Diffstat (limited to 'nixpkgs/nixos/modules/services/web-servers')
-rw-r--r--nixpkgs/nixos/modules/services/web-servers/apache-httpd/default.nix13
-rw-r--r--nixpkgs/nixos/modules/services/web-servers/apache-httpd/vhost-options.nix21
-rw-r--r--nixpkgs/nixos/modules/services/web-servers/caddy/default.nix (renamed from nixpkgs/nixos/modules/services/web-servers/caddy.nix)93
-rw-r--r--nixpkgs/nixos/modules/services/web-servers/caddy/vhost-options.nix28
-rw-r--r--nixpkgs/nixos/modules/services/web-servers/minio.nix10
-rw-r--r--nixpkgs/nixos/modules/services/web-servers/nginx/default.nix43
-rw-r--r--nixpkgs/nixos/modules/services/web-servers/nginx/vhost-options.nix19
7 files changed, 186 insertions, 41 deletions
diff --git a/nixpkgs/nixos/modules/services/web-servers/apache-httpd/default.nix b/nixpkgs/nixos/modules/services/web-servers/apache-httpd/default.nix
index df7035c03cc2..ceb199870975 100644
--- a/nixpkgs/nixos/modules/services/web-servers/apache-httpd/default.nix
+++ b/nixpkgs/nixos/modules/services/web-servers/apache-httpd/default.nix
@@ -36,11 +36,12 @@ let
   dependentCertNames = unique (map (hostOpts: hostOpts.certName) acmeEnabledVhosts);
 
   mkListenInfo = hostOpts:
-    if hostOpts.listen != [] then hostOpts.listen
-    else (
-      optional (hostOpts.onlySSL || hostOpts.addSSL || hostOpts.forceSSL) { ip = "*"; port = 443; ssl = true; } ++
-      optional (!hostOpts.onlySSL) { ip = "*"; port = 80; ssl = false; }
-    );
+    if hostOpts.listen != [] then
+      hostOpts.listen
+    else
+      optionals (hostOpts.onlySSL || hostOpts.addSSL || hostOpts.forceSSL) (map (addr: { ip = addr; port = 443; ssl = true; }) hostOpts.listenAddresses) ++
+      optionals (!hostOpts.onlySSL) (map (addr: { ip = addr; port = 80; ssl = false; }) hostOpts.listenAddresses)
+    ;
 
   listenInfo = unique (concatMap mkListenInfo vhosts);
 
@@ -462,7 +463,7 @@ in
         default = "common";
         example = "combined";
         description = ''
-          Log format for log files. Possible values are: combined, common, referer, agent.
+          Log format for log files. Possible values are: combined, common, referer, agent, none.
           See <link xlink:href="https://httpd.apache.org/docs/2.4/logs.html"/> for more details.
         '';
       };
diff --git a/nixpkgs/nixos/modules/services/web-servers/apache-httpd/vhost-options.nix b/nixpkgs/nixos/modules/services/web-servers/apache-httpd/vhost-options.nix
index 394f9a305546..3f732a5c9f33 100644
--- a/nixpkgs/nixos/modules/services/web-servers/apache-httpd/vhost-options.nix
+++ b/nixpkgs/nixos/modules/services/web-servers/apache-httpd/vhost-options.nix
@@ -47,10 +47,27 @@ in
       ];
       description = ''
         Listen addresses and ports for this virtual host.
-        <note><para>
+        <note>
+        <para>
           This option overrides <literal>addSSL</literal>, <literal>forceSSL</literal> and <literal>onlySSL</literal>.
-        </para></note>
+        </para>
+        <para>
+          If you only want to set the addresses manually and not the ports, take a look at <literal>listenAddresses</literal>.
+        </para>
+        </note>
+      '';
+    };
+
+    listenAddresses = mkOption {
+      type = with types; nonEmptyListOf str;
+
+      description = ''
+        Listen addresses for this virtual host.
+        Compared to <literal>listen</literal> this only sets the addreses
+        and the ports are chosen automatically.
       '';
+      default = [ "*" ];
+      example = [ "127.0.0.1" ];
     };
 
     enableSSL = mkOption {
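Review bot: The note on `listen` should also say that it overrides `listenAddresses`: the reworked `mkListenInfo` in default.nix returns `hostOpts.listen` as-is and never consults `listenAddresses` when `listen` is non-empty, so a user setting both gets the addresses silently ignored. Suggested wording: `This option overrides <literal>addSSL</literal>, <literal>forceSSL</literal>, <literal>onlySSL</literal> and <literal>listenAddresses</literal>.` Also fix the typo in the new description (`addreses` → `addresses`) and mention that the default `[ "*" ]` binds every interface, so a host that should stay local needs an explicit `[ "127.0.0.1" ]`.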
diff --git a/nixpkgs/nixos/modules/services/web-servers/caddy.nix b/nixpkgs/nixos/modules/services/web-servers/caddy/default.nix
index 955b9756406d..fd7102096343 100644
--- a/nixpkgs/nixos/modules/services/web-servers/caddy.nix
+++ b/nixpkgs/nixos/modules/services/web-servers/caddy/default.nix
@@ -4,42 +4,57 @@ with lib;
 
 let
   cfg = config.services.caddy;
-  configFile = pkgs.writeText "Caddyfile" cfg.config;
+  vhostToConfig = vhostName: vhostAttrs: ''
+    ${vhostName} ${builtins.concatStringsSep " " vhostAttrs.serverAliases} {
+      ${vhostAttrs.extraConfig}
+    }
+  '';
+  configFile = pkgs.writeText "Caddyfile" (builtins.concatStringsSep "\n"
+    ([ cfg.config ] ++ (mapAttrsToList vhostToConfig cfg.virtualHosts)));
+
+  formattedConfig = pkgs.runCommand "formattedCaddyFile" { } ''
+    ${cfg.package}/bin/caddy fmt ${configFile} > $out
+  '';
 
   tlsConfig = {
     apps.tls.automation.policies = [{
-      issuer = {
+      issuers = [{
         inherit (cfg) ca email;
         module = "acme";
-      };
+      }];
     }];
   };
 
   adaptedConfig = pkgs.runCommand "caddy-config-adapted.json" { } ''
     ${cfg.package}/bin/caddy adapt \
-      --config ${configFile} --adapter ${cfg.adapter} > $out
+      --config ${formattedConfig} --adapter ${cfg.adapter} > $out
   '';
   tlsJSON = pkgs.writeText "tls.json" (builtins.toJSON tlsConfig);
 
   # merge the TLS config options we expose with the ones originating in the Caddyfile
   configJSON =
-    let tlsConfigMerge = ''
-      {"apps":
-        {"tls":
-          {"automation":
-            {"policies":
-              (if .[0].apps.tls.automation.policies == .[1]?.apps.tls.automation.policies
-               then .[0].apps.tls.automation.policies
-               else (.[0].apps.tls.automation.policies + .[1]?.apps.tls.automation.policies)
-               end)
+    if cfg.ca != null then
+      let tlsConfigMerge = ''
+        {"apps":
+          {"tls":
+            {"automation":
+              {"policies":
+                (if .[0].apps.tls.automation.policies == .[1]?.apps.tls.automation.policies
+                 then .[0].apps.tls.automation.policies
+                 else (.[0].apps.tls.automation.policies + .[1]?.apps.tls.automation.policies)
+                 end)
+              }
             }
           }
-        }
-      }'';
-    in pkgs.runCommand "caddy-config.json" { } ''
-    ${pkgs.jq}/bin/jq -s '.[0] * ${tlsConfigMerge}' ${adaptedConfig} ${tlsJSON} > $out
-  '';
-in {
+        }'';
+      in
+      pkgs.runCommand "caddy-config.json" { } ''
+        ${pkgs.jq}/bin/jq -s '.[0] * ${tlsConfigMerge}' ${adaptedConfig} ${tlsJSON} > $out
+      ''
+    else
+      adaptedConfig;
+in
+{
   imports = [
     (mkRemovedOptionModule [ "services" "caddy" "agree" ] "this option is no longer necessary for Caddy 2")
   ];
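Review bot: `vhostToConfig` splices the attribute name and each `serverAliases` entry into the Caddyfile unquoted and space-separated, so a name containing whitespace, `{` or `}` silently becomes two site addresses or breaks the block structure, and `caddy fmt` only reformats rather than checks this. These values come from the evaluated NixOS configuration, not from request data, so it is a robustness rather than a trust-boundary issue, but an assertion rejecting names with whitespace or braces, or at least the comment `# vhost names and aliases are Caddyfile site addresses and are inserted verbatim; no quoting is applied`, would make the failure mode explicit. Structural errors surface, if at all, only at the `caddy adapt` step, as a build failure rather than an evaluation error.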
@@ -63,6 +78,27 @@ in {
       '';
     };
 
+    virtualHosts = mkOption {
+      type = types.attrsOf (types.submodule (import ./vhost-options.nix {
+        inherit config lib;
+      }));
+      default = { };
+      example = literalExample ''
+        {
+          "hydra.example.com" = {
+            serverAliases = [ "www.hydra.example.com" ];
+            extraConfig = ''''''
+              encode gzip
+              log
+              root /srv/http
+            '''''';
+          };
+        };
+      '';
+      description = "Declarative vhost config";
+    };
+
+
     user = mkOption {
       default = "caddy";
       type = types.str;
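Review bot: The description `Declarative vhost config` does not tell the reader what the attribute name means or that `extraConfig` is inserted unescaped; the generated Caddyfile uses the attribute name as the site address, followed by `serverAliases`, with `extraConfig` as the verbatim block body. Suggested description: `Declarative specification of virtual hosts served by Caddy. The attribute name is used as the site address of the Caddyfile block; <literal>serverAliases</literal> are appended as additional addresses and <literal>extraConfig</literal> is inserted into the block verbatim.`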
@@ -85,11 +121,24 @@ in {
       '';
     };
 
+    resume = mkOption {
+      default = false;
+      type = types.bool;
+      description = ''
+        Use saved config, if any (and prefer over configuration passed with <option>services.caddy.config</option>).
+      '';
+    };
+
     ca = mkOption {
       default = "https://acme-v02.api.letsencrypt.org/directory";
       example = "https://acme-staging-v02.api.letsencrypt.org/directory";
-      type = types.str;
-      description = "Certificate authority ACME server. The default (Let's Encrypt production server) should be fine for most people.";
+      type = types.nullOr types.str;
+      description = ''
+        Certificate authority ACME server. The default (Let's Encrypt
+        production server) should be fine for most people. Set it to null if
+        you don't want to include any authority (or if you want to write a more
+        fine-graned configuration manually)
+      '';
     };
 
     email = mkOption {
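Review bot: Setting `ca = null` also silently discards `email`: `tlsConfig` is merged into the adapted config only in the `cfg.ca != null` branch, so with `ca = null` the `email` option has no effect unless the user repeats it in their Caddyfile. The `ca` description should say so, e.g. append `Note that <option>services.caddy.email</option> is only applied when this option is non-null.` The `resume` description mentions only `services.caddy.config`, but a saved config takes precedence over `virtualHosts` as well; the sentence should cover both.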
@@ -132,7 +181,7 @@ in {
       startLimitIntervalSec = 14400;
       startLimitBurst = 10;
       serviceConfig = {
-        ExecStart = "${cfg.package}/bin/caddy run --config ${configJSON}";
+        ExecStart = "${cfg.package}/bin/caddy run ${optionalString cfg.resume "--resume"} --config ${configJSON}";
         ExecReload = "${cfg.package}/bin/caddy reload --config ${configJSON}";
         Type = "simple";
         User = cfg.user;
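Review bot: With `resume = true` a restart prefers Caddy's last autosaved config, but `ExecReload` still pushes the declarative `configJSON`, so `systemctl reload caddy` replaces whatever was saved (for example changes made through the admin API) while `systemctl restart caddy` keeps them; the two paths yield different running configurations. Either make `ExecReload` honour `resume` too or document the asymmetry on the option, e.g. `A reload always applies the NixOS-generated configuration, replacing any saved one.` It is also worth stating that with `--resume` the effective configuration is no longer fully determined by the NixOS configuration, which matters for anyone reviewing the declarative config to know what the server serves. The service definition continues outside this hunk.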
diff --git a/nixpkgs/nixos/modules/services/web-servers/caddy/vhost-options.nix b/nixpkgs/nixos/modules/services/web-servers/caddy/vhost-options.nix
new file mode 100644
index 000000000000..1f74295fc9a2
--- /dev/null
+++ b/nixpkgs/nixos/modules/services/web-servers/caddy/vhost-options.nix
@@ -0,0 +1,28 @@
+# This file defines the options that can be used both for the Nginx
+# main server configuration, and for the virtual hosts.  (The latter
+# has additional options that affect the web server as a whole, like
+# the user/group to run under.)
+
+{ lib, ... }:
+
+with lib;
+{
+  options = {
+    serverAliases = mkOption {
+      type = types.listOf types.str;
+      default = [ ];
+      example = [ "www.example.org" "example.org" ];
+      description = ''
+        Additional names of virtual hosts served by this virtual host configuration.
+      '';
+    };
+
+    extraConfig = mkOption {
+      type = types.lines;
+      default = "";
+      description = ''
+        These lines go into the vhost verbatim
+      '';
+    };
+  };
+}
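Review bot: The header comment is copied from the nginx module and is wrong for this new file: it talks about options shared between the "Nginx main server configuration" and virtual hosts, but this file defines only the two per-vhost options for Caddy and nothing here is used for the main configuration. Replace it with something like `# Options for a single Caddy virtual host (services.caddy.virtualHosts.<name>). The attribute name is used as the site address; serverAliases are appended and extraConfig is inserted into the block verbatim.` The `extraConfig` description could also note that the lines are not validated beyond what Caddy's own config adaptation catches at build time.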
diff --git a/nixpkgs/nixos/modules/services/web-servers/minio.nix b/nixpkgs/nixos/modules/services/web-servers/minio.nix
index d075449012f7..6b10afad4991 100644
--- a/nixpkgs/nixos/modules/services/web-servers/minio.nix
+++ b/nixpkgs/nixos/modules/services/web-servers/minio.nix
@@ -19,7 +19,13 @@ in
     listenAddress = mkOption {
       default = ":9000";
       type = types.str;
-      description = "Listen on a specific IP address and port.";
+      description = "IP address and port of the server.";
+    };
+
+    consoleAddress = mkOption {
+      default = ":9001";
+      type = types.str;
+      description = "IP address and port of the web UI (console).";
     };
 
     dataDir = mkOption {
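Review bot: The new `consoleAddress` default `":9001"` binds the MinIO web console on every interface, and the description does not say so; the console is an authenticated admin UI, so the default deserves an explicit mention and a pointer to binding locally, e.g. `IP address and port of the web UI (console). The default binds to all interfaces; use e.g. <literal>127.0.0.1:9001</literal> to expose it only through a reverse proxy.` Whether the module opens a firewall port is not visible in this hunk, so the description should not claim either way.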
@@ -99,7 +105,7 @@ in
       after = [ "network.target" ];
       wantedBy = [ "multi-user.target" ];
       serviceConfig = {
-        ExecStart = "${cfg.package}/bin/minio server --json --address ${cfg.listenAddress} --config-dir=${cfg.configDir} ${toString cfg.dataDir}";
+        ExecStart = "${cfg.package}/bin/minio server --json --address ${cfg.listenAddress} --console-address ${cfg.consoleAddress} --config-dir=${cfg.configDir} ${toString cfg.dataDir}";
         Type = "simple";
         User = "minio";
         Group = "minio";
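Review bot: `--console-address` is passed unconditionally, so a `services.minio.package` overridden to a release that predates the flag will fail at startup rather than fall back to the previous behaviour; if the package is overridable, the option description or an assertion should state the minimum release expected. Both addresses are interpolated into `ExecStart` unquoted and systemd splits the command line on whitespace, so wrapping `${cfg.listenAddress}` and `${cfg.consoleAddress}` in `lib.escapeShellArg` (or `utils.escapeSystemdExecArg`) would make a malformed value fail clearly instead of shifting arguments. The service definition continues outside this hunk.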
diff --git a/nixpkgs/nixos/modules/services/web-servers/nginx/default.nix b/nixpkgs/nixos/modules/services/web-servers/nginx/default.nix
index ebb3c38d6c25..6682472fdb8e 100644
--- a/nixpkgs/nixos/modules/services/web-servers/nginx/default.nix
+++ b/nixpkgs/nixos/modules/services/web-servers/nginx/default.nix
@@ -22,7 +22,9 @@ let
     } // (optionalAttrs (vhostConfig.enableACME || vhostConfig.useACMEHost != null) {
       sslCertificate = "${certs.${certName}.directory}/fullchain.pem";
       sslCertificateKey = "${certs.${certName}.directory}/key.pem";
-      sslTrustedCertificate = "${certs.${certName}.directory}/chain.pem";
+      sslTrustedCertificate = if vhostConfig.sslTrustedCertificate != null
+                              then vhostConfig.sslTrustedCertificate
+                              else "${certs.${certName}.directory}/chain.pem";
     })
   ) cfg.virtualHosts;
   enableIPv6 = config.networking.enableIPv6;
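Review bot: When `sslTrustedCertificate` is set on an ACME-enabled vhost, the ACME `chain.pem` is no longer used at all, so a user who points it at a bundle that lacks the issuing chain will have OCSP stapling verification fail (nginx only logs a warning and serves without the staple). A comment at the override would help, e.g. `# a user-provided sslTrustedCertificate replaces, rather than extends, the ACME chain; it must still contain the issuer for stapling verification to succeed`, with a matching sentence on the option. The `virtualHosts` mapping this sits in continues outside this hunk.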
@@ -169,6 +171,14 @@ let
         map_hash_max_size ${toString cfg.mapHashMaxSize};
       ''}
 
+      ${optionalString (cfg.serverNamesHashBucketSize != null) ''
+        server_names_hash_bucket_size ${toString cfg.serverNamesHashBucketSize};
+      ''}
+
+      ${optionalString (cfg.serverNamesHashMaxSize != null) ''
+        server_names_hash_max_size ${toString cfg.serverNamesHashMaxSize};
+      ''}
+
       # $connection_upgrade is used for websocket proxying
       map $http_upgrade $connection_upgrade {
           default upgrade;
@@ -230,13 +240,13 @@ let
 
         defaultListen =
           if vhost.listen != [] then vhost.listen
-          else optionals (hasSSL || vhost.rejectSSL) (
-            singleton { addr = "0.0.0.0"; port = 443; ssl = true; }
-            ++ optional enableIPv6 { addr = "[::]"; port = 443; ssl = true; }
-          ) ++ optionals (!onlySSL) (
-            singleton { addr = "0.0.0.0"; port = 80; ssl = false; }
-            ++ optional enableIPv6 { addr = "[::]"; port = 80; ssl = false; }
-          );
+          else
+            let addrs = if vhost.listenAddresses != [] then vhost.listenAddresses else (
+              [ "0.0.0.0" ] ++ optional enableIPv6 "[::0]"
+            );
+            in
+          optionals (hasSSL || vhost.rejectSSL) (map (addr: { inherit addr; port = 443; ssl = true; }) addrs)
+          ++ optionals (!onlySSL) (map (addr: { inherit addr; port = 80; ssl = false; }) addrs);
 
         hostListen =
           if vhost.forceSSL
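Review bot: The fallback IPv6 wildcard changes from `[::]` to `[::0]`; nginx accepts both, but the rewrite alters every existing user's generated config and any external tooling matching on `listen [::]:443`, so keep `[::]` unless there is a reason for the change. With `listenAddresses` set, `enableIPv6` is bypassed entirely, which matches the new option's note; the strings are inserted verbatim with a port appended, so IPv6 entries need their brackets here too. `defaultListen` is a binding in a larger `let` that continues outside this hunk.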
@@ -641,6 +651,23 @@ in
           '';
       };
 
+      serverNamesHashBucketSize = mkOption {
+        type = types.nullOr types.ints.positive;
+        default = null;
+        description = ''
+            Sets the bucket size for the server names hash tables. Default
+            value depends on the processor’s cache line size.
+          '';
+      };
+
+      serverNamesHashMaxSize = mkOption {
+        type = types.nullOr types.ints.positive;
+        default = null;
+        description = ''
+            Sets the maximum size of the server names hash tables.
+          '';
+      };
+
       resolver = mkOption {
         type = types.submodule {
           options = {
diff --git a/nixpkgs/nixos/modules/services/web-servers/nginx/vhost-options.nix b/nixpkgs/nixos/modules/services/web-servers/nginx/vhost-options.nix
index bc18bcaa7b34..94645e927f86 100644
--- a/nixpkgs/nixos/modules/services/web-servers/nginx/vhost-options.nix
+++ b/nixpkgs/nixos/modules/services/web-servers/nginx/vhost-options.nix
@@ -43,7 +43,24 @@ with lib;
         IPv6 addresses must be enclosed in square brackets.
         Note: this option overrides <literal>addSSL</literal>
         and <literal>onlySSL</literal>.
+
+        If you only want to set the addresses manually and not
+        the ports, take a look at <literal>listenAddresses</literal>
+      '';
+    };
+
+    listenAddresses = mkOption {
+      type = with types; listOf str;
+
+      description = ''
+        Listen addresses for this virtual host.
+        Compared to <literal>listen</literal> this only sets the addreses
+        and the ports are choosen automatically.
+
+        Note: This option overrides <literal>enableIPv6</literal>
       '';
+      default = [];
+      example = [ "127.0.0.1" "::1" ];
     };
 
     enableACME = mkOption {
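Review bot: The example `[ "127.0.0.1" "::1" ]` contradicts the note a few lines above that IPv6 addresses must be enclosed in square brackets: the value is inserted verbatim into `listen` directives with a port appended, and nginx does not accept `::1:80`, so the example as written produces a config that fails to load. Change it to `example = [ "127.0.0.1" "[::1]" ];` and add `IPv6 addresses must be enclosed in square brackets.` to the description. Also fix the typos `addreses` → `addresses` and `choosen` → `chosen`.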
@@ -145,7 +162,7 @@ with lib;
     sslTrustedCertificate = mkOption {
       type = types.nullOr types.path;
       default = null;
-      example = "/var/root.cert";
+      example = "\${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
       description = "Path to root SSL certificate for stapling and client certificates.";
     };