults // svcFunction { inherit config lib pkgs serverInfo php; }; + in res; + in map f defs; + + + # !!! callSubservices is expensive + subservicesFor = cfg: callSubservices (makeServerInfo cfg) cfg.extraSubservices; + + mainSubservices = subservicesFor mainCfg; + + allSubservices = mainSubservices ++ concatMap subservicesFor mainCfg.virtualHosts; + + + enableSSL = any (vhost: vhost.enableSSL) allHosts; + + + # Names of modules from ${httpd}/modules that we want to load. + apacheModules = + [ # HTTP authentication mechanisms: basic and digest. + "auth_basic" "auth_digest" + + # Authentication: is the user who he claims to be? + "authn_file" "authn_dbm" "authn_anon" + (if version24 then "authn_core" else "authn_alias") + + # Authorization: is the user allowed access? + "authz_user" "authz_groupfile" "authz_host" + + # Other modules. + "ext_filter" "include" "log_config" "env" "mime_magic" + "cern_meta" "expires" "headers" "usertrack" /* "unique_id" */ "setenvif" + "mime" "dav" "status" "autoindex" "asis" "info" "dav_fs" + "vhost_alias" "negotiation" "dir" "imagemap" "actions" "speling" + "userdir" "alias" "rewrite" "proxy" "proxy_http" + ] + ++ optionals version24 [ + "mpm_${mainCfg.multiProcessingModule}" + "authz_core" + "unixd" + "cache" "cache_disk" + "slotmem_shm" + "socache_shmcb" + # For compatibility with old configurations, the new module mod_access_compat is provided. + "access_compat" + ] + ++ (if mainCfg.multiProcessingModule == "prefork" then [ "cgi" ] else [ "cgid" ]) + ++ optional enableSSL "ssl" + ++ extraApacheModules; + + + allDenied = if version24 then '' + Require all denied + '' else '' + Order deny,allow + Deny from all + ''; + + allGranted = if version24 then '' + Require all granted + '' else '' + Order allow,deny + Allow from all + ''; + + + loggingConf = (if mainCfg.logFormat != "none" then '' + ErrorLog ${mainCfg.logDir}/error.log + + LogLevel notice + + LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined + LogFormat "%h %l %u %t \"%r\" %>s %b" common + LogFormat "%{Referer}i -> %U" referer + LogFormat "%{User-agent}i" agent + + CustomLog ${mainCfg.logDir}/access.log ${mainCfg.logFormat} + '' else '' + ErrorLog /dev/null + ''); + + + browserHacks = '' + BrowserMatch "Mozilla/2" nokeepalive + BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0 + BrowserMatch "RealPlayer 4\.0" force-response-1.0 + BrowserMatch "Java/1\.0" force-response-1.0 + BrowserMatch "JDK/1\.0" force-response-1.0 + BrowserMatch "Microsoft Data Access Internet Publishing Provider" redirect-carefully + BrowserMatch "^WebDrive" redirect-carefully + BrowserMatch "^WebDAVFS/1.[012]" redirect-carefully + BrowserMatch "^gnome-vfs" redirect-carefully + ''; + + + sslConf = '' + SSLSessionCache ${if version24 then "shmcb" else "shm"}:${mainCfg.stateDir}/ssl_scache(512000) + + ${if version24 then "Mutex" else "SSLMutex"} posixsem + + SSLRandomSeed startup builtin + SSLRandomSeed connect builtin + + SSLProtocol ${mainCfg.sslProtocols} + SSLCipherSuite ${mainCfg.sslCiphers} + SSLHonorCipherOrder on + ''; + + + mimeConf = '' + TypesConfig ${httpd}/conf/mime.types + + AddType application/x-x509-ca-cert .crt + AddType application/x-pkcs7-crl .crl + AddType application/x-httpd-php .php .phtml + + + MIMEMagicFile ${httpd}/conf/magic + + ''; + + + perServerConf = isMainServer: cfg: let + + serverInfo = makeServerInfo cfg; + + subservices = callSubservices serverInfo cfg.extraSubservices; + + maybeDocumentRoot = fold (svc: acc: + if acc == null then svc.documentRoot else assert svc.documentRoot == null; acc + ) null ([ cfg ] ++ subservices); + + documentRoot = if maybeDocumentRoot != null then maybeDocumentRoot else + pkgs.runCommand "empty" { preferLocalBuild = true; } "mkdir -p $out"; + + documentRootConf = '' + DocumentRoot "${documentRoot}" + + + Options Indexes FollowSymLinks + AllowOverride None + ${allGranted} + + ''; + + robotsTxt = + concatStringsSep "\n" (filter (x: x != "") ( + # If this is a vhost, the include the entries for the main server as well. + (if isMainServer then [] else [mainCfg.robotsEntries] ++ map (svc: svc.robotsEntries) mainSubservices) + ++ [cfg.robotsEntries] + ++ (map (svc: svc.robotsEntries) subservices))); + + in '' + ${concatStringsSep "\n" (map (n: "ServerName ${n}") serverInfo.canonicalNames)} + + ${concatMapStrings (alias: "ServerAlias ${alias}\n") cfg.serverAliases} + + ${if cfg.sslServerCert != null then '' + SSLCertificateFile ${cfg.sslServerCert} + SSLCertificateKeyFile ${cfg.sslServerKey} + ${if cfg.sslServerChain != null then '' + SSLCertificateChainFile ${cfg.sslServerChain} + '' else ""} + '' else ""} + + ${if cfg.enableSSL then '' + SSLEngine on + '' else if enableSSL then /* i.e., SSL is enabled for some host, but not this one */ + '' + SSLEngine off + '' else ""} + + ${if isMainServer || cfg.adminAddr != null then '' + ServerAdmin ${cfg.adminAddr} + '' else ""} + + ${if !isMainServer && mainCfg.logPerVirtualHost then '' + ErrorLog ${mainCfg.logDir}/error-${cfg.hostName}.log + CustomLog ${mainCfg.logDir}/access-${cfg.hostName}.log ${cfg.logFormat} + '' else ""} + + ${optionalString (robotsTxt != "") '' + Alias /robots.txt ${pkgs.writeText "robots.txt" robotsTxt} + ''} + + ${if isMainServer || maybeDocumentRoot != null then documentRootConf else ""} + + ${if cfg.enableUserDir then '' + + UserDir public_html + UserDir disabled root + + + AllowOverride FileInfo AuthConfig Limit Indexes + Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec + + ${allGranted} + + + ${allDenied} + + + + '' else ""} + + ${if cfg.globalRedirect != null && cfg.globalRedirect != "" then '' + RedirectPermanent / ${cfg.globalRedirect} + '' else ""} + + ${ + let makeFileConf = elem: '' + Alias ${elem.urlPath} ${elem.file} + ''; + in concatMapStrings makeFileConf cfg.servedFiles + } + + ${ + let makeDirConf = elem: '' + Alias ${elem.urlPath} ${elem.dir}/ + + Options +Indexes + ${allGranted} + AllowOverride All + + ''; + in concatMapStrings makeDirConf cfg.servedDirs + } + + ${concatMapStrings (svc: svc.extraConfig) subservices} + + ${cfg.extraConfig} + ''; + + + confFile = pkgs.writeText "httpd.conf" '' + + ServerRoot ${httpd} + + ${optionalString version24 '' + DefaultRuntimeDir ${mainCfg.stateDir}/runtime + ''} + + PidFile ${mainCfg.stateDir}/httpd.pid + + ${optionalString (mainCfg.multiProcessingModule != "prefork") '' + # mod_cgid requires this. + ScriptSock ${mainCfg.stateDir}/cgisock + ''} + + + MaxClients ${toString mainCfg.maxClients} + MaxRequestsPerChild ${toString mainCfg.maxRequestsPerChild} + + + ${let + listen = concatMap getListen allHosts; + toStr = listen: "Listen ${listenToString listen}\n"; + uniqueListen = uniqList {inputList = map toStr listen;}; + in concatStrings uniqueListen + } + + User ${mainCfg.user} + Group ${mainCfg.group} + + ${let + load = {name, path}: "LoadModule ${name}_module ${path}\n"; + allModules = + concatMap (svc: svc.extraModulesPre) allSubservices + ++ map (name: {inherit name; path = "${httpd}/modules/mod_${name}.so";}) apacheModules + ++ optional mainCfg.enableMellon { name = "auth_mellon"; path = "${pkgs.apacheHttpdPackages.mod_auth_mellon}/modules/mod_auth_mellon.so"; } + ++ optional enablePHP { name = "php${phpMajorVersion}"; path = "${php}/modules/libphp${phpMajorVersion}.so"; } + ++ optional enablePerl { name = "perl"; path = "${mod_perl}/modules/mod_perl.so"; } + ++ concatMap (svc: svc.extraModules) allSubservices + ++ extraForeignModules; + in concatMapStrings load allModules + } + + AddHandler type-map var + + + ${allDenied} + + + ${mimeConf} + ${loggingConf} + ${browserHacks} + + Include ${httpd}/conf/extra/httpd-default.conf + Include ${httpd}/conf/extra/httpd-autoindex.conf + Include ${httpd}/conf/extra/httpd-multilang-errordoc.conf + Include ${httpd}/conf/extra/httpd-languages.conf + + TraceEnable off + + ${if enableSSL then sslConf else ""} + + # Fascist default - deny access to everything. + + Options FollowSymLinks + AllowOverride None + ${allDenied} + + + # Generate directives for the main server. + ${perServerConf true mainCfg} + + # Always enable virtual hosts; it doesn't seem to hurt. + ${let + listen = concatMap getListen allHosts; + uniqueListen = uniqList {inputList = listen;}; + directives = concatMapStrings (listen: "NameVirtualHost ${listenToString listen}\n") uniqueListen; + in optionalString (!version24) directives + } + + ${let + makeVirtualHost = vhost: '' + + ${perServerConf false vhost} + + ''; + in concatMapStrings makeVirtualHost mainCfg.virtualHosts + } + ''; + + + enablePHP = mainCfg.enablePHP || any (svc: svc.enablePHP) allSubservices; + + enablePerl = mainCfg.enablePerl || any (svc: svc.enablePerl) allSubservices; + + + # Generate the PHP configuration file. Should probably be factored + # out into a separate module. + phpIni = pkgs.runCommand "php.ini" + { options = concatStringsSep "\n" + ([ mainCfg.phpOptions ] ++ (map (svc: svc.phpOptions) allSubservices)); + preferLocalBuild = true; + } + '' + cat ${php}/etc/php.ini > $out + echo "$options" >> $out + ''; + +in + + +{ + + ###### interface + + options = { + + services.httpd."${httpdName}" = { + + enable = mkOption { + type = types.bool; + default = false; + description = "Whether to enable the Apache HTTP Server."; + }; + + package = mkOption { + type = types.package; + default = pkgs.apacheHttpd; + defaultText = "pkgs.apacheHttpd"; + description = '' + Overridable attribute of the Apache HTTP Server package to use. + ''; + }; + + configFile = mkOption { + type = types.path; + default = confFile; + defaultText = "confFile"; + example = literalExample ''pkgs.writeText "httpd.conf" "# my custom config file ..."''; + description = '' + Override the configuration file used by Apache. By default, + NixOS generates one automatically. + ''; + }; + + extraConfig = mkOption { + type = types.lines; + default = ""; + description = '' + Cnfiguration lines appended to the generated Apache + configuration file. Note that this mechanism may not work + when is overridden. + ''; + }; + + extraModules = mkOption { + type = types.listOf types.unspecified; + default = []; + example = literalExample ''[ "proxy_connect" { name = "php5"; path = "''${pkgs.php}/modules/libphp5.so"; } ]''; + description = '' + Additional Apache modules to be used. These can be + specified as a string in the case of modules distributed + with Apache, or as an attribute set specifying the + name and path of the + module. + ''; + }; + + logPerVirtualHost = mkOption { + type = types.bool; + default = false; + description = '' + If enabled, each virtual host gets its own + access.log and + error.log, namely suffixed by the + of the virtual host. + ''; + }; + + user = mkOption { + type = types.str; + default = "wwwrun"; + description = '' + User account under which httpd runs. The account is created + automatically if it doesn't exist. + ''; + }; + + group = mkOption { + type = types.str; + default = "wwwrun"; + description = '' + Group under which httpd runs. The account is created + automatically if it doesn't exist. + ''; + }; + + logDir = mkOption { + type = types.path; + default = "/var/log/httpd"; + description = '' + Directory for Apache's log files. It is created automatically. + ''; + }; + + stateDir = mkOption { + type = types.path; + default = "/run/httpd"; + description = '' + Directory for Apache's transient runtime state (such as PID + files). It is created automatically. Note that the default, + /run/httpd, is deleted at boot time. + ''; + }; + + virtualHosts = mkOption { + type = types.listOf (types.submodule ( + { options = import { + inherit lib; + forMainServer = false; + }; + })); + default = []; + example = [ + { hostName = "foo"; + documentRoot = "/data/webroot-foo"; + } + { hostName = "bar"; + documentRoot = "/data/webroot-bar"; + } + ]; + description = '' + Specification of the virtual hosts served by Apache. Each + element should be an attribute set specifying the + configuration of the virtual host. The available options + are the non-global options permissible for the main host. + ''; + }; + + enableMellon = mkOption { + type = types.bool; + default = false; + description = "Whether to enable the mod_auth_mellon module."; + }; + + enablePHP = mkOption { + type = types.bool; + default = false; + description = "Whether to enable the PHP module."; + }; + + phpPackage = mkOption { + type = types.package; + default = pkgs.php; + defaultText = "pkgs.php"; + description = '' + Overridable attribute of the PHP package to use. + ''; + }; + + enablePerl = mkOption { + type = types.bool; + default = false; + description = "Whether to enable the Perl module (mod_perl)."; + }; + + phpOptions = mkOption { + type = types.lines; + default = ""; + example = + '' + date.timezone = "CET" + ''; + description = + "Options appended to the PHP configuration file php.ini."; + }; + + multiProcessingModule = mkOption { + type = types.str; + default = "prefork"; + example = "worker"; + description = + '' + Multi-processing module to be used by Apache. Available + modules are prefork (the default; + handles each request in a separate child process), + worker (hybrid approach that starts a + number of child processes each running a number of + threads) and event (a recent variant of + worker that handles persistent + connections more efficiently). + ''; + }; + + maxClients = mkOption { + type = types.int; + default = 150; + example = 8; + description = "Maximum number of httpd processes (prefork)"; + }; + + maxRequestsPerChild = mkOption { + type = types.int; + default = 0; + example = 500; + description = + "Maximum number of httpd requests answered per httpd child (prefork), 0 means unlimited"; + }; + + sslCiphers = mkOption { + type = types.str; + default = "HIGH:!aNULL:!MD5:!EXP"; + description = "Cipher Suite available for negotiation in SSL proxy handshake."; + }; + + sslProtocols = mkOption { + type = types.str; + default = "All -SSLv2 -SSLv3 -TLSv1"; + example = "All -SSLv2 -SSLv3"; + description = "Allowed SSL/TLS protocol versions."; + }; + } + + # Include the options shared between the main server and virtual hosts. + // (import { + inherit lib; + forMainServer = true; + }); + + }; + + + ###### implementation + + config = mkIf config.services.httpd."${httpdName}".enable { + + assertions = [ { assertion = mainCfg.enableSSL == true + -> mainCfg.sslServerCert != null + && mainCfg.sslServerKey != null; + message = "SSL is enabled for httpd, but sslServerCert and/or sslServerKey haven't been specified."; } + ]; + + warnings = map (cfg: ''apache-httpd's port option is deprecated. Use listen = [{/*ip = "*"; */ port = ${toString cfg.port};}]; instead'' ) (lib.filter (cfg: cfg.port != 0) allHosts); + + users.users = optionalAttrs (withUsers && mainCfg.user == "wwwrun") (singleton + { name = "wwwrun"; + group = mainCfg.group; + description = "Apache httpd user"; + uid = config.ids.uids.wwwrun; + }); + + users.groups = optionalAttrs (withUsers && mainCfg.group == "wwwrun") (singleton + { name = "wwwrun"; + gid = config.ids.gids.wwwrun; + }); + + environment.systemPackages = [httpd] ++ concatMap (svc: svc.extraPath) allSubservices; + + services.httpd."${httpdName}".phpOptions = + '' + ; Needed for PHP's mail() function. + sendmail_path = sendmail -t -i + + ; Don't advertise PHP + expose_php = off + '' + optionalString (!isNull config.time.timeZone) '' + + ; Apparently PHP doesn't use $TZ. + date.timezone = "${config.time.timeZone}" + ''; + + systemd.services."httpd${httpdName}" = + { description = "Apache HTTPD"; + + wantedBy = [ "multi-user.target" ]; + wants = [ "keys.target" ]; + after = [ "network.target" "fs.target" "postgresql.service" "keys.target" ]; + + path = + [ httpd pkgs.coreutils pkgs.gnugrep ] + ++ optional enablePHP pkgs.system-sendmail # Needed for PHP's mail() function. + ++ concatMap (svc: svc.extraServerPath) allSubservices; + + environment = + optionalAttrs enablePHP { PHPRC = phpIni; } + // optionalAttrs mainCfg.enableMellon { LD_LIBRARY_PATH = "${pkgs.xmlsec}/lib"; } + // (listToAttrs (concatMap (svc: svc.globalEnvVars) allSubservices)); + + preStart = + '' + mkdir -m 0750 -p ${mainCfg.stateDir} + [ $(id -u) != 0 ] || chown root.${mainCfg.group} ${mainCfg.stateDir} + ${optionalString version24 '' + mkdir -m 0750 -p "${mainCfg.stateDir}/runtime" + [ $(id -u) != 0 ] || chown root.${mainCfg.group} "${mainCfg.stateDir}/runtime" + ''} + mkdir -m 0700 -p ${mainCfg.logDir} + + # Get rid of old semaphores. These tend to accumulate across + # server restarts, eventually preventing it from restarting + # successfully. + for i in $(${pkgs.utillinux}/bin/ipcs -s | grep ' ${mainCfg.user} ' | cut -f2 -d ' '); do + ${pkgs.utillinux}/bin/ipcrm -s $i + done + + # Run the startup hooks for the subservices. + for i in ${toString (map (svn: svn.startupScript) allSubservices)}; do + echo Running Apache startup hook $i... + $i + done + ''; + + serviceConfig.ExecStart = "@${httpd}/bin/httpd httpd -f ${httpdConf}"; + serviceConfig.ExecStop = "${httpd}/bin/httpd -f ${httpdConf} -k graceful-stop"; + serviceConfig.ExecReload = "${httpd}/bin/httpd -f ${httpdConf} -k graceful"; + serviceConfig.Type = "forking"; + serviceConfig.PIDFile = "${mainCfg.stateDir}/httpd.pid"; + serviceConfig.Restart = "always"; + serviceConfig.RestartSec = "5s"; + }; + + }; +} diff --git a/modules/websites/nosslVhost/index.html b/modules/websites/nosslVhost/index.html new file mode 100644 index 00000000..4401a806 --- /dev/null +++ b/modules/websites/nosslVhost/index.html @@ -0,0 +1,11 @@ + + + + No SSL site + + +

No SSL on this site

+

Use for wifi networks with login page that doesn't work well with + https.

+ + -- cgit v1.2.3