diff options
Diffstat (limited to 'nixpkgs/nixos/modules/services/web-servers')
43 files changed, 8505 insertions, 0 deletions
diff --git a/nixpkgs/nixos/modules/services/web-servers/agate.nix b/nixpkgs/nixos/modules/services/web-servers/agate.nix new file mode 100644 index 000000000000..e03174c87945 --- /dev/null +++ b/nixpkgs/nixos/modules/services/web-servers/agate.nix @@ -0,0 +1,144 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.agate; +in +{ + options = { + services.agate = { + enable = mkEnableOption (lib.mdDoc "Agate Server"); + + package = mkPackageOption pkgs "agate" { }; + + addresses = mkOption { + type = types.listOf types.str; + default = [ "0.0.0.0:1965" ]; + description = lib.mdDoc '' + Addresses to listen on, IP:PORT, if you haven't disabled forwarding + only set IPv4. + ''; + }; + + contentDir = mkOption { + default = "/var/lib/agate/content"; + type = types.path; + description = lib.mdDoc "Root of the content directory."; + }; + + certificatesDir = mkOption { + default = "/var/lib/agate/certificates"; + type = types.path; + description = lib.mdDoc "Root of the certificate directory."; + }; + + hostnames = mkOption { + default = [ ]; + type = types.listOf types.str; + description = lib.mdDoc '' + Domain name of this Gemini server, enables checking hostname and port + in requests. (multiple occurrences means basic vhosts) + ''; + }; + + language = mkOption { + default = null; + type = types.nullOr types.str; + description = lib.mdDoc "RFC 4646 Language code for text/gemini documents."; + }; + + onlyTls_1_3 = mkOption { + default = false; + type = types.bool; + description = lib.mdDoc "Only use TLSv1.3 (default also allows TLSv1.2)."; + }; + + extraArgs = mkOption { + type = types.listOf types.str; + default = [ "" ]; + example = [ "--log-ip" ]; + description = lib.mdDoc "Extra arguments to use running agate."; + }; + }; + }; + + config = mkIf cfg.enable { + # available for generating certs by hand + # it can be a bit arduous with openssl + environment.systemPackages = [ cfg.package ]; + + systemd.services.agate = { + description = "Agate"; + wantedBy = [ "multi-user.target" ]; + wants = [ "network-online.target" ]; + after = [ "network.target" "network-online.target" ]; + + script = + let + prefixKeyList = key: list: concatMap (v: [ key v ]) list; + addresses = prefixKeyList "--addr" cfg.addresses; + hostnames = prefixKeyList "--hostname" cfg.hostnames; + in + '' + exec ${cfg.package}/bin/agate ${ + escapeShellArgs ( + [ + "--content" "${cfg.contentDir}" + "--certs" "${cfg.certificatesDir}" + ] ++ + addresses ++ + (optionals (cfg.hostnames != []) hostnames) ++ + (optionals (cfg.language != null) [ "--lang" cfg.language ]) ++ + (optionals cfg.onlyTls_1_3 [ "--only-tls13" ]) ++ + (optionals (cfg.extraArgs != []) cfg.extraArgs) + ) + } + ''; + + serviceConfig = { + Restart = "always"; + RestartSec = "5s"; + DynamicUser = true; + StateDirectory = "agate"; + + # Security options: + AmbientCapabilities = ""; + CapabilityBoundingSet = ""; + + # ProtectClock= adds DeviceAllow=char-rtc r + DeviceAllow = ""; + + LockPersonality = true; + + PrivateTmp = true; + PrivateDevices = true; + PrivateUsers = true; + + ProtectClock = true; + ProtectControlGroups = true; + ProtectHostname = true; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + + RestrictNamespaces = true; + RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ]; + RestrictRealtime = true; + + SystemCallArchitectures = "native"; + SystemCallErrorNumber = "EPERM"; + SystemCallFilter = [ + "@system-service" + "~@cpu-emulation" + "~@debug" + "~@keyring" + "~@memlock" + "~@obsolete" + "~@privileged" + "~@setuid" + ]; + }; + }; + }; +} diff --git a/nixpkgs/nixos/modules/services/web-servers/apache-httpd/default.nix b/nixpkgs/nixos/modules/services/web-servers/apache-httpd/default.nix new file mode 100644 index 000000000000..016e4885a095 --- /dev/null +++ b/nixpkgs/nixos/modules/services/web-servers/apache-httpd/default.nix @@ -0,0 +1,828 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + + cfg = config.services.httpd; + + certs = config.security.acme.certs; + + runtimeDir = "/run/httpd"; + + pkg = cfg.package.out; + + apachectl = pkgs.runCommand "apachectl" { meta.priority = -1; } '' + mkdir -p $out/bin + cp ${pkg}/bin/apachectl $out/bin/apachectl + sed -i $out/bin/apachectl -e 's|$HTTPD -t|$HTTPD -t -f /etc/httpd/httpd.conf|' + ''; + + php = cfg.phpPackage.override { apxs2Support = true; apacheHttpd = pkg; }; + + phpModuleName = let + majorVersion = lib.versions.major (lib.getVersion php); + in (if majorVersion == "8" then "php" else "php${majorVersion}"); + + mod_perl = pkgs.apacheHttpdPackages.mod_perl.override { apacheHttpd = pkg; }; + + vhosts = attrValues cfg.virtualHosts; + + # certName is used later on to determine systemd service names. + acmeEnabledVhosts = map (hostOpts: hostOpts // { + certName = if hostOpts.useACMEHost != null then hostOpts.useACMEHost else hostOpts.hostName; + }) (filter (hostOpts: hostOpts.enableACME || hostOpts.useACMEHost != null) vhosts); + + dependentCertNames = unique (map (hostOpts: hostOpts.certName) acmeEnabledVhosts); + + mkListenInfo = hostOpts: + if hostOpts.listen != [] then + hostOpts.listen + else + optionals (hostOpts.onlySSL || hostOpts.addSSL || hostOpts.forceSSL) (map (addr: { ip = addr; port = 443; ssl = true; }) hostOpts.listenAddresses) ++ + optionals (!hostOpts.onlySSL) (map (addr: { ip = addr; port = 80; ssl = false; }) hostOpts.listenAddresses) + ; + + listenInfo = unique (concatMap mkListenInfo vhosts); + + enableHttp2 = any (vhost: vhost.http2) vhosts; + enableSSL = any (listen: listen.ssl) listenInfo; + enableUserDir = any (vhost: vhost.enableUserDir) vhosts; + + # NOTE: generally speaking order of modules is very important + modules = + [ # required apache modules our httpd service cannot run without + "authn_core" "authz_core" + "log_config" + "mime" "autoindex" "negotiation" "dir" + "alias" "rewrite" + "unixd" "slotmem_shm" "socache_shmcb" + "mpm_${cfg.mpm}" + ] + ++ (if cfg.mpm == "prefork" then [ "cgi" ] else [ "cgid" ]) + ++ optional enableHttp2 "http2" + ++ optional enableSSL "ssl" + ++ optional enableUserDir "userdir" + ++ optional cfg.enableMellon { name = "auth_mellon"; path = "${pkgs.apacheHttpdPackages.mod_auth_mellon}/modules/mod_auth_mellon.so"; } + ++ optional cfg.enablePHP { name = phpModuleName; path = "${php}/modules/lib${phpModuleName}.so"; } + ++ optional cfg.enablePerl { name = "perl"; path = "${mod_perl}/modules/mod_perl.so"; } + ++ cfg.extraModules; + + loggingConf = (if cfg.logFormat != "none" then '' + ErrorLog ${cfg.logDir}/error.log + + LogLevel notice + + LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined + LogFormat "%h %l %u %t \"%r\" %>s %b" common + LogFormat "%{Referer}i -> %U" referer + LogFormat "%{User-agent}i" agent + + CustomLog ${cfg.logDir}/access.log ${cfg.logFormat} + '' else '' + ErrorLog /dev/null + ''); + + + browserHacks = '' + <IfModule mod_setenvif.c> + BrowserMatch "Mozilla/2" nokeepalive + BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0 + BrowserMatch "RealPlayer 4\.0" force-response-1.0 + BrowserMatch "Java/1\.0" force-response-1.0 + BrowserMatch "JDK/1\.0" force-response-1.0 + BrowserMatch "Microsoft Data Access Internet Publishing Provider" redirect-carefully + BrowserMatch "^WebDrive" redirect-carefully + BrowserMatch "^WebDAVFS/1.[012]" redirect-carefully + BrowserMatch "^gnome-vfs" redirect-carefully + </IfModule> + ''; + + + sslConf = '' + <IfModule mod_ssl.c> + SSLSessionCache shmcb:${runtimeDir}/ssl_scache(512000) + + Mutex posixsem + + SSLRandomSeed startup builtin + SSLRandomSeed connect builtin + + SSLProtocol ${cfg.sslProtocols} + SSLCipherSuite ${cfg.sslCiphers} + SSLHonorCipherOrder on + </IfModule> + ''; + + + mimeConf = '' + TypesConfig ${pkg}/conf/mime.types + + AddType application/x-x509-ca-cert .crt + AddType application/x-pkcs7-crl .crl + AddType application/x-httpd-php .php .phtml + + <IfModule mod_mime_magic.c> + MIMEMagicFile ${pkg}/conf/magic + </IfModule> + ''; + + luaSetPaths = let + # support both lua and lua.withPackages derivations + luaversion = cfg.package.lua5.lua.luaversion or cfg.package.lua5.luaversion; + in + '' + <IfModule mod_lua.c> + LuaPackageCPath ${cfg.package.lua5}/lib/lua/${luaversion}/?.so + LuaPackagePath ${cfg.package.lua5}/share/lua/${luaversion}/?.lua + </IfModule> + ''; + + mkVHostConf = hostOpts: + let + adminAddr = if hostOpts.adminAddr != null then hostOpts.adminAddr else cfg.adminAddr; + listen = filter (listen: !listen.ssl) (mkListenInfo hostOpts); + listenSSL = filter (listen: listen.ssl) (mkListenInfo hostOpts); + + useACME = hostOpts.enableACME || hostOpts.useACMEHost != null; + sslCertDir = + if hostOpts.enableACME then certs.${hostOpts.hostName}.directory + else if hostOpts.useACMEHost != null then certs.${hostOpts.useACMEHost}.directory + else abort "This case should never happen."; + + sslServerCert = if useACME then "${sslCertDir}/fullchain.pem" else hostOpts.sslServerCert; + sslServerKey = if useACME then "${sslCertDir}/key.pem" else hostOpts.sslServerKey; + sslServerChain = if useACME then "${sslCertDir}/chain.pem" else hostOpts.sslServerChain; + + acmeChallenge = optionalString (useACME && hostOpts.acmeRoot != null) '' + Alias /.well-known/acme-challenge/ "${hostOpts.acmeRoot}/.well-known/acme-challenge/" + <Directory "${hostOpts.acmeRoot}"> + AllowOverride None + Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec + Require method GET POST OPTIONS + Require all granted + </Directory> + ''; + in + optionalString (listen != []) '' + <VirtualHost ${concatMapStringsSep " " (listen: "${listen.ip}:${toString listen.port}") listen}> + ServerName ${hostOpts.hostName} + ${concatMapStrings (alias: "ServerAlias ${alias}\n") hostOpts.serverAliases} + ${optionalString (adminAddr != null) "ServerAdmin ${adminAddr}"} + <IfModule mod_ssl.c> + SSLEngine off + </IfModule> + ${acmeChallenge} + ${if hostOpts.forceSSL then '' + <IfModule mod_rewrite.c> + RewriteEngine on + RewriteCond %{REQUEST_URI} !^/.well-known/acme-challenge [NC] + RewriteCond %{HTTPS} off + RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} + </IfModule> + '' else mkVHostCommonConf hostOpts} + </VirtualHost> + '' + + optionalString (listenSSL != []) '' + <VirtualHost ${concatMapStringsSep " " (listen: "${listen.ip}:${toString listen.port}") listenSSL}> + ServerName ${hostOpts.hostName} + ${concatMapStrings (alias: "ServerAlias ${alias}\n") hostOpts.serverAliases} + ${optionalString (adminAddr != null) "ServerAdmin ${adminAddr}"} + SSLEngine on + SSLCertificateFile ${sslServerCert} + SSLCertificateKeyFile ${sslServerKey} + ${optionalString (sslServerChain != null) "SSLCertificateChainFile ${sslServerChain}"} + ${optionalString hostOpts.http2 "Protocols h2 h2c http/1.1"} + ${acmeChallenge} + ${mkVHostCommonConf hostOpts} + </VirtualHost> + '' + ; + + mkVHostCommonConf = hostOpts: + let + documentRoot = if hostOpts.documentRoot != null + then hostOpts.documentRoot + else pkgs.emptyDirectory + ; + + mkLocations = locations: concatStringsSep "\n" (map (config: '' + <Location ${config.location}> + ${optionalString (config.proxyPass != null) '' + <IfModule mod_proxy.c> + ProxyPass ${config.proxyPass} + ProxyPassReverse ${config.proxyPass} + </IfModule> + ''} + ${optionalString (config.index != null) '' + <IfModule mod_dir.c> + DirectoryIndex ${config.index} + </IfModule> + ''} + ${optionalString (config.alias != null) '' + <IfModule mod_alias.c> + Alias "${config.alias}" + </IfModule> + ''} + ${config.extraConfig} + </Location> + '') (sortProperties (mapAttrsToList (k: v: v // { location = k; }) locations))); + in + '' + ${optionalString cfg.logPerVirtualHost '' + ErrorLog ${cfg.logDir}/error-${hostOpts.hostName}.log + CustomLog ${cfg.logDir}/access-${hostOpts.hostName}.log ${hostOpts.logFormat} + ''} + + ${optionalString (hostOpts.robotsEntries != "") '' + Alias /robots.txt ${pkgs.writeText "robots.txt" hostOpts.robotsEntries} + ''} + + DocumentRoot "${documentRoot}" + + <Directory "${documentRoot}"> + Options Indexes FollowSymLinks + AllowOverride None + Require all granted + </Directory> + + ${optionalString hostOpts.enableUserDir '' + UserDir public_html + UserDir disabled root + <Directory "/home/*/public_html"> + AllowOverride FileInfo AuthConfig Limit Indexes + Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec + <Limit GET POST OPTIONS> + Require all granted + </Limit> + <LimitExcept GET POST OPTIONS> + Require all denied + </LimitExcept> + </Directory> + ''} + + ${optionalString (hostOpts.globalRedirect != null && hostOpts.globalRedirect != "") '' + RedirectPermanent / ${hostOpts.globalRedirect} + ''} + + ${ + let makeDirConf = elem: '' + Alias ${elem.urlPath} ${elem.dir}/ + <Directory ${elem.dir}> + Options +Indexes + Require all granted + AllowOverride All + </Directory> + ''; + in concatMapStrings makeDirConf hostOpts.servedDirs + } + + ${mkLocations hostOpts.locations} + ${hostOpts.extraConfig} + '' + ; + + + confFile = pkgs.writeText "httpd.conf" '' + + ServerRoot ${pkg} + ServerName ${config.networking.hostName} + DefaultRuntimeDir ${runtimeDir}/runtime + + PidFile ${runtimeDir}/httpd.pid + + ${optionalString (cfg.mpm != "prefork") '' + # mod_cgid requires this. + ScriptSock ${runtimeDir}/cgisock + ''} + + <IfModule prefork.c> + MaxClients ${toString cfg.maxClients} + MaxRequestsPerChild ${toString cfg.maxRequestsPerChild} + </IfModule> + + ${let + toStr = listen: "Listen ${listen.ip}:${toString listen.port} ${if listen.ssl then "https" else "http"}"; + uniqueListen = uniqList {inputList = map toStr listenInfo;}; + in concatStringsSep "\n" uniqueListen + } + + User ${cfg.user} + Group ${cfg.group} + + ${let + mkModule = module: + if isString module then { name = module; path = "${pkg}/modules/mod_${module}.so"; } + else if isAttrs module then { inherit (module) name path; } + else throw "Expecting either a string or attribute set including a name and path."; + in + concatMapStringsSep "\n" (module: "LoadModule ${module.name}_module ${module.path}") (unique (map mkModule modules)) + } + + AddHandler type-map var + + <Files ~ "^\.ht"> + Require all denied + </Files> + + ${mimeConf} + ${loggingConf} + ${browserHacks} + + Include ${pkg}/conf/extra/httpd-default.conf + Include ${pkg}/conf/extra/httpd-autoindex.conf + Include ${pkg}/conf/extra/httpd-multilang-errordoc.conf + Include ${pkg}/conf/extra/httpd-languages.conf + + TraceEnable off + + ${sslConf} + + ${optionalString cfg.package.luaSupport luaSetPaths} + + # Fascist default - deny access to everything. + <Directory /> + Options FollowSymLinks + AllowOverride None + Require all denied + </Directory> + + # But do allow access to files in the store so that we don't have + # to generate <Directory> clauses for every generated file that we + # want to serve. + <Directory /nix/store> + Require all granted + </Directory> + + ${cfg.extraConfig} + + ${concatMapStringsSep "\n" mkVHostConf vhosts} + ''; + + # Generate the PHP configuration file. Should probably be factored + # out into a separate module. + phpIni = pkgs.runCommand "php.ini" + { options = cfg.phpOptions; + preferLocalBuild = true; + } + '' + cat ${php}/etc/php.ini > $out + cat ${php.phpIni} > $out + echo "$options" >> $out + ''; + + mkCertOwnershipAssertion = import ../../../security/acme/mk-cert-ownership-assertion.nix; +in + + +{ + + imports = [ + (mkRemovedOptionModule [ "services" "httpd" "extraSubservices" ] "Most existing subservices have been ported to the NixOS module system. Please update your configuration accordingly.") + (mkRemovedOptionModule [ "services" "httpd" "stateDir" ] "The httpd module now uses /run/httpd as a runtime directory.") + (mkRenamedOptionModule [ "services" "httpd" "multiProcessingModule" ] [ "services" "httpd" "mpm" ]) + + # virtualHosts options + (mkRemovedOptionModule [ "services" "httpd" "documentRoot" ] "Please define a virtual host using `services.httpd.virtualHosts`.") + (mkRemovedOptionModule [ "services" "httpd" "enableSSL" ] "Please define a virtual host using `services.httpd.virtualHosts`.") + (mkRemovedOptionModule [ "services" "httpd" "enableUserDir" ] "Please define a virtual host using `services.httpd.virtualHosts`.") + (mkRemovedOptionModule [ "services" "httpd" "globalRedirect" ] "Please define a virtual host using `services.httpd.virtualHosts`.") + (mkRemovedOptionModule [ "services" "httpd" "hostName" ] "Please define a virtual host using `services.httpd.virtualHosts`.") + (mkRemovedOptionModule [ "services" "httpd" "listen" ] "Please define a virtual host using `services.httpd.virtualHosts`.") + (mkRemovedOptionModule [ "services" "httpd" "robotsEntries" ] "Please define a virtual host using `services.httpd.virtualHosts`.") + (mkRemovedOptionModule [ "services" "httpd" "servedDirs" ] "Please define a virtual host using `services.httpd.virtualHosts`.") + (mkRemovedOptionModule [ "services" "httpd" "servedFiles" ] "Please define a virtual host using `services.httpd.virtualHosts`.") + (mkRemovedOptionModule [ "services" "httpd" "serverAliases" ] "Please define a virtual host using `services.httpd.virtualHosts`.") + (mkRemovedOptionModule [ "services" "httpd" "sslServerCert" ] "Please define a virtual host using `services.httpd.virtualHosts`.") + (mkRemovedOptionModule [ "services" "httpd" "sslServerChain" ] "Please define a virtual host using `services.httpd.virtualHosts`.") + (mkRemovedOptionModule [ "services" "httpd" "sslServerKey" ] "Please define a virtual host using `services.httpd.virtualHosts`.") + ]; + + # interface + + options = { + + services.httpd = { + + enable = mkEnableOption (lib.mdDoc "the Apache HTTP Server"); + + package = mkPackageOption pkgs "apacheHttpd" { }; + + configFile = mkOption { + type = types.path; + default = confFile; + defaultText = literalExpression "confFile"; + example = literalExpression ''pkgs.writeText "httpd.conf" "# my custom config file ..."''; + description = lib.mdDoc '' + Override the configuration file used by Apache. By default, + NixOS generates one automatically. + ''; + }; + + extraConfig = mkOption { + type = types.lines; + default = ""; + description = lib.mdDoc '' + Configuration lines appended to the generated Apache + configuration file. Note that this mechanism will not work + when {option}`configFile` is overridden. + ''; + }; + + extraModules = mkOption { + type = types.listOf types.unspecified; + default = []; + example = literalExpression '' + [ + "proxy_connect" + { name = "jk"; path = "''${pkgs.tomcat_connectors}/modules/mod_jk.so"; } + ] + ''; + description = lib.mdDoc '' + Additional Apache modules to be used. These can be + specified as a string in the case of modules distributed + with Apache, or as an attribute set specifying the + {var}`name` and {var}`path` of the + module. + ''; + }; + + adminAddr = mkOption { + type = types.nullOr types.str; + example = "admin@example.org"; + default = null; + description = lib.mdDoc "E-mail address of the server administrator."; + }; + + logFormat = mkOption { + type = types.str; + default = "common"; + example = "combined"; + description = lib.mdDoc '' + Log format for log files. Possible values are: combined, common, referer, agent, none. + See <https://httpd.apache.org/docs/2.4/logs.html> for more details. + ''; + }; + + logPerVirtualHost = mkOption { + type = types.bool; + default = true; + description = lib.mdDoc '' + If enabled, each virtual host gets its own + {file}`access.log` and + {file}`error.log`, namely suffixed by the + {option}`hostName` of the virtual host. + ''; + }; + + user = mkOption { + type = types.str; + default = "wwwrun"; + description = lib.mdDoc '' + User account under which httpd children processes run. + + If you require the main httpd process to run as + `root` add the following configuration: + ``` + systemd.services.httpd.serviceConfig.User = lib.mkForce "root"; + ``` + ''; + }; + + group = mkOption { + type = types.str; + default = "wwwrun"; + description = lib.mdDoc '' + Group under which httpd children processes run. + ''; + }; + + logDir = mkOption { + type = types.path; + default = "/var/log/httpd"; + description = lib.mdDoc '' + Directory for Apache's log files. It is created automatically. + ''; + }; + + virtualHosts = mkOption { + type = with types; attrsOf (submodule (import ./vhost-options.nix)); + default = { + localhost = { + documentRoot = "${pkg}/htdocs"; + }; + }; + defaultText = literalExpression '' + { + localhost = { + documentRoot = "''${package.out}/htdocs"; + }; + } + ''; + example = literalExpression '' + { + "foo.example.com" = { + forceSSL = true; + documentRoot = "/var/www/foo.example.com" + }; + "bar.example.com" = { + addSSL = true; + documentRoot = "/var/www/bar.example.com"; + }; + } + ''; + description = lib.mdDoc '' + Specification of the virtual hosts served by Apache. Each + element should be an attribute set specifying the + configuration of the virtual host. + ''; + }; + + enableMellon = mkOption { + type = types.bool; + default = false; + description = lib.mdDoc "Whether to enable the mod_auth_mellon module."; + }; + + enablePHP = mkOption { + type = types.bool; + default = false; + description = lib.mdDoc "Whether to enable the PHP module."; + }; + + phpPackage = mkPackageOption pkgs "php" { }; + + enablePerl = mkOption { + type = types.bool; + default = false; + description = lib.mdDoc "Whether to enable the Perl module (mod_perl)."; + }; + + phpOptions = mkOption { + type = types.lines; + default = ""; + example = + '' + date.timezone = "CET" + ''; + description = lib.mdDoc '' + Options appended to the PHP configuration file {file}`php.ini`. + ''; + }; + + mpm = mkOption { + type = types.enum [ "event" "prefork" "worker" ]; + default = "event"; + example = "worker"; + description = + lib.mdDoc '' + Multi-processing module to be used by Apache. Available + modules are `prefork` (handles each + request in a separate child process), `worker` + (hybrid approach that starts a number of child processes + each running a number of threads) and `event` + (the default; a recent variant of `worker` + that handles persistent connections more efficiently). + ''; + }; + + maxClients = mkOption { + type = types.int; + default = 150; + example = 8; + description = lib.mdDoc "Maximum number of httpd processes (prefork)"; + }; + + maxRequestsPerChild = mkOption { + type = types.int; + default = 0; + example = 500; + description = lib.mdDoc '' + Maximum number of httpd requests answered per httpd child (prefork), 0 means unlimited. + ''; + }; + + sslCiphers = mkOption { + type = types.str; + default = "HIGH:!aNULL:!MD5:!EXP"; + description = lib.mdDoc "Cipher Suite available for negotiation in SSL proxy handshake."; + }; + + sslProtocols = mkOption { + type = types.str; + default = "All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1"; + example = "All -SSLv2 -SSLv3"; + description = lib.mdDoc "Allowed SSL/TLS protocol versions."; + }; + }; + + }; + + # implementation + + config = mkIf cfg.enable { + + assertions = [ + { + assertion = all (hostOpts: !hostOpts.enableSSL) vhosts; + message = '' + The option `services.httpd.virtualHosts.<name>.enableSSL` no longer has any effect; please remove it. + Select one of `services.httpd.virtualHosts.<name>.addSSL`, `services.httpd.virtualHosts.<name>.forceSSL`, + or `services.httpd.virtualHosts.<name>.onlySSL`. + ''; + } + { + assertion = all (hostOpts: with hostOpts; !(addSSL && onlySSL) && !(forceSSL && onlySSL) && !(addSSL && forceSSL)) vhosts; + message = '' + Options `services.httpd.virtualHosts.<name>.addSSL`, + `services.httpd.virtualHosts.<name>.onlySSL` and `services.httpd.virtualHosts.<name>.forceSSL` + are mutually exclusive. + ''; + } + { + assertion = all (hostOpts: !(hostOpts.enableACME && hostOpts.useACMEHost != null)) vhosts; + message = '' + Options `services.httpd.virtualHosts.<name>.enableACME` and + `services.httpd.virtualHosts.<name>.useACMEHost` are mutually exclusive. + ''; + } + { + assertion = cfg.enablePHP -> php.ztsSupport; + message = '' + The php package provided by `services.httpd.phpPackage` is not built with zts support. Please + ensure the php has zts support by settings `services.httpd.phpPackage = php.override { ztsSupport = true; }` + ''; + } + ] ++ map (name: mkCertOwnershipAssertion { + inherit (cfg) group user; + cert = config.security.acme.certs.${name}; + groups = config.users.groups; + }) dependentCertNames; + + warnings = + mapAttrsToList (name: hostOpts: '' + Using config.services.httpd.virtualHosts."${name}".servedFiles is deprecated and will become unsupported in a future release. Your configuration will continue to work as is but please migrate your configuration to config.services.httpd.virtualHosts."${name}".locations before the 20.09 release of NixOS. + '') (filterAttrs (name: hostOpts: hostOpts.servedFiles != []) cfg.virtualHosts); + + users.users = optionalAttrs (cfg.user == "wwwrun") { + wwwrun = { + group = cfg.group; + description = "Apache httpd user"; + uid = config.ids.uids.wwwrun; + }; + }; + + users.groups = optionalAttrs (cfg.group == "wwwrun") { + wwwrun.gid = config.ids.gids.wwwrun; + }; + + security.acme.certs = let + acmePairs = map (hostOpts: let + hasRoot = hostOpts.acmeRoot != null; + in nameValuePair hostOpts.hostName { + group = mkDefault cfg.group; + # if acmeRoot is null inherit config.security.acme + # Since config.security.acme.certs.<cert>.webroot's own default value + # should take precedence set priority higher than mkOptionDefault + webroot = mkOverride (if hasRoot then 1000 else 2000) hostOpts.acmeRoot; + # Also nudge dnsProvider to null in case it is inherited + dnsProvider = mkOverride (if hasRoot then 1000 else 2000) null; + extraDomainNames = hostOpts.serverAliases; + # Use the vhost-specific email address if provided, otherwise let + # security.acme.email or security.acme.certs.<cert>.email be used. + email = mkOverride 2000 (if hostOpts.adminAddr != null then hostOpts.adminAddr else cfg.adminAddr); + # Filter for enableACME-only vhosts. Don't want to create dud certs + }) (filter (hostOpts: hostOpts.useACMEHost == null) acmeEnabledVhosts); + in listToAttrs acmePairs; + + # httpd requires a stable path to the configuration file for reloads + environment.etc."httpd/httpd.conf".source = cfg.configFile; + environment.systemPackages = [ + apachectl + pkg + ]; + + services.logrotate = optionalAttrs (cfg.logFormat != "none") { + enable = mkDefault true; + settings.httpd = { + files = "${cfg.logDir}/*.log"; + su = "${cfg.user} ${cfg.group}"; + frequency = "daily"; + rotate = 28; + sharedscripts = true; + compress = true; + delaycompress = true; + postrotate = "systemctl reload httpd.service > /dev/null 2>/dev/null || true"; + }; + }; + + services.httpd.phpOptions = + '' + ; Don't advertise PHP + expose_php = off + '' + optionalString (config.time.timeZone != null) '' + + ; Apparently PHP doesn't use $TZ. + date.timezone = "${config.time.timeZone}" + ''; + + services.httpd.extraModules = mkBefore [ + # HTTP authentication mechanisms: basic and digest. + "auth_basic" "auth_digest" + + # Authentication: is the user who he claims to be? + "authn_file" "authn_dbm" "authn_anon" + + # Authorization: is the user allowed access? + "authz_user" "authz_groupfile" "authz_host" + + # Other modules. + "ext_filter" "include" "env" "mime_magic" + "cern_meta" "expires" "headers" "usertrack" "setenvif" + "dav" "status" "asis" "info" "dav_fs" + "vhost_alias" "imagemap" "actions" "speling" + "proxy" "proxy_http" + "cache" "cache_disk" + + # For compatibility with old configurations, the new module mod_access_compat is provided. + "access_compat" + ]; + + systemd.tmpfiles.rules = + let + svc = config.systemd.services.httpd.serviceConfig; + in + [ + "d '${cfg.logDir}' 0700 ${svc.User} ${svc.Group}" + "Z '${cfg.logDir}' - ${svc.User} ${svc.Group}" + ]; + + systemd.services.httpd = { + description = "Apache HTTPD"; + wantedBy = [ "multi-user.target" ]; + wants = concatLists (map (certName: [ "acme-finished-${certName}.target" ]) dependentCertNames); + after = [ "network.target" ] ++ map (certName: "acme-selfsigned-${certName}.service") dependentCertNames; + before = map (certName: "acme-${certName}.service") dependentCertNames; + restartTriggers = [ cfg.configFile ]; + + path = [ pkg pkgs.coreutils pkgs.gnugrep ]; + + environment = + optionalAttrs cfg.enablePHP { PHPRC = phpIni; } + // optionalAttrs cfg.enableMellon { LD_LIBRARY_PATH = "${pkgs.xmlsec}/lib"; }; + + preStart = + '' + # Get rid of old semaphores. These tend to accumulate across + # server restarts, eventually preventing it from restarting + # successfully. + for i in $(${pkgs.util-linux}/bin/ipcs -s | grep ' ${cfg.user} ' | cut -f2 -d ' '); do + ${pkgs.util-linux}/bin/ipcrm -s $i + done + ''; + + serviceConfig = { + ExecStart = "@${pkg}/bin/httpd httpd -f /etc/httpd/httpd.conf"; + ExecStop = "${pkg}/bin/httpd -f /etc/httpd/httpd.conf -k graceful-stop"; + ExecReload = "${pkg}/bin/httpd -f /etc/httpd/httpd.conf -k graceful"; + User = cfg.user; + Group = cfg.group; + Type = "forking"; + PIDFile = "${runtimeDir}/httpd.pid"; + Restart = "always"; + RestartSec = "5s"; + RuntimeDirectory = "httpd httpd/runtime"; + RuntimeDirectoryMode = "0750"; + AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ]; + }; + }; + + # postRun hooks on cert renew can't be used to restart Apache since renewal + # runs as the unprivileged acme user. sslTargets are added to wantedBy + before + # which allows the acme-finished-$cert.target to signify the successful updating + # of certs end-to-end. + systemd.services.httpd-config-reload = let + sslServices = map (certName: "acme-${certName}.service") dependentCertNames; + sslTargets = map (certName: "acme-finished-${certName}.target") dependentCertNames; + in mkIf (sslServices != []) { + wantedBy = sslServices ++ [ "multi-user.target" ]; + # Before the finished targets, after the renew services. + # This service might be needed for HTTP-01 challenges, but we only want to confirm + # certs are updated _after_ config has been reloaded. + before = sslTargets; + after = sslServices; + restartTriggers = [ cfg.configFile ]; + # Block reloading if not all certs exist yet. + # Happens when config changes add new vhosts/certs. + unitConfig.ConditionPathExists = map (certName: certs.${certName}.directory + "/fullchain.pem") dependentCertNames; + serviceConfig = { + Type = "oneshot"; + TimeoutSec = 60; + ExecCondition = "/run/current-system/systemd/bin/systemctl -q is-active httpd.service"; + ExecStartPre = "${pkg}/bin/httpd -f /etc/httpd/httpd.conf -t"; + ExecStart = "/run/current-system/systemd/bin/systemctl reload httpd.service"; + }; + }; + + }; +} diff --git a/nixpkgs/nixos/modules/services/web-servers/apache-httpd/location-options.nix b/nixpkgs/nixos/modules/services/web-servers/apache-httpd/location-options.nix new file mode 100644 index 000000000000..f2d4f8357047 --- /dev/null +++ b/nixpkgs/nixos/modules/services/web-servers/apache-httpd/location-options.nix @@ -0,0 +1,54 @@ +{ config, lib, name, ... }: +let + inherit (lib) mkOption types; +in +{ + options = { + + proxyPass = mkOption { + type = with types; nullOr str; + default = null; + example = "http://www.example.org/"; + description = lib.mdDoc '' + Sets up a simple reverse proxy as described by <https://httpd.apache.org/docs/2.4/howto/reverse_proxy.html#simple>. + ''; + }; + + index = mkOption { + type = with types; nullOr str; + default = null; + example = "index.php index.html"; + description = lib.mdDoc '' + Adds DirectoryIndex directive. See <https://httpd.apache.org/docs/2.4/mod/mod_dir.html#directoryindex>. + ''; + }; + + alias = mkOption { + type = with types; nullOr path; + default = null; + example = "/your/alias/directory"; + description = lib.mdDoc '' + Alias directory for requests. See <https://httpd.apache.org/docs/2.4/mod/mod_alias.html#alias>. + ''; + }; + + extraConfig = mkOption { + type = types.lines; + default = ""; + description = lib.mdDoc '' + These lines go to the end of the location verbatim. + ''; + }; + + priority = mkOption { + type = types.int; + default = 1000; + description = lib.mdDoc '' + Order of this location block in relation to the others in the vhost. + The semantics are the same as with `lib.mkOrder`. Smaller values have + a greater priority. + ''; + }; + + }; +} diff --git a/nixpkgs/nixos/modules/services/web-servers/apache-httpd/vhost-options.nix b/nixpkgs/nixos/modules/services/web-servers/apache-httpd/vhost-options.nix new file mode 100644 index 000000000000..7b87f9ef4bde --- /dev/null +++ b/nixpkgs/nixos/modules/services/web-servers/apache-httpd/vhost-options.nix @@ -0,0 +1,291 @@ +{ config, lib, name, ... }: +let + inherit (lib) literalExpression mkOption nameValuePair types; +in +{ + options = { + + hostName = mkOption { + type = types.str; + default = name; + description = lib.mdDoc "Canonical hostname for the server."; + }; + + serverAliases = mkOption { + type = types.listOf types.str; + default = []; + example = ["www.example.org" "www.example.org:8080" "example.org"]; + description = lib.mdDoc '' + Additional names of virtual hosts served by this virtual host configuration. + ''; + }; + + listen = mkOption { + type = with types; listOf (submodule ({ + options = { + port = mkOption { + type = types.port; + description = lib.mdDoc "Port to listen on"; + }; + ip = mkOption { + type = types.str; + default = "*"; + description = lib.mdDoc "IP to listen on. 0.0.0.0 for IPv4 only, * for all."; + }; + ssl = mkOption { + type = types.bool; + default = false; + description = lib.mdDoc "Whether to enable SSL (https) support."; + }; + }; + })); + default = []; + example = [ + { ip = "195.154.1.1"; port = 443; ssl = true;} + { ip = "192.154.1.1"; port = 80; } + { ip = "*"; port = 8080; } + ]; + description = lib.mdDoc '' + Listen addresses and ports for this virtual host. + + ::: {.note} + This option overrides `addSSL`, `forceSSL` and `onlySSL`. + + If you only want to set the addresses manually and not the ports, take a look at `listenAddresses`. + ::: + ''; + }; + + listenAddresses = mkOption { + type = with types; nonEmptyListOf str; + + description = lib.mdDoc '' + Listen addresses for this virtual host. + Compared to `listen` this only sets the addresses + and the ports are chosen automatically. + ''; + default = [ "*" ]; + example = [ "127.0.0.1" ]; + }; + + enableSSL = mkOption { + type = types.bool; + visible = false; + default = false; + }; + + addSSL = mkOption { + type = types.bool; + default = false; + description = lib.mdDoc '' + Whether to enable HTTPS in addition to plain HTTP. This will set defaults for + `listen` to listen on all interfaces on the respective default + ports (80, 443). + ''; + }; + + onlySSL = mkOption { + type = types.bool; + default = false; + description = lib.mdDoc '' + Whether to enable HTTPS and reject plain HTTP connections. This will set + defaults for `listen` to listen on all interfaces on port 443. + ''; + }; + + forceSSL = mkOption { + type = types.bool; + default = false; + description = lib.mdDoc '' + Whether to add a separate nginx server block that permanently redirects (301) + all plain HTTP traffic to HTTPS. This will set defaults for + `listen` to listen on all interfaces on the respective default + ports (80, 443), where the non-SSL listens are used for the redirect vhosts. + ''; + }; + + enableACME = mkOption { + type = types.bool; + default = false; + description = lib.mdDoc '' + Whether to ask Let's Encrypt to sign a certificate for this vhost. + Alternately, you can use an existing certificate through {option}`useACMEHost`. + ''; + }; + + useACMEHost = mkOption { + type = types.nullOr types.str; + default = null; + description = lib.mdDoc '' + A host of an existing Let's Encrypt certificate to use. + This is useful if you have many subdomains and want to avoid hitting the + [rate limit](https://letsencrypt.org/docs/rate-limits). + Alternately, you can generate a certificate through {option}`enableACME`. + *Note that this option does not create any certificates, nor it does add subdomains to existing ones – you will need to create them manually using [](#opt-security.acme.certs).* + ''; + }; + + acmeRoot = mkOption { + type = types.nullOr types.str; + default = "/var/lib/acme/acme-challenge"; + description = lib.mdDoc '' + Directory for the acme challenge which is PUBLIC, don't put certs or keys in here. + Set to null to inherit from config.security.acme. + ''; + }; + + sslServerCert = mkOption { + type = types.path; + example = "/var/host.cert"; + description = lib.mdDoc "Path to server SSL certificate."; + }; + + sslServerKey = mkOption { + type = types.path; + example = "/var/host.key"; + description = lib.mdDoc "Path to server SSL certificate key."; + }; + + sslServerChain = mkOption { + type = types.nullOr types.path; + default = null; + example = "/var/ca.pem"; + description = lib.mdDoc "Path to server SSL chain file."; + }; + + http2 = mkOption { + type = types.bool; + default = true; + description = lib.mdDoc '' + Whether to enable HTTP 2. HTTP/2 is supported in all multi-processing modules that come with httpd. *However, if you use the prefork mpm, there will + be severe restrictions.* Refer to <https://httpd.apache.org/docs/2.4/howto/http2.html#mpm-config> for details. + ''; + }; + + adminAddr = mkOption { + type = types.nullOr types.str; + default = null; + example = "admin@example.org"; + description = lib.mdDoc "E-mail address of the server administrator."; + }; + + documentRoot = mkOption { + type = types.nullOr types.path; + default = null; + example = "/data/webserver/docs"; + description = lib.mdDoc '' + The path of Apache's document root directory. If left undefined, + an empty directory in the Nix store will be used as root. + ''; + }; + + servedDirs = mkOption { + type = types.listOf types.attrs; + default = []; + example = [ + { urlPath = "/nix"; + dir = "/home/eelco/Dev/nix-homepage"; + } + ]; + description = lib.mdDoc '' + This option provides a simple way to serve static directories. + ''; + }; + + servedFiles = mkOption { + type = types.listOf types.attrs; + default = []; + example = [ + { urlPath = "/foo/bar.png"; + file = "/home/eelco/some-file.png"; + } + ]; + description = lib.mdDoc '' + This option provides a simple way to serve individual, static files. + + ::: {.note} + This option has been deprecated and will be removed in a future + version of NixOS. You can achieve the same result by making use of + the `locations.<name>.alias` option. + ::: + ''; + }; + + extraConfig = mkOption { + type = types.lines; + default = ""; + example = '' + <Directory /home> + Options FollowSymlinks + AllowOverride All + </Directory> + ''; + description = lib.mdDoc '' + These lines go to httpd.conf verbatim. They will go after + directories and directory aliases defined by default. + ''; + }; + + enableUserDir = mkOption { + type = types.bool; + default = false; + description = lib.mdDoc '' + Whether to enable serving {file}`~/public_html` as + `/~«username»`. + ''; + }; + + globalRedirect = mkOption { + type = types.nullOr types.str; + default = null; + example = "http://newserver.example.org/"; + description = lib.mdDoc '' + If set, all requests for this host are redirected permanently to + the given URL. + ''; + }; + + logFormat = mkOption { + type = types.str; + default = "common"; + example = "combined"; + description = lib.mdDoc '' + Log format for Apache's log files. Possible values are: combined, common, referer, agent. + ''; + }; + + robotsEntries = mkOption { + type = types.lines; + default = ""; + example = "Disallow: /foo/"; + description = lib.mdDoc '' + Specification of pages to be ignored by web crawlers. See <http://www.robotstxt.org/> for details. + ''; + }; + + locations = mkOption { + type = with types; attrsOf (submodule (import ./location-options.nix)); + default = {}; + example = literalExpression '' + { + "/" = { + proxyPass = "http://localhost:3000"; + }; + "/foo/bar.png" = { + alias = "/home/eelco/some-file.png"; + }; + }; + ''; + description = lib.mdDoc '' + Declarative location config. See <https://httpd.apache.org/docs/2.4/mod/core.html#location> for details. + ''; + }; + + }; + + config = { + + locations = builtins.listToAttrs (map (elem: nameValuePair elem.urlPath { alias = elem.file; }) config.servedFiles); + + }; +} diff --git a/nixpkgs/nixos/modules/services/web-servers/caddy/default.nix b/nixpkgs/nixos/modules/services/web-servers/caddy/default.nix new file mode 100644 index 000000000000..95dc219d108c --- /dev/null +++ b/nixpkgs/nixos/modules/services/web-servers/caddy/default.nix @@ -0,0 +1,407 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.caddy; + + virtualHosts = attrValues cfg.virtualHosts; + acmeVHosts = filter (hostOpts: hostOpts.useACMEHost != null) virtualHosts; + + mkVHostConf = hostOpts: + let + sslCertDir = config.security.acme.certs.${hostOpts.useACMEHost}.directory; + in + '' + ${hostOpts.hostName} ${concatStringsSep " " hostOpts.serverAliases} { + ${optionalString (hostOpts.listenAddresses != [ ]) "bind ${concatStringsSep " " hostOpts.listenAddresses}"} + ${optionalString (hostOpts.useACMEHost != null) "tls ${sslCertDir}/cert.pem ${sslCertDir}/key.pem"} + log { + ${hostOpts.logFormat} + } + + ${hostOpts.extraConfig} + } + ''; + + settingsFormat = pkgs.formats.json { }; + + configFile = + if cfg.settings != { } then + settingsFormat.generate "caddy.json" cfg.settings + else + let + Caddyfile = pkgs.writeTextDir "Caddyfile" '' + { + ${cfg.globalConfig} + } + ${cfg.extraConfig} + ${concatMapStringsSep "\n" mkVHostConf virtualHosts} + ''; + + Caddyfile-formatted = pkgs.runCommand "Caddyfile-formatted" { nativeBuildInputs = [ cfg.package ]; } '' + mkdir -p $out + cp --no-preserve=mode ${Caddyfile}/Caddyfile $out/Caddyfile + caddy fmt --overwrite $out/Caddyfile + ''; + in + "${if pkgs.stdenv.buildPlatform == pkgs.stdenv.hostPlatform then Caddyfile-formatted else Caddyfile}/Caddyfile"; + + etcConfigFile = "caddy/caddy_config"; + + configPath = "/etc/${etcConfigFile}"; + + acmeHosts = unique (catAttrs "useACMEHost" acmeVHosts); + + mkCertOwnershipAssertion = import ../../../security/acme/mk-cert-ownership-assertion.nix; +in +{ + imports = [ + (mkRemovedOptionModule [ "services" "caddy" "agree" ] "this option is no longer necessary for Caddy 2") + (mkRenamedOptionModule [ "services" "caddy" "ca" ] [ "services" "caddy" "acmeCA" ]) + (mkRenamedOptionModule [ "services" "caddy" "config" ] [ "services" "caddy" "extraConfig" ]) + ]; + + # interface + options.services.caddy = { + enable = mkEnableOption (lib.mdDoc "Caddy web server"); + + user = mkOption { + default = "caddy"; + type = types.str; + description = lib.mdDoc '' + User account under which caddy runs. + + ::: {.note} + If left as the default value this user will automatically be created + on system activation, otherwise you are responsible for + ensuring the user exists before the Caddy service starts. + ::: + ''; + }; + + group = mkOption { + default = "caddy"; + type = types.str; + description = lib.mdDoc '' + Group account under which caddy runs. + + ::: {.note} + If left as the default value this user will automatically be created + on system activation, otherwise you are responsible for + ensuring the user exists before the Caddy service starts. + ::: + ''; + }; + + package = mkPackageOption pkgs "caddy" { }; + + dataDir = mkOption { + type = types.path; + default = "/var/lib/caddy"; + description = lib.mdDoc '' + The data directory for caddy. + + ::: {.note} + If left as the default value this directory will automatically be created + before the Caddy server starts, otherwise you are responsible for ensuring + the directory exists with appropriate ownership and permissions. + + Caddy v2 replaced `CADDYPATH` with XDG directories. + See <https://caddyserver.com/docs/conventions#file-locations>. + ::: + ''; + }; + + logDir = mkOption { + type = types.path; + default = "/var/log/caddy"; + description = lib.mdDoc '' + Directory for storing Caddy access logs. + + ::: {.note} + If left as the default value this directory will automatically be created + before the Caddy server starts, otherwise the sysadmin is responsible for + ensuring the directory exists with appropriate ownership and permissions. + ::: + ''; + }; + + logFormat = mkOption { + type = types.lines; + default = '' + level ERROR + ''; + example = literalExpression '' + mkForce "level INFO"; + ''; + description = lib.mdDoc '' + Configuration for the default logger. See + <https://caddyserver.com/docs/caddyfile/options#log> + for details. + ''; + }; + + configFile = mkOption { + type = types.path; + default = configFile; + defaultText = "A Caddyfile automatically generated by values from services.caddy.*"; + example = literalExpression '' + pkgs.writeText "Caddyfile" ''' + example.com + + root * /var/www/wordpress + php_fastcgi unix//run/php/php-version-fpm.sock + file_server + '''; + ''; + description = lib.mdDoc '' + Override the configuration file used by Caddy. By default, + NixOS generates one automatically. + + The configuration file is exposed at {file}`${configPath}`. + ''; + }; + + adapter = mkOption { + default = if ((cfg.configFile != configFile) || (builtins.baseNameOf cfg.configFile) == "Caddyfile") then "caddyfile" else null; + defaultText = literalExpression '' + if ((cfg.configFile != configFile) || (builtins.baseNameOf cfg.configFile) == "Caddyfile") then "caddyfile" else null + ''; + example = literalExpression "nginx"; + type = with types; nullOr str; + description = lib.mdDoc '' + Name of the config adapter to use. + See <https://caddyserver.com/docs/config-adapters> + for the full list. + + If `null` is specified, the `--adapter` argument is omitted when + starting or restarting Caddy. Notably, this allows specification of a + configuration file in Caddy's native JSON format, as long as the + filename does not start with `Caddyfile` (in which case the `caddyfile` + adapter is implicitly enabled). See + <https://caddyserver.com/docs/command-line#caddy-run> for details. + + ::: {.note} + Any value other than `null` or `caddyfile` is only valid when providing + your own `configFile`. + ::: + ''; + }; + + resume = mkOption { + default = false; + type = types.bool; + description = lib.mdDoc '' + Use saved config, if any (and prefer over any specified configuration passed with `--config`). + ''; + }; + + globalConfig = mkOption { + type = types.lines; + default = ""; + example = '' + debug + servers { + protocol { + experimental_http3 + } + } + ''; + description = lib.mdDoc '' + Additional lines of configuration appended to the global config section + of the `Caddyfile`. + + Refer to <https://caddyserver.com/docs/caddyfile/options#global-options> + for details on supported values. + ''; + }; + + extraConfig = mkOption { + type = types.lines; + default = ""; + example = '' + example.com { + encode gzip + log + root /srv/http + } + ''; + description = lib.mdDoc '' + Additional lines of configuration appended to the automatically + generated `Caddyfile`. + ''; + }; + + virtualHosts = mkOption { + type = with types; attrsOf (submodule (import ./vhost-options.nix { inherit cfg; })); + default = {}; + example = literalExpression '' + { + "hydra.example.com" = { + serverAliases = [ "www.hydra.example.com" ]; + extraConfig = ''' + encode gzip + root /srv/http + '''; + }; + }; + ''; + description = lib.mdDoc '' + Declarative specification of virtual hosts served by Caddy. + ''; + }; + + acmeCA = mkOption { + default = null; + example = "https://acme-v02.api.letsencrypt.org/directory"; + type = with types; nullOr str; + description = lib.mdDoc '' + ::: {.note} + Sets the [`acme_ca` option](https://caddyserver.com/docs/caddyfile/options#acme-ca) + in the global options block of the resulting Caddyfile. + ::: + + The URL to the ACME CA's directory. It is strongly recommended to set + this to `https://acme-staging-v02.api.letsencrypt.org/directory` for + Let's Encrypt's [staging endpoint](https://letsencrypt.org/docs/staging-environment/) + while testing or in development. + + Value `null` should be prefered for production setups, + as it omits the `acme_ca` option to enable + [automatic issuer fallback](https://caddyserver.com/docs/automatic-https#issuer-fallback). + ''; + }; + + email = mkOption { + default = null; + type = with types; nullOr str; + description = lib.mdDoc '' + Your email address. Mainly used when creating an ACME account with your + CA, and is highly recommended in case there are problems with your + certificates. + ''; + }; + + enableReload = mkOption { + default = true; + type = types.bool; + description = lib.mdDoc '' + Reload Caddy instead of restarting it when configuration file changes. + + Note that enabling this option requires the [admin API](https://caddyserver.com/docs/caddyfile/options#admin) + to not be turned off. + + If you enable this option, consider setting [`grace_period`](https://caddyserver.com/docs/caddyfile/options#grace-period) + to a non-infinite value in {option}`services.caddy.globalConfig` + to prevent Caddy waiting for active connections to finish, + which could delay the reload essentially indefinitely. + ''; + }; + + settings = mkOption { + type = settingsFormat.type; + default = {}; + description = lib.mdDoc '' + Structured configuration for Caddy to generate a Caddy JSON configuration file. + See <https://caddyserver.com/docs/json/> for available options. + + ::: {.warning} + Using a [Caddyfile](https://caddyserver.com/docs/caddyfile) instead of a JSON config is highly recommended by upstream. + There are only very few exception to this. + + Please use a Caddyfile via {option}`services.caddy.configFile`, {option}`services.caddy.virtualHosts` or + {option}`services.caddy.extraConfig` with {option}`services.caddy.globalConfig` instead. + ::: + + ::: {.note} + Takes presence over most `services.caddy.*` options, such as {option}`services.caddy.configFile` and {option}`services.caddy.virtualHosts`, if specified. + ::: + ''; + }; + }; + + # implementation + config = mkIf cfg.enable { + + assertions = [ + { assertion = cfg.configFile == configFile -> cfg.adapter == "caddyfile" || cfg.adapter == null; + message = "To specify an adapter other than 'caddyfile' please provide your own configuration via `services.caddy.configFile`"; + } + ] ++ map (name: mkCertOwnershipAssertion { + inherit (cfg) group user; + cert = config.security.acme.certs.${name}; + groups = config.users.groups; + }) acmeHosts; + + services.caddy.globalConfig = '' + ${optionalString (cfg.email != null) "email ${cfg.email}"} + ${optionalString (cfg.acmeCA != null) "acme_ca ${cfg.acmeCA}"} + log { + ${cfg.logFormat} + } + ''; + + # https://github.com/quic-go/quic-go/wiki/UDP-Buffer-Sizes + boot.kernel.sysctl."net.core.rmem_max" = mkDefault 2500000; + boot.kernel.sysctl."net.core.wmem_max" = mkDefault 2500000; + + systemd.packages = [ cfg.package ]; + systemd.services.caddy = { + wants = map (hostOpts: "acme-finished-${hostOpts.useACMEHost}.target") acmeVHosts; + after = map (hostOpts: "acme-selfsigned-${hostOpts.useACMEHost}.service") acmeVHosts; + before = map (hostOpts: "acme-${hostOpts.useACMEHost}.service") acmeVHosts; + + wantedBy = [ "multi-user.target" ]; + startLimitIntervalSec = 14400; + startLimitBurst = 10; + reloadTriggers = optional cfg.enableReload cfg.configFile; + + serviceConfig = let + runOptions = ''--config ${configPath} ${optionalString (cfg.adapter != null) "--adapter ${cfg.adapter}"}''; + in { + # https://www.freedesktop.org/software/systemd/man/systemd.service.html#ExecStart= + # If the empty string is assigned to this option, the list of commands to start is reset, prior assignments of this option will have no effect. + ExecStart = [ "" ''${cfg.package}/bin/caddy run ${runOptions} ${optionalString cfg.resume "--resume"}'' ]; + # Validating the configuration before applying it ensures we’ll get a proper error that will be reported when switching to the configuration + ExecReload = [ "" ''${cfg.package}/bin/caddy reload ${runOptions} --force'' ]; + User = cfg.user; + Group = cfg.group; + ReadWriteDirectories = cfg.dataDir; + StateDirectory = mkIf (cfg.dataDir == "/var/lib/caddy") [ "caddy" ]; + LogsDirectory = mkIf (cfg.logDir == "/var/log/caddy") [ "caddy" ]; + Restart = "on-failure"; + RestartPreventExitStatus = 1; + RestartSec = "5s"; + + # TODO: attempt to upstream these options + NoNewPrivileges = true; + PrivateDevices = true; + ProtectHome = true; + }; + }; + + users.users = optionalAttrs (cfg.user == "caddy") { + caddy = { + group = cfg.group; + uid = config.ids.uids.caddy; + home = cfg.dataDir; + }; + }; + + users.groups = optionalAttrs (cfg.group == "caddy") { + caddy.gid = config.ids.gids.caddy; + }; + + security.acme.certs = + let + certCfg = map (useACMEHost: nameValuePair useACMEHost { + group = mkDefault cfg.group; + reloadServices = [ "caddy.service" ]; + }) acmeHosts; + in + listToAttrs certCfg; + + environment.etc.${etcConfigFile}.source = cfg.configFile; + }; +} diff --git a/nixpkgs/nixos/modules/services/web-servers/caddy/vhost-options.nix b/nixpkgs/nixos/modules/services/web-servers/caddy/vhost-options.nix new file mode 100644 index 000000000000..229b53efb49f --- /dev/null +++ b/nixpkgs/nixos/modules/services/web-servers/caddy/vhost-options.nix @@ -0,0 +1,77 @@ +{ cfg }: +{ config, lib, name, ... }: +let + inherit (lib) literalExpression mkOption types; +in +{ + options = { + + hostName = mkOption { + type = types.str; + default = name; + description = lib.mdDoc "Canonical hostname for the server."; + }; + + serverAliases = mkOption { + type = with types; listOf str; + default = [ ]; + example = [ "www.example.org" "example.org" ]; + description = lib.mdDoc '' + Additional names of virtual hosts served by this virtual host configuration. + ''; + }; + + listenAddresses = mkOption { + type = with types; listOf str; + description = lib.mdDoc '' + A list of host interfaces to bind to for this virtual host. + ''; + default = [ ]; + example = [ "127.0.0.1" "::1" ]; + }; + + useACMEHost = mkOption { + type = types.nullOr types.str; + default = null; + description = lib.mdDoc '' + A host of an existing Let's Encrypt certificate to use. + This is mostly useful if you use DNS challenges but Caddy does not + currently support your provider. + + *Note that this option does not create any certificates, nor + does it add subdomains to existing ones – you will need to create them + manually using [](#opt-security.acme.certs).* + ''; + }; + + logFormat = mkOption { + type = types.lines; + default = '' + output file ${cfg.logDir}/access-${config.hostName}.log + ''; + defaultText = '' + output file ''${config.services.caddy.logDir}/access-''${hostName}.log + ''; + example = literalExpression '' + mkForce ''' + output discard + '''; + ''; + description = lib.mdDoc '' + Configuration for HTTP request logging (also known as access logs). See + <https://caddyserver.com/docs/caddyfile/directives/log#log> + for details. + ''; + }; + + extraConfig = mkOption { + type = types.lines; + default = ""; + description = lib.mdDoc '' + Additional lines of configuration appended to this virtual host in the + automatically generated `Caddyfile`. + ''; + }; + + }; +} diff --git a/nixpkgs/nixos/modules/services/web-servers/darkhttpd.nix b/nixpkgs/nixos/modules/services/web-servers/darkhttpd.nix new file mode 100644 index 000000000000..1e3a7166bc41 --- /dev/null +++ b/nixpkgs/nixos/modules/services/web-servers/darkhttpd.nix @@ -0,0 +1,77 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.darkhttpd; + + args = concatStringsSep " " ([ + cfg.rootDir + "--port ${toString cfg.port}" + "--addr ${cfg.address}" + ] ++ cfg.extraArgs + ++ optional cfg.hideServerId "--no-server-id" + ++ optional config.networking.enableIPv6 "--ipv6"); + +in { + options.services.darkhttpd = with types; { + enable = mkEnableOption (lib.mdDoc "DarkHTTPd web server"); + + port = mkOption { + default = 80; + type = types.port; + description = lib.mdDoc '' + Port to listen on. + Pass 0 to let the system choose any free port for you. + ''; + }; + + address = mkOption { + default = "127.0.0.1"; + type = str; + description = lib.mdDoc '' + Address to listen on. + Pass `all` to listen on all interfaces. + ''; + }; + + rootDir = mkOption { + type = path; + description = lib.mdDoc '' + Path from which to serve files. + ''; + }; + + hideServerId = mkOption { + type = bool; + default = true; + description = lib.mdDoc '' + Don't identify the server type in headers or directory listings. + ''; + }; + + extraArgs = mkOption { + type = listOf str; + default = []; + description = lib.mdDoc '' + Additional configuration passed to the executable. + ''; + }; + }; + + config = mkIf cfg.enable { + systemd.services.darkhttpd = { + description = "Dark HTTPd"; + wants = [ "network.target" ]; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + DynamicUser = true; + ExecStart = "${pkgs.darkhttpd}/bin/darkhttpd ${args}"; + AmbientCapabilities = lib.mkIf (cfg.port < 1024) [ "CAP_NET_BIND_SERVICE" ]; + Restart = "on-failure"; + RestartSec = "2s"; + }; + }; + }; +} diff --git a/nixpkgs/nixos/modules/services/web-servers/fcgiwrap.nix b/nixpkgs/nixos/modules/services/web-servers/fcgiwrap.nix new file mode 100644 index 000000000000..649b058bd22f --- /dev/null +++ b/nixpkgs/nixos/modules/services/web-servers/fcgiwrap.nix @@ -0,0 +1,74 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.fcgiwrap; +in { + + options = { + services.fcgiwrap = { + enable = mkOption { + type = types.bool; + default = false; + description = lib.mdDoc "Whether to enable fcgiwrap, a server for running CGI applications over FastCGI."; + }; + + preforkProcesses = mkOption { + type = types.int; + default = 1; + description = lib.mdDoc "Number of processes to prefork."; + }; + + socketType = mkOption { + type = types.enum [ "unix" "tcp" "tcp6" ]; + default = "unix"; + description = lib.mdDoc "Socket type: 'unix', 'tcp' or 'tcp6'."; + }; + + socketAddress = mkOption { + type = types.str; + default = "/run/fcgiwrap.sock"; + example = "1.2.3.4:5678"; + description = lib.mdDoc "Socket address. In case of a UNIX socket, this should be its filesystem path."; + }; + + user = mkOption { + type = types.nullOr types.str; + default = null; + description = lib.mdDoc "User permissions for the socket."; + }; + + group = mkOption { + type = types.nullOr types.str; + default = null; + description = lib.mdDoc "Group permissions for the socket."; + }; + }; + }; + + config = mkIf cfg.enable { + systemd.services.fcgiwrap = { + after = [ "nss-user-lookup.target" ]; + wantedBy = optional (cfg.socketType != "unix") "multi-user.target"; + + serviceConfig = { + ExecStart = "${pkgs.fcgiwrap}/sbin/fcgiwrap -c ${builtins.toString cfg.preforkProcesses} ${ + optionalString (cfg.socketType != "unix") "-s ${cfg.socketType}:${cfg.socketAddress}" + }"; + } // (if cfg.user != null && cfg.group != null then { + User = cfg.user; + Group = cfg.group; + } else { + DynamicUser = true; + }); + }; + + systemd.sockets = if (cfg.socketType == "unix") then { + fcgiwrap = { + wantedBy = [ "sockets.target" ]; + socketConfig.ListenStream = cfg.socketAddress; + }; + } else { }; + }; +} diff --git a/nixpkgs/nixos/modules/services/web-servers/garage.md b/nixpkgs/nixos/modules/services/web-servers/garage.md new file mode 100644 index 000000000000..3a9b85ce0603 --- /dev/null +++ b/nixpkgs/nixos/modules/services/web-servers/garage.md @@ -0,0 +1,96 @@ +# Garage {#module-services-garage} + +[Garage](https://garagehq.deuxfleurs.fr/) +is an open-source, self-hostable S3 store, simpler than MinIO, for geodistributed stores. +The server setup can be automated using +[services.garage](#opt-services.garage.enable). A + client configured to your local Garage instance is available in + the global environment as `garage-manage`. + +The current default by NixOS is `garage_0_8` which is also the latest +major version available. + +## General considerations on upgrades {#module-services-garage-upgrade-scenarios} + +Garage provides a cookbook documentation on how to upgrade: +<https://garagehq.deuxfleurs.fr/documentation/cookbook/upgrading/> + +::: {.warning} +Garage has two types of upgrades: patch-level upgrades and minor/major version upgrades. + +In all cases, you should read the changelog and ideally test the upgrade on a staging cluster. + +Checking the health of your cluster can be achieved using `garage-manage repair`. +::: + +::: {.warning} +Until 1.0 is released, patch-level upgrades are considered as minor version upgrades. +Minor version upgrades are considered as major version upgrades. +i.e. 0.6 to 0.7 is a major version upgrade. +::: + + - **Straightforward upgrades (patch-level upgrades).** + Upgrades must be performed one by one, i.e. for each node, stop it, upgrade it : change [stateVersion](#opt-system.stateVersion) or [services.garage.package](#opt-services.garage.package), restart it if it was not already by switching. + - **Multiple version upgrades.** + Garage do not provide any guarantee on moving more than one major-version forward. + E.g., if you're on `0.7`, you cannot upgrade to `0.9`. + You need to upgrade to `0.8` first. + As long as [stateVersion](#opt-system.stateVersion) is declared properly, + this is enforced automatically. The module will issue a warning to remind the user to upgrade to latest + Garage *after* that deploy. + +## Advanced upgrades (minor/major version upgrades) {#module-services-garage-advanced-upgrades} + +Here are some baseline instructions to handle advanced upgrades in Garage, when in doubt, please refer to upstream instructions. + + - Disable API and web access to Garage. + - Perform `garage-manage repair --all-nodes --yes tables` and `garage-manage repair --all-nodes --yes blocks`. + - Verify the resulting logs and check that data is synced properly between all nodes. + If you have time, do additional checks (`scrub`, `block_refs`, etc.). + - Check if queues are empty by `garage-manage stats` or through monitoring tools. + - Run `systemctl stop garage` to stop the actual Garage version. + - Backup the metadata folder of ALL your nodes, e.g. for a metadata directory (the default one) in `/var/lib/garage/meta`, + you can run `pushd /var/lib/garage; tar -acf meta-v0.7.tar.zst meta/; popd`. + - Run the offline migration: `nix-shell -p garage_0_8 --run "garage offline-repair --yes"`, this can take some time depending on how many objects are stored in your cluster. + - Bump Garage version in your NixOS configuration, either by changing [stateVersion](#opt-system.stateVersion) or bumping [services.garage.package](#opt-services.garage.package), this should restart Garage automatically. + - Perform `garage-manage repair --all-nodes --yes tables` and `garage-manage repair --all-nodes --yes blocks`. + - Wait for a full table sync to run. + +Your upgraded cluster should be in a working state, re-enable API and web access. + +## Maintainer information {#module-services-garage-maintainer-info} + +As stated in the previous paragraph, we must provide a clean upgrade-path for Garage +since it cannot move more than one major version forward on a single upgrade. This chapter +adds some notes how Garage updates should be rolled out in the future. +This is inspired from how Nextcloud does it. + +While patch-level updates are no problem and can be done directly in the +package-expression (and should be backported to supported stable branches after that), +major-releases should be added in a new attribute (e.g. Garage `v0.8.0` +should be available in `nixpkgs` as `pkgs.garage_0_8_0`). +To provide simple upgrade paths it's generally useful to backport those as well to stable +branches. As long as the package-default isn't altered, this won't break existing setups. +After that, the versioning-warning in the `garage`-module should be +updated to make sure that the +[package](#opt-services.garage.package)-option selects the latest version +on fresh setups. + +If major-releases will be abandoned by upstream, we should check first if those are needed +in NixOS for a safe upgrade-path before removing those. In that case we should keep those +packages, but mark them as insecure in an expression like this (in +`<nixpkgs/pkgs/tools/filesystem/garage/default.nix>`): +``` +/* ... */ +{ + garage_0_7_3 = generic { + version = "0.7.3"; + sha256 = "0000000000000000000000000000000000000000000000000000"; + eol = true; + }; +} +``` + +Ideally we should make sure that it's possible to jump two NixOS versions forward: +i.e. the warnings and the logic in the module should guard a user to upgrade from a +Garage on e.g. 22.11 to a Garage on 23.11. diff --git a/nixpkgs/nixos/modules/services/web-servers/garage.nix b/nixpkgs/nixos/modules/services/web-servers/garage.nix new file mode 100644 index 000000000000..48dd5b34757c --- /dev/null +++ b/nixpkgs/nixos/modules/services/web-servers/garage.nix @@ -0,0 +1,100 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.garage; + toml = pkgs.formats.toml { }; + configFile = toml.generate "garage.toml" cfg.settings; +in +{ + meta = { + doc = ./garage.md; + maintainers = with pkgs.lib.maintainers; [ raitobezarius ]; + }; + + options.services.garage = { + enable = mkEnableOption (lib.mdDoc "Garage Object Storage (S3 compatible)"); + + extraEnvironment = mkOption { + type = types.attrsOf types.str; + description = lib.mdDoc "Extra environment variables to pass to the Garage server."; + default = { }; + example = { RUST_BACKTRACE = "yes"; }; + }; + + environmentFile = mkOption { + type = types.nullOr types.path; + description = lib.mdDoc "File containing environment variables to be passed to the Garage server."; + default = null; + }; + + logLevel = mkOption { + type = types.enum ([ "error" "warn" "info" "debug" "trace" ]); + default = "info"; + example = "debug"; + description = lib.mdDoc "Garage log level, see <https://garagehq.deuxfleurs.fr/documentation/quick-start/#launching-the-garage-server> for examples."; + }; + + settings = mkOption { + type = types.submodule { + freeformType = toml.type; + + options = { + metadata_dir = mkOption { + default = "/var/lib/garage/meta"; + type = types.path; + description = lib.mdDoc "The metadata directory, put this on a fast disk (e.g. SSD) if possible."; + }; + + data_dir = mkOption { + default = "/var/lib/garage/data"; + type = types.path; + description = lib.mdDoc "The main data storage, put this on your large storage (e.g. high capacity HDD)"; + }; + + replication_mode = mkOption { + default = "none"; + type = types.enum ([ "none" "1" "2" "3" "2-dangerous" "3-dangerous" "3-degraded" 1 2 3 ]); + apply = v: toString v; + description = lib.mdDoc "Garage replication mode, defaults to none, see: <https://garagehq.deuxfleurs.fr/documentation/reference-manual/configuration/#replication-mode> for reference."; + }; + }; + }; + description = lib.mdDoc "Garage configuration, see <https://garagehq.deuxfleurs.fr/documentation/reference-manual/configuration/> for reference."; + }; + + package = mkOption { + type = types.package; + description = lib.mdDoc "Garage package to use, needs to be set explicitly. If you are upgrading from a major version, please read NixOS and Garage release notes for upgrade instructions."; + }; + }; + + config = mkIf cfg.enable { + environment.etc."garage.toml" = { + source = configFile; + }; + + environment.systemPackages = [ cfg.package ]; # For administration + + systemd.services.garage = { + description = "Garage Object Storage (S3 compatible)"; + after = [ "network.target" "network-online.target" ]; + wants = [ "network.target" "network-online.target" ]; + wantedBy = [ "multi-user.target" ]; + restartTriggers = [ configFile ] ++ (lib.optional (cfg.environmentFile != null) cfg.environmentFile); + serviceConfig = { + ExecStart = "${cfg.package}/bin/garage server"; + + StateDirectory = mkIf (hasPrefix "/var/lib/garage" cfg.settings.data_dir || hasPrefix "/var/lib/garage" cfg.settings.metadata_dir) "garage"; + DynamicUser = lib.mkDefault true; + ProtectHome = true; + NoNewPrivileges = true; + EnvironmentFile = lib.optional (cfg.environmentFile != null) cfg.environmentFile; + }; + environment = { + RUST_LOG = lib.mkDefault "garage=${cfg.logLevel}"; + } // cfg.extraEnvironment; + }; + }; +} diff --git a/nixpkgs/nixos/modules/services/web-servers/hitch/default.nix b/nixpkgs/nixos/modules/services/web-servers/hitch/default.nix new file mode 100644 index 000000000000..6c8b3cda5f72 --- /dev/null +++ b/nixpkgs/nixos/modules/services/web-servers/hitch/default.nix @@ -0,0 +1,111 @@ +{ config, lib, pkgs, ...}: +let + cfg = config.services.hitch; + ocspDir = lib.optionalString cfg.ocsp-stapling.enabled "/var/cache/hitch/ocsp"; + hitchConfig = with lib; pkgs.writeText "hitch.conf" (concatStringsSep "\n" [ + ("backend = \"${cfg.backend}\"") + (concatMapStrings (s: "frontend = \"${s}\"\n") cfg.frontend) + (concatMapStrings (s: "pem-file = \"${s}\"\n") cfg.pem-files) + ("ciphers = \"${cfg.ciphers}\"") + ("ocsp-dir = \"${ocspDir}\"") + "user = \"${cfg.user}\"" + "group = \"${cfg.group}\"" + cfg.extraConfig + ]); +in +with lib; +{ + options = { + services.hitch = { + enable = mkEnableOption (lib.mdDoc "Hitch Server"); + + backend = mkOption { + type = types.str; + description = lib.mdDoc '' + The host and port Hitch connects to when receiving + a connection in the form [HOST]:PORT + ''; + }; + + ciphers = mkOption { + type = types.str; + default = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"; + description = lib.mdDoc "The list of ciphers to use"; + }; + + frontend = mkOption { + type = types.either types.str (types.listOf types.str); + default = "[127.0.0.1]:443"; + description = lib.mdDoc '' + The port and interface of the listen endpoint in the + form [HOST]:PORT[+CERT]. + ''; + apply = toList; + }; + + pem-files = mkOption { + type = types.listOf types.path; + default = []; + description = lib.mdDoc "PEM files to use"; + }; + + ocsp-stapling = { + enabled = mkOption { + type = types.bool; + default = true; + description = lib.mdDoc "Whether to enable OCSP Stapling"; + }; + }; + + user = mkOption { + type = types.str; + default = "hitch"; + description = lib.mdDoc "The user to run as"; + }; + + group = mkOption { + type = types.str; + default = "hitch"; + description = lib.mdDoc "The group to run as"; + }; + + extraConfig = mkOption { + type = types.lines; + default = ""; + description = lib.mdDoc "Additional configuration lines"; + }; + }; + + }; + + config = mkIf cfg.enable { + + systemd.services.hitch = { + description = "Hitch"; + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + preStart = '' + ${pkgs.hitch}/sbin/hitch -t --config ${hitchConfig} + '' + (optionalString cfg.ocsp-stapling.enabled '' + mkdir -p ${ocspDir} + chown -R hitch:hitch ${ocspDir} + ''); + serviceConfig = { + Type = "forking"; + ExecStart = "${pkgs.hitch}/sbin/hitch --daemon --config ${hitchConfig}"; + ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; + Restart = "always"; + RestartSec = "5s"; + LimitNOFILE = 131072; + }; + }; + + environment.systemPackages = [ pkgs.hitch ]; + + users.users.hitch = { + group = "hitch"; + isSystemUser = true; + }; + users.groups.hitch = {}; + }; +} diff --git a/nixpkgs/nixos/modules/services/web-servers/hydron.nix b/nixpkgs/nixos/modules/services/web-servers/hydron.nix new file mode 100644 index 000000000000..9d30fdc0caab --- /dev/null +++ b/nixpkgs/nixos/modules/services/web-servers/hydron.nix @@ -0,0 +1,164 @@ +{ config, lib, pkgs, ... }: + +let + cfg = config.services.hydron; +in with lib; { + options.services.hydron = { + enable = mkEnableOption (lib.mdDoc "hydron"); + + dataDir = mkOption { + type = types.path; + default = "/var/lib/hydron"; + example = "/home/okina/hydron"; + description = lib.mdDoc "Location where hydron runs and stores data."; + }; + + interval = mkOption { + type = types.str; + default = "weekly"; + example = "06:00"; + description = lib.mdDoc '' + How often we run hydron import and possibly fetch tags. Runs by default every week. + + The format is described in + {manpage}`systemd.time(7)`. + ''; + }; + + password = mkOption { + type = types.str; + default = "hydron"; + example = "dumbpass"; + description = lib.mdDoc "Password for the hydron database."; + }; + + passwordFile = mkOption { + type = types.path; + default = "/run/keys/hydron-password-file"; + example = "/home/okina/hydron/keys/pass"; + description = lib.mdDoc "Password file for the hydron database."; + }; + + postgresArgs = mkOption { + type = types.str; + description = lib.mdDoc "Postgresql connection arguments."; + example = '' + { + "driver": "postgres", + "connection": "user=hydron password=dumbpass dbname=hydron sslmode=disable" + } + ''; + }; + + postgresArgsFile = mkOption { + type = types.path; + default = "/run/keys/hydron-postgres-args"; + example = "/home/okina/hydron/keys/postgres"; + description = lib.mdDoc "Postgresql connection arguments file."; + }; + + listenAddress = mkOption { + type = types.nullOr types.str; + default = null; + example = "127.0.0.1:8010"; + description = lib.mdDoc "Listen on a specific IP address and port."; + }; + + importPaths = mkOption { + type = types.listOf types.path; + default = []; + example = [ "/home/okina/Pictures" ]; + description = lib.mdDoc "Paths that hydron will recursively import."; + }; + + fetchTags = mkOption { + type = types.bool; + default = true; + description = lib.mdDoc "Fetch tags for imported images and webm from gelbooru."; + }; + }; + + config = mkIf cfg.enable { + services.hydron.passwordFile = mkDefault (pkgs.writeText "hydron-password-file" cfg.password); + services.hydron.postgresArgsFile = mkDefault (pkgs.writeText "hydron-postgres-args" cfg.postgresArgs); + services.hydron.postgresArgs = mkDefault '' + { + "driver": "postgres", + "connection": "user=hydron password=${cfg.password} host=/run/postgresql dbname=hydron sslmode=disable" + } + ''; + + services.postgresql = { + enable = true; + ensureDatabases = [ "hydron" ]; + ensureUsers = [ + { name = "hydron"; + ensureDBOwnership = true; + } + ]; + }; + + systemd.tmpfiles.rules = [ + "d '${cfg.dataDir}' 0750 hydron hydron - -" + "d '${cfg.dataDir}/.hydron' - hydron hydron - -" + "d '${cfg.dataDir}/images' - hydron hydron - -" + "Z '${cfg.dataDir}' - hydron hydron - -" + + "L+ '${cfg.dataDir}/.hydron/db_conf.json' - - - - ${cfg.postgresArgsFile}" + ]; + + systemd.services.hydron = { + description = "hydron"; + after = [ "network.target" "postgresql.service" ]; + wantedBy = [ "multi-user.target" ]; + + serviceConfig = { + User = "hydron"; + Group = "hydron"; + ExecStart = "${pkgs.hydron}/bin/hydron serve" + + optionalString (cfg.listenAddress != null) " -a ${cfg.listenAddress}"; + }; + }; + + systemd.services.hydron-fetch = { + description = "Import paths into hydron and possibly fetch tags"; + + serviceConfig = { + Type = "oneshot"; + User = "hydron"; + Group = "hydron"; + ExecStart = "${pkgs.hydron}/bin/hydron import " + + optionalString cfg.fetchTags "-f " + + (escapeShellArg cfg.dataDir) + "/images " + (escapeShellArgs cfg.importPaths); + }; + }; + + systemd.timers.hydron-fetch = { + description = "Automatically import paths into hydron and possibly fetch tags"; + after = [ "network.target" "hydron.service" ]; + wantedBy = [ "timers.target" ]; + + timerConfig = { + Persistent = true; + OnCalendar = cfg.interval; + }; + }; + + users = { + groups.hydron.gid = config.ids.gids.hydron; + + users.hydron = { + description = "hydron server service user"; + home = cfg.dataDir; + group = "hydron"; + uid = config.ids.uids.hydron; + }; + }; + }; + + imports = [ + (mkRenamedOptionModule [ "services" "hydron" "baseDir" ] [ "services" "hydron" "dataDir" ]) + ]; + + meta.maintainers = with maintainers; [ Madouura ]; +} diff --git a/nixpkgs/nixos/modules/services/web-servers/jboss/builder.sh b/nixpkgs/nixos/modules/services/web-servers/jboss/builder.sh new file mode 100644 index 000000000000..8c49b87db060 --- /dev/null +++ b/nixpkgs/nixos/modules/services/web-servers/jboss/builder.sh @@ -0,0 +1,73 @@ +set -e + +if [ -e "$NIX_ATTRS_SH_FILE" ]; then . "$NIX_ATTRS_SH_FILE"; elif [ -f .attrs.sh ]; then . .attrs.sh; fi +source $stdenv/setup + +mkdir -p $out/bin + +cat > $out/bin/control <<EOF +mkdir -p $logDir +chown -R $user $logDir +export PATH=$PATH:$su/bin + +start() +{ + su $user -s /bin/sh -c "$jboss/bin/run.sh \ + -Djboss.server.base.dir=$serverDir \ + -Djboss.server.base.url=file://$serverDir \ + -Djboss.server.temp.dir=$tempDir \ + -Djboss.server.log.dir=$logDir \ + -Djboss.server.lib.url=$libUrl \ + -c default" +} + +stop() +{ + su $user -s /bin/sh -c "$jboss/bin/shutdown.sh -S" +} + +if test "\$1" = start +then + trap stop 15 + + start +elif test "\$1" = stop +then + stop +elif test "\$1" = init +then + echo "Are you sure you want to create a new server instance (old server instance will be lost!)?" + read answer + + if ! test \$answer = "yes" + then + exit 1 + fi + + rm -rf $serverDir + mkdir -p $serverDir + cd $serverDir + cp -av $jboss/server/default . + sed -i -e "s|deploy/|$deployDir|" default/conf/jboss-service.xml + + if ! test "$useJK" = "" + then + sed -i -e 's|<attribute name="UseJK">false</attribute>|<attribute name="UseJK">true</attribute>|' default/deploy/jboss-web.deployer/META-INF/jboss-service.xml + sed -i -e 's|<Engine name="jboss.web" defaultHost="localhost">|<Engine name="jboss.web" defaultHost="localhost" jvmRoute="node1">|' default/deploy/jboss-web.deployer/server.xml + fi + + # Make files accessible for the server user + + chown -R $user $serverDir + for i in \`find $serverDir -type d\` + do + chmod 755 \$i + done + for i in \`find $serverDir -type f\` + do + chmod 644 \$i + done +fi +EOF + +chmod +x $out/bin/* diff --git a/nixpkgs/nixos/modules/services/web-servers/jboss/default.nix b/nixpkgs/nixos/modules/services/web-servers/jboss/default.nix new file mode 100644 index 000000000000..05b354d567fe --- /dev/null +++ b/nixpkgs/nixos/modules/services/web-servers/jboss/default.nix @@ -0,0 +1,88 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + + cfg = config.services.jboss; + + jbossService = pkgs.stdenv.mkDerivation { + name = "jboss-server"; + builder = ./builder.sh; + inherit (pkgs) jboss su; + inherit (cfg) tempDir logDir libUrl deployDir serverDir user useJK; + }; + +in + +{ + + ###### interface + + options = { + + services.jboss = { + + enable = mkOption { + type = types.bool; + default = false; + description = lib.mdDoc "Whether to enable JBoss. WARNING : this package is outdated and is known to have vulnerabilities."; + }; + + tempDir = mkOption { + default = "/tmp"; + type = types.str; + description = lib.mdDoc "Location where JBoss stores its temp files"; + }; + + logDir = mkOption { + default = "/var/log/jboss"; + type = types.str; + description = lib.mdDoc "Location of the logfile directory of JBoss"; + }; + + serverDir = mkOption { + description = lib.mdDoc "Location of the server instance files"; + default = "/var/jboss/server"; + type = types.str; + }; + + deployDir = mkOption { + description = lib.mdDoc "Location of the deployment files"; + default = "/nix/var/nix/profiles/default/server/default/deploy/"; + type = types.str; + }; + + libUrl = mkOption { + default = "file:///nix/var/nix/profiles/default/server/default/lib"; + description = lib.mdDoc "Location where the shared library JARs are stored"; + type = types.str; + }; + + user = mkOption { + default = "nobody"; + description = lib.mdDoc "User account under which jboss runs."; + type = types.str; + }; + + useJK = mkOption { + type = types.bool; + default = false; + description = lib.mdDoc "Whether to use to connector to the Apache HTTP server"; + }; + + }; + + }; + + + ###### implementation + + config = mkIf config.services.jboss.enable { + systemd.services.jboss = { + description = "JBoss server"; + script = "${jbossService}/bin/control start"; + wantedBy = [ "multi-user.target" ]; + }; + }; +} diff --git a/nixpkgs/nixos/modules/services/web-servers/keter/bundle.nix b/nixpkgs/nixos/modules/services/web-servers/keter/bundle.nix new file mode 100644 index 000000000000..32b08c3be206 --- /dev/null +++ b/nixpkgs/nixos/modules/services/web-servers/keter/bundle.nix @@ -0,0 +1,40 @@ +/* This makes a keter bundle as described on the github page: + https://github.com/snoyberg/keter#bundling-your-app-for-keter +*/ +{ keterDomain +, keterExecutable +, gnutar +, writeTextFile +, lib +, stdenv +, ... +}: + +let + str.stanzas = [{ + # we just use nix as an absolute path so we're not bundling any binaries + type = "webapp"; + /* Note that we're not actually putting the executable in the bundle, + we already can use the nix store for copying, so we just + symlink to the app. */ + exec = keterExecutable; + host = keterDomain; + }]; + configFile = writeTextFile { + name = "keter.yml"; + text = (lib.generators.toYAML { } str); + }; + +in +stdenv.mkDerivation { + name = "keter-bundle"; + buildCommand = '' + mkdir -p config + cp ${configFile} config/keter.yaml + + echo 'create a gzipped tarball' + mkdir -p $out + tar -zcvf $out/bundle.tar.gz.keter ./. + ''; + buildInputs = [ gnutar ]; +} diff --git a/nixpkgs/nixos/modules/services/web-servers/keter/default.nix b/nixpkgs/nixos/modules/services/web-servers/keter/default.nix new file mode 100644 index 000000000000..0cd9c30cea14 --- /dev/null +++ b/nixpkgs/nixos/modules/services/web-servers/keter/default.nix @@ -0,0 +1,191 @@ +{ config, pkgs, lib, ... }: +let + cfg = config.services.keter; + yaml = pkgs.formats.yaml { }; +in +{ + meta = { + maintainers = with lib.maintainers; [ jappie ]; + }; + + imports = [ + (lib.mkRenamedOptionModule [ "services" "keter" "keterRoot" ] [ "services" "keter" "root" ]) + (lib.mkRenamedOptionModule [ "services" "keter" "keterPackage" ] [ "services" "keter" "package" ]) + ]; + + options.services.keter = { + enable = lib.mkEnableOption (lib.mdDoc ''keter, a web app deployment manager. +Note that this module only support loading of webapps: +Keep an old app running and swap the ports when the new one is booted +''); + + root = lib.mkOption { + type = lib.types.str; + default = "/var/lib/keter"; + description = lib.mdDoc "Mutable state folder for keter"; + }; + + package = lib.mkOption { + type = lib.types.package; + default = pkgs.haskellPackages.keter; + defaultText = lib.literalExpression "pkgs.haskellPackages.keter"; + description = lib.mdDoc "The keter package to be used"; + }; + + + globalKeterConfig = lib.mkOption { + type = lib.types.submodule { + freeformType = yaml.type; + options = { + ip-from-header = lib.mkOption { + default = true; + type = lib.types.bool; + description = lib.mdDoc "You want that ip-from-header in the nginx setup case. It allows nginx setting the original ip address rather then it being localhost (due to reverse proxying)"; + }; + listeners = lib.mkOption { + default = [{ host = "*"; port = 6981; }]; + type = lib.types.listOf (lib.types.submodule { + options = { + host = lib.mkOption { + type = lib.types.str; + description = lib.mdDoc "host"; + }; + port = lib.mkOption { + type = lib.types.port; + description = lib.mdDoc "port"; + }; + }; + }); + description = lib.mdDoc '' + You want that ip-from-header in + the nginx setup case. + It allows nginx setting the original ip address rather + then it being localhost (due to reverse proxying). + However if you configure keter to accept connections + directly you may want to set this to false.''; + }; + rotate-logs = lib.mkOption { + default = false; + type = lib.types.bool; + description = lib.mdDoc '' + emits keter logs and it's applications to stderr. + which allows journald to capture them. + Set to true to let keter put the logs in files + (useful on non systemd systems, this is the old approach + where keter handled log management)''; + }; + }; + }; + description = lib.mdDoc "Global config for keter, see <https://github.com/snoyberg/keter/blob/master/etc/keter-config.yaml> for reference"; + }; + + bundle = { + appName = lib.mkOption { + type = lib.types.str; + default = "myapp"; + description = lib.mdDoc "The name keter assigns to this bundle"; + }; + + executable = lib.mkOption { + type = lib.types.path; + description = lib.mdDoc "The executable to be run"; + }; + + domain = lib.mkOption { + type = lib.types.str; + default = "example.com"; + description = lib.mdDoc "The domain keter will bind to"; + }; + + publicScript = lib.mkOption { + type = lib.types.str; + default = ""; + description = lib.mdDoc '' + Allows loading of public environment variables, + these are emitted to the log so it shouldn't contain secrets. + ''; + example = "ADMIN_EMAIL=hi@example.com"; + }; + + secretScript = lib.mkOption { + type = lib.types.str; + default = ""; + description = lib.mdDoc "Allows loading of private environment variables"; + example = "MY_AWS_KEY=$(cat /run/keys/AWS_ACCESS_KEY_ID)"; + }; + }; + + }; + + config = lib.mkIf cfg.enable ( + let + incoming = "${cfg.root}/incoming"; + + + globalKeterConfigFile = pkgs.writeTextFile { + name = "keter-config.yml"; + text = (lib.generators.toYAML { } (cfg.globalKeterConfig // { root = cfg.root; })); + }; + + # If things are expected to change often, put it in the bundle! + bundle = pkgs.callPackage ./bundle.nix + (cfg.bundle // { keterExecutable = executable; keterDomain = cfg.bundle.domain; }); + + # This indirection is required to ensure the nix path + # gets copied over to the target machine in remote deployments. + # Furthermore, it's important that we use exec to + # run the binary otherwise we get process leakage due to this + # being executed on every change. + executable = pkgs.writeShellScript "bundle-wrapper" '' + set -e + ${cfg.bundle.secretScript} + set -xe + ${cfg.bundle.publicScript} + exec ${cfg.bundle.executable} + ''; + + in + { + systemd.services.keter = { + description = "keter app loader"; + script = '' + set -xe + mkdir -p ${incoming} + ${lib.getExe cfg.package} ${globalKeterConfigFile}; + ''; + wantedBy = [ "multi-user.target" "nginx.service" ]; + + serviceConfig = { + Restart = "always"; + RestartSec = "10s"; + }; + + after = [ + "network.target" + "local-fs.target" + "postgresql.service" + ]; + }; + + # On deploy this will load our app, by moving it into the incoming dir + # If the bundle content changes, this will run again. + # Because the bundle content contains the nix path to the executable, + # we inherit nix based cache busting. + systemd.services.load-keter-bundle = { + description = "load keter bundle into incoming folder"; + after = [ "keter.service" ]; + wantedBy = [ "multi-user.target" ]; + # we can't override keter bundles because it'll stop the previous app + # https://github.com/snoyberg/keter#deploying + script = '' + set -xe + cp ${bundle}/bundle.tar.gz.keter ${incoming}/${cfg.bundle.appName}.keter + ''; + path = [ + executable + cfg.bundle.executable + ]; # this is a hack to get the executable copied over to the machine. + }; + } + ); +} diff --git a/nixpkgs/nixos/modules/services/web-servers/lighttpd/cgit.nix b/nixpkgs/nixos/modules/services/web-servers/lighttpd/cgit.nix new file mode 100644 index 000000000000..e9f42c41183b --- /dev/null +++ b/nixpkgs/nixos/modules/services/web-servers/lighttpd/cgit.nix @@ -0,0 +1,93 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.lighttpd.cgit; + pathPrefix = optionalString (stringLength cfg.subdir != 0) ("/" + cfg.subdir); + configFile = pkgs.writeText "cgitrc" + '' + # default paths to static assets + css=${pathPrefix}/cgit.css + logo=${pathPrefix}/cgit.png + favicon=${pathPrefix}/favicon.ico + + # user configuration + ${cfg.configText} + ''; +in +{ + + options.services.lighttpd.cgit = { + + enable = mkOption { + default = false; + type = types.bool; + description = lib.mdDoc '' + If true, enable cgit (fast web interface for git repositories) as a + sub-service in lighttpd. + ''; + }; + + subdir = mkOption { + default = "cgit"; + example = ""; + type = types.str; + description = lib.mdDoc '' + The subdirectory in which to serve cgit. The web application will be + accessible at http://yourserver/''${subdir} + ''; + }; + + configText = mkOption { + default = ""; + example = literalExpression '' + ''' + source-filter=''${pkgs.cgit}/lib/cgit/filters/syntax-highlighting.py + about-filter=''${pkgs.cgit}/lib/cgit/filters/about-formatting.sh + cache-size=1000 + scan-path=/srv/git + ''' + ''; + type = types.lines; + description = lib.mdDoc '' + Verbatim contents of the cgit runtime configuration file. Documentation + (with cgitrc example file) is available in "man cgitrc". Or online: + http://git.zx2c4.com/cgit/tree/cgitrc.5.txt + ''; + }; + + }; + + config = mkIf cfg.enable { + + # make the cgitrc manpage available + environment.systemPackages = [ pkgs.cgit ]; + + # declare module dependencies + services.lighttpd.enableModules = [ "mod_cgi" "mod_alias" "mod_setenv" ]; + + services.lighttpd.extraConfig = '' + $HTTP["url"] =~ "^/${cfg.subdir}" { + cgi.assign = ( + "cgit.cgi" => "${pkgs.cgit}/cgit/cgit.cgi" + ) + alias.url = ( + "${pathPrefix}/cgit.css" => "${pkgs.cgit}/cgit/cgit.css", + "${pathPrefix}/cgit.png" => "${pkgs.cgit}/cgit/cgit.png", + "${pathPrefix}" => "${pkgs.cgit}/cgit/cgit.cgi" + ) + setenv.add-environment = ( + "CGIT_CONFIG" => "${configFile}" + ) + } + ''; + + systemd.services.lighttpd.preStart = '' + mkdir -p /var/cache/cgit + chown lighttpd:lighttpd /var/cache/cgit + ''; + + }; + +} diff --git a/nixpkgs/nixos/modules/services/web-servers/lighttpd/collectd.nix b/nixpkgs/nixos/modules/services/web-servers/lighttpd/collectd.nix new file mode 100644 index 000000000000..9a4285e3e2d2 --- /dev/null +++ b/nixpkgs/nixos/modules/services/web-servers/lighttpd/collectd.nix @@ -0,0 +1,62 @@ +{ config, lib, options, pkgs, ... }: + +with lib; + +let + cfg = config.services.lighttpd.collectd; + opt = options.services.lighttpd.collectd; + + collectionConf = pkgs.writeText "collection.conf" '' + datadir: "${config.services.collectd.dataDir}" + libdir: "${config.services.collectd.package}/lib/collectd" + ''; + + defaultCollectionCgi = config.services.collectd.package.overrideDerivation(old: { + name = "collection.cgi"; + dontConfigure = true; + buildPhase = "true"; + installPhase = '' + substituteInPlace contrib/collection.cgi --replace '"/etc/collection.conf"' '$ENV{COLLECTION_CONF}' + cp contrib/collection.cgi $out + ''; + }); +in +{ + + options.services.lighttpd.collectd = { + + enable = mkEnableOption (lib.mdDoc "collectd subservice accessible at http://yourserver/collectd"); + + collectionCgi = mkOption { + type = types.path; + default = defaultCollectionCgi; + defaultText = literalMD '' + `config.${options.services.collectd.package}` configured for lighttpd + ''; + description = lib.mdDoc '' + Path to collection.cgi script from (collectd sources)/contrib/collection.cgi + This option allows to use a customized version + ''; + }; + }; + + config = mkIf cfg.enable { + services.lighttpd.enableModules = [ "mod_cgi" "mod_alias" "mod_setenv" ]; + + services.lighttpd.extraConfig = '' + $HTTP["url"] =~ "^/collectd" { + cgi.assign = ( + ".cgi" => "${pkgs.perl}/bin/perl" + ) + alias.url = ( + "/collectd" => "${cfg.collectionCgi}" + ) + setenv.add-environment = ( + "PERL5LIB" => "${with pkgs.perlPackages; makePerlPath [ CGI HTMLParser URI pkgs.rrdtool ]}", + "COLLECTION_CONF" => "${collectionConf}" + ) + } + ''; + }; + +} diff --git a/nixpkgs/nixos/modules/services/web-servers/lighttpd/default.nix b/nixpkgs/nixos/modules/services/web-servers/lighttpd/default.nix new file mode 100644 index 000000000000..3a33137b27d2 --- /dev/null +++ b/nixpkgs/nixos/modules/services/web-servers/lighttpd/default.nix @@ -0,0 +1,262 @@ +# NixOS module for lighttpd web server + +{ config, lib, pkgs, ... }: + +with lib; + +let + + cfg = config.services.lighttpd; + + # List of known lighttpd modules, ordered by how the lighttpd documentation + # recommends them being imported: + # https://redmine.lighttpd.net/projects/1/wiki/Server_modulesDetails + # + # Some modules are always imported and should not appear in the config: + # disallowedModules = [ "mod_indexfile" "mod_dirlisting" "mod_staticfile" ]; + # + # For full module list, see the output of running ./configure in the lighttpd + # source. + allKnownModules = [ + "mod_rewrite" + "mod_redirect" + "mod_alias" + "mod_access" + "mod_auth" + "mod_status" + "mod_simple_vhost" + "mod_evhost" + "mod_userdir" + "mod_secdownload" + "mod_fastcgi" + "mod_proxy" + "mod_cgi" + "mod_ssi" + "mod_compress" + "mod_usertrack" + "mod_expire" + "mod_rrdtool" + "mod_accesslog" + # Remaining list of modules, order assumed to be unimportant. + "mod_authn_dbi" + "mod_authn_file" + "mod_authn_gssapi" + "mod_authn_ldap" + "mod_authn_mysql" + "mod_authn_pam" + "mod_authn_sasl" + "mod_cml" + "mod_deflate" + "mod_evasive" + "mod_extforward" + "mod_flv_streaming" + "mod_geoip" + "mod_magnet" + "mod_mysql_vhost" + "mod_openssl" # since v1.4.46 + "mod_scgi" + "mod_setenv" + "mod_trigger_b4_dl" + "mod_uploadprogress" + "mod_vhostdb" # since v1.4.46 + "mod_webdav" + "mod_wstunnel" # since v1.4.46 + ]; + + maybeModuleString = moduleName: + optionalString (elem moduleName cfg.enableModules) ''"${moduleName}"''; + + modulesIncludeString = concatStringsSep ",\n" + (filter (x: x != "") (map maybeModuleString allKnownModules)); + + configFile = if cfg.configText != "" then + pkgs.writeText "lighttpd.conf" '' + ${cfg.configText} + '' + else + pkgs.writeText "lighttpd.conf" '' + server.document-root = "${cfg.document-root}" + server.port = ${toString cfg.port} + server.username = "lighttpd" + server.groupname = "lighttpd" + + # As for why all modules are loaded here, instead of having small + # server.modules += () entries in each sub-service extraConfig snippet, + # read this: + # + # https://redmine.lighttpd.net/projects/1/wiki/Server_modulesDetails + # https://redmine.lighttpd.net/issues/2337 + # + # Basically, lighttpd doesn't want to load (or even silently ignore) a + # module for a second time, and there is no way to check if a module has + # been loaded already. So if two services were to put the same module in + # server.modules += (), that would break the lighttpd configuration. + server.modules = ( + ${modulesIncludeString} + ) + + # Logging (logs end up in systemd journal) + accesslog.use-syslog = "enable" + server.errorlog-use-syslog = "enable" + + ${lib.optionalString cfg.enableUpstreamMimeTypes '' + include "${pkgs.lighttpd}/share/lighttpd/doc/config/conf.d/mime.conf" + ''} + + static-file.exclude-extensions = ( ".fcgi", ".php", ".rb", "~", ".inc" ) + index-file.names = ( "index.html" ) + + ${optionalString cfg.mod_userdir '' + userdir.path = "public_html" + ''} + + ${optionalString cfg.mod_status '' + status.status-url = "/server-status" + status.statistics-url = "/server-statistics" + status.config-url = "/server-config" + ''} + + ${cfg.extraConfig} + ''; + +in + +{ + + options = { + + services.lighttpd = { + + enable = mkOption { + default = false; + type = types.bool; + description = lib.mdDoc '' + Enable the lighttpd web server. + ''; + }; + + package = mkPackageOption pkgs "lighttpd" { }; + + port = mkOption { + default = 80; + type = types.port; + description = lib.mdDoc '' + TCP port number for lighttpd to bind to. + ''; + }; + + document-root = mkOption { + default = "/srv/www"; + type = types.path; + description = lib.mdDoc '' + Document-root of the web server. Must be readable by the "lighttpd" user. + ''; + }; + + mod_userdir = mkOption { + default = false; + type = types.bool; + description = lib.mdDoc '' + If true, requests in the form /~user/page.html are rewritten to take + the file public_html/page.html from the home directory of the user. + ''; + }; + + enableModules = mkOption { + type = types.listOf types.str; + default = [ ]; + example = [ "mod_cgi" "mod_status" ]; + description = lib.mdDoc '' + List of lighttpd modules to enable. Sub-services take care of + enabling modules as needed, so this option is mainly for when you + want to add custom stuff to + {option}`services.lighttpd.extraConfig` that depends on a + certain module. + ''; + }; + + enableUpstreamMimeTypes = mkOption { + type = types.bool; + default = true; + description = lib.mdDoc '' + Whether to include the list of mime types bundled with lighttpd + (upstream). If you disable this, no mime types will be added by + NixOS and you will have to add your own mime types in + {option}`services.lighttpd.extraConfig`. + ''; + }; + + mod_status = mkOption { + default = false; + type = types.bool; + description = lib.mdDoc '' + Show server status overview at /server-status, statistics at + /server-statistics and list of loaded modules at /server-config. + ''; + }; + + configText = mkOption { + default = ""; + type = types.lines; + example = "...verbatim config file contents..."; + description = lib.mdDoc '' + Overridable config file contents to use for lighttpd. By default, use + the contents automatically generated by NixOS. + ''; + }; + + extraConfig = mkOption { + default = ""; + type = types.lines; + description = lib.mdDoc '' + These configuration lines will be appended to the generated lighttpd + config file. Note that this mechanism does not work when the manual + {option}`configText` option is used. + ''; + }; + + }; + + }; + + config = mkIf cfg.enable { + + assertions = [ + { assertion = all (x: elem x allKnownModules) cfg.enableModules; + message = '' + One (or more) modules in services.lighttpd.enableModules are + unrecognized. + + Known modules: ${toString allKnownModules} + + services.lighttpd.enableModules: ${toString cfg.enableModules} + ''; + } + ]; + + services.lighttpd.enableModules = mkMerge + [ (mkIf cfg.mod_status [ "mod_status" ]) + (mkIf cfg.mod_userdir [ "mod_userdir" ]) + # always load mod_accesslog so that we can log to the journal + [ "mod_accesslog" ] + ]; + + systemd.services.lighttpd = { + description = "Lighttpd Web Server"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + serviceConfig.ExecStart = "${cfg.package}/sbin/lighttpd -D -f ${configFile}"; + serviceConfig.ExecReload = "${pkgs.coreutils}/bin/kill -SIGUSR1 $MAINPID"; + # SIGINT => graceful shutdown + serviceConfig.KillSignal = "SIGINT"; + }; + + users.users.lighttpd = { + group = "lighttpd"; + description = "lighttpd web server privilege separation user"; + uid = config.ids.uids.lighttpd; + }; + + users.groups.lighttpd.gid = config.ids.gids.lighttpd; + }; +} diff --git a/nixpkgs/nixos/modules/services/web-servers/lighttpd/gitweb.nix b/nixpkgs/nixos/modules/services/web-servers/lighttpd/gitweb.nix new file mode 100644 index 000000000000..e129e8bc1666 --- /dev/null +++ b/nixpkgs/nixos/modules/services/web-servers/lighttpd/gitweb.nix @@ -0,0 +1,52 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.gitweb; + package = pkgs.gitweb.override (optionalAttrs cfg.gitwebTheme { + gitwebTheme = true; + }); + +in +{ + + options.services.lighttpd.gitweb = { + + enable = mkOption { + default = false; + type = types.bool; + description = lib.mdDoc '' + If true, enable gitweb in lighttpd. Access it at http://yourserver/gitweb + ''; + }; + + }; + + config = mkIf config.services.lighttpd.gitweb.enable { + + # declare module dependencies + services.lighttpd.enableModules = [ "mod_cgi" "mod_redirect" "mod_alias" "mod_setenv" ]; + + services.lighttpd.extraConfig = '' + $HTTP["url"] =~ "^/gitweb" { + cgi.assign = ( + ".cgi" => "${pkgs.perl}/bin/perl" + ) + url.redirect = ( + "^/gitweb$" => "/gitweb/" + ) + alias.url = ( + "/gitweb/static/" => "${package}/static/", + "/gitweb/" => "${package}/gitweb.cgi" + ) + setenv.add-environment = ( + "GITWEB_CONFIG" => "${cfg.gitwebConfigFile}", + "HOME" => "${cfg.projectroot}" + ) + } + ''; + + }; + +} diff --git a/nixpkgs/nixos/modules/services/web-servers/merecat.nix b/nixpkgs/nixos/modules/services/web-servers/merecat.nix new file mode 100644 index 000000000000..aad93605b717 --- /dev/null +++ b/nixpkgs/nixos/modules/services/web-servers/merecat.nix @@ -0,0 +1,55 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.merecat; + format = pkgs.formats.keyValue { + mkKeyValue = generators.mkKeyValueDefault { + mkValueString = v: + # In merecat.conf, booleans are "true" and "false" + if builtins.isBool v + then if v then "true" else "false" + else generators.mkValueStringDefault {} v; + } "="; + }; + configFile = format.generate "merecat.conf" cfg.settings; + +in { + + options.services.merecat = { + + enable = mkEnableOption (lib.mdDoc "Merecat HTTP server"); + + settings = mkOption { + inherit (format) type; + default = { }; + description = lib.mdDoc '' + Merecat configuration. Refer to merecat(8) for details on supported values. + ''; + example = { + hostname = "localhost"; + port = 8080; + virtual-host = true; + directory = "/srv/www"; + }; + }; + + }; + + config = mkIf cfg.enable { + + systemd.services.merecat = { + description = "Merecat HTTP server"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + DynamicUser = true; + ExecStart = "${pkgs.merecat}/bin/merecat -n -f ${configFile}"; + AmbientCapabilities = lib.mkIf ((cfg.settings.port or 80) < 1024) [ "CAP_NET_BIND_SERVICE" ]; + }; + }; + + }; + +} diff --git a/nixpkgs/nixos/modules/services/web-servers/mighttpd2.nix b/nixpkgs/nixos/modules/services/web-servers/mighttpd2.nix new file mode 100644 index 000000000000..bb75dc4f2ff4 --- /dev/null +++ b/nixpkgs/nixos/modules/services/web-servers/mighttpd2.nix @@ -0,0 +1,133 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.mighttpd2; + configFile = pkgs.writeText "mighty-config" cfg.config; + routingFile = pkgs.writeText "mighty-routing" cfg.routing; +in { + options.services.mighttpd2 = { + enable = mkEnableOption (lib.mdDoc "Mighttpd2 web server"); + + config = mkOption { + default = ""; + example = '' + # Example configuration for Mighttpd 2 + Port: 80 + # IP address or "*" + Host: * + Debug_Mode: Yes # Yes or No + # If available, "nobody" is much more secure for User:. + User: root + # If available, "nobody" is much more secure for Group:. + Group: root + Pid_File: /run/mighty.pid + Logging: Yes # Yes or No + Log_File: /var/log/mighty # The directory must be writable by User: + Log_File_Size: 16777216 # bytes + Log_Backup_Number: 10 + Index_File: index.html + Index_Cgi: index.cgi + Status_File_Dir: /usr/local/share/mighty/status + Connection_Timeout: 30 # seconds + Fd_Cache_Duration: 10 # seconds + # Server_Name: Mighttpd/3.x.y + Tls_Port: 443 + Tls_Cert_File: cert.pem # should change this with an absolute path + # should change this with comma-separated absolute paths + Tls_Chain_Files: chain.pem + # Currently, Tls_Key_File must not be encrypted. + Tls_Key_File: privkey.pem # should change this with an absolute path + Service: 0 # 0 is HTTP only, 1 is HTTPS only, 2 is both + ''; + type = types.lines; + description = lib.mdDoc '' + Verbatim config file to use + (see https://kazu-yamamoto.github.io/mighttpd2/config.html) + ''; + }; + + routing = mkOption { + default = ""; + example = '' + # Example routing for Mighttpd 2 + + # Domain lists + [localhost www.example.com] + + # Entries are looked up in the specified order + # All paths must end with "/" + + # A path to CGI scripts should be specified with "=>" + /~alice/cgi-bin/ => /home/alice/public_html/cgi-bin/ + + # A path to static files should be specified with "->" + /~alice/ -> /home/alice/public_html/ + /cgi-bin/ => /export/cgi-bin/ + + # Reverse proxy rules should be specified with ">>" + # /path >> host:port/path2 + # Either "host" or ":port" can be committed, but not both. + /app/cal/ >> example.net/calendar/ + # Yesod app in the same server + /app/wiki/ >> 127.0.0.1:3000/ + + / -> /export/www/ + ''; + type = types.lines; + description = lib.mdDoc '' + Verbatim routing file to use + (see https://kazu-yamamoto.github.io/mighttpd2/config.html) + ''; + }; + + cores = mkOption { + default = null; + type = types.nullOr types.int; + description = lib.mdDoc '' + How many cores to use. + If null it will be determined automatically + ''; + }; + + }; + + config = mkIf cfg.enable { + assertions = + [ { assertion = cfg.routing != ""; + message = "You need at least one rule in mighttpd2.routing"; + } + ]; + systemd.services.mighttpd2 = { + description = "Mighttpd2 web server"; + wants = [ "network-online.target" ]; + after = [ "network-online.target" ]; + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + ExecStart = '' + ${pkgs.haskellPackages.mighttpd2}/bin/mighty \ + ${configFile} \ + ${routingFile} \ + +RTS -N${optionalString (cfg.cores != null) "${cfg.cores}"} + ''; + Type = "simple"; + User = "mighttpd2"; + Group = "mighttpd2"; + Restart = "on-failure"; + AmbientCapabilities = "cap_net_bind_service"; + CapabilityBoundingSet = "cap_net_bind_service"; + }; + }; + + users.users.mighttpd2 = { + group = "mighttpd2"; + uid = config.ids.uids.mighttpd2; + isSystemUser = true; + }; + + users.groups.mighttpd2.gid = config.ids.gids.mighttpd2; + }; + + meta.maintainers = with lib.maintainers; [ fgaz ]; +} diff --git a/nixpkgs/nixos/modules/services/web-servers/minio.nix b/nixpkgs/nixos/modules/services/web-servers/minio.nix new file mode 100644 index 000000000000..be6946657e23 --- /dev/null +++ b/nixpkgs/nixos/modules/services/web-servers/minio.nix @@ -0,0 +1,159 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.minio; + + legacyCredentials = cfg: pkgs.writeText "minio-legacy-credentials" '' + MINIO_ROOT_USER=${cfg.accessKey} + MINIO_ROOT_PASSWORD=${cfg.secretKey} + ''; +in +{ + meta.maintainers = [ maintainers.bachp ]; + + options.services.minio = { + enable = mkEnableOption (lib.mdDoc "Minio Object Storage"); + + listenAddress = mkOption { + default = ":9000"; + type = types.str; + description = lib.mdDoc "IP address and port of the server."; + }; + + consoleAddress = mkOption { + default = ":9001"; + type = types.str; + description = lib.mdDoc "IP address and port of the web UI (console)."; + }; + + dataDir = mkOption { + default = [ "/var/lib/minio/data" ]; + type = types.listOf (types.either types.path types.str); + description = lib.mdDoc "The list of data directories or nodes for storing the objects. Use one path for regular operation and the minimum of 4 endpoints for Erasure Code mode."; + }; + + configDir = mkOption { + default = "/var/lib/minio/config"; + type = types.path; + description = lib.mdDoc "The config directory, for the access keys and other settings."; + }; + + accessKey = mkOption { + default = ""; + type = types.str; + description = lib.mdDoc '' + Access key of 5 to 20 characters in length that clients use to access the server. + This overrides the access key that is generated by minio on first startup and stored inside the + `configDir` directory. + ''; + }; + + secretKey = mkOption { + default = ""; + type = types.str; + description = lib.mdDoc '' + Specify the Secret key of 8 to 40 characters in length that clients use to access the server. + This overrides the secret key that is generated by minio on first startup and stored inside the + `configDir` directory. + ''; + }; + + rootCredentialsFile = mkOption { + type = types.nullOr types.path; + default = null; + description = lib.mdDoc '' + File containing the MINIO_ROOT_USER, default is "minioadmin", and + MINIO_ROOT_PASSWORD (length >= 8), default is "minioadmin"; in the format of + an EnvironmentFile=, as described by systemd.exec(5). + ''; + example = "/etc/nixos/minio-root-credentials"; + }; + + region = mkOption { + default = "us-east-1"; + type = types.str; + description = lib.mdDoc '' + The physical location of the server. By default it is set to us-east-1, which is same as AWS S3's and Minio's default region. + ''; + }; + + browser = mkOption { + default = true; + type = types.bool; + description = lib.mdDoc "Enable or disable access to web UI."; + }; + + package = mkPackageOption pkgs "minio" { }; + }; + + config = mkIf cfg.enable { + warnings = optional ((cfg.accessKey != "") || (cfg.secretKey != "")) "services.minio.`accessKey` and services.minio.`secretKey` are deprecated, please use services.minio.`rootCredentialsFile` instead."; + + systemd = lib.mkMerge [{ + tmpfiles.rules = [ + "d '${cfg.configDir}' - minio minio - -" + ] ++ (map (x: "d '" + x + "' - minio minio - - ") (builtins.filter lib.types.path.check cfg.dataDir)); + + services.minio = { + description = "Minio Object Storage"; + wants = [ "network-online.target" ]; + after = [ "network-online.target" ]; + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + ExecStart = "${cfg.package}/bin/minio server --json --address ${cfg.listenAddress} --console-address ${cfg.consoleAddress} --config-dir=${cfg.configDir} ${toString cfg.dataDir}"; + Type = "simple"; + User = "minio"; + Group = "minio"; + LimitNOFILE = 65536; + EnvironmentFile = + if (cfg.rootCredentialsFile != null) then cfg.rootCredentialsFile + else if ((cfg.accessKey != "") || (cfg.secretKey != "")) then (legacyCredentials cfg) + else null; + }; + environment = { + MINIO_REGION = "${cfg.region}"; + MINIO_BROWSER = "${if cfg.browser then "on" else "off"}"; + }; + }; + } + + (lib.mkIf (cfg.rootCredentialsFile != null) { + # The service will fail if the credentials file is missing + services.minio.unitConfig.ConditionPathExists = cfg.rootCredentialsFile; + + # The service will not restart if the credentials file has + # been changed. This can cause stale root credentials. + paths.minio-root-credentials = { + wantedBy = [ "multi-user.target" ]; + + pathConfig = { + PathChanged = [ cfg.rootCredentialsFile ]; + Unit = "minio-restart.service"; + }; + }; + + services.minio-restart = { + description = "Restart MinIO"; + + script = '' + systemctl restart minio.service + ''; + + serviceConfig = { + Type = "oneshot"; + Restart = "on-failure"; + RestartSec = 5; + }; + }; + })]; + + users.users.minio = { + group = "minio"; + uid = config.ids.uids.minio; + }; + + users.groups.minio.gid = config.ids.uids.minio; + }; +} diff --git a/nixpkgs/nixos/modules/services/web-servers/molly-brown.nix b/nixpkgs/nixos/modules/services/web-servers/molly-brown.nix new file mode 100644 index 000000000000..6d7ca0c12ef7 --- /dev/null +++ b/nixpkgs/nixos/modules/services/web-servers/molly-brown.nix @@ -0,0 +1,101 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.molly-brown; + settingsFormat = pkgs.formats.toml { }; + configFile = settingsFormat.generate "molly-brown.toml" cfg.settings; +in { + + options.services.molly-brown = { + + enable = mkEnableOption (lib.mdDoc "Molly-Brown Gemini server"); + + port = mkOption { + default = 1965; + type = types.port; + description = lib.mdDoc '' + TCP port for molly-brown to bind to. + ''; + }; + + hostName = mkOption { + type = types.str; + default = config.networking.hostName; + defaultText = literalExpression "config.networking.hostName"; + description = lib.mdDoc '' + The hostname to respond to requests for. Requests for URLs with + other hosts will result in a status 53 (PROXY REQUEST REFUSED) + response. + ''; + }; + + certPath = mkOption { + type = types.path; + example = "/var/lib/acme/example.com/cert.pem"; + description = lib.mdDoc '' + Path to TLS certificate. An ACME certificate and key may be + shared with an HTTP server, but only if molly-brown has + permissions allowing it to read such keys. + + As an example: + ``` + systemd.services.molly-brown.serviceConfig.SupplementaryGroups = + [ config.security.acme.certs."example.com".group ]; + ``` + ''; + }; + + keyPath = mkOption { + type = types.path; + example = "/var/lib/acme/example.com/key.pem"; + description = lib.mdDoc "Path to TLS key. See {option}`CertPath`."; + }; + + docBase = mkOption { + type = types.path; + example = "/var/lib/molly-brown"; + description = lib.mdDoc "Base directory for Gemini content."; + }; + + settings = mkOption { + inherit (settingsFormat) type; + default = { }; + description = lib.mdDoc '' + molly-brown configuration. Refer to + <https://tildegit.org/solderpunk/molly-brown/src/branch/master/example.conf> + for details on supported values. + ''; + }; + + }; + + config = mkIf cfg.enable { + + services.molly-brown.settings = let logDir = "/var/log/molly-brown"; + in { + Port = cfg.port; + Hostname = cfg.hostName; + CertPath = cfg.certPath; + KeyPath = cfg.keyPath; + DocBase = cfg.docBase; + AccessLog = "${logDir}/access.log"; + ErrorLog = "${logDir}/error.log"; + }; + + systemd.services.molly-brown = { + description = "Molly Brown gemini server"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + DynamicUser = true; + LogsDirectory = "molly-brown"; + ExecStart = "${pkgs.molly-brown}/bin/molly-brown -c ${configFile}"; + Restart = "always"; + }; + }; + + }; + +} diff --git a/nixpkgs/nixos/modules/services/web-servers/nginx/default.nix b/nixpkgs/nixos/modules/services/web-servers/nginx/default.nix new file mode 100644 index 000000000000..93b1a3fdfadd --- /dev/null +++ b/nixpkgs/nixos/modules/services/web-servers/nginx/default.nix @@ -0,0 +1,1356 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.nginx; + inherit (config.security.acme) certs; + vhostsConfigs = mapAttrsToList (vhostName: vhostConfig: vhostConfig) virtualHosts; + acmeEnabledVhosts = filter (vhostConfig: vhostConfig.enableACME || vhostConfig.useACMEHost != null) vhostsConfigs; + dependentCertNames = unique (map (hostOpts: hostOpts.certName) acmeEnabledVhosts); + virtualHosts = mapAttrs (vhostName: vhostConfig: + let + serverName = if vhostConfig.serverName != null + then vhostConfig.serverName + else vhostName; + certName = if vhostConfig.useACMEHost != null + then vhostConfig.useACMEHost + else serverName; + in + vhostConfig // { + inherit serverName certName; + } // (optionalAttrs (vhostConfig.enableACME || vhostConfig.useACMEHost != null) { + sslCertificate = "${certs.${certName}.directory}/fullchain.pem"; + sslCertificateKey = "${certs.${certName}.directory}/key.pem"; + sslTrustedCertificate = if vhostConfig.sslTrustedCertificate != null + then vhostConfig.sslTrustedCertificate + else "${certs.${certName}.directory}/chain.pem"; + }) + ) cfg.virtualHosts; + inherit (config.networking) enableIPv6; + + # Mime.types values are taken from brotli sample configuration - https://github.com/google/ngx_brotli + # and Nginx Server Configs - https://github.com/h5bp/server-configs-nginx + # "text/html" is implicitly included in {brotli,gzip,zstd}_types + compressMimeTypes = [ + "application/atom+xml" + "application/geo+json" + "application/javascript" # Deprecated by IETF RFC 9239, but still widely used + "application/json" + "application/ld+json" + "application/manifest+json" + "application/rdf+xml" + "application/vnd.ms-fontobject" + "application/wasm" + "application/x-rss+xml" + "application/x-web-app-manifest+json" + "application/xhtml+xml" + "application/xliff+xml" + "application/xml" + "font/collection" + "font/otf" + "font/ttf" + "image/bmp" + "image/svg+xml" + "image/vnd.microsoft.icon" + "text/cache-manifest" + "text/calendar" + "text/css" + "text/csv" + "text/javascript" + "text/markdown" + "text/plain" + "text/vcard" + "text/vnd.rim.location.xloc" + "text/vtt" + "text/x-component" + "text/xml" + ]; + + defaultFastcgiParams = { + SCRIPT_FILENAME = "$document_root$fastcgi_script_name"; + QUERY_STRING = "$query_string"; + REQUEST_METHOD = "$request_method"; + CONTENT_TYPE = "$content_type"; + CONTENT_LENGTH = "$content_length"; + + SCRIPT_NAME = "$fastcgi_script_name"; + REQUEST_URI = "$request_uri"; + DOCUMENT_URI = "$document_uri"; + DOCUMENT_ROOT = "$document_root"; + SERVER_PROTOCOL = "$server_protocol"; + REQUEST_SCHEME = "$scheme"; + HTTPS = "$https if_not_empty"; + + GATEWAY_INTERFACE = "CGI/1.1"; + SERVER_SOFTWARE = "nginx/$nginx_version"; + + REMOTE_ADDR = "$remote_addr"; + REMOTE_PORT = "$remote_port"; + SERVER_ADDR = "$server_addr"; + SERVER_PORT = "$server_port"; + SERVER_NAME = "$server_name"; + + REDIRECT_STATUS = "200"; + }; + + recommendedProxyConfig = pkgs.writeText "nginx-recommended-proxy-headers.conf" '' + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Server $host; + ''; + + proxyCachePathConfig = concatStringsSep "\n" (mapAttrsToList (name: proxyCachePath: '' + proxy_cache_path ${concatStringsSep " " [ + "/var/cache/nginx/${name}" + "keys_zone=${proxyCachePath.keysZoneName}:${proxyCachePath.keysZoneSize}" + "levels=${proxyCachePath.levels}" + "use_temp_path=${if proxyCachePath.useTempPath then "on" else "off"}" + "inactive=${proxyCachePath.inactive}" + "max_size=${proxyCachePath.maxSize}" + ]}; + '') (filterAttrs (name: conf: conf.enable) cfg.proxyCachePath)); + + toUpstreamParameter = key: value: + if builtins.isBool value + then lib.optionalString value key + else "${key}=${toString value}"; + + upstreamConfig = toString (flip mapAttrsToList cfg.upstreams (name: upstream: '' + upstream ${name} { + ${toString (flip mapAttrsToList upstream.servers (name: server: '' + server ${name} ${concatStringsSep " " (mapAttrsToList toUpstreamParameter server)}; + ''))} + ${upstream.extraConfig} + } + '')); + + commonHttpConfig = '' + # Load mime types. + include ${cfg.defaultMimeTypes}; + # When recommendedOptimisation is disabled nginx fails to start because the mailmap mime.types database + # contains 1026 entries and the default is only 1024. Setting to a higher number to remove the need to + # overwrite it because nginx does not allow duplicated settings. + types_hash_max_size 4096; + + include ${cfg.package}/conf/fastcgi.conf; + include ${cfg.package}/conf/uwsgi_params; + + default_type application/octet-stream; + ''; + + configFile = pkgs.writers.writeNginxConfig "nginx.conf" '' + pid /run/nginx/nginx.pid; + error_log ${cfg.logError}; + daemon off; + + ${optionalString cfg.enableQuicBPF '' + quic_bpf on; + ''} + + ${cfg.config} + + ${optionalString (cfg.eventsConfig != "" || cfg.config == "") '' + events { + ${cfg.eventsConfig} + } + ''} + + ${optionalString (cfg.httpConfig == "" && cfg.config == "") '' + http { + ${commonHttpConfig} + + ${optionalString (cfg.resolver.addresses != []) '' + resolver ${toString cfg.resolver.addresses} ${optionalString (cfg.resolver.valid != "") "valid=${cfg.resolver.valid}"} ${optionalString (!cfg.resolver.ipv6) "ipv6=off"}; + ''} + ${upstreamConfig} + + ${optionalString cfg.recommendedOptimisation '' + # optimisation + sendfile on; + tcp_nopush on; + tcp_nodelay on; + keepalive_timeout 65; + ''} + + ssl_protocols ${cfg.sslProtocols}; + ${optionalString (cfg.sslCiphers != null) "ssl_ciphers ${cfg.sslCiphers};"} + ${optionalString (cfg.sslDhparam != null) "ssl_dhparam ${cfg.sslDhparam};"} + + ${optionalString cfg.recommendedTlsSettings '' + # Keep in sync with https://ssl-config.mozilla.org/#server=nginx&config=intermediate + + ssl_session_timeout 1d; + ssl_session_cache shared:SSL:10m; + # Breaks forward secrecy: https://github.com/mozilla/server-side-tls/issues/135 + ssl_session_tickets off; + # We don't enable insecure ciphers by default, so this allows + # clients to pick the most performant, per https://github.com/mozilla/server-side-tls/issues/260 + ssl_prefer_server_ciphers off; + + # OCSP stapling + ssl_stapling on; + ssl_stapling_verify on; + ''} + + ${optionalString cfg.recommendedBrotliSettings '' + brotli on; + brotli_static on; + brotli_comp_level 5; + brotli_window 512k; + brotli_min_length 256; + brotli_types ${lib.concatStringsSep " " compressMimeTypes}; + ''} + + ${optionalString cfg.recommendedGzipSettings + # https://docs.nginx.com/nginx/admin-guide/web-server/compression/ + '' + gzip on; + gzip_static on; + gzip_vary on; + gzip_comp_level 5; + gzip_min_length 256; + gzip_proxied expired no-cache no-store private auth; + gzip_types ${lib.concatStringsSep " " compressMimeTypes}; + ''} + + ${optionalString cfg.recommendedZstdSettings '' + zstd on; + zstd_comp_level 9; + zstd_min_length 256; + zstd_static on; + zstd_types ${lib.concatStringsSep " " compressMimeTypes}; + ''} + + ${optionalString cfg.recommendedProxySettings '' + proxy_redirect off; + proxy_connect_timeout ${cfg.proxyTimeout}; + proxy_send_timeout ${cfg.proxyTimeout}; + proxy_read_timeout ${cfg.proxyTimeout}; + proxy_http_version 1.1; + # don't let clients close the keep-alive connection to upstream. See the nginx blog for details: + # https://www.nginx.com/blog/avoiding-top-10-nginx-configuration-mistakes/#no-keepalives + proxy_set_header "Connection" ""; + include ${recommendedProxyConfig}; + ''} + + ${optionalString (cfg.mapHashBucketSize != null) '' + map_hash_bucket_size ${toString cfg.mapHashBucketSize}; + ''} + + ${optionalString (cfg.mapHashMaxSize != null) '' + map_hash_max_size ${toString cfg.mapHashMaxSize}; + ''} + + ${optionalString (cfg.serverNamesHashBucketSize != null) '' + server_names_hash_bucket_size ${toString cfg.serverNamesHashBucketSize}; + ''} + + ${optionalString (cfg.serverNamesHashMaxSize != null) '' + server_names_hash_max_size ${toString cfg.serverNamesHashMaxSize}; + ''} + + # $connection_upgrade is used for websocket proxying + map $http_upgrade $connection_upgrade { + default upgrade; + ''' close; + } + client_max_body_size ${cfg.clientMaxBodySize}; + + server_tokens ${if cfg.serverTokens then "on" else "off"}; + + ${cfg.commonHttpConfig} + + ${proxyCachePathConfig} + + ${vhosts} + + ${cfg.appendHttpConfig} + }''} + + ${optionalString (cfg.httpConfig != "") '' + http { + ${commonHttpConfig} + ${cfg.httpConfig} + }''} + + ${optionalString (cfg.streamConfig != "") '' + stream { + ${cfg.streamConfig} + } + ''} + + ${cfg.appendConfig} + ''; + + configPath = if cfg.enableReload + then "/etc/nginx/nginx.conf" + else configFile; + + execCommand = "${cfg.package}/bin/nginx -c '${configPath}'"; + + vhosts = concatStringsSep "\n" (mapAttrsToList (vhostName: vhost: + let + onlySSL = vhost.onlySSL || vhost.enableSSL; + hasSSL = onlySSL || vhost.addSSL || vhost.forceSSL; + + # First evaluation of defaultListen based on a set of listen lines. + mkDefaultListenVhost = listenLines: + # If this vhost has SSL or is a SSL rejection host. + # We enable a TLS variant for lines without explicit ssl or ssl = true. + optionals (hasSSL || vhost.rejectSSL) + (map (listen: { port = cfg.defaultSSLListenPort; ssl = true; } // listen) + (filter (listen: !(listen ? ssl) || listen.ssl) listenLines)) + # If this vhost is supposed to serve HTTP + # We provide listen lines for those without explicit ssl or ssl = false. + ++ optionals (!onlySSL) + (map (listen: { port = cfg.defaultHTTPListenPort; ssl = false; } // listen) + (filter (listen: !(listen ? ssl) || !listen.ssl) listenLines)); + + defaultListen = + if vhost.listen != [] then vhost.listen + else + if cfg.defaultListen != [] then mkDefaultListenVhost + # Cleanup nulls which will mess up with //. + # TODO: is there a better way to achieve this? i.e. mergeButIgnoreNullPlease? + (map (listenLine: filterAttrs (_: v: (v != null)) listenLine) cfg.defaultListen) + else + let addrs = if vhost.listenAddresses != [] then vhost.listenAddresses else cfg.defaultListenAddresses; + in mkDefaultListenVhost (map (addr: { inherit addr; }) addrs); + + + hostListen = + if vhost.forceSSL + then filter (x: x.ssl) defaultListen + else defaultListen; + + listenString = { addr, port, ssl, proxyProtocol ? false, extraParameters ? [], ... }: + # UDP listener for QUIC transport protocol. + (optionalString (ssl && vhost.quic) (" + listen ${addr}${optionalString (port != null) ":${toString port}"} quic " + + optionalString vhost.default "default_server " + + optionalString vhost.reuseport "reuseport " + + optionalString (extraParameters != []) (concatStringsSep " " + (let inCompatibleParameters = [ "accept_filter" "backlog" "deferred" "fastopen" "http2" "proxy_protocol" "so_keepalive" "ssl" ]; + isCompatibleParameter = param: !(any (p: lib.hasPrefix p param) inCompatibleParameters); + in filter isCompatibleParameter extraParameters)) + + ";")) + + " + listen ${addr}${optionalString (port != null) ":${toString port}"} " + + optionalString (ssl && vhost.http2 && oldHTTP2) "http2 " + + optionalString ssl "ssl " + + optionalString vhost.default "default_server " + + optionalString vhost.reuseport "reuseport " + + optionalString proxyProtocol "proxy_protocol " + + optionalString (extraParameters != []) (concatStringsSep " " extraParameters) + + ";"; + + redirectListen = filter (x: !x.ssl) defaultListen; + + # The acme-challenge location doesn't need to be added if we are not using any automated + # certificate provisioning and can also be omitted when we use a certificate obtained via a DNS-01 challenge + acmeLocation = optionalString (vhost.enableACME || (vhost.useACMEHost != null && config.security.acme.certs.${vhost.useACMEHost}.dnsProvider == null)) + # Rule for legitimate ACME Challenge requests (like /.well-known/acme-challenge/xxxxxxxxx) + # We use ^~ here, so that we don't check any regexes (which could + # otherwise easily override this intended match accidentally). + '' + location ^~ /.well-known/acme-challenge/ { + ${optionalString (vhost.acmeFallbackHost != null) "try_files $uri @acme-fallback;"} + ${optionalString (vhost.acmeRoot != null) "root ${vhost.acmeRoot};"} + auth_basic off; + auth_request off; + } + ${optionalString (vhost.acmeFallbackHost != null) '' + location @acme-fallback { + auth_basic off; + auth_request off; + proxy_pass http://${vhost.acmeFallbackHost}; + } + ''} + ''; + + in '' + ${optionalString vhost.forceSSL '' + server { + ${concatMapStringsSep "\n" listenString redirectListen} + + server_name ${vhost.serverName} ${concatStringsSep " " vhost.serverAliases}; + + location / { + return ${toString vhost.redirectCode} https://$host$request_uri; + } + ${acmeLocation} + } + ''} + + server { + ${concatMapStringsSep "\n" listenString hostListen} + server_name ${vhost.serverName} ${concatStringsSep " " vhost.serverAliases}; + ${optionalString (hasSSL && vhost.http2 && !oldHTTP2) '' + http2 on; + ''} + ${optionalString (hasSSL && vhost.quic) '' + http3 ${if vhost.http3 then "on" else "off"}; + http3_hq ${if vhost.http3_hq then "on" else "off"}; + ''} + ${optionalString hasSSL '' + ssl_certificate ${vhost.sslCertificate}; + ssl_certificate_key ${vhost.sslCertificateKey}; + ''} + ${optionalString (hasSSL && vhost.sslTrustedCertificate != null) '' + ssl_trusted_certificate ${vhost.sslTrustedCertificate}; + ''} + ${optionalString vhost.rejectSSL '' + ssl_reject_handshake on; + ''} + ${optionalString (hasSSL && vhost.kTLS) '' + ssl_conf_command Options KTLS; + ''} + + ${mkBasicAuth vhostName vhost} + + ${optionalString (vhost.root != null) "root ${vhost.root};"} + + ${optionalString (vhost.globalRedirect != null) '' + location / { + return ${toString vhost.redirectCode} http${optionalString hasSSL "s"}://${vhost.globalRedirect}$request_uri; + } + ''} + ${acmeLocation} + ${mkLocations vhost.locations} + + ${vhost.extraConfig} + } + '' + ) virtualHosts); + mkLocations = locations: concatStringsSep "\n" (map (config: '' + location ${config.location} { + ${optionalString (config.proxyPass != null && !cfg.proxyResolveWhileRunning) + "proxy_pass ${config.proxyPass};" + } + ${optionalString (config.proxyPass != null && cfg.proxyResolveWhileRunning) '' + set $nix_proxy_target "${config.proxyPass}"; + proxy_pass $nix_proxy_target; + ''} + ${optionalString config.proxyWebsockets '' + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + ''} + ${concatStringsSep "\n" + (mapAttrsToList (n: v: ''fastcgi_param ${n} "${v}";'') + (optionalAttrs (config.fastcgiParams != {}) + (defaultFastcgiParams // config.fastcgiParams)))} + ${optionalString (config.index != null) "index ${config.index};"} + ${optionalString (config.tryFiles != null) "try_files ${config.tryFiles};"} + ${optionalString (config.root != null) "root ${config.root};"} + ${optionalString (config.alias != null) "alias ${config.alias};"} + ${optionalString (config.return != null) "return ${toString config.return};"} + ${config.extraConfig} + ${optionalString (config.proxyPass != null && config.recommendedProxySettings) "include ${recommendedProxyConfig};"} + ${mkBasicAuth "sublocation" config} + } + '') (sortProperties (mapAttrsToList (k: v: v // { location = k; }) locations))); + + mkBasicAuth = name: zone: optionalString (zone.basicAuthFile != null || zone.basicAuth != {}) (let + auth_file = if zone.basicAuthFile != null + then zone.basicAuthFile + else mkHtpasswd name zone.basicAuth; + in '' + auth_basic secured; + auth_basic_user_file ${auth_file}; + ''); + mkHtpasswd = name: authDef: pkgs.writeText "${name}.htpasswd" ( + concatStringsSep "\n" (mapAttrsToList (user: password: '' + ${user}:{PLAIN}${password} + '') authDef) + ); + + mkCertOwnershipAssertion = import ../../../security/acme/mk-cert-ownership-assertion.nix; + + oldHTTP2 = (versionOlder cfg.package.version "1.25.1" && !(cfg.package.pname == "angie" || cfg.package.pname == "angieQuic")); +in + +{ + options = { + services.nginx = { + enable = mkEnableOption (lib.mdDoc "Nginx Web Server"); + + statusPage = mkOption { + default = false; + type = types.bool; + description = lib.mdDoc '' + Enable status page reachable from localhost on http://127.0.0.1/nginx_status. + ''; + }; + + recommendedTlsSettings = mkOption { + default = false; + type = types.bool; + description = lib.mdDoc '' + Enable recommended TLS settings. + ''; + }; + + recommendedOptimisation = mkOption { + default = false; + type = types.bool; + description = lib.mdDoc '' + Enable recommended optimisation settings. + ''; + }; + + recommendedBrotliSettings = mkOption { + default = false; + type = types.bool; + description = lib.mdDoc '' + Enable recommended brotli settings. + Learn more about compression in Brotli format [here](https://github.com/google/ngx_brotli/). + + This adds `pkgs.nginxModules.brotli` to `services.nginx.additionalModules`. + ''; + }; + + recommendedGzipSettings = mkOption { + default = false; + type = types.bool; + description = lib.mdDoc '' + Enable recommended gzip settings. + Learn more about compression in Gzip format [here](https://docs.nginx.com/nginx/admin-guide/web-server/compression/). + ''; + }; + + recommendedZstdSettings = mkOption { + default = false; + type = types.bool; + description = lib.mdDoc '' + Enable recommended zstd settings. + Learn more about compression in Zstd format [here](https://github.com/tokers/zstd-nginx-module). + + This adds `pkgs.nginxModules.zstd` to `services.nginx.additionalModules`. + ''; + }; + + recommendedProxySettings = mkOption { + default = false; + type = types.bool; + description = lib.mdDoc '' + Whether to enable recommended proxy settings if a vhost does not specify the option manually. + ''; + }; + + proxyTimeout = mkOption { + type = types.str; + default = "60s"; + example = "20s"; + description = lib.mdDoc '' + Change the proxy related timeouts in recommendedProxySettings. + ''; + }; + + defaultListen = mkOption { + type = with types; listOf (submodule { + options = { + addr = mkOption { + type = str; + description = lib.mdDoc "IP address."; + }; + port = mkOption { + type = nullOr port; + description = lib.mdDoc "Port number."; + default = null; + }; + ssl = mkOption { + type = nullOr bool; + default = null; + description = lib.mdDoc "Enable SSL."; + }; + proxyProtocol = mkOption { + type = bool; + description = lib.mdDoc "Enable PROXY protocol."; + default = false; + }; + extraParameters = mkOption { + type = listOf str; + description = lib.mdDoc "Extra parameters of this listen directive."; + default = [ ]; + example = [ "backlog=1024" "deferred" ]; + }; + }; + }); + default = []; + example = literalExpression '' + [ + { addr = "10.0.0.12"; proxyProtocol = true; ssl = true; } + { addr = "0.0.0.0"; } + { addr = "[::0]"; } + ] + ''; + description = lib.mdDoc '' + If vhosts do not specify listen, use these addresses by default. + This option takes precedence over {option}`defaultListenAddresses` and + other listen-related defaults options. + ''; + }; + + defaultListenAddresses = mkOption { + type = types.listOf types.str; + default = [ "0.0.0.0" ] ++ optional enableIPv6 "[::0]"; + defaultText = literalExpression ''[ "0.0.0.0" ] ++ lib.optional config.networking.enableIPv6 "[::0]"''; + example = literalExpression ''[ "10.0.0.12" "[2002:a00:1::]" ]''; + description = lib.mdDoc '' + If vhosts do not specify listenAddresses, use these addresses by default. + This is akin to writing `defaultListen = [ { addr = "0.0.0.0" } ]`. + ''; + }; + + defaultHTTPListenPort = mkOption { + type = types.port; + default = 80; + example = 8080; + description = lib.mdDoc '' + If vhosts do not specify listen.port, use these ports for HTTP by default. + ''; + }; + + defaultSSLListenPort = mkOption { + type = types.port; + default = 443; + example = 8443; + description = lib.mdDoc '' + If vhosts do not specify listen.port, use these ports for SSL by default. + ''; + }; + + defaultMimeTypes = mkOption { + type = types.path; + default = "${pkgs.mailcap}/etc/nginx/mime.types"; + defaultText = literalExpression "$''{pkgs.mailcap}/etc/nginx/mime.types"; + example = literalExpression "$''{pkgs.nginx}/conf/mime.types"; + description = lib.mdDoc '' + Default MIME types for NGINX, as MIME types definitions from NGINX are very incomplete, + we use by default the ones bundled in the mailcap package, used by most of the other + Linux distributions. + ''; + }; + + package = mkOption { + default = pkgs.nginxStable; + defaultText = literalExpression "pkgs.nginxStable"; + type = types.package; + apply = p: p.override { + modules = lib.unique (p.modules ++ cfg.additionalModules); + }; + description = lib.mdDoc '' + Nginx package to use. This defaults to the stable version. Note + that the nginx team recommends to use the mainline version which + available in nixpkgs as `nginxMainline`. + Supported Nginx forks include `angie`, `openresty` and `tengine`. + For HTTP/3 support use `nginxQuic` or `angieQuic`. + ''; + }; + + additionalModules = mkOption { + default = []; + type = types.listOf (types.attrsOf types.anything); + example = literalExpression "[ pkgs.nginxModules.echo ]"; + description = lib.mdDoc '' + Additional [third-party nginx modules](https://www.nginx.com/resources/wiki/modules/) + to install. Packaged modules are available in `pkgs.nginxModules`. + ''; + }; + + logError = mkOption { + default = "stderr"; + type = types.str; + description = lib.mdDoc '' + Configures logging. + The first parameter defines a file that will store the log. The + special value stderr selects the standard error file. Logging to + syslog can be configured by specifying the “syslog:” prefix. + The second parameter determines the level of logging, and can be + one of the following: debug, info, notice, warn, error, crit, + alert, or emerg. Log levels above are listed in the order of + increasing severity. Setting a certain log level will cause all + messages of the specified and more severe log levels to be logged. + If this parameter is omitted then error is used. + ''; + }; + + preStart = mkOption { + type = types.lines; + default = ""; + description = lib.mdDoc '' + Shell commands executed before the service's nginx is started. + ''; + }; + + config = mkOption { + type = types.str; + default = ""; + description = lib.mdDoc '' + Verbatim {file}`nginx.conf` configuration. + This is mutually exclusive to any other config option for + {file}`nginx.conf` except for + - [](#opt-services.nginx.appendConfig) + - [](#opt-services.nginx.httpConfig) + - [](#opt-services.nginx.logError) + + If additional verbatim config in addition to other options is needed, + [](#opt-services.nginx.appendConfig) should be used instead. + ''; + }; + + appendConfig = mkOption { + type = types.lines; + default = ""; + description = lib.mdDoc '' + Configuration lines appended to the generated Nginx + configuration file. Commonly used by different modules + providing http snippets. {option}`appendConfig` + can be specified more than once and its value will be + concatenated (contrary to {option}`config` which + can be set only once). + ''; + }; + + commonHttpConfig = mkOption { + type = types.lines; + default = ""; + example = '' + resolver 127.0.0.1 valid=5s; + + log_format myformat '$remote_addr - $remote_user [$time_local] ' + '"$request" $status $body_bytes_sent ' + '"$http_referer" "$http_user_agent"'; + ''; + description = lib.mdDoc '' + With nginx you must provide common http context definitions before + they are used, e.g. log_format, resolver, etc. inside of server + or location contexts. Use this attribute to set these definitions + at the appropriate location. + ''; + }; + + httpConfig = mkOption { + type = types.lines; + default = ""; + description = lib.mdDoc '' + Configuration lines to be set inside the http block. + This is mutually exclusive with the structured configuration + via virtualHosts and the recommendedXyzSettings configuration + options. See appendHttpConfig for appending to the generated http block. + ''; + }; + + streamConfig = mkOption { + type = types.lines; + default = ""; + example = '' + server { + listen 127.0.0.1:53 udp reuseport; + proxy_timeout 20s; + proxy_pass 192.168.0.1:53535; + } + ''; + description = lib.mdDoc '' + Configuration lines to be set inside the stream block. + ''; + }; + + eventsConfig = mkOption { + type = types.lines; + default = ""; + description = lib.mdDoc '' + Configuration lines to be set inside the events block. + ''; + }; + + appendHttpConfig = mkOption { + type = types.lines; + default = ""; + description = lib.mdDoc '' + Configuration lines to be appended to the generated http block. + This is mutually exclusive with using config and httpConfig for + specifying the whole http block verbatim. + ''; + }; + + enableReload = mkOption { + default = false; + type = types.bool; + description = lib.mdDoc '' + Reload nginx when configuration file changes (instead of restart). + The configuration file is exposed at {file}`/etc/nginx/nginx.conf`. + See also `systemd.services.*.restartIfChanged`. + ''; + }; + + enableQuicBPF = mkOption { + default = false; + type = types.bool; + description = lib.mdDoc '' + Enables routing of QUIC packets using eBPF. When enabled, this allows + to support QUIC connection migration. The directive is only supported + on Linux 5.7+. + Note that enabling this option will make nginx run with extended + capabilities that are usually limited to processes running as root + namely `CAP_SYS_ADMIN` and `CAP_NET_ADMIN`. + ''; + }; + + user = mkOption { + type = types.str; + default = "nginx"; + description = lib.mdDoc "User account under which nginx runs."; + }; + + group = mkOption { + type = types.str; + default = "nginx"; + description = lib.mdDoc "Group account under which nginx runs."; + }; + + serverTokens = mkOption { + type = types.bool; + default = false; + description = lib.mdDoc "Show nginx version in headers and error pages."; + }; + + clientMaxBodySize = mkOption { + type = types.str; + default = "10m"; + description = lib.mdDoc "Set nginx global client_max_body_size."; + }; + + sslCiphers = mkOption { + type = types.nullOr types.str; + # Keep in sync with https://ssl-config.mozilla.org/#server=nginx&config=intermediate + default = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"; + description = lib.mdDoc "Ciphers to choose from when negotiating TLS handshakes."; + }; + + sslProtocols = mkOption { + type = types.str; + default = "TLSv1.2 TLSv1.3"; + example = "TLSv1 TLSv1.1 TLSv1.2 TLSv1.3"; + description = lib.mdDoc "Allowed TLS protocol versions."; + }; + + sslDhparam = mkOption { + type = types.nullOr types.path; + default = null; + example = "/path/to/dhparams.pem"; + description = lib.mdDoc "Path to DH parameters file."; + }; + + proxyResolveWhileRunning = mkOption { + type = types.bool; + default = false; + description = lib.mdDoc '' + Resolves domains of proxyPass targets at runtime + and not only at start, you have to set + services.nginx.resolver, too. + ''; + }; + + mapHashBucketSize = mkOption { + type = types.nullOr (types.enum [ 32 64 128 ]); + default = null; + description = lib.mdDoc '' + Sets the bucket size for the map variables hash tables. Default + value depends on the processor’s cache line size. + ''; + }; + + mapHashMaxSize = mkOption { + type = types.nullOr types.ints.positive; + default = null; + description = lib.mdDoc '' + Sets the maximum size of the map variables hash tables. + ''; + }; + + serverNamesHashBucketSize = mkOption { + type = types.nullOr types.ints.positive; + default = null; + description = lib.mdDoc '' + Sets the bucket size for the server names hash tables. Default + value depends on the processor’s cache line size. + ''; + }; + + serverNamesHashMaxSize = mkOption { + type = types.nullOr types.ints.positive; + default = null; + description = lib.mdDoc '' + Sets the maximum size of the server names hash tables. + ''; + }; + + proxyCachePath = mkOption { + type = types.attrsOf (types.submodule ({ ... }: { + options = { + enable = mkEnableOption (lib.mdDoc "this proxy cache path entry"); + + keysZoneName = mkOption { + type = types.str; + default = "cache"; + example = "my_cache"; + description = lib.mdDoc "Set name to shared memory zone."; + }; + + keysZoneSize = mkOption { + type = types.str; + default = "10m"; + example = "32m"; + description = lib.mdDoc "Set size to shared memory zone."; + }; + + levels = mkOption { + type = types.str; + default = "1:2"; + example = "1:2:2"; + description = lib.mdDoc '' + The levels parameter defines structure of subdirectories in cache: from + 1 to 3, each level accepts values 1 or 2. Сan be used any combination of + 1 and 2 in these formats: x, x:x and x:x:x. + ''; + }; + + useTempPath = mkOption { + type = types.bool; + default = false; + example = true; + description = lib.mdDoc '' + Nginx first writes files that are destined for the cache to a temporary + storage area, and the use_temp_path=off directive instructs Nginx to + write them to the same directories where they will be cached. Recommended + that you set this parameter to off to avoid unnecessary copying of data + between file systems. + ''; + }; + + inactive = mkOption { + type = types.str; + default = "10m"; + example = "1d"; + description = lib.mdDoc '' + Cached data that has not been accessed for the time specified by + the inactive parameter is removed from the cache, regardless of + its freshness. + ''; + }; + + maxSize = mkOption { + type = types.str; + default = "1g"; + example = "2048m"; + description = lib.mdDoc "Set maximum cache size"; + }; + }; + })); + default = {}; + description = lib.mdDoc '' + Configure a proxy cache path entry. + See <https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_cache_path> for documentation. + ''; + }; + + resolver = mkOption { + type = types.submodule { + options = { + addresses = mkOption { + type = types.listOf types.str; + default = []; + example = literalExpression ''[ "[::1]" "127.0.0.1:5353" ]''; + description = lib.mdDoc "List of resolvers to use"; + }; + valid = mkOption { + type = types.str; + default = ""; + example = "30s"; + description = lib.mdDoc '' + By default, nginx caches answers using the TTL value of a response. + An optional valid parameter allows overriding it + ''; + }; + ipv6 = mkOption { + type = types.bool; + default = true; + description = lib.mdDoc '' + By default, nginx will look up both IPv4 and IPv6 addresses while resolving. + If looking up of IPv6 addresses is not desired, the ipv6=off parameter can be + specified. + ''; + }; + }; + }; + description = lib.mdDoc '' + Configures name servers used to resolve names of upstream servers into addresses + ''; + default = {}; + }; + + upstreams = mkOption { + type = types.attrsOf (types.submodule { + options = { + servers = mkOption { + type = types.attrsOf (types.submodule { + freeformType = types.attrsOf (types.oneOf [ types.bool types.int types.str ]); + options = { + backup = mkOption { + type = types.bool; + default = false; + description = lib.mdDoc '' + Marks the server as a backup server. It will be passed + requests when the primary servers are unavailable. + ''; + }; + }; + }); + description = lib.mdDoc '' + Defines the address and other parameters of the upstream servers. + See [the documentation](https://nginx.org/en/docs/http/ngx_http_upstream_module.html#server) + for the available parameters. + ''; + default = {}; + example = lib.literalMD "see [](#opt-services.nginx.upstreams)"; + }; + extraConfig = mkOption { + type = types.lines; + default = ""; + description = lib.mdDoc '' + These lines go to the end of the upstream verbatim. + ''; + }; + }; + }); + description = lib.mdDoc '' + Defines a group of servers to use as proxy target. + ''; + default = {}; + example = { + "backend" = { + servers = { + "backend1.example.com:8080" = { weight = 5; }; + "backend2.example.com" = { max_fails = 3; fail_timeout = "30s"; }; + "backend3.example.com" = {}; + "backup1.example.com" = { backup = true; }; + "backup2.example.com" = { backup = true; }; + }; + extraConfig = '' + keepalive 16; + ''; + }; + "memcached" = { + servers."unix:/run//memcached/memcached.sock" = {}; + }; + }; + }; + + virtualHosts = mkOption { + type = types.attrsOf (types.submodule (import ./vhost-options.nix { + inherit config lib; + })); + default = { + localhost = {}; + }; + example = literalExpression '' + { + "hydra.example.com" = { + forceSSL = true; + enableACME = true; + locations."/" = { + proxyPass = "http://localhost:3000"; + }; + }; + }; + ''; + description = lib.mdDoc "Declarative vhost config"; + }; + }; + }; + + imports = [ + (mkRemovedOptionModule [ "services" "nginx" "stateDir" ] '' + The Nginx log directory has been moved to /var/log/nginx, the cache directory + to /var/cache/nginx. The option services.nginx.stateDir has been removed. + '') + (mkRenamedOptionModule [ "services" "nginx" "proxyCache" "inactive" ] [ "services" "nginx" "proxyCachePath" "" "inactive" ]) + (mkRenamedOptionModule [ "services" "nginx" "proxyCache" "useTempPath" ] [ "services" "nginx" "proxyCachePath" "" "useTempPath" ]) + (mkRenamedOptionModule [ "services" "nginx" "proxyCache" "levels" ] [ "services" "nginx" "proxyCachePath" "" "levels" ]) + (mkRenamedOptionModule [ "services" "nginx" "proxyCache" "keysZoneSize" ] [ "services" "nginx" "proxyCachePath" "" "keysZoneSize" ]) + (mkRenamedOptionModule [ "services" "nginx" "proxyCache" "keysZoneName" ] [ "services" "nginx" "proxyCachePath" "" "keysZoneName" ]) + (mkRenamedOptionModule [ "services" "nginx" "proxyCache" "enable" ] [ "services" "nginx" "proxyCachePath" "" "enable" ]) + ]; + + config = mkIf cfg.enable { + warnings = + let + deprecatedSSL = name: config: optional config.enableSSL + '' + config.services.nginx.virtualHosts.<name>.enableSSL is deprecated, + use config.services.nginx.virtualHosts.<name>.onlySSL instead. + ''; + + in flatten (mapAttrsToList deprecatedSSL virtualHosts); + + assertions = + let + hostOrAliasIsNull = l: l.root == null || l.alias == null; + in [ + { + assertion = all (host: all hostOrAliasIsNull (attrValues host.locations)) (attrValues virtualHosts); + message = "Only one of nginx root or alias can be specified on a location."; + } + + { + assertion = all (host: with host; + count id [ addSSL (onlySSL || enableSSL) forceSSL rejectSSL ] <= 1 + ) (attrValues virtualHosts); + message = '' + Options services.nginx.service.virtualHosts.<name>.addSSL, + services.nginx.virtualHosts.<name>.onlySSL, + services.nginx.virtualHosts.<name>.forceSSL and + services.nginx.virtualHosts.<name>.rejectSSL are mutually exclusive. + ''; + } + + { + assertion = any (host: host.rejectSSL) (attrValues virtualHosts) -> versionAtLeast cfg.package.version "1.19.4"; + message = '' + services.nginx.virtualHosts.<name>.rejectSSL requires nginx version + 1.19.4 or above; see the documentation for services.nginx.package. + ''; + } + + { + assertion = all (host: !(host.enableACME && host.useACMEHost != null)) (attrValues virtualHosts); + message = '' + Options services.nginx.service.virtualHosts.<name>.enableACME and + services.nginx.virtualHosts.<name>.useACMEHost are mutually exclusive. + ''; + } + + { + assertion = cfg.package.pname != "nginxQuic" && cfg.package.pname != "angieQuic" -> !(cfg.enableQuicBPF); + message = '' + services.nginx.enableQuicBPF requires using nginxQuic package, + which can be achieved by setting `services.nginx.package = pkgs.nginxQuic;` or + `services.nginx.package = pkgs.angieQuic;`. + ''; + } + + { + assertion = cfg.package.pname != "nginxQuic" && cfg.package.pname != "angieQuic" -> all (host: !host.quic) (attrValues virtualHosts); + message = '' + services.nginx.service.virtualHosts.<name>.quic requires using nginxQuic or angie packages, + which can be achieved by setting `services.nginx.package = pkgs.nginxQuic;` or + `services.nginx.package = pkgs.angieQuic;`. + ''; + } + + { + # The idea is to understand whether there is a virtual host with a listen configuration + # that requires ACME configuration but has no HTTP listener which will make deterministically fail + # this operation. + # Options' priorities are the following at the moment: + # listen (vhost) > defaultListen (server) > listenAddresses (vhost) > defaultListenAddresses (server) + assertion = + let + hasAtLeastHttpListener = listenOptions: any (listenLine: if listenLine ? proxyProtocol then !listenLine.proxyProtocol else true) listenOptions; + hasAtLeastDefaultHttpListener = if cfg.defaultListen != [] then hasAtLeastHttpListener cfg.defaultListen else (cfg.defaultListenAddresses != []); + in + all (host: + let + hasAtLeastVhostHttpListener = if host.listen != [] then hasAtLeastHttpListener host.listen else (host.listenAddresses != []); + vhostAuthority = host.listen != [] || (cfg.defaultListen == [] && host.listenAddresses != []); + in + # Either vhost has precedence and we need a vhost specific http listener + # Either vhost set nothing and inherit from server settings + host.enableACME -> ((vhostAuthority && hasAtLeastVhostHttpListener) || (!vhostAuthority && hasAtLeastDefaultHttpListener)) + ) (attrValues virtualHosts); + message = '' + services.nginx.virtualHosts.<name>.enableACME requires a HTTP listener + to answer to ACME requests. + ''; + } + ] ++ map (name: mkCertOwnershipAssertion { + inherit (cfg) group user; + cert = config.security.acme.certs.${name}; + groups = config.users.groups; + }) dependentCertNames; + + services.nginx.additionalModules = optional cfg.recommendedBrotliSettings pkgs.nginxModules.brotli + ++ lib.optional cfg.recommendedZstdSettings pkgs.nginxModules.zstd; + + services.nginx.virtualHosts.localhost = mkIf cfg.statusPage { + listenAddresses = lib.mkDefault ([ + "0.0.0.0" + ] ++ lib.optional enableIPv6 "[::]"); + locations."/nginx_status" = { + extraConfig = '' + stub_status on; + access_log off; + allow 127.0.0.1; + ${optionalString enableIPv6 "allow ::1;"} + deny all; + ''; + }; + }; + + systemd.services.nginx = { + description = "Nginx Web Server"; + wantedBy = [ "multi-user.target" ]; + wants = concatLists (map (certName: [ "acme-finished-${certName}.target" ]) dependentCertNames); + after = [ "network.target" ] ++ map (certName: "acme-selfsigned-${certName}.service") dependentCertNames; + # Nginx needs to be started in order to be able to request certificates + # (it's hosting the acme challenge after all) + # This fixes https://github.com/NixOS/nixpkgs/issues/81842 + before = map (certName: "acme-${certName}.service") dependentCertNames; + stopIfChanged = false; + preStart = '' + ${cfg.preStart} + ${execCommand} -t + ''; + + startLimitIntervalSec = 60; + serviceConfig = { + ExecStart = execCommand; + ExecReload = [ + "${execCommand} -t" + "${pkgs.coreutils}/bin/kill -HUP $MAINPID" + ]; + Restart = "always"; + RestartSec = "10s"; + # User and group + User = cfg.user; + Group = cfg.group; + # Runtime directory and mode + RuntimeDirectory = "nginx"; + RuntimeDirectoryMode = "0750"; + # Cache directory and mode + CacheDirectory = "nginx"; + CacheDirectoryMode = "0750"; + # Logs directory and mode + LogsDirectory = "nginx"; + LogsDirectoryMode = "0750"; + # Proc filesystem + ProcSubset = "pid"; + ProtectProc = "invisible"; + # New file permissions + UMask = "0027"; # 0640 / 0750 + # Capabilities + AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" "CAP_SYS_RESOURCE" ] ++ optionals cfg.enableQuicBPF [ "CAP_SYS_ADMIN" "CAP_NET_ADMIN" ]; + CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" "CAP_SYS_RESOURCE" ] ++ optionals cfg.enableQuicBPF [ "CAP_SYS_ADMIN" "CAP_NET_ADMIN" ]; + # Security + NoNewPrivileges = true; + # Sandboxing (sorted by occurrence in https://www.freedesktop.org/software/systemd/man/systemd.exec.html) + ProtectSystem = "strict"; + ProtectHome = mkDefault true; + PrivateTmp = true; + PrivateDevices = true; + ProtectHostname = true; + ProtectClock = true; + ProtectKernelTunables = true; + ProtectKernelModules = true; + ProtectKernelLogs = true; + ProtectControlGroups = true; + RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ]; + RestrictNamespaces = true; + LockPersonality = true; + MemoryDenyWriteExecute = !((builtins.any (mod: (mod.allowMemoryWriteExecute or false)) cfg.package.modules) || (cfg.package == pkgs.openresty)); + RestrictRealtime = true; + RestrictSUIDSGID = true; + RemoveIPC = true; + PrivateMounts = true; + # System Call Filtering + SystemCallArchitectures = "native"; + SystemCallFilter = [ "~@cpu-emulation @debug @keyring @mount @obsolete @privileged @setuid" ] + ++ optional cfg.enableQuicBPF [ "bpf" ] + ++ optionals ((cfg.package != pkgs.tengine) && (cfg.package != pkgs.openresty) && (!lib.any (mod: (mod.disableIPC or false)) cfg.package.modules)) [ "~@ipc" ]; + }; + }; + + environment.etc."nginx/nginx.conf" = mkIf cfg.enableReload { + source = configFile; + }; + + # This service waits for all certificates to be available + # before reloading nginx configuration. + # sslTargets are added to wantedBy + before + # which allows the acme-finished-$cert.target to signify the successful updating + # of certs end-to-end. + systemd.services.nginx-config-reload = let + sslServices = map (certName: "acme-${certName}.service") dependentCertNames; + sslTargets = map (certName: "acme-finished-${certName}.target") dependentCertNames; + in mkIf (cfg.enableReload || sslServices != []) { + wants = optionals cfg.enableReload [ "nginx.service" ]; + wantedBy = sslServices ++ [ "multi-user.target" ]; + # Before the finished targets, after the renew services. + # This service might be needed for HTTP-01 challenges, but we only want to confirm + # certs are updated _after_ config has been reloaded. + before = sslTargets; + after = sslServices; + restartTriggers = optionals cfg.enableReload [ configFile ]; + # Block reloading if not all certs exist yet. + # Happens when config changes add new vhosts/certs. + unitConfig.ConditionPathExists = optionals (sslServices != []) (map (certName: certs.${certName}.directory + "/fullchain.pem") dependentCertNames); + serviceConfig = { + Type = "oneshot"; + TimeoutSec = 60; + ExecCondition = "/run/current-system/systemd/bin/systemctl -q is-active nginx.service"; + ExecStart = "/run/current-system/systemd/bin/systemctl reload nginx.service"; + }; + }; + + security.acme.certs = let + acmePairs = map (vhostConfig: let + hasRoot = vhostConfig.acmeRoot != null; + in nameValuePair vhostConfig.serverName { + group = mkDefault cfg.group; + # if acmeRoot is null inherit config.security.acme + # Since config.security.acme.certs.<cert>.webroot's own default value + # should take precedence set priority higher than mkOptionDefault + webroot = mkOverride (if hasRoot then 1000 else 2000) vhostConfig.acmeRoot; + # Also nudge dnsProvider to null in case it is inherited + dnsProvider = mkOverride (if hasRoot then 1000 else 2000) null; + extraDomainNames = vhostConfig.serverAliases; + # Filter for enableACME-only vhosts. Don't want to create dud certs + }) (filter (vhostConfig: vhostConfig.useACMEHost == null) acmeEnabledVhosts); + in listToAttrs acmePairs; + + users.users = optionalAttrs (cfg.user == "nginx") { + nginx = { + group = cfg.group; + isSystemUser = true; + uid = config.ids.uids.nginx; + }; + }; + + users.groups = optionalAttrs (cfg.group == "nginx") { + nginx.gid = config.ids.gids.nginx; + }; + + boot.kernelModules = optional (versionAtLeast config.boot.kernelPackages.kernel.version "4.17") "tls"; + + # do not delete the default temp directories created upon nginx startup + systemd.tmpfiles.rules = [ + "X /tmp/systemd-private-%b-nginx.service-*/tmp/nginx_*" + ]; + + services.logrotate.settings.nginx = mapAttrs (_: mkDefault) { + files = "/var/log/nginx/*.log"; + frequency = "weekly"; + su = "${cfg.user} ${cfg.group}"; + rotate = 26; + compress = true; + delaycompress = true; + postrotate = "[ ! -f /var/run/nginx/nginx.pid ] || kill -USR1 `cat /var/run/nginx/nginx.pid`"; + }; + }; +} diff --git a/nixpkgs/nixos/modules/services/web-servers/nginx/gitweb.nix b/nixpkgs/nixos/modules/services/web-servers/nginx/gitweb.nix new file mode 100644 index 000000000000..ec2c432ca573 --- /dev/null +++ b/nixpkgs/nixos/modules/services/web-servers/nginx/gitweb.nix @@ -0,0 +1,94 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.nginx.gitweb; + gitwebConfig = config.services.gitweb; + package = pkgs.gitweb.override (optionalAttrs gitwebConfig.gitwebTheme { + gitwebTheme = true; + }); + +in +{ + + options.services.nginx.gitweb = { + + enable = mkOption { + default = false; + type = types.bool; + description = lib.mdDoc '' + If true, enable gitweb in nginx. + ''; + }; + + location = mkOption { + default = "/gitweb"; + type = types.str; + description = lib.mdDoc '' + Location to serve gitweb on. + ''; + }; + + user = mkOption { + default = "nginx"; + type = types.str; + description = lib.mdDoc '' + Existing user that the CGI process will belong to. (Default almost surely will do.) + ''; + }; + + group = mkOption { + default = "nginx"; + type = types.str; + description = lib.mdDoc '' + Group that the CGI process will belong to. (Set to `config.services.gitolite.group` if you are using gitolite.) + ''; + }; + + virtualHost = mkOption { + default = "_"; + type = types.str; + description = lib.mdDoc '' + VirtualHost to serve gitweb on. Default is catch-all. + ''; + }; + + }; + + config = mkIf cfg.enable { + + systemd.services.gitweb = { + description = "GitWeb service"; + script = "${package}/gitweb.cgi --fastcgi --nproc=1"; + environment = { + FCGI_SOCKET_PATH = "/run/gitweb/gitweb.sock"; + }; + serviceConfig = { + User = cfg.user; + Group = cfg.group; + RuntimeDirectory = [ "gitweb" ]; + }; + wantedBy = [ "multi-user.target" ]; + }; + + services.nginx = { + virtualHosts.${cfg.virtualHost} = { + locations."${cfg.location}/static/" = { + alias = "${package}/static/"; + }; + locations."${cfg.location}/" = { + extraConfig = '' + include ${config.services.nginx.package}/conf/fastcgi_params; + fastcgi_param GITWEB_CONFIG ${gitwebConfig.gitwebConfigFile}; + fastcgi_pass unix:/run/gitweb/gitweb.sock; + ''; + }; + }; + }; + + }; + + meta.maintainers = with maintainers; [ ]; + +} diff --git a/nixpkgs/nixos/modules/services/web-servers/nginx/location-options.nix b/nixpkgs/nixos/modules/services/web-servers/nginx/location-options.nix new file mode 100644 index 000000000000..2138e551fd43 --- /dev/null +++ b/nixpkgs/nixos/modules/services/web-servers/nginx/location-options.nix @@ -0,0 +1,141 @@ +# This file defines the options that can be used both for the Nginx +# main server configuration, and for the virtual hosts. (The latter +# has additional options that affect the web server as a whole, like +# the user/group to run under.) + +{ lib, config }: + +with lib; + +{ + options = { + basicAuth = mkOption { + type = types.attrsOf types.str; + default = {}; + example = literalExpression '' + { + user = "password"; + }; + ''; + description = lib.mdDoc '' + Basic Auth protection for a vhost. + + WARNING: This is implemented to store the password in plain text in the + Nix store. + ''; + }; + + basicAuthFile = mkOption { + type = types.nullOr types.path; + default = null; + description = lib.mdDoc '' + Basic Auth password file for a vhost. + Can be created via: {command}`htpasswd -c <filename> <username>`. + + WARNING: The generate file contains the users' passwords in a + non-cryptographically-securely hashed way. + ''; + }; + + proxyPass = mkOption { + type = types.nullOr types.str; + default = null; + example = "http://www.example.org/"; + description = lib.mdDoc '' + Adds proxy_pass directive and sets recommended proxy headers if + recommendedProxySettings is enabled. + ''; + }; + + proxyWebsockets = mkOption { + type = types.bool; + default = false; + example = true; + description = lib.mdDoc '' + Whether to support proxying websocket connections with HTTP/1.1. + ''; + }; + + index = mkOption { + type = types.nullOr types.str; + default = null; + example = "index.php index.html"; + description = lib.mdDoc '' + Adds index directive. + ''; + }; + + tryFiles = mkOption { + type = types.nullOr types.str; + default = null; + example = "$uri =404"; + description = lib.mdDoc '' + Adds try_files directive. + ''; + }; + + root = mkOption { + type = types.nullOr types.path; + default = null; + example = "/your/root/directory"; + description = lib.mdDoc '' + Root directory for requests. + ''; + }; + + alias = mkOption { + type = types.nullOr types.path; + default = null; + example = "/your/alias/directory"; + description = lib.mdDoc '' + Alias directory for requests. + ''; + }; + + return = mkOption { + type = with types; nullOr (oneOf [ str int ]); + default = null; + example = "301 http://example.com$request_uri"; + description = lib.mdDoc '' + Adds a return directive, for e.g. redirections. + ''; + }; + + fastcgiParams = mkOption { + type = types.attrsOf (types.either types.str types.path); + default = {}; + description = lib.mdDoc '' + FastCGI parameters to override. Unlike in the Nginx + configuration file, overriding only some default parameters + won't unset the default values for other parameters. + ''; + }; + + extraConfig = mkOption { + type = types.lines; + default = ""; + description = lib.mdDoc '' + These lines go to the end of the location verbatim. + ''; + }; + + priority = mkOption { + type = types.int; + default = 1000; + description = lib.mdDoc '' + Order of this location block in relation to the others in the vhost. + The semantics are the same as with `lib.mkOrder`. Smaller values have + a greater priority. + ''; + }; + + recommendedProxySettings = mkOption { + type = types.bool; + default = config.services.nginx.recommendedProxySettings; + defaultText = literalExpression "config.services.nginx.recommendedProxySettings"; + description = lib.mdDoc '' + Enable recommended proxy settings. + ''; + }; + }; +} diff --git a/nixpkgs/nixos/modules/services/web-servers/nginx/tailscale-auth.nix b/nixpkgs/nixos/modules/services/web-servers/nginx/tailscale-auth.nix new file mode 100644 index 000000000000..a2e4d4a30be5 --- /dev/null +++ b/nixpkgs/nixos/modules/services/web-servers/nginx/tailscale-auth.nix @@ -0,0 +1,158 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.nginx.tailscaleAuth; +in +{ + options.services.nginx.tailscaleAuth = { + enable = mkEnableOption (lib.mdDoc "Enable tailscale.nginx-auth, to authenticate nginx users via tailscale."); + + package = lib.mkPackageOptionMD pkgs "tailscale-nginx-auth" {}; + + user = mkOption { + type = types.str; + default = "tailscale-nginx-auth"; + description = lib.mdDoc "User which runs tailscale-nginx-auth"; + }; + + group = mkOption { + type = types.str; + default = "tailscale-nginx-auth"; + description = lib.mdDoc "Group which runs tailscale-nginx-auth"; + }; + + expectedTailnet = mkOption { + default = ""; + type = types.nullOr types.str; + example = "tailnet012345.ts.net"; + description = lib.mdDoc '' + If you want to prevent node sharing from allowing users to access services + across tailnets, declare your expected tailnets domain here. + ''; + }; + + socketPath = mkOption { + default = "/run/tailscale-nginx-auth/tailscale-nginx-auth.sock"; + type = types.path; + description = lib.mdDoc '' + Path of the socket listening to nginx authorization requests. + ''; + }; + + virtualHosts = mkOption { + type = types.listOf types.str; + default = []; + description = lib.mdDoc '' + A list of nginx virtual hosts to put behind tailscale.nginx-auth + ''; + }; + }; + + config = mkIf cfg.enable { + services.tailscale.enable = true; + services.nginx.enable = true; + + users.users.${cfg.user} = { + isSystemUser = true; + inherit (cfg) group; + }; + users.groups.${cfg.group} = { }; + users.users.${config.services.nginx.user}.extraGroups = [ cfg.group ]; + systemd.sockets.tailscale-nginx-auth = { + description = "Tailscale NGINX Authentication socket"; + partOf = [ "tailscale-nginx-auth.service" ]; + wantedBy = [ "sockets.target" ]; + listenStreams = [ cfg.socketPath ]; + socketConfig = { + SocketMode = "0660"; + SocketUser = cfg.user; + SocketGroup = cfg.group; + }; + }; + + + systemd.services.tailscale-nginx-auth = { + description = "Tailscale NGINX Authentication service"; + after = [ "nginx.service" ]; + wants = [ "nginx.service" ]; + requires = [ "tailscale-nginx-auth.socket" ]; + + serviceConfig = { + ExecStart = "${lib.getExe cfg.package}"; + RuntimeDirectory = "tailscale-nginx-auth"; + User = cfg.user; + Group = cfg.group; + + BindPaths = [ "/run/tailscale/tailscaled.sock" ]; + + CapabilityBoundingSet = ""; + DeviceAllow = ""; + LockPersonality = true; + MemoryDenyWriteExecute = true; + PrivateDevices = true; + PrivateUsers = true; + ProtectClock = true; + ProtectControlGroups = true; + ProtectHome = true; + ProtectHostname = true; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + RestrictNamespaces = true; + RestrictAddressFamilies = [ "AF_UNIX" ]; + RestrictRealtime = true; + RestrictSUIDSGID = true; + + SystemCallArchitectures = "native"; + SystemCallErrorNumber = "EPERM"; + SystemCallFilter = [ + "@system-service" + "~@cpu-emulation" "~@debug" "~@keyring" "~@memlock" "~@obsolete" "~@privileged" "~@setuid" + ]; + }; + }; + + services.nginx.virtualHosts = genAttrs + cfg.virtualHosts + (vhost: { + locations."/auth" = { + extraConfig = '' + internal; + + proxy_pass http://unix:${cfg.socketPath}; + proxy_pass_request_body off; + + # Upstream uses $http_host here, but we are using gixy to check nginx configurations + # gixy wants us to use $host: https://github.com/yandex/gixy/blob/master/docs/en/plugins/hostspoofing.md + proxy_set_header Host $host; + proxy_set_header Remote-Addr $remote_addr; + proxy_set_header Remote-Port $remote_port; + proxy_set_header Original-URI $request_uri; + proxy_set_header X-Scheme $scheme; + proxy_set_header X-Auth-Request-Redirect $scheme://$host$request_uri; + ''; + }; + locations."/".extraConfig = '' + auth_request /auth; + auth_request_set $auth_user $upstream_http_tailscale_user; + auth_request_set $auth_name $upstream_http_tailscale_name; + auth_request_set $auth_login $upstream_http_tailscale_login; + auth_request_set $auth_tailnet $upstream_http_tailscale_tailnet; + auth_request_set $auth_profile_picture $upstream_http_tailscale_profile_picture; + + proxy_set_header X-Webauth-User "$auth_user"; + proxy_set_header X-Webauth-Name "$auth_name"; + proxy_set_header X-Webauth-Login "$auth_login"; + proxy_set_header X-Webauth-Tailnet "$auth_tailnet"; + proxy_set_header X-Webauth-Profile-Picture "$auth_profile_picture"; + + ${lib.optionalString (cfg.expectedTailnet != "") ''proxy_set_header Expected-Tailnet "${cfg.expectedTailnet}";''} + ''; + }); + }; + + meta.maintainers = with maintainers; [ phaer ]; + +} diff --git a/nixpkgs/nixos/modules/services/web-servers/nginx/vhost-options.nix b/nixpkgs/nixos/modules/services/web-servers/nginx/vhost-options.nix new file mode 100644 index 000000000000..ea98439d3823 --- /dev/null +++ b/nixpkgs/nixos/modules/services/web-servers/nginx/vhost-options.nix @@ -0,0 +1,370 @@ +# This file defines the options that can be used both for the Nginx +# main server configuration, and for the virtual hosts. (The latter +# has additional options that affect the web server as a whole, like +# the user/group to run under.) + +{ config, lib, ... }: + +with lib; +{ + options = { + serverName = mkOption { + type = types.nullOr types.str; + default = null; + description = lib.mdDoc '' + Name of this virtual host. Defaults to attribute name in virtualHosts. + ''; + example = "example.org"; + }; + + serverAliases = mkOption { + type = types.listOf types.str; + default = []; + example = [ "www.example.org" "example.org" ]; + description = lib.mdDoc '' + Additional names of virtual hosts served by this virtual host configuration. + ''; + }; + + listen = mkOption { + type = with types; listOf (submodule { + options = { + addr = mkOption { + type = str; + description = lib.mdDoc "Listen address."; + }; + port = mkOption { + type = types.nullOr port; + description = lib.mdDoc '' + Port number to listen on. + If unset and the listen address is not a socket then nginx defaults to 80. + ''; + default = null; + }; + ssl = mkOption { + type = bool; + description = lib.mdDoc "Enable SSL."; + default = false; + }; + proxyProtocol = mkOption { + type = bool; + description = lib.mdDoc "Enable PROXY protocol."; + default = false; + }; + extraParameters = mkOption { + type = listOf str; + description = lib.mdDoc "Extra parameters of this listen directive."; + default = [ ]; + example = [ "backlog=1024" "deferred" ]; + }; + }; + }); + default = []; + example = [ + { addr = "195.154.1.1"; port = 443; ssl = true; } + { addr = "192.154.1.1"; port = 80; } + { addr = "unix:/var/run/nginx.sock"; } + ]; + description = lib.mdDoc '' + Listen addresses and ports for this virtual host. + IPv6 addresses must be enclosed in square brackets. + Note: this option overrides `addSSL` + and `onlySSL`. + + If you only want to set the addresses manually and not + the ports, take a look at `listenAddresses`. + ''; + }; + + listenAddresses = mkOption { + type = with types; listOf str; + + description = lib.mdDoc '' + Listen addresses for this virtual host. + Compared to `listen` this only sets the addresses + and the ports are chosen automatically. + + Note: This option overrides `enableIPv6` + ''; + default = []; + example = [ "127.0.0.1" "[::1]" ]; + }; + + enableACME = mkOption { + type = types.bool; + default = false; + description = lib.mdDoc '' + Whether to ask Let's Encrypt to sign a certificate for this vhost. + Alternately, you can use an existing certificate through {option}`useACMEHost`. + ''; + }; + + useACMEHost = mkOption { + type = types.nullOr types.str; + default = null; + description = lib.mdDoc '' + A host of an existing Let's Encrypt certificate to use. + This is useful if you have many subdomains and want to avoid hitting the + [rate limit](https://letsencrypt.org/docs/rate-limits). + Alternately, you can generate a certificate through {option}`enableACME`. + *Note that this option does not create any certificates, nor it does add subdomains to existing ones – you will need to create them manually using [](#opt-security.acme.certs).* + ''; + }; + + acmeRoot = mkOption { + type = types.nullOr types.str; + default = "/var/lib/acme/acme-challenge"; + description = lib.mdDoc '' + Directory for the ACME challenge, which is **public**. Don't put certs or keys in here. + Set to null to inherit from config.security.acme. + ''; + }; + + acmeFallbackHost = mkOption { + type = types.nullOr types.str; + default = null; + description = lib.mdDoc '' + Host which to proxy requests to if ACME challenge is not found. Useful + if you want multiple hosts to be able to verify the same domain name. + + With this option, you could request certificates for the present domain + with an ACME client that is running on another host, which you would + specify here. + ''; + }; + + addSSL = mkOption { + type = types.bool; + default = false; + description = lib.mdDoc '' + Whether to enable HTTPS in addition to plain HTTP. This will set defaults for + `listen` to listen on all interfaces on the respective default + ports (80, 443). + ''; + }; + + onlySSL = mkOption { + type = types.bool; + default = false; + description = lib.mdDoc '' + Whether to enable HTTPS and reject plain HTTP connections. This will set + defaults for `listen` to listen on all interfaces on port 443. + ''; + }; + + enableSSL = mkOption { + type = types.bool; + visible = false; + default = false; + }; + + forceSSL = mkOption { + type = types.bool; + default = false; + description = lib.mdDoc '' + Whether to add a separate nginx server block that redirects (defaults + to 301, configurable with `redirectCode`) all plain HTTP traffic to + HTTPS. This will set defaults for `listen` to listen on all interfaces + on the respective default ports (80, 443), where the non-SSL listens + are used for the redirect vhosts. + ''; + }; + + rejectSSL = mkOption { + type = types.bool; + default = false; + description = lib.mdDoc '' + Whether to listen for and reject all HTTPS connections to this vhost. Useful in + [default](#opt-services.nginx.virtualHosts._name_.default) + server blocks to avoid serving the certificate for another vhost. Uses the + `ssl_reject_handshake` directive available in nginx versions + 1.19.4 and above. + ''; + }; + + kTLS = mkOption { + type = types.bool; + default = false; + description = lib.mdDoc '' + Whether to enable kTLS support. + Implementing TLS in the kernel (kTLS) improves performance by significantly + reducing the need for copying operations between user space and the kernel. + Required Nginx version 1.21.4 or later. + ''; + }; + + sslCertificate = mkOption { + type = types.path; + example = "/var/host.cert"; + description = lib.mdDoc "Path to server SSL certificate."; + }; + + sslCertificateKey = mkOption { + type = types.path; + example = "/var/host.key"; + description = lib.mdDoc "Path to server SSL certificate key."; + }; + + sslTrustedCertificate = mkOption { + type = types.nullOr types.path; + default = null; + example = literalExpression ''"''${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"''; + description = lib.mdDoc "Path to root SSL certificate for stapling and client certificates."; + }; + + http2 = mkOption { + type = types.bool; + default = true; + description = lib.mdDoc '' + Whether to enable the HTTP/2 protocol. + Note that (as of writing) due to nginx's implementation, to disable + HTTP/2 you have to disable it on all vhosts that use a given + IP address / port. + If there is one server block configured to enable http2, then it is + enabled for all server blocks on this IP. + See https://stackoverflow.com/a/39466948/263061. + ''; + }; + + http3 = mkOption { + type = types.bool; + default = true; + description = lib.mdDoc '' + Whether to enable the HTTP/3 protocol. + This requires using `pkgs.nginxQuic` package + which can be achieved by setting `services.nginx.package = pkgs.nginxQuic;` + and activate the QUIC transport protocol + `services.nginx.virtualHosts.<name>.quic = true;`. + Note that HTTP/3 support is experimental and *not* yet recommended for production. + Read more at https://quic.nginx.org/ + HTTP/3 availability must be manually advertised, preferably in each location block. + ''; + }; + + http3_hq = mkOption { + type = types.bool; + default = false; + description = lib.mdDoc '' + Whether to enable the HTTP/0.9 protocol negotiation used in QUIC interoperability tests. + This requires using `pkgs.nginxQuic` package + which can be achieved by setting `services.nginx.package = pkgs.nginxQuic;` + and activate the QUIC transport protocol + `services.nginx.virtualHosts.<name>.quic = true;`. + Note that special application protocol support is experimental and *not* yet recommended for production. + Read more at https://quic.nginx.org/ + ''; + }; + + quic = mkOption { + type = types.bool; + default = false; + description = lib.mdDoc '' + Whether to enable the QUIC transport protocol. + This requires using `pkgs.nginxQuic` package + which can be achieved by setting `services.nginx.package = pkgs.nginxQuic;`. + Note that QUIC support is experimental and + *not* yet recommended for production. + Read more at https://quic.nginx.org/ + ''; + }; + + reuseport = mkOption { + type = types.bool; + default = false; + description = lib.mdDoc '' + Create an individual listening socket . + It is required to specify only once on one of the hosts. + ''; + }; + + root = mkOption { + type = types.nullOr types.path; + default = null; + example = "/data/webserver/docs"; + description = lib.mdDoc '' + The path of the web root directory. + ''; + }; + + default = mkOption { + type = types.bool; + default = false; + description = lib.mdDoc '' + Makes this vhost the default. + ''; + }; + + extraConfig = mkOption { + type = types.lines; + default = ""; + description = lib.mdDoc '' + These lines go to the end of the vhost verbatim. + ''; + }; + + globalRedirect = mkOption { + type = types.nullOr types.str; + default = null; + example = "newserver.example.org"; + description = lib.mdDoc '' + If set, all requests for this host are redirected (defaults to 301, + configurable with `redirectCode`) to the given hostname. + ''; + }; + + redirectCode = mkOption { + type = types.ints.between 300 399; + default = 301; + example = 308; + description = lib.mdDoc '' + HTTP status used by `globalRedirect` and `forceSSL`. Possible usecases + include temporary (302, 307) redirects, keeping the request method and + body (307, 308), or explicitly resetting the method to GET (303). + See <https://developer.mozilla.org/en-US/docs/Web/HTTP/Redirections>. + ''; + }; + + basicAuth = mkOption { + type = types.attrsOf types.str; + default = {}; + example = literalExpression '' + { + user = "password"; + }; + ''; + description = lib.mdDoc '' + Basic Auth protection for a vhost. + + WARNING: This is implemented to store the password in plain text in the + Nix store. + ''; + }; + + basicAuthFile = mkOption { + type = types.nullOr types.path; + default = null; + description = lib.mdDoc '' + Basic Auth password file for a vhost. + Can be created via: {command}`htpasswd -c <filename> <username>`. + + WARNING: The generate file contains the users' passwords in a + non-cryptographically-securely hashed way. + ''; + }; + + locations = mkOption { + type = types.attrsOf (types.submodule (import ./location-options.nix { + inherit lib config; + })); + default = {}; + example = literalExpression '' + { + "/" = { + proxyPass = "http://localhost:3000"; + }; + }; + ''; + description = lib.mdDoc "Declarative location config"; + }; + }; +} diff --git a/nixpkgs/nixos/modules/services/web-servers/phpfpm/default.nix b/nixpkgs/nixos/modules/services/web-servers/phpfpm/default.nix new file mode 100644 index 000000000000..4132a97b9543 --- /dev/null +++ b/nixpkgs/nixos/modules/services/web-servers/phpfpm/default.nix @@ -0,0 +1,278 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.phpfpm; + + runtimeDir = "/run/phpfpm"; + + toStr = value: + if true == value then "yes" + else if false == value then "no" + else toString value; + + fpmCfgFile = pool: poolOpts: pkgs.writeText "phpfpm-${pool}.conf" '' + [global] + ${concatStringsSep "\n" (mapAttrsToList (n: v: "${n} = ${toStr v}") cfg.settings)} + ${optionalString (cfg.extraConfig != null) cfg.extraConfig} + + [${pool}] + ${concatStringsSep "\n" (mapAttrsToList (n: v: "${n} = ${toStr v}") poolOpts.settings)} + ${concatStringsSep "\n" (mapAttrsToList (n: v: "env[${n}] = ${toStr v}") poolOpts.phpEnv)} + ${optionalString (poolOpts.extraConfig != null) poolOpts.extraConfig} + ''; + + phpIni = poolOpts: pkgs.runCommand "php.ini" { + inherit (poolOpts) phpPackage phpOptions; + preferLocalBuild = true; + passAsFile = [ "phpOptions" ]; + } '' + cat ${poolOpts.phpPackage}/etc/php.ini $phpOptionsPath > $out + ''; + + poolOpts = { name, ... }: + let + poolOpts = cfg.pools.${name}; + in + { + options = { + socket = mkOption { + type = types.str; + readOnly = true; + description = lib.mdDoc '' + Path to the unix socket file on which to accept FastCGI requests. + + ::: {.note} + This option is read-only and managed by NixOS. + ::: + ''; + example = "${runtimeDir}/<name>.sock"; + }; + + listen = mkOption { + type = types.str; + default = ""; + example = "/path/to/unix/socket"; + description = lib.mdDoc '' + The address on which to accept FastCGI requests. + ''; + }; + + phpPackage = mkOption { + type = types.package; + default = cfg.phpPackage; + defaultText = literalExpression "config.services.phpfpm.phpPackage"; + description = lib.mdDoc '' + The PHP package to use for running this PHP-FPM pool. + ''; + }; + + phpOptions = mkOption { + type = types.lines; + description = lib.mdDoc '' + "Options appended to the PHP configuration file {file}`php.ini` used for this PHP-FPM pool." + ''; + }; + + phpEnv = lib.mkOption { + type = with types; attrsOf str; + default = {}; + description = lib.mdDoc '' + Environment variables used for this PHP-FPM pool. + ''; + example = literalExpression '' + { + HOSTNAME = "$HOSTNAME"; + TMP = "/tmp"; + TMPDIR = "/tmp"; + TEMP = "/tmp"; + } + ''; + }; + + user = mkOption { + type = types.str; + description = lib.mdDoc "User account under which this pool runs."; + }; + + group = mkOption { + type = types.str; + description = lib.mdDoc "Group account under which this pool runs."; + }; + + settings = mkOption { + type = with types; attrsOf (oneOf [ str int bool ]); + default = {}; + description = lib.mdDoc '' + PHP-FPM pool directives. Refer to the "List of pool directives" section of + <https://www.php.net/manual/en/install.fpm.configuration.php> + for details. Note that settings names must be enclosed in quotes (e.g. + `"pm.max_children"` instead of `pm.max_children`). + ''; + example = literalExpression '' + { + "pm" = "dynamic"; + "pm.max_children" = 75; + "pm.start_servers" = 10; + "pm.min_spare_servers" = 5; + "pm.max_spare_servers" = 20; + "pm.max_requests" = 500; + } + ''; + }; + + extraConfig = mkOption { + type = with types; nullOr lines; + default = null; + description = lib.mdDoc '' + Extra lines that go into the pool configuration. + See the documentation on `php-fpm.conf` for + details on configuration directives. + ''; + }; + }; + + config = { + socket = if poolOpts.listen == "" then "${runtimeDir}/${name}.sock" else poolOpts.listen; + group = mkDefault poolOpts.user; + phpOptions = mkBefore cfg.phpOptions; + + settings = mapAttrs (name: mkDefault){ + listen = poolOpts.socket; + user = poolOpts.user; + group = poolOpts.group; + }; + }; + }; + +in { + imports = [ + (mkRemovedOptionModule [ "services" "phpfpm" "poolConfigs" ] "Use services.phpfpm.pools instead.") + (mkRemovedOptionModule [ "services" "phpfpm" "phpIni" ] "") + ]; + + options = { + services.phpfpm = { + settings = mkOption { + type = with types; attrsOf (oneOf [ str int bool ]); + default = {}; + description = lib.mdDoc '' + PHP-FPM global directives. Refer to the "List of global php-fpm.conf directives" section of + <https://www.php.net/manual/en/install.fpm.configuration.php> + for details. Note that settings names must be enclosed in quotes (e.g. + `"pm.max_children"` instead of `pm.max_children`). + You need not specify the options `error_log` or + `daemonize` here, since they are generated by NixOS. + ''; + }; + + extraConfig = mkOption { + type = with types; nullOr lines; + default = null; + description = lib.mdDoc '' + Extra configuration that should be put in the global section of + the PHP-FPM configuration file. Do not specify the options + `error_log` or + `daemonize` here, since they are generated by + NixOS. + ''; + }; + + phpPackage = mkPackageOption pkgs "php" { }; + + phpOptions = mkOption { + type = types.lines; + default = ""; + example = + '' + date.timezone = "CET" + ''; + description = lib.mdDoc '' + Options appended to the PHP configuration file {file}`php.ini`. + ''; + }; + + pools = mkOption { + type = types.attrsOf (types.submodule poolOpts); + default = {}; + example = literalExpression '' + { + mypool = { + user = "php"; + group = "php"; + phpPackage = pkgs.php; + settings = { + "pm" = "dynamic"; + "pm.max_children" = 75; + "pm.start_servers" = 10; + "pm.min_spare_servers" = 5; + "pm.max_spare_servers" = 20; + "pm.max_requests" = 500; + }; + } + }''; + description = lib.mdDoc '' + PHP-FPM pools. If no pools are defined, the PHP-FPM + service is disabled. + ''; + }; + }; + }; + + config = mkIf (cfg.pools != {}) { + + warnings = + mapAttrsToList (pool: poolOpts: '' + Using config.services.phpfpm.pools.${pool}.listen is deprecated and will become unsupported in a future release. Please reference the read-only option config.services.phpfpm.pools.${pool}.socket to access the path of your socket. + '') (filterAttrs (pool: poolOpts: poolOpts.listen != "") cfg.pools) ++ + mapAttrsToList (pool: poolOpts: '' + Using config.services.phpfpm.pools.${pool}.extraConfig is deprecated and will become unsupported in a future release. Please migrate your configuration to config.services.phpfpm.pools.${pool}.settings. + '') (filterAttrs (pool: poolOpts: poolOpts.extraConfig != null) cfg.pools) ++ + optional (cfg.extraConfig != null) '' + Using config.services.phpfpm.extraConfig is deprecated and will become unsupported in a future release. Please migrate your configuration to config.services.phpfpm.settings. + '' + ; + + services.phpfpm.settings = { + error_log = "syslog"; + daemonize = false; + }; + + systemd.slices.phpfpm = { + description = "PHP FastCGI Process manager pools slice"; + }; + + systemd.targets.phpfpm = { + description = "PHP FastCGI Process manager pools target"; + wantedBy = [ "multi-user.target" ]; + }; + + systemd.services = mapAttrs' (pool: poolOpts: + nameValuePair "phpfpm-${pool}" { + description = "PHP FastCGI Process Manager service for pool ${pool}"; + after = [ "network.target" ]; + wantedBy = [ "phpfpm.target" ]; + partOf = [ "phpfpm.target" ]; + serviceConfig = let + cfgFile = fpmCfgFile pool poolOpts; + iniFile = phpIni poolOpts; + in { + Slice = "phpfpm.slice"; + PrivateDevices = true; + PrivateTmp = true; + ProtectSystem = "full"; + ProtectHome = true; + # XXX: We need AF_NETLINK to make the sendmail SUID binary from postfix work + RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6 AF_NETLINK"; + Type = "notify"; + ExecStart = "${poolOpts.phpPackage}/bin/php-fpm -y ${cfgFile} -c ${iniFile}"; + ExecReload = "${pkgs.coreutils}/bin/kill -USR2 $MAINPID"; + RuntimeDirectory = "phpfpm"; + RuntimeDirectoryPreserve = true; # Relevant when multiple processes are running + Restart = "always"; + }; + } + ) cfg.pools; + }; +} diff --git a/nixpkgs/nixos/modules/services/web-servers/pomerium.nix b/nixpkgs/nixos/modules/services/web-servers/pomerium.nix new file mode 100644 index 000000000000..90748f74d24e --- /dev/null +++ b/nixpkgs/nixos/modules/services/web-servers/pomerium.nix @@ -0,0 +1,135 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + format = pkgs.formats.yaml {}; +in +{ + options.services.pomerium = { + enable = mkEnableOption (lib.mdDoc "the Pomerium authenticating reverse proxy"); + + configFile = mkOption { + type = with types; nullOr path; + default = null; + description = lib.mdDoc "Path to Pomerium config YAML. If set, overrides services.pomerium.settings."; + }; + + useACMEHost = mkOption { + type = with types; nullOr str; + default = null; + description = lib.mdDoc '' + If set, use a NixOS-generated ACME certificate with the specified name. + + Note that this will require you to use a non-HTTP-based challenge, or + disable Pomerium's in-built HTTP redirect server by setting + http_redirect_addr to null and use a different HTTP server for serving + the challenge response. + + If you're using an HTTP-based challenge, you should use the + Pomerium-native autocert option instead. + ''; + }; + + settings = mkOption { + description = lib.mdDoc '' + The contents of Pomerium's config.yaml, in Nix expressions. + + Specifying configFile will override this in its entirety. + + See [the Pomerium + configuration reference](https://pomerium.io/reference/) for more information about what to put + here. + ''; + default = {}; + type = format.type; + }; + + secretsFile = mkOption { + type = with types; nullOr path; + default = null; + description = lib.mdDoc '' + Path to file containing secrets for Pomerium, in systemd + EnvironmentFile format. See the systemd.exec(5) man page. + ''; + }; + }; + + config = let + cfg = config.services.pomerium; + cfgFile = if cfg.configFile != null then cfg.configFile else (format.generate "pomerium.yaml" cfg.settings); + in mkIf cfg.enable ({ + systemd.services.pomerium = { + description = "Pomerium authenticating reverse proxy"; + wants = [ "network.target" ] ++ (optional (cfg.useACMEHost != null) "acme-finished-${cfg.useACMEHost}.target"); + after = [ "network.target" ] ++ (optional (cfg.useACMEHost != null) "acme-finished-${cfg.useACMEHost}.target"); + wantedBy = [ "multi-user.target" ]; + environment = optionalAttrs (cfg.useACMEHost != null) { + CERTIFICATE_FILE = "fullchain.pem"; + CERTIFICATE_KEY_FILE = "key.pem"; + }; + startLimitIntervalSec = 60; + script = '' + if [[ -v CREDENTIALS_DIRECTORY ]]; then + cd "$CREDENTIALS_DIRECTORY" + fi + exec "${pkgs.pomerium}/bin/pomerium" -config "${cfgFile}" + ''; + + serviceConfig = { + DynamicUser = true; + StateDirectory = [ "pomerium" ]; + + PrivateUsers = false; # breaks CAP_NET_BIND_SERVICE + MemoryDenyWriteExecute = false; # breaks LuaJIT + + NoNewPrivileges = true; + PrivateTmp = true; + PrivateDevices = true; + DevicePolicy = "closed"; + ProtectSystem = "strict"; + ProtectHome = true; + ProtectControlGroups = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + ProtectKernelLogs = true; + RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6 AF_NETLINK"; + RestrictNamespaces = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + LockPersonality = true; + SystemCallArchitectures = "native"; + + EnvironmentFile = cfg.secretsFile; + AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ]; + CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ]; + + LoadCredential = optionals (cfg.useACMEHost != null) [ + "fullchain.pem:/var/lib/acme/${cfg.useACMEHost}/fullchain.pem" + "key.pem:/var/lib/acme/${cfg.useACMEHost}/key.pem" + ]; + }; + }; + + # postRun hooks on cert renew can't be used to restart Nginx since renewal + # runs as the unprivileged acme user. sslTargets are added to wantedBy + before + # which allows the acme-finished-$cert.target to signify the successful updating + # of certs end-to-end. + systemd.services.pomerium-config-reload = mkIf (cfg.useACMEHost != null) { + # TODO(lukegb): figure out how to make config reloading work with credentials. + + wantedBy = [ "acme-finished-${cfg.useACMEHost}.target" "multi-user.target" ]; + # Before the finished targets, after the renew services. + before = [ "acme-finished-${cfg.useACMEHost}.target" ]; + after = [ "acme-${cfg.useACMEHost}.service" ]; + # Block reloading if not all certs exist yet. + unitConfig.ConditionPathExists = [ "${config.security.acme.certs.${cfg.useACMEHost}.directory}/fullchain.pem" ]; + serviceConfig = { + Type = "oneshot"; + TimeoutSec = 60; + ExecCondition = "/run/current-system/systemd/bin/systemctl -q is-active pomerium.service"; + ExecStart = "/run/current-system/systemd/bin/systemctl --no-block restart pomerium.service"; + }; + }; + }); +} diff --git a/nixpkgs/nixos/modules/services/web-servers/rustus.nix b/nixpkgs/nixos/modules/services/web-servers/rustus.nix new file mode 100644 index 000000000000..6d3b2e6a65d9 --- /dev/null +++ b/nixpkgs/nixos/modules/services/web-servers/rustus.nix @@ -0,0 +1,256 @@ +{ lib, pkgs, config, ... }: +with lib; +let + cfg = config.services.rustus; +in +{ + meta.maintainers = with maintainers; [ happysalada ]; + + options.services.rustus = { + + enable = mkEnableOption (lib.mdDoc "TUS protocol implementation in Rust"); + + host = mkOption { + type = types.str; + description = lib.mdDoc '' + The host that rustus will connect to. + ''; + default = "127.0.0.1"; + example = "127.0.0.1"; + }; + + port = mkOption { + type = types.port; + description = lib.mdDoc '' + The port that rustus will connect to. + ''; + default = 1081; + example = 1081; + }; + + log_level = mkOption { + type = types.enum [ "DEBUG" "INFO" "ERROR" ]; + description = lib.mdDoc '' + Desired log level + ''; + default = "INFO"; + example = "ERROR"; + }; + + max_body_size = mkOption { + type = types.str; + description = lib.mdDoc '' + Maximum body size in bytes + ''; + default = "10000000"; # 10 mb + example = "100000000"; + }; + + url = mkOption { + type = types.str; + description = lib.mdDoc '' + url path for uploads + ''; + default = "/files"; + }; + + disable_health_access_logs = mkOption { + type = types.bool; + description = lib.mdDoc '' + disable access log for /health endpoint + ''; + default = false; + }; + + cors = mkOption { + type = types.listOf types.str; + description = lib.mdDoc '' + list of origins allowed to upload + ''; + default = ["*"]; + example = ["*.staging.domain" "*.prod.domain"]; + }; + + tus_extensions = mkOption { + type = types.listOf (types.enum [ + "getting" + "creation" + "termination" + "creation-with-upload" + "creation-defer-length" + "concatenation" + "checksum" + ]); + description = lib.mdDoc '' + Since TUS protocol offers extensibility you can turn off some protocol extensions. + ''; + default = [ + "getting" + "creation" + "termination" + "creation-with-upload" + "creation-defer-length" + "concatenation" + "checksum" + ]; + }; + + remove_parts = mkOption { + type = types.bool; + description = lib.mdDoc '' + remove parts files after successful concatenation + ''; + default = true; + example = false; + }; + + storage = lib.mkOption { + description = lib.mdDoc '' + Storages are used to actually store your files. You can configure where you want to store files. + ''; + default = {}; + example = lib.literalExpression '' + { + type = "hybrid-s3" + s3_access_key_file = konfig.age.secrets.R2_ACCESS_KEY.path; + s3_secret_key_file = konfig.age.secrets.R2_SECRET_KEY.path; + s3_bucket = "my_bucket"; + s3_url = "https://s3.example.com"; + } + ''; + type = lib.types.submodule { + options = { + type = lib.mkOption { + type = lib.types.enum ["file-storage" "hybrid-s3"]; + description = lib.mdDoc "Type of storage to use"; + }; + s3_access_key_file = lib.mkOption { + type = lib.types.str; + description = lib.mdDoc "File path that contains the S3 access key."; + }; + s3_secret_key_file = lib.mkOption { + type = lib.types.path; + description = lib.mdDoc "File path that contains the S3 secret key."; + }; + s3_region = lib.mkOption { + type = lib.types.str; + default = "us-east-1"; + description = lib.mdDoc "S3 region name."; + }; + s3_bucket = lib.mkOption { + type = lib.types.str; + description = lib.mdDoc "S3 bucket."; + }; + s3_url = lib.mkOption { + type = lib.types.str; + description = lib.mdDoc "S3 url."; + }; + + force_sync = lib.mkOption { + type = lib.types.bool; + description = lib.mdDoc "calls fsync system call after every write to disk in local storage"; + default = true; + }; + data_dir = lib.mkOption { + type = lib.types.str; + description = lib.mdDoc "path to the local directory where all files are stored"; + default = "/var/lib/rustus"; + }; + dir_structure = lib.mkOption { + type = lib.types.str; + description = lib.mdDoc "pattern of a directory structure locally and on s3"; + default = "{year}/{month}/{day}"; + }; + }; + }; + }; + + info_storage = lib.mkOption { + description = lib.mdDoc '' + Info storages are used to store information about file uploads. These storages must be persistent, because every time chunk is uploaded rustus updates information about upload. And when someone wants to download file, information about it requested from storage to get actual path of an upload. + ''; + default = {}; + type = lib.types.submodule { + options = { + type = lib.mkOption { + type = lib.types.enum ["file-info-storage"]; + description = lib.mdDoc "Type of info storage to use"; + default = "file-info-storage"; + }; + dir = lib.mkOption { + type = lib.types.str; + description = lib.mdDoc "directory to store info about uploads"; + default = "/var/lib/rustus"; + }; + }; + }; + }; + }; + + config = lib.mkIf cfg.enable { + + systemd.services.rustus = + let + isHybridS3 = cfg.storage.type == "hybrid-s3"; + in + { + description = "Rustus server"; + documentation = [ "https://s3rius.github.io/rustus/" ]; + + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + + environment = { + RUSTUS_SERVER_HOST = cfg.host; + RUSTUS_SERVER_PORT = toString cfg.port; + RUSTUS_LOG_LEVEL = cfg.log_level; + RUSTUS_MAX_BODY_SIZE = cfg.max_body_size; + RUSTUS_URL = cfg.url; + RUSTUS_DISABLE_HEALTH_ACCESS_LOG = lib.mkIf cfg.disable_health_access_logs "true"; + RUSTUS_CORS = lib.concatStringsSep "," cfg.cors; + RUSTUS_TUS_EXTENSIONS = lib.concatStringsSep "," cfg.tus_extensions; + RUSTUS_REMOVE_PARTS= if cfg.remove_parts then "true" else "false"; + RUSTUS_STORAGE = cfg.storage.type; + RUSTUS_DATA_DIR = cfg.storage.data_dir; + RUSTUS_DIR_STRUCTURE = cfg.storage.dir_structure; + RUSTUS_FORCE_FSYNC = if cfg.storage.force_sync then "true" else "false"; + RUSTUS_S3_URL = mkIf isHybridS3 cfg.storage.s3_url; + RUSTUS_S3_BUCKET = mkIf isHybridS3 cfg.storage.s3_bucket; + RUSTUS_S3_REGION = mkIf isHybridS3 cfg.storage.s3_region; + RUSTUS_S3_ACCESS_KEY_PATH = mkIf isHybridS3 "%d/S3_ACCESS_KEY_PATH"; + RUSTUS_S3_SECRET_KEY_PATH = mkIf isHybridS3 "%d/S3_SECRET_KEY_PATH"; + RUSTUS_INFO_STORAGE = cfg.info_storage.type; + RUSTUS_INFO_DIR = cfg.info_storage.dir; + }; + + serviceConfig = { + ExecStart = "${pkgs.rustus}/bin/rustus"; + StateDirectory = "rustus"; + # User name is defined here to enable restoring a backup for example + # You will run the backup restore command as sudo -u rustus in order + # to have write permissions to /var/lib + User = "rustus"; + DynamicUser = true; + LoadCredential = lib.optionals isHybridS3 [ + "S3_ACCESS_KEY_PATH:${cfg.storage.s3_access_key_file}" + "S3_SECRET_KEY_PATH:${cfg.storage.s3_secret_key_file}" + ]; + # hardening + RestrictRealtime=true; + RestrictNamespaces=true; + LockPersonality=true; + ProtectKernelModules=true; + ProtectKernelTunables=true; + ProtectKernelLogs=true; + ProtectControlGroups=true; + ProtectHostUserNamespaces=true; + ProtectClock=true; + RestrictSUIDSGID=true; + SystemCallArchitectures="native"; + CapabilityBoundingSet=""; + ProtectProc = "invisible"; + # TODO consider SystemCallFilter LimitAS ProcSubset + }; + }; + }; +} diff --git a/nixpkgs/nixos/modules/services/web-servers/stargazer.nix b/nixpkgs/nixos/modules/services/web-servers/stargazer.nix new file mode 100644 index 000000000000..18f57363137c --- /dev/null +++ b/nixpkgs/nixos/modules/services/web-servers/stargazer.nix @@ -0,0 +1,224 @@ +{ config, lib, pkgs, ... }: + +let + cfg = config.services.stargazer; + globalSection = '' + listen = ${lib.concatStringsSep " " cfg.listen} + connection-logging = ${lib.boolToString cfg.connectionLogging} + log-ip = ${lib.boolToString cfg.ipLog} + log-ip-partial = ${lib.boolToString cfg.ipLogPartial} + request-timeout = ${toString cfg.requestTimeout} + response-timeout = ${toString cfg.responseTimeout} + + [:tls] + store = ${toString cfg.store} + organization = ${cfg.certOrg} + gen-certs = ${lib.boolToString cfg.genCerts} + regen-certs = ${lib.boolToString cfg.regenCerts} + ${lib.optionalString (cfg.certLifetime != "") "cert-lifetime = ${cfg.certLifetime}"} + + ''; + genINI = lib.generators.toINI { }; + configFile = pkgs.writeText "config.ini" (lib.strings.concatStrings ( + [ globalSection ] ++ (lib.lists.forEach cfg.routes (section: + let + name = section.route; + params = builtins.removeAttrs section [ "route" ]; + in + genINI + { + "${name}" = params; + } + "\n" + )) + )); +in +{ + options.services.stargazer = { + enable = lib.mkEnableOption (lib.mdDoc "Stargazer Gemini server"); + + listen = lib.mkOption { + type = lib.types.listOf lib.types.str; + default = [ "0.0.0.0" ] ++ lib.optional config.networking.enableIPv6 "[::0]"; + defaultText = lib.literalExpression ''[ "0.0.0.0" ] ++ lib.optional config.networking.enableIPv6 "[::0]"''; + example = lib.literalExpression ''[ "10.0.0.12" "[2002:a00:1::]" ]''; + description = lib.mdDoc '' + Address and port to listen on. + ''; + }; + + connectionLogging = lib.mkOption { + type = lib.types.bool; + default = true; + description = lib.mdDoc "Whether or not to log connections to stdout."; + }; + + ipLog = lib.mkOption { + type = lib.types.bool; + default = false; + description = lib.mdDoc "Log client IP addresses in the connection log."; + }; + + ipLogPartial = lib.mkOption { + type = lib.types.bool; + default = false; + description = lib.mdDoc "Log partial client IP addresses in the connection log."; + }; + + requestTimeout = lib.mkOption { + type = lib.types.int; + default = 5; + description = lib.mdDoc '' + Number of seconds to wait for the client to send a complete + request. Set to 0 to disable. + ''; + }; + + responseTimeout = lib.mkOption { + type = lib.types.int; + default = 0; + description = lib.mdDoc '' + Number of seconds to wait for the client to send a complete + request and for stargazer to finish sending the response. + Set to 0 to disable. + ''; + }; + + store = lib.mkOption { + type = lib.types.path; + default = /var/lib/gemini/certs; + description = lib.mdDoc '' + Path to the certificate store on disk. This should be a + persistent directory writable by Stargazer. + ''; + }; + + certOrg = lib.mkOption { + type = lib.types.str; + default = "stargazer"; + description = lib.mdDoc '' + The name of the organization responsible for the X.509 + certificate's /O name. + ''; + }; + + genCerts = lib.mkOption { + type = lib.types.bool; + default = true; + description = lib.mdDoc '' + Set to false to disable automatic certificate generation. + Use if you want to provide your own certs. + ''; + }; + + regenCerts = lib.mkOption { + type = lib.types.bool; + default = true; + description = lib.mdDoc '' + Set to false to turn off automatic regeneration of expired certificates. + Use if you want to provide your own certs. + ''; + }; + + certLifetime = lib.mkOption { + type = lib.types.str; + default = ""; + description = lib.mdDoc '' + How long certs generated by Stargazer should live for. + Certs live forever by default. + ''; + example = lib.literalExpression "\"1y\""; + }; + + routes = lib.mkOption { + type = lib.types.listOf + (lib.types.submodule { + freeformType = with lib.types; attrsOf (nullOr + (oneOf [ + bool + int + float + str + ]) // { + description = "INI atom (null, bool, int, float or string)"; + }); + options.route = lib.mkOption { + type = lib.types.str; + description = lib.mdDoc "Route section name"; + }; + }); + default = [ ]; + description = lib.mdDoc '' + Routes that Stargazer should server. + + Expressed as a list of attribute sets. Each set must have a key `route` + that becomes the section name for that route in the stargazer ini cofig. + The remaining keys and values become the parameters for that route. + + [Refer to upstream docs for other params](https://git.sr.ht/~zethra/stargazer/tree/main/item/doc/stargazer.ini.5.txt) + ''; + example = lib.literalExpression '' + [ + { + route = "example.com"; + root = "/srv/gemini/example.com" + } + { + route = "example.com:/man"; + root = "/cgi-bin"; + cgi = true; + } + { + route = "other.org~(.*)"; + redirect = "gemini://example.com"; + rewrite = "\1"; + } + ] + ''; + }; + + user = lib.mkOption { + type = lib.types.str; + default = "stargazer"; + description = lib.mdDoc "User account under which stargazer runs."; + }; + + group = lib.mkOption { + type = lib.types.str; + default = "stargazer"; + description = lib.mdDoc "Group account under which stargazer runs."; + }; + }; + + config = lib.mkIf cfg.enable { + systemd.services.stargazer = { + description = "Stargazer gemini server"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + ExecStart = "${pkgs.stargazer}/bin/stargazer ${configFile}"; + Restart = "always"; + # User and group + User = cfg.user; + Group = cfg.group; + }; + }; + + # Create default cert store + systemd.tmpfiles.rules = lib.mkIf (cfg.store == /var/lib/gemini/certs) [ + ''d /var/lib/gemini/certs - "${cfg.user}" "${cfg.group}" -'' + ]; + + users.users = lib.optionalAttrs (cfg.user == "stargazer") { + stargazer = { + group = cfg.group; + isSystemUser = true; + }; + }; + + users.groups = lib.optionalAttrs (cfg.group == "stargazer") { + stargazer = { }; + }; + }; + + meta.maintainers = with lib.maintainers; [ gaykitty ]; +} diff --git a/nixpkgs/nixos/modules/services/web-servers/static-web-server.nix b/nixpkgs/nixos/modules/services/web-servers/static-web-server.nix new file mode 100644 index 000000000000..07187f00fecc --- /dev/null +++ b/nixpkgs/nixos/modules/services/web-servers/static-web-server.nix @@ -0,0 +1,68 @@ +{ config, lib, pkgs, ... }: + +let + cfg = config.services.static-web-server; + toml = pkgs.formats.toml {}; + configFilePath = toml.generate "config.toml" cfg.configuration; +in { + options = { + services.static-web-server = { + enable = lib.mkEnableOption (lib.mdDoc ''Static Web Server''); + listen = lib.mkOption { + default = "[::]:8787"; + type = lib.types.str; + description = lib.mdDoc '' + The "ListenStream" used in static-web-server.socket. + This is equivalent to SWS's "host" and "port" options. + See here for specific syntax: <https://www.freedesktop.org/software/systemd/man/systemd.socket.html#ListenStream=> + ''; + }; + root = lib.mkOption { + type = lib.types.path; + description = lib.mdDoc '' + The location of files for SWS to serve. Equivalent to SWS's "root" config value. + NOTE: This folder must exist before starting SWS. + ''; + }; + configuration = lib.mkOption { + default = { }; + type = toml.type; + example = { + general = { log-level = "error"; directory-listing = true; }; + }; + description = lib.mdDoc '' + Configuration for Static Web Server. See + <https://static-web-server.net/configuration/config-file/>. + NOTE: Don't set "host", "port", or "root" here. They will be ignored. + Use the top-level "listen" and "root" options instead. + ''; + }; + }; + }; + + config = lib.mkIf cfg.enable { + environment.systemPackages = [ pkgs.static-web-server ]; + systemd.packages = [ pkgs.static-web-server ]; + # Have to set wantedBy since systemd.packages ignores the "Install" section + systemd.sockets.static-web-server = { + wantedBy = [ "sockets.target" ]; + # Start with empty string to reset upstream option + listenStreams = [ "" cfg.listen ]; + }; + systemd.services.static-web-server = { + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + # Remove upstream sample environment file; use config.toml exclusively + EnvironmentFile = [ "" ]; + ExecStart = [ "" "${pkgs.static-web-server}/bin/static-web-server --fd 0 --config-file ${configFilePath} --root ${cfg.root}" ]; + # Supplementary groups doesn't work unless we create the group ourselves + SupplementaryGroups = [ "" ]; + # If the user is serving files from their home dir, override ProtectHome to allow that + ProtectHome = if lib.hasPrefix "/home" cfg.root then "tmpfs" else "true"; + BindReadOnlyPaths = cfg.root; + }; + }; + }; + + meta.maintainers = with lib.maintainers; [ mac-chaffee ]; +} diff --git a/nixpkgs/nixos/modules/services/web-servers/tomcat.nix b/nixpkgs/nixos/modules/services/web-servers/tomcat.nix new file mode 100644 index 000000000000..54ea7b66151f --- /dev/null +++ b/nixpkgs/nixos/modules/services/web-servers/tomcat.nix @@ -0,0 +1,400 @@ +{ config, lib, pkgs, ... }: + +let + + cfg = config.services.tomcat; + tomcat = cfg.package; +in + +{ + meta = { + maintainers = with lib.maintainers; [ danbst anthonyroussel ]; + }; + + ###### interface + + options = { + services.tomcat = { + enable = lib.mkEnableOption (lib.mdDoc "Apache Tomcat"); + + package = lib.mkPackageOption pkgs "tomcat9" { + example = "tomcat10"; + }; + + purifyOnStart = lib.mkOption { + type = lib.types.bool; + default = false; + description = lib.mdDoc '' + On startup, the `baseDir` directory is populated with various files, + subdirectories and symlinks. If this option is enabled, these items + (except for the `logs` and `work` subdirectories) are first removed. + This prevents interference from remainders of an old configuration + (libraries, webapps, etc.), so it's recommended to enable this option. + ''; + }; + + baseDir = lib.mkOption { + type = lib.types.path; + default = "/var/tomcat"; + description = lib.mdDoc '' + Location where Tomcat stores configuration files, web applications + and logfiles. Note that it is partially cleared on each service startup + if `purifyOnStart` is enabled. + ''; + }; + + logDirs = lib.mkOption { + default = [ ]; + type = lib.types.listOf lib.types.path; + description = lib.mdDoc "Directories to create in baseDir/logs/"; + }; + + extraConfigFiles = lib.mkOption { + default = [ ]; + type = lib.types.listOf lib.types.path; + description = lib.mdDoc "Extra configuration files to pull into the tomcat conf directory"; + }; + + extraEnvironment = lib.mkOption { + type = lib.types.listOf lib.types.str; + default = [ ]; + example = [ "ENVIRONMENT=production" ]; + description = lib.mdDoc "Environment Variables to pass to the tomcat service"; + }; + + extraGroups = lib.mkOption { + default = [ ]; + type = lib.types.listOf lib.types.str; + example = [ "users" ]; + description = lib.mdDoc "Defines extra groups to which the tomcat user belongs."; + }; + + user = lib.mkOption { + type = lib.types.str; + default = "tomcat"; + description = lib.mdDoc "User account under which Apache Tomcat runs."; + }; + + group = lib.mkOption { + type = lib.types.str; + default = "tomcat"; + description = lib.mdDoc "Group account under which Apache Tomcat runs."; + }; + + javaOpts = lib.mkOption { + type = lib.types.either (lib.types.listOf lib.types.str) lib.types.str; + default = ""; + description = lib.mdDoc "Parameters to pass to the Java Virtual Machine which spawns Apache Tomcat"; + }; + + catalinaOpts = lib.mkOption { + type = lib.types.either (lib.types.listOf lib.types.str) lib.types.str; + default = ""; + description = lib.mdDoc "Parameters to pass to the Java Virtual Machine which spawns the Catalina servlet container"; + }; + + sharedLibs = lib.mkOption { + type = lib.types.listOf lib.types.str; + default = [ ]; + description = lib.mdDoc "List containing JAR files or directories with JAR files which are libraries shared by the web applications"; + }; + + serverXml = lib.mkOption { + type = lib.types.lines; + default = ""; + description = lib.mdDoc '' + Verbatim server.xml configuration. + This is mutually exclusive with the virtualHosts options. + ''; + }; + + commonLibs = lib.mkOption { + type = lib.types.listOf lib.types.str; + default = [ ]; + description = lib.mdDoc "List containing JAR files or directories with JAR files which are libraries shared by the web applications and the servlet container"; + }; + + webapps = lib.mkOption { + type = lib.types.listOf lib.types.path; + default = [ tomcat.webapps ]; + defaultText = lib.literalExpression "[ config.services.tomcat.package.webapps ]"; + description = lib.mdDoc "List containing WAR files or directories with WAR files which are web applications to be deployed on Tomcat"; + }; + + virtualHosts = lib.mkOption { + type = lib.types.listOf (lib.types.submodule { + options = { + name = lib.mkOption { + type = lib.types.str; + description = lib.mdDoc "name of the virtualhost"; + }; + aliases = lib.mkOption { + type = lib.types.listOf lib.types.str; + description = lib.mdDoc "aliases of the virtualhost"; + default = [ ]; + }; + webapps = lib.mkOption { + type = lib.types.listOf lib.types.path; + description = lib.mdDoc '' + List containing web application WAR files and/or directories containing + web applications and configuration files for the virtual host. + ''; + default = [ ]; + }; + }; + }); + default = [ ]; + description = lib.mdDoc "List consisting of a virtual host name and a list of web applications to deploy on each virtual host"; + }; + + logPerVirtualHost = lib.mkOption { + type = lib.types.bool; + default = false; + description = lib.mdDoc "Whether to enable logging per virtual host."; + }; + + jdk = lib.mkPackageOption pkgs "jdk" { }; + + axis2 = { + enable = lib.mkEnableOption "Apache Axis2 container"; + + services = lib.mkOption { + default = [ ]; + type = lib.types.listOf lib.types.str; + description = lib.mdDoc "List containing AAR files or directories with AAR files which are web services to be deployed on Axis2"; + }; + }; + }; + }; + + ###### implementation + + config = lib.mkIf config.services.tomcat.enable { + + users.groups.tomcat.gid = config.ids.gids.tomcat; + + users.users.tomcat = + { + uid = config.ids.uids.tomcat; + description = "Tomcat user"; + home = "/homeless-shelter"; + group = "tomcat"; + extraGroups = cfg.extraGroups; + }; + + systemd.services.tomcat = { + description = "Apache Tomcat server"; + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + + preStart = '' + ${lib.optionalString cfg.purifyOnStart '' + # Delete most directories/symlinks we create from the existing base directory, + # to get rid of remainders of an old configuration. + # The list of directories to delete is taken from the "mkdir" command below, + # excluding "logs" (because logs are valuable) and "work" (because normally + # session files are there), and additionally including "bin". + rm -rf ${cfg.baseDir}/{conf,virtualhosts,temp,lib,shared/lib,webapps,bin} + ''} + + # Create the base directory + mkdir -p \ + ${cfg.baseDir}/{conf,virtualhosts,logs,temp,lib,shared/lib,webapps,work} + chown ${cfg.user}:${cfg.group} \ + ${cfg.baseDir}/{conf,virtualhosts,logs,temp,lib,shared/lib,webapps,work} + + # Create a symlink to the bin directory of the tomcat component + ln -sfn ${tomcat}/bin ${cfg.baseDir}/bin + + # Symlink the config files in the conf/ directory (except for catalina.properties and server.xml) + for i in $(ls ${tomcat}/conf | grep -v catalina.properties | grep -v server.xml); do + ln -sfn ${tomcat}/conf/$i ${cfg.baseDir}/conf/`basename $i` + done + + ${lib.optionalString (cfg.extraConfigFiles != []) '' + for i in ${toString cfg.extraConfigFiles}; do + ln -sfn $i ${cfg.baseDir}/conf/`basename $i` + done + ''} + + # Create a modified catalina.properties file + # Change all references from CATALINA_HOME to CATALINA_BASE and add support for shared libraries + sed -e 's|''${catalina.home}|''${catalina.base}|g' \ + -e 's|shared.loader=|shared.loader=''${catalina.base}/shared/lib/*.jar|' \ + ${tomcat}/conf/catalina.properties > ${cfg.baseDir}/conf/catalina.properties + + ${if cfg.serverXml != "" then '' + cp -f ${pkgs.writeTextDir "server.xml" cfg.serverXml}/* ${cfg.baseDir}/conf/ + '' else + let + hostElementForVirtualHost = virtualHost: '' + <Host name="${virtualHost.name}" appBase="virtualhosts/${virtualHost.name}/webapps" + unpackWARs="true" autoDeploy="true" xmlValidation="false" xmlNamespaceAware="false"> + '' + lib.concatStrings (innerElementsForVirtualHost virtualHost) + '' + </Host> + ''; + innerElementsForVirtualHost = virtualHost: + (map (alias: '' + <Alias>${alias}</Alias> + '') virtualHost.aliases) + ++ (lib.optional cfg.logPerVirtualHost '' + <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs/${virtualHost.name}" + prefix="${virtualHost.name}_access_log." pattern="combined" resolveHosts="false"/> + ''); + hostElementsString = lib.concatMapStringsSep "\n" hostElementForVirtualHost cfg.virtualHosts; + hostElementsSedString = lib.replaceStrings ["\n"] ["\\\n"] hostElementsString; + in '' + # Create a modified server.xml which also includes all virtual hosts + sed -e "/<Engine name=\"Catalina\" defaultHost=\"localhost\">/a\\"${lib.escapeShellArg hostElementsSedString} \ + ${tomcat}/conf/server.xml > ${cfg.baseDir}/conf/server.xml + '' + } + ${lib.optionalString (cfg.logDirs != []) '' + for i in ${toString cfg.logDirs}; do + mkdir -p ${cfg.baseDir}/logs/$i + chown ${cfg.user}:${cfg.group} ${cfg.baseDir}/logs/$i + done + ''} + ${lib.optionalString cfg.logPerVirtualHost (toString (map (h: '' + mkdir -p ${cfg.baseDir}/logs/${h.name} + chown ${cfg.user}:${cfg.group} ${cfg.baseDir}/logs/${h.name} + '') cfg.virtualHosts))} + + # Symlink all the given common libs files or paths into the lib/ directory + for i in ${tomcat} ${toString cfg.commonLibs}; do + if [ -f $i ]; then + # If the given web application is a file, symlink it into the common/lib/ directory + ln -sfn $i ${cfg.baseDir}/lib/`basename $i` + elif [ -d $i ]; then + # If the given web application is a directory, then iterate over the files + # in the special purpose directories and symlink them into the tomcat tree + + for j in $i/lib/*; do + ln -sfn $j ${cfg.baseDir}/lib/`basename $j` + done + fi + done + + # Symlink all the given shared libs files or paths into the shared/lib/ directory + for i in ${toString cfg.sharedLibs}; do + if [ -f $i ]; then + # If the given web application is a file, symlink it into the common/lib/ directory + ln -sfn $i ${cfg.baseDir}/shared/lib/`basename $i` + elif [ -d $i ]; then + # If the given web application is a directory, then iterate over the files + # in the special purpose directories and symlink them into the tomcat tree + + for j in $i/shared/lib/*; do + ln -sfn $j ${cfg.baseDir}/shared/lib/`basename $j` + done + fi + done + + # Symlink all the given web applications files or paths into the webapps/ directory + for i in ${toString cfg.webapps}; do + if [ -f $i ]; then + # If the given web application is a file, symlink it into the webapps/ directory + ln -sfn $i ${cfg.baseDir}/webapps/`basename $i` + elif [ -d $i ]; then + # If the given web application is a directory, then iterate over the files + # in the special purpose directories and symlink them into the tomcat tree + + for j in $i/webapps/*; do + ln -sfn $j ${cfg.baseDir}/webapps/`basename $j` + done + + # Also symlink the configuration files if they are included + if [ -d $i/conf/Catalina ]; then + for j in $i/conf/Catalina/*; do + mkdir -p ${cfg.baseDir}/conf/Catalina/localhost + ln -sfn $j ${cfg.baseDir}/conf/Catalina/localhost/`basename $j` + done + fi + fi + done + + ${toString (map (virtualHost: '' + # Create webapps directory for the virtual host + mkdir -p ${cfg.baseDir}/virtualhosts/${virtualHost.name}/webapps + + # Modify ownership + chown ${cfg.user}:${cfg.group} ${cfg.baseDir}/virtualhosts/${virtualHost.name}/webapps + + # Symlink all the given web applications files or paths into the webapps/ directory + # of this virtual host + for i in "${lib.optionalString (virtualHost ? webapps) (toString virtualHost.webapps)}"; do + if [ -f $i ]; then + # If the given web application is a file, symlink it into the webapps/ directory + ln -sfn $i ${cfg.baseDir}/virtualhosts/${virtualHost.name}/webapps/`basename $i` + elif [ -d $i ]; then + # If the given web application is a directory, then iterate over the files + # in the special purpose directories and symlink them into the tomcat tree + + for j in $i/webapps/*; do + ln -sfn $j ${cfg.baseDir}/virtualhosts/${virtualHost.name}/webapps/`basename $j` + done + + # Also symlink the configuration files if they are included + if [ -d $i/conf/Catalina ]; then + for j in $i/conf/Catalina/*; do + mkdir -p ${cfg.baseDir}/conf/Catalina/${virtualHost.name} + ln -sfn $j ${cfg.baseDir}/conf/Catalina/${virtualHost.name}/`basename $j` + done + fi + fi + done + '') cfg.virtualHosts)} + + ${lib.optionalString cfg.axis2.enable '' + # Copy the Axis2 web application + cp -av ${pkgs.axis2}/webapps/axis2 ${cfg.baseDir}/webapps + + # Turn off addressing, which causes many errors + sed -i -e 's%<module ref="addressing"/>%<!-- <module ref="addressing"/> -->%' ${cfg.baseDir}/webapps/axis2/WEB-INF/conf/axis2.xml + + # Modify permissions on the Axis2 application + chown -R ${cfg.user}:${cfg.group} ${cfg.baseDir}/webapps/axis2 + + # Symlink all the given web service files or paths into the webapps/axis2/WEB-INF/services directory + for i in ${toString cfg.axis2.services}; do + if [ -f $i ]; then + # If the given web service is a file, symlink it into the webapps/axis2/WEB-INF/services + ln -sfn $i ${cfg.baseDir}/webapps/axis2/WEB-INF/services/`basename $i` + elif [ -d $i ]; then + # If the given web application is a directory, then iterate over the files + # in the special purpose directories and symlink them into the tomcat tree + + for j in $i/webapps/axis2/WEB-INF/services/*; do + ln -sfn $j ${cfg.baseDir}/webapps/axis2/WEB-INF/services/`basename $j` + done + + # Also symlink the configuration files if they are included + if [ -d $i/conf/Catalina ]; then + for j in $i/conf/Catalina/*; do + ln -sfn $j ${cfg.baseDir}/conf/Catalina/localhost/`basename $j` + done + fi + fi + done + ''} + ''; + + serviceConfig = { + Type = "forking"; + PermissionsStartOnly = true; + PIDFile = "/run/tomcat/tomcat.pid"; + RuntimeDirectory = "tomcat"; + User = cfg.user; + Environment = [ + "CATALINA_BASE=${cfg.baseDir}" + "CATALINA_PID=/run/tomcat/tomcat.pid" + "JAVA_HOME='${cfg.jdk}'" + "JAVA_OPTS='${builtins.toString cfg.javaOpts}'" + "CATALINA_OPTS='${builtins.toString cfg.catalinaOpts}'" + ] ++ cfg.extraEnvironment; + ExecStart = "${tomcat}/bin/startup.sh"; + ExecStop = "${tomcat}/bin/shutdown.sh"; + }; + }; + }; +} diff --git a/nixpkgs/nixos/modules/services/web-servers/traefik.nix b/nixpkgs/nixos/modules/services/web-servers/traefik.nix new file mode 100644 index 000000000000..fc9eb504ebf8 --- /dev/null +++ b/nixpkgs/nixos/modules/services/web-servers/traefik.nix @@ -0,0 +1,187 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.traefik; + jsonValue = with types; + let + valueType = nullOr (oneOf [ + bool + int + float + str + (lazyAttrsOf valueType) + (listOf valueType) + ]) // { + description = "JSON value"; + emptyValue.value = { }; + }; + in valueType; + dynamicConfigFile = if cfg.dynamicConfigFile == null then + pkgs.runCommand "config.toml" { + buildInputs = [ pkgs.remarshal ]; + preferLocalBuild = true; + } '' + remarshal -if json -of toml \ + < ${ + pkgs.writeText "dynamic_config.json" + (builtins.toJSON cfg.dynamicConfigOptions) + } \ + > $out + '' + else + cfg.dynamicConfigFile; + staticConfigFile = if cfg.staticConfigFile == null then + pkgs.runCommand "config.toml" { + buildInputs = [ pkgs.yj ]; + preferLocalBuild = true; + } '' + yj -jt -i \ + < ${ + pkgs.writeText "static_config.json" (builtins.toJSON + (recursiveUpdate cfg.staticConfigOptions { + providers.file.filename = "${dynamicConfigFile}"; + })) + } \ + > $out + '' + else + cfg.staticConfigFile; + + finalStaticConfigFile = + if cfg.environmentFiles == [] + then staticConfigFile + else "/run/traefik/config.toml"; +in { + options.services.traefik = { + enable = mkEnableOption (lib.mdDoc "Traefik web server"); + + staticConfigFile = mkOption { + default = null; + example = literalExpression "/path/to/static_config.toml"; + type = types.nullOr types.path; + description = lib.mdDoc '' + Path to traefik's static configuration to use. + (Using that option has precedence over `staticConfigOptions` and `dynamicConfigOptions`) + ''; + }; + + staticConfigOptions = mkOption { + description = lib.mdDoc '' + Static configuration for Traefik. + ''; + type = jsonValue; + default = { entryPoints.http.address = ":80"; }; + example = { + entryPoints.web.address = ":8080"; + entryPoints.http.address = ":80"; + + api = { }; + }; + }; + + dynamicConfigFile = mkOption { + default = null; + example = literalExpression "/path/to/dynamic_config.toml"; + type = types.nullOr types.path; + description = lib.mdDoc '' + Path to traefik's dynamic configuration to use. + (Using that option has precedence over `dynamicConfigOptions`) + ''; + }; + + dynamicConfigOptions = mkOption { + description = lib.mdDoc '' + Dynamic configuration for Traefik. + ''; + type = jsonValue; + default = { }; + example = { + http.routers.router1 = { + rule = "Host(`localhost`)"; + service = "service1"; + }; + + http.services.service1.loadBalancer.servers = + [{ url = "http://localhost:8080"; }]; + }; + }; + + dataDir = mkOption { + default = "/var/lib/traefik"; + type = types.path; + description = lib.mdDoc '' + Location for any persistent data traefik creates, ie. acme + ''; + }; + + group = mkOption { + default = "traefik"; + type = types.str; + example = "docker"; + description = lib.mdDoc '' + Set the group that traefik runs under. + For the docker backend this needs to be set to `docker` instead. + ''; + }; + + package = mkPackageOption pkgs "traefik" { }; + + environmentFiles = mkOption { + default = []; + type = types.listOf types.path; + example = [ "/run/secrets/traefik.env" ]; + description = lib.mdDoc '' + Files to load as environment file. Environment variables from this file + will be substituted into the static configuration file using envsubst. + ''; + }; + }; + + config = mkIf cfg.enable { + systemd.tmpfiles.rules = [ "d '${cfg.dataDir}' 0700 traefik traefik - -" ]; + + systemd.services.traefik = { + description = "Traefik web server"; + wants = [ "network-online.target" ]; + after = [ "network-online.target" ]; + wantedBy = [ "multi-user.target" ]; + startLimitIntervalSec = 86400; + startLimitBurst = 5; + serviceConfig = { + EnvironmentFile = cfg.environmentFiles; + ExecStartPre = lib.optional (cfg.environmentFiles != []) + (pkgs.writeShellScript "pre-start" '' + umask 077 + ${pkgs.envsubst}/bin/envsubst -i "${staticConfigFile}" > "${finalStaticConfigFile}" + ''); + ExecStart = "${cfg.package}/bin/traefik --configfile=${finalStaticConfigFile}"; + Type = "simple"; + User = "traefik"; + Group = cfg.group; + Restart = "on-failure"; + AmbientCapabilities = "cap_net_bind_service"; + CapabilityBoundingSet = "cap_net_bind_service"; + NoNewPrivileges = true; + LimitNPROC = 64; + LimitNOFILE = 1048576; + PrivateTmp = true; + PrivateDevices = true; + ProtectHome = true; + ProtectSystem = "full"; + ReadWriteDirectories = cfg.dataDir; + RuntimeDirectory = "traefik"; + }; + }; + + users.users.traefik = { + group = "traefik"; + home = cfg.dataDir; + createHome = true; + isSystemUser = true; + }; + + users.groups.traefik = { }; + }; +} diff --git a/nixpkgs/nixos/modules/services/web-servers/trafficserver/default.nix b/nixpkgs/nixos/modules/services/web-servers/trafficserver/default.nix new file mode 100644 index 000000000000..17dece8746a1 --- /dev/null +++ b/nixpkgs/nixos/modules/services/web-servers/trafficserver/default.nix @@ -0,0 +1,310 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.trafficserver; + user = config.users.users.trafficserver.name; + group = config.users.groups.trafficserver.name; + + getManualUrl = name: "https://docs.trafficserver.apache.org/en/latest/admin-guide/files/${name}.en.html"; + + yaml = pkgs.formats.yaml { }; + + mkYamlConf = name: cfg: + if cfg != null then { + "trafficserver/${name}.yaml".source = yaml.generate "${name}.yaml" cfg; + } else { + "trafficserver/${name}.yaml".text = ""; + }; + + mkRecordLines = path: value: + if isAttrs value then + lib.mapAttrsToList (n: v: mkRecordLines (path ++ [ n ]) v) value + else if isInt value then + "CONFIG ${concatStringsSep "." path} INT ${toString value}" + else if isFloat value then + "CONFIG ${concatStringsSep "." path} FLOAT ${toString value}" + else + "CONFIG ${concatStringsSep "." path} STRING ${toString value}"; + + mkRecordsConfig = cfg: concatStringsSep "\n" (flatten (mkRecordLines [ ] cfg)); + mkPluginConfig = cfg: concatStringsSep "\n" (map (p: "${p.path} ${p.arg}") cfg); +in +{ + options.services.trafficserver = { + enable = mkEnableOption (lib.mdDoc "Apache Traffic Server"); + + cache = mkOption { + type = types.lines; + default = ""; + example = "dest_domain=example.com suffix=js action=never-cache"; + description = lib.mdDoc '' + Caching rules that overrule the origin's caching policy. + + Consult the [upstream + documentation](${getManualUrl "cache.config"}) for more details. + ''; + }; + + hosting = mkOption { + type = types.lines; + default = ""; + example = "domain=example.com volume=1"; + description = lib.mdDoc '' + Partition the cache according to origin server or domain + + Consult the [ + upstream documentation](${getManualUrl "hosting.config"}) for more details. + ''; + }; + + ipAllow = mkOption { + type = types.nullOr yaml.type; + default = lib.importJSON ./ip_allow.json; + defaultText = literalMD "upstream defaults"; + example = literalExpression '' + { + ip_allow = [{ + apply = "in"; + ip_addrs = "127.0.0.1"; + action = "allow"; + methods = "ALL"; + }]; + } + ''; + description = lib.mdDoc '' + Control client access to Traffic Server and Traffic Server connections + to upstream servers. + + Consult the [upstream + documentation](${getManualUrl "ip_allow.yaml"}) for more details. + ''; + }; + + logging = mkOption { + type = types.nullOr yaml.type; + default = lib.importJSON ./logging.json; + defaultText = literalMD "upstream defaults"; + example = { }; + description = lib.mdDoc '' + Configure logs. + + Consult the [upstream + documentation](${getManualUrl "logging.yaml"}) for more details. + ''; + }; + + parent = mkOption { + type = types.lines; + default = ""; + example = '' + dest_domain=. method=get parent="p1.example:8080; p2.example:8080" round_robin=true + ''; + description = lib.mdDoc '' + Identify the parent proxies used in an cache hierarchy. + + Consult the [upstream + documentation](${getManualUrl "parent.config"}) for more details. + ''; + }; + + plugins = mkOption { + default = [ ]; + + description = lib.mdDoc '' + Controls run-time loadable plugins available to Traffic Server, as + well as their configuration. + + Consult the [upstream + documentation](${getManualUrl "plugin.config"}) for more details. + ''; + + type = with types; + listOf (submodule { + options.path = mkOption { + type = str; + example = "xdebug.so"; + description = lib.mdDoc '' + Path to plugin. The path can either be absolute, or relative to + the plugin directory. + ''; + }; + options.arg = mkOption { + type = str; + default = ""; + example = "--header=ATS-My-Debug"; + description = lib.mdDoc "arguments to pass to the plugin"; + }; + }); + }; + + records = mkOption { + type = with types; + let valueType = (attrsOf (oneOf [ int float str valueType ])) // { + description = "Traffic Server records value"; + }; + in + valueType; + default = { }; + example = { proxy.config.proxy_name = "my_server"; }; + description = lib.mdDoc '' + List of configurable variables used by Traffic Server. + + Consult the [ + upstream documentation](${getManualUrl "records.config"}) for more details. + ''; + }; + + remap = mkOption { + type = types.lines; + default = ""; + example = "map http://from.example http://origin.example"; + description = lib.mdDoc '' + URL remapping rules used by Traffic Server. + + Consult the [ + upstream documentation](${getManualUrl "remap.config"}) for more details. + ''; + }; + + splitDns = mkOption { + type = types.lines; + default = ""; + example = '' + dest_domain=internal.corp.example named="255.255.255.255:212 255.255.255.254" def_domain=corp.example search_list="corp.example corp1.example" + dest_domain=!internal.corp.example named=255.255.255.253 + ''; + description = lib.mdDoc '' + Specify the DNS server that Traffic Server should use under specific + conditions. + + Consult the [ + upstream documentation](${getManualUrl "splitdns.config"}) for more details. + ''; + }; + + sslMulticert = mkOption { + type = types.lines; + default = ""; + example = "dest_ip=* ssl_cert_name=default.pem"; + description = lib.mdDoc '' + Configure SSL server certificates to terminate the SSL sessions. + + Consult the [ + upstream documentation](${getManualUrl "ssl_multicert.config"}) for more details. + ''; + }; + + sni = mkOption { + type = types.nullOr yaml.type; + default = null; + example = literalExpression '' + { + sni = [{ + fqdn = "no-http2.example.com"; + https = "off"; + }]; + } + ''; + description = lib.mdDoc '' + Configure aspects of TLS connection handling for both inbound and + outbound connections. + + Consult the [upstream + documentation](${getManualUrl "sni.yaml"}) for more details. + ''; + }; + + storage = mkOption { + type = types.lines; + default = "/var/cache/trafficserver 256M"; + example = "/dev/disk/by-id/XXXXX volume=1"; + description = lib.mdDoc '' + List all the storage that make up the Traffic Server cache. + + Consult the [ + upstream documentation](${getManualUrl "storage.config"}) for more details. + ''; + }; + + strategies = mkOption { + type = types.nullOr yaml.type; + default = null; + description = lib.mdDoc '' + Specify the next hop proxies used in an cache hierarchy and the + algorithms used to select the next proxy. + + Consult the [ + upstream documentation](${getManualUrl "strategies.yaml"}) for more details. + ''; + }; + + volume = mkOption { + type = types.nullOr yaml.type; + default = ""; + example = "volume=1 scheme=http size=20%"; + description = lib.mdDoc '' + Manage cache space more efficiently and restrict disk usage by + creating cache volumes of different sizes. + + Consult the [ + upstream documentation](${getManualUrl "volume.config"}) for more details. + ''; + }; + }; + + config = mkIf cfg.enable { + environment.etc = { + "trafficserver/cache.config".text = cfg.cache; + "trafficserver/hosting.config".text = cfg.hosting; + "trafficserver/parent.config".text = cfg.parent; + "trafficserver/plugin.config".text = mkPluginConfig cfg.plugins; + "trafficserver/records.config".text = mkRecordsConfig cfg.records; + "trafficserver/remap.config".text = cfg.remap; + "trafficserver/splitdns.config".text = cfg.splitDns; + "trafficserver/ssl_multicert.config".text = cfg.sslMulticert; + "trafficserver/storage.config".text = cfg.storage; + "trafficserver/volume.config".text = cfg.volume; + } // (mkYamlConf "ip_allow" cfg.ipAllow) + // (mkYamlConf "logging" cfg.logging) + // (mkYamlConf "sni" cfg.sni) + // (mkYamlConf "strategies" cfg.strategies); + + environment.systemPackages = [ pkgs.trafficserver ]; + systemd.packages = [ pkgs.trafficserver ]; + + # Traffic Server does privilege handling independently of systemd, and + # therefore should be started as root + systemd.services.trafficserver = { + enable = true; + wantedBy = [ "multi-user.target" ]; + }; + + # These directories can't be created by systemd because: + # + # 1. Traffic Servers starts as root and switches to an unprivileged user + # afterwards. The runtime directories defined below are assumed to be + # owned by that user. + # 2. The bin/trafficserver script assumes these directories exist. + systemd.tmpfiles.rules = [ + "d '/run/trafficserver' - ${user} ${group} - -" + "d '/var/cache/trafficserver' - ${user} ${group} - -" + "d '/var/lib/trafficserver' - ${user} ${group} - -" + "d '/var/log/trafficserver' - ${user} ${group} - -" + ]; + + services.trafficserver = { + records.proxy.config.admin.user_id = user; + records.proxy.config.body_factory.template_sets_dir = + "${pkgs.trafficserver}/etc/trafficserver/body_factory"; + }; + + users.users.trafficserver = { + description = "Apache Traffic Server"; + isSystemUser = true; + inherit group; + }; + users.groups.trafficserver = { }; + }; +} diff --git a/nixpkgs/nixos/modules/services/web-servers/trafficserver/ip_allow.json b/nixpkgs/nixos/modules/services/web-servers/trafficserver/ip_allow.json new file mode 100644 index 000000000000..fc2db8037286 --- /dev/null +++ b/nixpkgs/nixos/modules/services/web-servers/trafficserver/ip_allow.json @@ -0,0 +1,36 @@ +{ + "ip_allow": [ + { + "apply": "in", + "ip_addrs": "127.0.0.1", + "action": "allow", + "methods": "ALL" + }, + { + "apply": "in", + "ip_addrs": "::1", + "action": "allow", + "methods": "ALL" + }, + { + "apply": "in", + "ip_addrs": "0/0", + "action": "deny", + "methods": [ + "PURGE", + "PUSH", + "DELETE" + ] + }, + { + "apply": "in", + "ip_addrs": "::/0", + "action": "deny", + "methods": [ + "PURGE", + "PUSH", + "DELETE" + ] + } + ] +} diff --git a/nixpkgs/nixos/modules/services/web-servers/trafficserver/logging.json b/nixpkgs/nixos/modules/services/web-servers/trafficserver/logging.json new file mode 100644 index 000000000000..81e7ba0186c6 --- /dev/null +++ b/nixpkgs/nixos/modules/services/web-servers/trafficserver/logging.json @@ -0,0 +1,37 @@ +{ + "logging": { + "formats": [ + { + "name": "welf", + "format": "id=firewall time=\"%<cqtd> %<cqtt>\" fw=%<phn> pri=6 proto=%<cqus> duration=%<ttmsf> sent=%<psql> rcvd=%<cqhl> src=%<chi> dst=%<shi> dstname=%<shn> user=%<caun> op=%<cqhm> arg=\"%<cqup>\" result=%<pssc> ref=\"%<{Referer}cqh>\" agent=\"%<{user-agent}cqh>\" cache=%<crc>" + }, + { + "name": "squid_seconds_only_timestamp", + "format": "%<cqts> %<ttms> %<chi> %<crc>/%<pssc> %<psql> %<cqhm> %<cquc> %<caun> %<phr>/%<shn> %<psct>" + }, + { + "name": "squid", + "format": "%<cqtq> %<ttms> %<chi> %<crc>/%<pssc> %<psql> %<cqhm> %<cquc> %<caun> %<phr>/%<shn> %<psct>" + }, + { + "name": "common", + "format": "%<chi> - %<caun> [%<cqtn>] \"%<cqtx>\" %<pssc> %<pscl>" + }, + { + "name": "extended", + "format": "%<chi> - %<caun> [%<cqtn>] \"%<cqtx>\" %<pssc> %<pscl> %<sssc> %<sscl> %<cqcl> %<pqcl> %<cqhl> %<pshl> %<pqhl> %<sshl> %<tts>" + }, + { + "name": "extended2", + "format": "%<chi> - %<caun> [%<cqtn>] \"%<cqtx>\" %<pssc> %<pscl> %<sssc> %<sscl> %<cqcl> %<pqcl> %<cqhl> %<pshl> %<pqhl> %<sshl> %<tts> %<phr> %<cfsc> %<pfsc> %<crc>" + } + ], + "logs": [ + { + "filename": "squid", + "format": "squid", + "mode": "binary" + } + ] + } +} diff --git a/nixpkgs/nixos/modules/services/web-servers/ttyd.nix b/nixpkgs/nixos/modules/services/web-servers/ttyd.nix new file mode 100644 index 000000000000..14361df2bb66 --- /dev/null +++ b/nixpkgs/nixos/modules/services/web-servers/ttyd.nix @@ -0,0 +1,232 @@ +{ config, lib, pkgs, ... }: + +let + + cfg = config.services.ttyd; + + inherit (lib) + optionals + types + concatLists + mapAttrsToList + mkOption + ; + + # Command line arguments for the ttyd daemon + args = [ "--port" (toString cfg.port) ] + ++ optionals (cfg.socket != null) [ "--interface" cfg.socket ] + ++ optionals (cfg.interface != null) [ "--interface" cfg.interface ] + ++ [ "--signal" (toString cfg.signal) ] + ++ (concatLists (mapAttrsToList (_k: _v: [ "--client-option" "${_k}=${_v}" ]) cfg.clientOptions)) + ++ [ "--terminal-type" cfg.terminalType ] + ++ optionals cfg.checkOrigin [ "--check-origin" ] + ++ optionals cfg.writeable [ "--writable" ] # the typo is correct + ++ [ "--max-clients" (toString cfg.maxClients) ] + ++ optionals (cfg.indexFile != null) [ "--index" cfg.indexFile ] + ++ optionals cfg.enableIPv6 [ "--ipv6" ] + ++ optionals cfg.enableSSL [ "--ssl-cert" cfg.certFile + "--ssl-key" cfg.keyFile + "--ssl-ca" cfg.caFile ] + ++ [ "--debug" (toString cfg.logLevel) ]; + +in + +{ + + ###### interface + + options = { + services.ttyd = { + enable = lib.mkEnableOption ("ttyd daemon"); + + port = mkOption { + type = types.port; + default = 7681; + description = "Port to listen on (use 0 for random port)"; + }; + + socket = mkOption { + type = types.nullOr types.path; + default = null; + example = "/var/run/ttyd.sock"; + description = "UNIX domain socket path to bind."; + }; + + interface = mkOption { + type = types.nullOr types.str; + default = null; + example = "eth0"; + description = "Network interface to bind."; + }; + + username = mkOption { + type = types.nullOr types.str; + default = null; + description = "Username for basic http authentication."; + }; + + passwordFile = mkOption { + type = types.nullOr types.path; + default = null; + apply = value: if value == null then null else toString value; + description = '' + File containing the password to use for basic http authentication. + For insecurely putting the password in the globally readable store use + `pkgs.writeText "ttydpw" "MyPassword"`. + ''; + }; + + signal = mkOption { + type = types.ints.u8; + default = 1; + description = "Signal to send to the command on session close."; + }; + + entrypoint = mkOption { + type = types.listOf types.str; + default = [ "${pkgs.shadow}/bin/login" ]; + defaultText = lib.literalExpression '' + [ "''${pkgs.shadow}/bin/login" ] + ''; + example = lib.literalExpression '' + [ (lib.getExe pkgs.htop) ] + ''; + description = "Which command ttyd runs."; + apply = lib.escapeShellArgs; + }; + + user = mkOption { + type = types.str; + # `login` needs to be run as root + default = "root"; + description = "Which unix user ttyd should run as."; + }; + + writeable = mkOption { + type = types.nullOr types.bool; + default = null; # null causes an eval error, forcing the user to consider attack surface + example = true; + description = "Allow clients to write to the TTY."; + }; + + clientOptions = mkOption { + type = types.attrsOf types.str; + default = {}; + example = lib.literalExpression '' + { + fontSize = "16"; + fontFamily = "Fira Code"; + } + ''; + description = '' + Attribute set of client options for xtermjs. + <https://xtermjs.org/docs/api/terminal/interfaces/iterminaloptions/> + ''; + }; + + terminalType = mkOption { + type = types.str; + default = "xterm-256color"; + description = "Terminal type to report."; + }; + + checkOrigin = mkOption { + type = types.bool; + default = false; + description = "Whether to allow a websocket connection from a different origin."; + }; + + maxClients = mkOption { + type = types.int; + default = 0; + description = "Maximum clients to support (0, no limit)"; + }; + + indexFile = mkOption { + type = types.nullOr types.path; + default = null; + description = "Custom index.html path"; + }; + + enableIPv6 = mkOption { + type = types.bool; + default = false; + description = "Whether or not to enable IPv6 support."; + }; + + enableSSL = mkOption { + type = types.bool; + default = false; + description = "Whether or not to enable SSL (https) support."; + }; + + certFile = mkOption { + type = types.nullOr types.path; + default = null; + description = "SSL certificate file path."; + }; + + keyFile = mkOption { + type = types.nullOr types.path; + default = null; + apply = value: if value == null then null else toString value; + description = '' + SSL key file path. + For insecurely putting the keyFile in the globally readable store use + `pkgs.writeText "ttydKeyFile" "SSLKEY"`. + ''; + }; + + caFile = mkOption { + type = types.nullOr types.path; + default = null; + description = "SSL CA file path for client certificate verification."; + }; + + logLevel = mkOption { + type = types.int; + default = 7; + description = "Set log level."; + }; + }; + }; + + ###### implementation + + config = lib.mkIf cfg.enable { + + assertions = + [ { assertion = cfg.enableSSL + -> cfg.certFile != null && cfg.keyFile != null && cfg.caFile != null; + message = "SSL is enabled for ttyd, but no certFile, keyFile or caFile has been specified."; } + { assertion = cfg.writeable != null; + message = "services.ttyd.writeable must be set"; } + { assertion = ! (cfg.interface != null && cfg.socket != null); + message = "Cannot set both interface and socket for ttyd."; } + { assertion = (cfg.username != null) == (cfg.passwordFile != null); + message = "Need to set both username and passwordFile for ttyd"; } + ]; + + systemd.services.ttyd = { + description = "ttyd Web Server Daemon"; + + wantedBy = [ "multi-user.target" ]; + + serviceConfig = { + User = cfg.user; + LoadCredential = lib.optionalString (cfg.passwordFile != null) "TTYD_PASSWORD_FILE:${cfg.passwordFile}"; + }; + + script = if cfg.passwordFile != null then '' + PASSWORD=$(cat "$CREDENTIALS_DIRECTORY/TTYD_PASSWORD_FILE") + ${pkgs.ttyd}/bin/ttyd ${lib.escapeShellArgs args} \ + --credential ${lib.escapeShellArg cfg.username}:"$PASSWORD" \ + ${cfg.entrypoint} + '' + else '' + ${pkgs.ttyd}/bin/ttyd ${lib.escapeShellArgs args} \ + ${cfg.entrypoint} + ''; + }; + }; +} diff --git a/nixpkgs/nixos/modules/services/web-servers/unit/default.nix b/nixpkgs/nixos/modules/services/web-servers/unit/default.nix new file mode 100644 index 000000000000..a5f1a872ce81 --- /dev/null +++ b/nixpkgs/nixos/modules/services/web-servers/unit/default.nix @@ -0,0 +1,150 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.unit; + + configFile = pkgs.writeText "unit.json" cfg.config; + +in { + options = { + services.unit = { + enable = mkEnableOption (lib.mdDoc "Unit App Server"); + package = mkPackageOption pkgs "unit" { }; + user = mkOption { + type = types.str; + default = "unit"; + description = lib.mdDoc "User account under which unit runs."; + }; + group = mkOption { + type = types.str; + default = "unit"; + description = lib.mdDoc "Group account under which unit runs."; + }; + stateDir = mkOption { + type = types.path; + default = "/var/spool/unit"; + description = lib.mdDoc "Unit data directory."; + }; + logDir = mkOption { + type = types.path; + default = "/var/log/unit"; + description = lib.mdDoc "Unit log directory."; + }; + config = mkOption { + type = types.str; + default = '' + { + "listeners": {}, + "applications": {} + } + ''; + example = '' + { + "listeners": { + "*:8300": { + "application": "example-php-72" + } + }, + "applications": { + "example-php-72": { + "type": "php 7.2", + "processes": 4, + "user": "nginx", + "group": "nginx", + "root": "/var/www", + "index": "index.php", + "options": { + "file": "/etc/php.d/default.ini", + "admin": { + "max_execution_time": "30", + "max_input_time": "30", + "display_errors": "off", + "display_startup_errors": "off", + "open_basedir": "/dev/urandom:/proc/cpuinfo:/proc/meminfo:/etc/ssl/certs:/var/www", + "disable_functions": "exec,passthru,shell_exec,system" + } + } + } + } + } + ''; + description = lib.mdDoc "Unit configuration in JSON format. More details here https://unit.nginx.org/configuration"; + }; + }; + }; + + config = mkIf cfg.enable { + + environment.systemPackages = [ cfg.package ]; + + systemd.tmpfiles.rules = [ + "d '${cfg.stateDir}' 0750 ${cfg.user} ${cfg.group} - -" + "d '${cfg.logDir}' 0750 ${cfg.user} ${cfg.group} - -" + ]; + + systemd.services.unit = { + description = "Unit App Server"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + preStart = '' + [ ! -e '${cfg.stateDir}/conf.json' ] || rm -f '${cfg.stateDir}/conf.json' + ''; + postStart = '' + ${pkgs.curl}/bin/curl -X PUT --data-binary '@${configFile}' --unix-socket '/run/unit/control.unit.sock' 'http://localhost/config' + ''; + serviceConfig = { + Type = "forking"; + PIDFile = "/run/unit/unit.pid"; + ExecStart = '' + ${cfg.package}/bin/unitd --control 'unix:/run/unit/control.unit.sock' --pid '/run/unit/unit.pid' \ + --log '${cfg.logDir}/unit.log' --statedir '${cfg.stateDir}' --tmpdir '/tmp' \ + --user ${cfg.user} --group ${cfg.group} + ''; + ExecStop = '' + ${pkgs.curl}/bin/curl -X DELETE --unix-socket '/run/unit/control.unit.sock' 'http://localhost/config' + ''; + # Runtime directory and mode + RuntimeDirectory = "unit"; + RuntimeDirectoryMode = "0750"; + # Access write directories + ReadWritePaths = [ cfg.stateDir cfg.logDir ]; + # Security + NoNewPrivileges = true; + # Sandboxing + ProtectSystem = "strict"; + ProtectHome = true; + PrivateTmp = true; + PrivateDevices = true; + PrivateUsers = false; + ProtectHostname = true; + ProtectClock = true; + ProtectKernelTunables = true; + ProtectKernelModules = true; + ProtectKernelLogs = true; + ProtectControlGroups = true; + RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ]; + LockPersonality = true; + MemoryDenyWriteExecute = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + PrivateMounts = true; + # System Call Filtering + SystemCallArchitectures = "native"; + }; + }; + + users.users = optionalAttrs (cfg.user == "unit") { + unit = { + group = cfg.group; + isSystemUser = true; + }; + }; + + users.groups = optionalAttrs (cfg.group == "unit") { + unit = { }; + }; + + }; +} diff --git a/nixpkgs/nixos/modules/services/web-servers/uwsgi.nix b/nixpkgs/nixos/modules/services/web-servers/uwsgi.nix new file mode 100644 index 000000000000..6d3a18d71e91 --- /dev/null +++ b/nixpkgs/nixos/modules/services/web-servers/uwsgi.nix @@ -0,0 +1,233 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.uwsgi; + + isEmperor = cfg.instance.type == "emperor"; + + imperialPowers = + [ + # spawn other user processes + "CAP_SETUID" "CAP_SETGID" + "CAP_SYS_CHROOT" + # transfer capabilities + "CAP_SETPCAP" + # create other user sockets + "CAP_CHOWN" + ]; + + buildCfg = name: c: + let + plugins' = + if any (n: !any (m: m == n) cfg.plugins) (c.plugins or []) + then throw "`plugins` attribute in uWSGI configuration contains plugins not in config.services.uwsgi.plugins" + else c.plugins or cfg.plugins; + plugins = unique plugins'; + + hasPython = v: filter (n: n == "python${v}") plugins != []; + hasPython2 = hasPython "2"; + hasPython3 = hasPython "3"; + + python = + if hasPython2 && hasPython3 then + throw "`plugins` attribute in uWSGI configuration shouldn't contain both python2 and python3" + else if hasPython2 then cfg.package.python2 + else if hasPython3 then cfg.package.python3 + else null; + + pythonEnv = python.withPackages (c.pythonPackages or (self: [])); + + uwsgiCfg = { + uwsgi = + if c.type == "normal" + then { + inherit plugins; + } // removeAttrs c [ "type" "pythonPackages" ] + // optionalAttrs (python != null) { + pyhome = "${pythonEnv}"; + env = + # Argh, uwsgi expects list of key-values there instead of a dictionary. + let envs = partition (hasPrefix "PATH=") (c.env or []); + oldPaths = map (x: substring (stringLength "PATH=") (stringLength x) x) envs.right; + paths = oldPaths ++ [ "${pythonEnv}/bin" ]; + in [ "PATH=${concatStringsSep ":" paths}" ] ++ envs.wrong; + } + else if isEmperor + then { + emperor = if builtins.typeOf c.vassals != "set" then c.vassals + else pkgs.buildEnv { + name = "vassals"; + paths = mapAttrsToList buildCfg c.vassals; + }; + } // removeAttrs c [ "type" "vassals" ] + else throw "`type` attribute in uWSGI configuration should be either 'normal' or 'emperor'"; + }; + + in pkgs.writeTextDir "${name}.json" (builtins.toJSON uwsgiCfg); + +in { + + options = { + services.uwsgi = { + + enable = mkOption { + type = types.bool; + default = false; + description = lib.mdDoc "Enable uWSGI"; + }; + + runDir = mkOption { + type = types.path; + default = "/run/uwsgi"; + description = lib.mdDoc "Where uWSGI communication sockets can live"; + }; + + package = mkOption { + type = types.package; + internal = true; + }; + + instance = mkOption { + type = with types; let + valueType = nullOr (oneOf [ + bool + int + float + str + (lazyAttrsOf valueType) + (listOf valueType) + (mkOptionType { + name = "function"; + description = "function"; + check = x: isFunction x; + merge = mergeOneOption; + }) + ]) // { + description = "Json value or lambda"; + emptyValue.value = {}; + }; + in valueType; + default = { + type = "normal"; + }; + example = literalExpression '' + { + type = "emperor"; + vassals = { + moin = { + type = "normal"; + pythonPackages = self: with self; [ moinmoin ]; + socket = "''${config.services.uwsgi.runDir}/uwsgi.sock"; + }; + }; + } + ''; + description = lib.mdDoc '' + uWSGI configuration. It awaits an attribute `type` inside which can be either + `normal` or `emperor`. + + For `normal` mode you can specify `pythonPackages` as a function + from libraries set into a list of libraries. `pythonpath` will be set accordingly. + + For `emperor` mode, you should use `vassals` attribute + which should be either a set of names and configurations or a path to a directory. + + Other attributes will be used in configuration file as-is. Notice that you can redefine + `plugins` setting here. + ''; + }; + + plugins = mkOption { + type = types.listOf types.str; + default = []; + description = lib.mdDoc "Plugins used with uWSGI"; + }; + + user = mkOption { + type = types.str; + default = "uwsgi"; + description = lib.mdDoc "User account under which uWSGI runs."; + }; + + group = mkOption { + type = types.str; + default = "uwsgi"; + description = lib.mdDoc "Group account under which uWSGI runs."; + }; + + capabilities = mkOption { + type = types.listOf types.str; + apply = caps: caps ++ optionals isEmperor imperialPowers; + default = [ ]; + example = literalExpression '' + [ + "CAP_NET_BIND_SERVICE" # bind on ports <1024 + "CAP_NET_RAW" # open raw sockets + ] + ''; + description = lib.mdDoc '' + Grant capabilities to the uWSGI instance. See the + `capabilities(7)` for available values. + + ::: {.note} + uWSGI runs as an unprivileged user (even as Emperor) with the minimal + capabilities required. This option can be used to add fine-grained + permissions without running the service as root. + + When in Emperor mode, any capability to be inherited by a vassal must + be specified again in the vassal configuration using `cap`. + See the uWSGI [docs](https://uwsgi-docs.readthedocs.io/en/latest/Capabilities.html) + for more information. + ::: + ''; + }; + + extraArgs = mkOption { + type = types.listOf types.str; + default = []; + example = [ "--chmod-socket=664" ]; + description = lib.mdDoc "Extra command line arguments for uwsgi."; + }; + }; + }; + + config = mkIf cfg.enable { + systemd.tmpfiles.rules = optional (cfg.runDir != "/run/uwsgi") '' + d ${cfg.runDir} 775 ${cfg.user} ${cfg.group} + ''; + + systemd.services.uwsgi = { + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + User = cfg.user; + Group = cfg.group; + Type = "notify"; + ExecStart = "${cfg.package}/bin/uwsgi ${escapeShellArgs cfg.extraArgs} --json ${buildCfg "server" cfg.instance}/server.json"; + ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; + ExecStop = "${pkgs.coreutils}/bin/kill -INT $MAINPID"; + NotifyAccess = "main"; + KillSignal = "SIGQUIT"; + AmbientCapabilities = cfg.capabilities; + CapabilityBoundingSet = cfg.capabilities; + RuntimeDirectory = mkIf (cfg.runDir == "/run/uwsgi") "uwsgi"; + }; + }; + + users.users = optionalAttrs (cfg.user == "uwsgi") { + uwsgi = { + group = cfg.group; + uid = config.ids.uids.uwsgi; + }; + }; + + users.groups = optionalAttrs (cfg.group == "uwsgi") { + uwsgi.gid = config.ids.gids.uwsgi; + }; + + services.uwsgi.package = pkgs.uwsgi.override { + plugins = unique cfg.plugins; + }; + }; +} diff --git a/nixpkgs/nixos/modules/services/web-servers/varnish/default.nix b/nixpkgs/nixos/modules/services/web-servers/varnish/default.nix new file mode 100644 index 000000000000..857dd64c01be --- /dev/null +++ b/nixpkgs/nixos/modules/services/web-servers/varnish/default.nix @@ -0,0 +1,108 @@ +{ config, lib, pkgs, ...}: + +with lib; + +let + cfg = config.services.varnish; + + commandLine = "-f ${pkgs.writeText "default.vcl" cfg.config}" + + optionalString (cfg.extraModules != []) " -p vmod_path='${makeSearchPathOutput "lib" "lib/varnish/vmods" ([cfg.package] ++ cfg.extraModules)}' -r vmod_path"; +in +{ + options = { + services.varnish = { + enable = mkEnableOption (lib.mdDoc "Varnish Server"); + + enableConfigCheck = mkEnableOption (lib.mdDoc "checking the config during build time") // { default = true; }; + + package = mkPackageOption pkgs "varnish" { }; + + http_address = mkOption { + type = types.str; + default = "*:6081"; + description = lib.mdDoc '' + HTTP listen address and port. + ''; + }; + + config = mkOption { + type = types.lines; + description = lib.mdDoc '' + Verbatim default.vcl configuration. + ''; + }; + + stateDir = mkOption { + type = types.path; + default = "/var/spool/varnish/${config.networking.hostName}"; + defaultText = literalExpression ''"/var/spool/varnish/''${config.networking.hostName}"''; + description = lib.mdDoc '' + Directory holding all state for Varnish to run. + ''; + }; + + extraModules = mkOption { + type = types.listOf types.package; + default = []; + example = literalExpression "[ pkgs.varnishPackages.geoip ]"; + description = lib.mdDoc '' + Varnish modules (except 'std'). + ''; + }; + + extraCommandLine = mkOption { + type = types.str; + default = ""; + example = "-s malloc,256M"; + description = lib.mdDoc '' + Command line switches for varnishd (run 'varnishd -?' to get list of options) + ''; + }; + }; + + }; + + config = mkIf cfg.enable { + + systemd.services.varnish = { + description = "Varnish"; + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + preStart = '' + mkdir -p ${cfg.stateDir} + chown -R varnish:varnish ${cfg.stateDir} + ''; + postStop = '' + rm -rf ${cfg.stateDir} + ''; + serviceConfig = { + Type = "simple"; + PermissionsStartOnly = true; + ExecStart = "${cfg.package}/sbin/varnishd -a ${cfg.http_address} -n ${cfg.stateDir} -F ${cfg.extraCommandLine} ${commandLine}"; + Restart = "always"; + RestartSec = "5s"; + User = "varnish"; + Group = "varnish"; + AmbientCapabilities = "cap_net_bind_service"; + NoNewPrivileges = true; + LimitNOFILE = 131072; + }; + }; + + environment.systemPackages = [ cfg.package ]; + + # check .vcl syntax at compile time (e.g. before nixops deployment) + system.checks = mkIf cfg.enableConfigCheck [ + (pkgs.runCommand "check-varnish-syntax" {} '' + ${cfg.package}/bin/varnishd -C ${commandLine} 2> $out || (cat $out; exit 1) + '') + ]; + + users.users.varnish = { + group = "varnish"; + uid = config.ids.uids.varnish; + }; + + users.groups.varnish.gid = config.ids.uids.varnish; + }; +} |