author | Julien Langlois <langlois.jf@gmail.com> | 2018-05-01 02:36:36 -0700 |
committer | Jörg Thalheim <Mic92@users.noreply.github.com> | 2018-05-01 10:36:36 +0100 |
commit | 519b64592d5bd89c0975b44120b88ec2684d8352 (patch) | |
tree | fb5a56c1067939a1857291a2fecdfebad0c8d5b1 /nixos/modules/services/web-servers | |
parent | 164b580b361bccd9ee2df8e7f610814db1af8e49 (diff) | |
hitch: init at 1.4.8 + service + test (#39358)
Add the Hitch TLS reverse proxy as an option for TLS termination.
Diffstat (limited to 'nixos/modules/services/web-servers')
-rw-r--r-- | nixos/modules/services/web-servers/hitch/default.nix | 108 |
1 files changed, 108 insertions, 0 deletions
diff --git a/nixos/modules/services/web-servers/hitch/default.nix b/nixos/modules/services/web-servers/hitch/default.nix
new file mode 100644
index 000000000000..895d02827f71
--- /dev/null
+++ b/nixos/modules/services/web-servers/hitch/default.nix
@@ -0,0 +1,108 @@ +{ config, lib, pkgs, ...}: +let + cfg = config.services.hitch; + ocspDir = lib.optionalString cfg.ocsp-stapling.enabled "/var/cache/hitch/ocsp"; + hitchConfig = with lib; pkgs.writeText "hitch.conf" (concatStringsSep "\n" [ + ("backend = \"${cfg.backend}\"") + (concatMapStrings (s: "frontend = \"${s}\"\n") cfg.frontend) + (concatMapStrings (s: "pem-file = \"${s}\"\n") cfg.pem-files) + ("ciphers = \"${cfg.ciphers}\"") + ("ocsp-dir = \"${ocspDir}\"") + "user = \"${cfg.user}\"" + "group = \"${cfg.group}\"" + cfg.extraConfig + ]); +in +with lib; +{ + options = { + services.hitch = { + enable = mkEnableOption "Hitch Server"; + + backend = mkOption { + type = types.str; + description = '' + The host and port Hitch connects to when receiving + a connection in the form [HOST]:PORT + ''; + }; + + ciphers = mkOption { + type = types.str; + default = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"; + description = "The list of ciphers to use"; + }; + + frontend = mkOption { + type = types.either types.str (types.listOf types.str); + default = "[127.0.0.1]:443"; + description = '' + The port and interface of the listen endpoint in the ++ form [HOST]:PORT[+CERT]. 
+ ''; + apply = toList; + }; + + pem-files = mkOption { + type = types.listOf types.path; + default = []; + description = "PEM files to use"; + }; + + ocsp-stapling = { + enabled = mkOption { + type = types.bool; + default = true; + description = "Whether to enable OCSP Stapling"; + }; + }; + + user = mkOption { + type = types.str; + default = "hitch"; + description = "The user to run as"; + }; + + group = mkOption { + type = types.str; + default = "hitch"; + description = "The group to run as"; + }; + + extraConfig = mkOption { + type = types.lines; + default = ""; + description = "Additional configuration lines"; + }; + }; + + }; + + config = mkIf cfg.enable { + + systemd.services.hitch = { + description = "Hitch"; + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + preStart = '' + ${pkgs.hitch}/sbin/hitch -t --config ${hitchConfig} + '' + (optionalString cfg.ocsp-stapling.enabled '' + mkdir -p ${ocspDir} + chown -R hitch:hitch ${ocspDir} + ''); + serviceConfig = { + Type = "forking"; + ExecStart = "${pkgs.hitch}/sbin/hitch --daemon --config ${hitchConfig}"; + ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; + Restart = "always"; + RestartSec = "5s"; + LimitNOFILE = 131072; + }; + }; + + environment.systemPackages = [ pkgs.hitch ]; + + users.extraUsers.hitch.group = "hitch"; + users.extraGroups.hitch = {}; + }; +} |
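Review bot: The preStart step re-owns the OCSP cache with a hardcoded `chown -R hitch:hitch ${ocspDir}` and the config block unconditionally creates `users.extraUsers.hitch`, even though the `user` and `group` options accept any account name and are what end up in the generated `hitch.conf`; an operator who sets `services.hitch.user` to another name gets a cache directory the privilege-dropped worker cannot write (OCSP refreshes would then fail, presumably logged rather than fatal) plus an unused `hitch` account. Replace it with `chown ${cfg.user}:${cfg.group} ${ocspDir}` and derive the account definitions from the options, e.g. `users.extraUsers = optionalAttrs (cfg.user == "hitch") { hitch.group = cfg.group; };` with the matching `optionalAttrs` guard on `users.extraGroups`. Since preStart runs as root (no `User=` is set in serviceConfig) over a directory the unprivileged worker later writes into, a non-recursive chown of the directory itself is sufficient for a freshly created cache and avoids recursing as root through content the worker controls. It is also unclear from the hunk whether hitch accepts `ocsp-dir = ""` when stapling is disabled; emitting that line only under `cfg.ocsp-stapling.enabled` would sidestep the question.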