2014-04-14 14:26:48 +00:00
|
|
|
{ config, lib, pkgs, ... }:
|
2007-12-12 13:58:15 +00:00
|
|
|
|
2014-04-14 14:26:48 +00:00
|
|
|
with lib;
|
2009-03-06 12:26:41 +00:00
|
|
|
|
2009-07-15 11:19:11 +00:00
|
|
|
let
|
2007-12-12 13:58:15 +00:00
|
|
|
|
2020-01-25 01:36:48 +00:00
|
|
|
cfg = config.services.httpd;
|
2011-09-14 18:20:50 +00:00
|
|
|
|
2020-06-19 19:27:46 +00:00
|
|
|
certs = config.security.acme.certs;
|
|
|
|
|
2019-11-04 12:32:28 +00:00
|
|
|
runtimeDir = "/run/httpd";
|
|
|
|
|
2020-01-25 01:36:48 +00:00
|
|
|
pkg = cfg.package.out;
|
2012-07-23 19:48:21 +00:00
|
|
|
|
2020-02-02 13:38:57 +00:00
|
|
|
apachectl = pkgs.runCommand "apachectl" { meta.priority = -1; } ''
|
|
|
|
mkdir -p $out/bin
|
|
|
|
cp ${pkg}/bin/apachectl $out/bin/apachectl
|
2021-05-11 23:51:23 +00:00
|
|
|
sed -i $out/bin/apachectl -e 's|$HTTPD -t|$HTTPD -t -f /etc/httpd/httpd.conf|'
|
2020-02-02 13:38:57 +00:00
|
|
|
'';
|
|
|
|
|
2022-10-03 06:25:17 +00:00
|
|
|
php = cfg.phpPackage.override { apxs2Support = true; apacheHttpd = pkg; };
|
2016-06-22 12:24:25 +00:00
|
|
|
|
2021-02-27 20:40:00 +00:00
|
|
|
phpModuleName = let
|
|
|
|
majorVersion = lib.versions.major (lib.getVersion php);
|
|
|
|
in (if majorVersion == "8" then "php" else "php${majorVersion}");
|
2007-12-12 13:58:15 +00:00
|
|
|
|
2020-01-25 01:36:48 +00:00
|
|
|
mod_perl = pkgs.apacheHttpdPackages.mod_perl.override { apacheHttpd = pkg; };
|
2016-12-15 11:36:07 +00:00
|
|
|
|
2020-01-25 01:36:48 +00:00
|
|
|
vhosts = attrValues cfg.virtualHosts;
|
2016-11-12 14:35:32 +00:00
|
|
|
|
2020-06-19 19:27:46 +00:00
|
|
|
# certName is used later on to determine systemd service names.
|
|
|
|
acmeEnabledVhosts = map (hostOpts: hostOpts // {
|
|
|
|
certName = if hostOpts.useACMEHost != null then hostOpts.useACMEHost else hostOpts.hostName;
|
|
|
|
}) (filter (hostOpts: hostOpts.enableACME || hostOpts.useACMEHost != null) vhosts);
|
|
|
|
|
2024-08-21 21:46:30 +00:00
|
|
|
vhostCertNames = unique (map (hostOpts: hostOpts.certName) acmeEnabledVhosts);
|
|
|
|
dependentCertNames = filter (cert: certs.${cert}.dnsProvider == null) vhostCertNames; # those that might depend on the HTTP server
|
|
|
|
independentCertNames = filter (cert: certs.${cert}.dnsProvider != null) vhostCertNames; # those that don't depend on the HTTP server
|
2020-06-19 19:27:46 +00:00
|
|
|
|
2019-11-04 21:24:55 +00:00
|
|
|
mkListenInfo = hostOpts:
|
2021-08-14 12:35:30 +00:00
|
|
|
if hostOpts.listen != [] then
|
|
|
|
hostOpts.listen
|
|
|
|
else
|
|
|
|
optionals (hostOpts.onlySSL || hostOpts.addSSL || hostOpts.forceSSL) (map (addr: { ip = addr; port = 443; ssl = true; }) hostOpts.listenAddresses) ++
|
|
|
|
optionals (!hostOpts.onlySSL) (map (addr: { ip = addr; port = 80; ssl = false; }) hostOpts.listenAddresses)
|
|
|
|
;
|
2016-11-12 14:35:32 +00:00
|
|
|
|
2019-11-04 21:24:55 +00:00
|
|
|
listenInfo = unique (concatMap mkListenInfo vhosts);
|
2008-09-14 01:30:45 +00:00
|
|
|
|
2020-02-01 21:07:51 +00:00
|
|
|
enableHttp2 = any (vhost: vhost.http2) vhosts;
|
2019-11-04 21:24:55 +00:00
|
|
|
enableSSL = any (listen: listen.ssl) listenInfo;
|
|
|
|
enableUserDir = any (vhost: vhost.enableUserDir) vhosts;
|
2019-11-09 00:53:56 +00:00
|
|
|
|
2019-11-04 16:21:20 +00:00
|
|
|
# NOTE: generally speaking order of modules is very important
|
|
|
|
modules =
|
|
|
|
[ # required apache modules our httpd service cannot run without
|
|
|
|
"authn_core" "authz_core"
|
|
|
|
"log_config"
|
|
|
|
"mime" "autoindex" "negotiation" "dir"
|
|
|
|
"alias" "rewrite"
|
|
|
|
"unixd" "slotmem_shm" "socache_shmcb"
|
2020-04-12 00:03:33 +00:00
|
|
|
"mpm_${cfg.mpm}"
|
2012-10-17 13:21:32 +00:00
|
|
|
]
|
2020-04-12 00:03:33 +00:00
|
|
|
++ (if cfg.mpm == "prefork" then [ "cgi" ] else [ "cgid" ])
|
2020-02-01 21:07:51 +00:00
|
|
|
++ optional enableHttp2 "http2"
|
2010-07-14 12:58:38 +00:00
|
|
|
++ optional enableSSL "ssl"
|
2019-11-09 00:53:56 +00:00
|
|
|
++ optional enableUserDir "userdir"
|
2020-01-25 01:36:48 +00:00
|
|
|
++ optional cfg.enableMellon { name = "auth_mellon"; path = "${pkgs.apacheHttpdPackages.mod_auth_mellon}/modules/mod_auth_mellon.so"; }
|
2021-02-27 20:40:00 +00:00
|
|
|
++ optional cfg.enablePHP { name = phpModuleName; path = "${php}/modules/lib${phpModuleName}.so"; }
|
2020-01-25 01:36:48 +00:00
|
|
|
++ optional cfg.enablePerl { name = "perl"; path = "${mod_perl}/modules/mod_perl.so"; }
|
|
|
|
++ cfg.extraModules;
|
2011-09-14 18:20:50 +00:00
|
|
|
|
2020-01-25 01:36:48 +00:00
|
|
|
loggingConf = (if cfg.logFormat != "none" then ''
|
|
|
|
ErrorLog ${cfg.logDir}/error.log
|
2007-12-12 13:58:15 +00:00
|
|
|
|
|
|
|
LogLevel notice
|
|
|
|
|
|
|
|
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
|
|
|
|
LogFormat "%h %l %u %t \"%r\" %>s %b" common
|
|
|
|
LogFormat "%{Referer}i -> %U" referer
|
|
|
|
LogFormat "%{User-agent}i" agent
|
|
|
|
|
2020-01-25 01:36:48 +00:00
|
|
|
CustomLog ${cfg.logDir}/access.log ${cfg.logFormat}
|
2014-07-10 12:32:08 +00:00
|
|
|
'' else ''
|
|
|
|
ErrorLog /dev/null
|
|
|
|
'');
|
2007-12-12 13:58:15 +00:00
|
|
|
|
|
|
|
|
|
|
|
browserHacks = ''
|
2019-11-04 16:21:20 +00:00
|
|
|
<IfModule mod_setenvif.c>
|
|
|
|
BrowserMatch "Mozilla/2" nokeepalive
|
|
|
|
BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0
|
|
|
|
BrowserMatch "RealPlayer 4\.0" force-response-1.0
|
|
|
|
BrowserMatch "Java/1\.0" force-response-1.0
|
|
|
|
BrowserMatch "JDK/1\.0" force-response-1.0
|
|
|
|
BrowserMatch "Microsoft Data Access Internet Publishing Provider" redirect-carefully
|
|
|
|
BrowserMatch "^WebDrive" redirect-carefully
|
|
|
|
BrowserMatch "^WebDAVFS/1.[012]" redirect-carefully
|
|
|
|
BrowserMatch "^gnome-vfs" redirect-carefully
|
|
|
|
</IfModule>
|
2007-12-12 13:58:15 +00:00
|
|
|
'';
|
|
|
|
|
|
|
|
|
|
|
|
sslConf = ''
|
2020-01-25 01:36:48 +00:00
|
|
|
<IfModule mod_ssl.c>
|
|
|
|
SSLSessionCache shmcb:${runtimeDir}/ssl_scache(512000)
|
2007-12-12 13:58:15 +00:00
|
|
|
|
2020-01-25 01:36:48 +00:00
|
|
|
Mutex posixsem
|
2007-12-12 13:58:15 +00:00
|
|
|
|
2020-01-25 01:36:48 +00:00
|
|
|
SSLRandomSeed startup builtin
|
|
|
|
SSLRandomSeed connect builtin
|
2015-03-09 13:09:43 +00:00
|
|
|
|
2020-01-25 01:36:48 +00:00
|
|
|
SSLProtocol ${cfg.sslProtocols}
|
|
|
|
SSLCipherSuite ${cfg.sslCiphers}
|
|
|
|
SSLHonorCipherOrder on
|
|
|
|
</IfModule>
|
2007-12-12 13:58:15 +00:00
|
|
|
'';
|
|
|
|
|
|
|
|
|
|
|
|
mimeConf = ''
|
2020-01-25 01:36:48 +00:00
|
|
|
TypesConfig ${pkg}/conf/mime.types
|
2007-12-12 13:58:15 +00:00
|
|
|
|
|
|
|
AddType application/x-x509-ca-cert .crt
|
|
|
|
AddType application/x-pkcs7-crl .crl
|
2008-02-05 16:25:07 +00:00
|
|
|
AddType application/x-httpd-php .php .phtml
|
2007-12-12 13:58:15 +00:00
|
|
|
|
|
|
|
<IfModule mod_mime_magic.c>
|
2020-01-25 01:36:48 +00:00
|
|
|
MIMEMagicFile ${pkg}/conf/magic
|
2007-12-12 13:58:15 +00:00
|
|
|
</IfModule>
|
|
|
|
'';
|
|
|
|
|
2021-01-05 20:04:57 +00:00
|
|
|
luaSetPaths = let
|
|
|
|
# support both lua and lua.withPackages derivations
|
|
|
|
luaversion = cfg.package.lua5.lua.luaversion or cfg.package.lua5.luaversion;
|
|
|
|
in
|
|
|
|
''
|
2020-12-25 21:54:05 +00:00
|
|
|
<IfModule mod_lua.c>
|
2021-01-05 20:04:57 +00:00
|
|
|
LuaPackageCPath ${cfg.package.lua5}/lib/lua/${luaversion}/?.so
|
|
|
|
LuaPackagePath ${cfg.package.lua5}/share/lua/${luaversion}/?.lua
|
2020-12-25 21:54:05 +00:00
|
|
|
</IfModule>
|
|
|
|
'';
|
|
|
|
|
2019-11-04 21:24:55 +00:00
|
|
|
mkVHostConf = hostOpts:
|
|
|
|
let
|
2020-01-25 01:36:48 +00:00
|
|
|
adminAddr = if hostOpts.adminAddr != null then hostOpts.adminAddr else cfg.adminAddr;
|
2019-11-04 21:24:55 +00:00
|
|
|
listen = filter (listen: !listen.ssl) (mkListenInfo hostOpts);
|
|
|
|
listenSSL = filter (listen: listen.ssl) (mkListenInfo hostOpts);
|
|
|
|
|
|
|
|
useACME = hostOpts.enableACME || hostOpts.useACMEHost != null;
|
|
|
|
sslCertDir =
|
2020-06-19 19:27:46 +00:00
|
|
|
if hostOpts.enableACME then certs.${hostOpts.hostName}.directory
|
|
|
|
else if hostOpts.useACMEHost != null then certs.${hostOpts.useACMEHost}.directory
|
2019-11-04 21:24:55 +00:00
|
|
|
else abort "This case should never happen.";
|
|
|
|
|
2020-06-19 19:27:46 +00:00
|
|
|
sslServerCert = if useACME then "${sslCertDir}/fullchain.pem" else hostOpts.sslServerCert;
|
2019-11-04 21:24:55 +00:00
|
|
|
sslServerKey = if useACME then "${sslCertDir}/key.pem" else hostOpts.sslServerKey;
|
2020-06-19 19:27:46 +00:00
|
|
|
sslServerChain = if useACME then "${sslCertDir}/chain.pem" else hostOpts.sslServerChain;
|
2019-11-04 21:24:55 +00:00
|
|
|
|
2021-11-28 17:03:31 +00:00
|
|
|
acmeChallenge = optionalString (useACME && hostOpts.acmeRoot != null) ''
|
2019-11-04 21:24:55 +00:00
|
|
|
Alias /.well-known/acme-challenge/ "${hostOpts.acmeRoot}/.well-known/acme-challenge/"
|
|
|
|
<Directory "${hostOpts.acmeRoot}">
|
|
|
|
AllowOverride None
|
|
|
|
Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
|
|
|
|
Require method GET POST OPTIONS
|
|
|
|
Require all granted
|
|
|
|
</Directory>
|
|
|
|
'';
|
|
|
|
in
|
|
|
|
optionalString (listen != []) ''
|
|
|
|
<VirtualHost ${concatMapStringsSep " " (listen: "${listen.ip}:${toString listen.port}") listen}>
|
|
|
|
ServerName ${hostOpts.hostName}
|
|
|
|
${concatMapStrings (alias: "ServerAlias ${alias}\n") hostOpts.serverAliases}
|
2022-10-18 14:08:10 +00:00
|
|
|
${optionalString (adminAddr != null) "ServerAdmin ${adminAddr}"}
|
2019-11-04 21:24:55 +00:00
|
|
|
<IfModule mod_ssl.c>
|
|
|
|
SSLEngine off
|
|
|
|
</IfModule>
|
|
|
|
${acmeChallenge}
|
|
|
|
${if hostOpts.forceSSL then ''
|
|
|
|
<IfModule mod_rewrite.c>
|
|
|
|
RewriteEngine on
|
|
|
|
RewriteCond %{REQUEST_URI} !^/.well-known/acme-challenge [NC]
|
|
|
|
RewriteCond %{HTTPS} off
|
|
|
|
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
|
|
|
|
</IfModule>
|
|
|
|
'' else mkVHostCommonConf hostOpts}
|
|
|
|
</VirtualHost>
|
|
|
|
'' +
|
|
|
|
optionalString (listenSSL != []) ''
|
|
|
|
<VirtualHost ${concatMapStringsSep " " (listen: "${listen.ip}:${toString listen.port}") listenSSL}>
|
|
|
|
ServerName ${hostOpts.hostName}
|
|
|
|
${concatMapStrings (alias: "ServerAlias ${alias}\n") hostOpts.serverAliases}
|
2022-10-18 14:08:10 +00:00
|
|
|
${optionalString (adminAddr != null) "ServerAdmin ${adminAddr}"}
|
2019-11-04 21:24:55 +00:00
|
|
|
SSLEngine on
|
|
|
|
SSLCertificateFile ${sslServerCert}
|
|
|
|
SSLCertificateKeyFile ${sslServerKey}
|
|
|
|
${optionalString (sslServerChain != null) "SSLCertificateChainFile ${sslServerChain}"}
|
2020-02-01 21:07:51 +00:00
|
|
|
${optionalString hostOpts.http2 "Protocols h2 h2c http/1.1"}
|
2019-11-04 21:24:55 +00:00
|
|
|
${acmeChallenge}
|
|
|
|
${mkVHostCommonConf hostOpts}
|
|
|
|
</VirtualHost>
|
|
|
|
''
|
|
|
|
;
|
|
|
|
|
|
|
|
mkVHostCommonConf = hostOpts:
|
|
|
|
let
|
|
|
|
documentRoot = if hostOpts.documentRoot != null
|
|
|
|
then hostOpts.documentRoot
|
2021-06-12 15:28:42 +00:00
|
|
|
else pkgs.emptyDirectory
|
2019-11-04 21:24:55 +00:00
|
|
|
;
|
2019-12-26 15:04:12 +00:00
|
|
|
|
|
|
|
mkLocations = locations: concatStringsSep "\n" (map (config: ''
|
|
|
|
<Location ${config.location}>
|
|
|
|
${optionalString (config.proxyPass != null) ''
|
|
|
|
<IfModule mod_proxy.c>
|
|
|
|
ProxyPass ${config.proxyPass}
|
|
|
|
ProxyPassReverse ${config.proxyPass}
|
|
|
|
</IfModule>
|
|
|
|
''}
|
|
|
|
${optionalString (config.index != null) ''
|
|
|
|
<IfModule mod_dir.c>
|
|
|
|
DirectoryIndex ${config.index}
|
|
|
|
</IfModule>
|
|
|
|
''}
|
|
|
|
${optionalString (config.alias != null) ''
|
|
|
|
<IfModule mod_alias.c>
|
|
|
|
Alias "${config.alias}"
|
|
|
|
</IfModule>
|
|
|
|
''}
|
|
|
|
${config.extraConfig}
|
|
|
|
</Location>
|
|
|
|
'') (sortProperties (mapAttrsToList (k: v: v // { location = k; }) locations)));
|
2019-11-04 21:24:55 +00:00
|
|
|
in
|
|
|
|
''
|
2020-01-25 01:36:48 +00:00
|
|
|
${optionalString cfg.logPerVirtualHost ''
|
|
|
|
ErrorLog ${cfg.logDir}/error-${hostOpts.hostName}.log
|
|
|
|
CustomLog ${cfg.logDir}/access-${hostOpts.hostName}.log ${hostOpts.logFormat}
|
2019-11-04 21:24:55 +00:00
|
|
|
''}
|
|
|
|
|
|
|
|
${optionalString (hostOpts.robotsEntries != "") ''
|
|
|
|
Alias /robots.txt ${pkgs.writeText "robots.txt" hostOpts.robotsEntries}
|
|
|
|
''}
|
|
|
|
|
|
|
|
DocumentRoot "${documentRoot}"
|
|
|
|
|
|
|
|
<Directory "${documentRoot}">
|
|
|
|
Options Indexes FollowSymLinks
|
|
|
|
AllowOverride None
|
2020-01-25 01:36:48 +00:00
|
|
|
Require all granted
|
2019-11-04 21:24:55 +00:00
|
|
|
</Directory>
|
|
|
|
|
|
|
|
${optionalString hostOpts.enableUserDir ''
|
|
|
|
UserDir public_html
|
|
|
|
UserDir disabled root
|
|
|
|
<Directory "/home/*/public_html">
|
|
|
|
AllowOverride FileInfo AuthConfig Limit Indexes
|
|
|
|
Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
|
|
|
|
<Limit GET POST OPTIONS>
|
|
|
|
Require all granted
|
|
|
|
</Limit>
|
|
|
|
<LimitExcept GET POST OPTIONS>
|
|
|
|
Require all denied
|
|
|
|
</LimitExcept>
|
|
|
|
</Directory>
|
|
|
|
''}
|
|
|
|
|
|
|
|
${optionalString (hostOpts.globalRedirect != null && hostOpts.globalRedirect != "") ''
|
|
|
|
RedirectPermanent / ${hostOpts.globalRedirect}
|
|
|
|
''}
|
|
|
|
|
|
|
|
${
|
|
|
|
let makeDirConf = elem: ''
|
|
|
|
Alias ${elem.urlPath} ${elem.dir}/
|
|
|
|
<Directory ${elem.dir}>
|
|
|
|
Options +Indexes
|
2020-01-25 01:36:48 +00:00
|
|
|
Require all granted
|
2019-11-04 21:24:55 +00:00
|
|
|
AllowOverride All
|
|
|
|
</Directory>
|
|
|
|
'';
|
|
|
|
in concatMapStrings makeDirConf hostOpts.servedDirs
|
|
|
|
}
|
|
|
|
|
2019-12-26 15:04:12 +00:00
|
|
|
${mkLocations hostOpts.locations}
|
2019-11-04 21:24:55 +00:00
|
|
|
${hostOpts.extraConfig}
|
|
|
|
''
|
|
|
|
;
|
2008-02-05 16:25:07 +00:00
|
|
|
|
2011-09-14 18:20:50 +00:00
|
|
|
|
2012-07-23 19:48:21 +00:00
|
|
|
confFile = pkgs.writeText "httpd.conf" ''
|
2011-09-14 18:20:50 +00:00
|
|
|
|
2020-01-25 01:36:48 +00:00
|
|
|
ServerRoot ${pkg}
|
2019-11-04 21:24:55 +00:00
|
|
|
ServerName ${config.networking.hostName}
|
2019-11-04 12:32:28 +00:00
|
|
|
DefaultRuntimeDir ${runtimeDir}/runtime
|
2012-10-17 15:38:43 +00:00
|
|
|
|
2019-11-04 12:32:28 +00:00
|
|
|
PidFile ${runtimeDir}/httpd.pid
|
2007-12-12 13:58:15 +00:00
|
|
|
|
2020-04-12 00:03:33 +00:00
|
|
|
${optionalString (cfg.mpm != "prefork") ''
|
2012-07-06 18:23:55 +00:00
|
|
|
# mod_cgid requires this.
|
2019-11-04 12:32:28 +00:00
|
|
|
ScriptSock ${runtimeDir}/cgisock
|
2012-07-06 18:23:55 +00:00
|
|
|
''}
|
|
|
|
|
2007-12-12 13:58:15 +00:00
|
|
|
<IfModule prefork.c>
|
2020-01-25 01:36:48 +00:00
|
|
|
MaxClients ${toString cfg.maxClients}
|
|
|
|
MaxRequestsPerChild ${toString cfg.maxRequestsPerChild}
|
2007-12-12 13:58:15 +00:00
|
|
|
</IfModule>
|
|
|
|
|
2008-04-19 10:21:42 +00:00
|
|
|
${let
|
2019-11-04 21:24:55 +00:00
|
|
|
toStr = listen: "Listen ${listen.ip}:${toString listen.port} ${if listen.ssl then "https" else "http"}";
|
|
|
|
uniqueListen = uniqList {inputList = map toStr listenInfo;};
|
|
|
|
in concatStringsSep "\n" uniqueListen
|
2008-04-19 10:21:42 +00:00
|
|
|
}
|
2007-12-12 13:58:15 +00:00
|
|
|
|
2020-01-25 01:36:48 +00:00
|
|
|
User ${cfg.user}
|
|
|
|
Group ${cfg.group}
|
2007-12-12 13:58:15 +00:00
|
|
|
|
2008-02-05 16:25:07 +00:00
|
|
|
${let
|
2019-11-04 16:21:20 +00:00
|
|
|
mkModule = module:
|
2020-01-25 01:36:48 +00:00
|
|
|
if isString module then { name = module; path = "${pkg}/modules/mod_${module}.so"; }
|
2019-11-04 16:21:20 +00:00
|
|
|
else if isAttrs module then { inherit (module) name path; }
|
|
|
|
else throw "Expecting either a string or attribute set including a name and path.";
|
|
|
|
in
|
|
|
|
concatMapStringsSep "\n" (module: "LoadModule ${module.name}_module ${module.path}") (unique (map mkModule modules))
|
2007-12-12 13:58:15 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
AddHandler type-map var
|
|
|
|
|
|
|
|
<Files ~ "^\.ht">
|
2020-01-25 01:36:48 +00:00
|
|
|
Require all denied
|
2007-12-12 13:58:15 +00:00
|
|
|
</Files>
|
|
|
|
|
|
|
|
${mimeConf}
|
|
|
|
${loggingConf}
|
|
|
|
${browserHacks}
|
|
|
|
|
2020-01-25 01:36:48 +00:00
|
|
|
Include ${pkg}/conf/extra/httpd-default.conf
|
|
|
|
Include ${pkg}/conf/extra/httpd-autoindex.conf
|
|
|
|
Include ${pkg}/conf/extra/httpd-multilang-errordoc.conf
|
|
|
|
Include ${pkg}/conf/extra/httpd-languages.conf
|
2011-09-14 18:20:50 +00:00
|
|
|
|
2019-02-07 19:13:45 +00:00
|
|
|
TraceEnable off
|
|
|
|
|
2020-01-25 01:36:48 +00:00
|
|
|
${sslConf}
|
2007-12-12 13:58:15 +00:00
|
|
|
|
2021-01-05 20:04:57 +00:00
|
|
|
${optionalString cfg.package.luaSupport luaSetPaths}
|
2020-12-25 21:54:05 +00:00
|
|
|
|
2008-02-05 16:25:07 +00:00
|
|
|
# Fascist default - deny access to everything.
|
2007-12-12 13:58:15 +00:00
|
|
|
<Directory />
|
|
|
|
Options FollowSymLinks
|
|
|
|
AllowOverride None
|
2020-01-25 01:36:48 +00:00
|
|
|
Require all denied
|
2008-02-14 07:42:52 +00:00
|
|
|
</Directory>
|
|
|
|
|
|
|
|
# But do allow access to files in the store so that we don't have
|
|
|
|
# to generate <Directory> clauses for every generated file that we
|
|
|
|
# want to serve.
|
2011-10-30 15:19:58 +00:00
|
|
|
<Directory /nix/store>
|
2020-01-25 01:36:48 +00:00
|
|
|
Require all granted
|
2007-12-12 13:58:15 +00:00
|
|
|
</Directory>
|
|
|
|
|
2020-01-25 01:36:48 +00:00
|
|
|
${cfg.extraConfig}
|
2011-09-14 18:20:50 +00:00
|
|
|
|
2019-11-04 21:24:55 +00:00
|
|
|
${concatMapStringsSep "\n" mkVHostConf vhosts}
|
2007-12-12 13:58:15 +00:00
|
|
|
'';
|
|
|
|
|
2010-02-15 19:02:42 +00:00
|
|
|
# Generate the PHP configuration file. Should probably be factored
|
|
|
|
# out into a separate module.
|
|
|
|
phpIni = pkgs.runCommand "php.ini"
|
2020-01-25 01:36:48 +00:00
|
|
|
{ options = cfg.phpOptions;
|
2018-11-08 10:59:03 +00:00
|
|
|
preferLocalBuild = true;
|
2010-02-15 19:02:42 +00:00
|
|
|
}
|
|
|
|
''
|
2016-04-29 06:26:20 +00:00
|
|
|
cat ${php}/etc/php.ini > $out
|
2020-04-24 17:34:34 +00:00
|
|
|
cat ${php.phpIni} > $out
|
2010-02-15 19:02:42 +00:00
|
|
|
echo "$options" >> $out
|
|
|
|
'';
|
2022-01-08 20:05:34 +00:00
|
|
|
|
2024-08-24 23:18:07 +00:00
|
|
|
mkCertOwnershipAssertion = import ../../../security/acme/mk-cert-ownership-assertion.nix lib;
|
2007-12-12 13:58:15 +00:00
|
|
|
in
|
|
|
|
|
|
|
|
|
2009-07-15 11:19:11 +00:00
|
|
|
{
|
|
|
|
|
2019-09-18 01:14:50 +00:00
|
|
|
imports = [
|
|
|
|
(mkRemovedOptionModule [ "services" "httpd" "extraSubservices" ] "Most existing subservices have been ported to the NixOS module system. Please update your configuration accordingly.")
|
2019-11-04 12:32:28 +00:00
|
|
|
(mkRemovedOptionModule [ "services" "httpd" "stateDir" ] "The httpd module now uses /run/httpd as a runtime directory.")
|
2020-04-12 00:03:33 +00:00
|
|
|
(mkRenamedOptionModule [ "services" "httpd" "multiProcessingModule" ] [ "services" "httpd" "mpm" ])
|
2019-11-04 21:24:55 +00:00
|
|
|
|
|
|
|
# virtualHosts options
|
|
|
|
(mkRemovedOptionModule [ "services" "httpd" "documentRoot" ] "Please define a virtual host using `services.httpd.virtualHosts`.")
|
|
|
|
(mkRemovedOptionModule [ "services" "httpd" "enableSSL" ] "Please define a virtual host using `services.httpd.virtualHosts`.")
|
|
|
|
(mkRemovedOptionModule [ "services" "httpd" "enableUserDir" ] "Please define a virtual host using `services.httpd.virtualHosts`.")
|
|
|
|
(mkRemovedOptionModule [ "services" "httpd" "globalRedirect" ] "Please define a virtual host using `services.httpd.virtualHosts`.")
|
|
|
|
(mkRemovedOptionModule [ "services" "httpd" "hostName" ] "Please define a virtual host using `services.httpd.virtualHosts`.")
|
|
|
|
(mkRemovedOptionModule [ "services" "httpd" "listen" ] "Please define a virtual host using `services.httpd.virtualHosts`.")
|
|
|
|
(mkRemovedOptionModule [ "services" "httpd" "robotsEntries" ] "Please define a virtual host using `services.httpd.virtualHosts`.")
|
|
|
|
(mkRemovedOptionModule [ "services" "httpd" "servedDirs" ] "Please define a virtual host using `services.httpd.virtualHosts`.")
|
|
|
|
(mkRemovedOptionModule [ "services" "httpd" "servedFiles" ] "Please define a virtual host using `services.httpd.virtualHosts`.")
|
|
|
|
(mkRemovedOptionModule [ "services" "httpd" "serverAliases" ] "Please define a virtual host using `services.httpd.virtualHosts`.")
|
|
|
|
(mkRemovedOptionModule [ "services" "httpd" "sslServerCert" ] "Please define a virtual host using `services.httpd.virtualHosts`.")
|
|
|
|
(mkRemovedOptionModule [ "services" "httpd" "sslServerChain" ] "Please define a virtual host using `services.httpd.virtualHosts`.")
|
|
|
|
(mkRemovedOptionModule [ "services" "httpd" "sslServerKey" ] "Please define a virtual host using `services.httpd.virtualHosts`.")
|
2019-09-18 01:14:50 +00:00
|
|
|
];
|
|
|
|
|
2020-01-25 01:36:48 +00:00
|
|
|
# interface
|
2009-07-15 11:19:11 +00:00
|
|
|
|
|
|
|
options = {
|
2011-09-14 18:20:50 +00:00
|
|
|
|
2009-07-15 11:19:11 +00:00
|
|
|
services.httpd = {
|
2011-09-14 18:20:50 +00:00
|
|
|
|
2024-04-13 12:54:15 +00:00
|
|
|
enable = mkEnableOption "the Apache HTTP Server";
|
2009-07-15 11:19:11 +00:00
|
|
|
|
2023-11-27 00:19:27 +00:00
|
|
|
package = mkPackageOption pkgs "apacheHttpd" { };
|
2012-07-23 19:48:21 +00:00
|
|
|
|
|
|
|
configFile = mkOption {
|
2013-10-29 13:03:39 +00:00
|
|
|
type = types.path;
|
2012-07-23 19:48:21 +00:00
|
|
|
default = confFile;
|
2021-10-03 16:06:03 +00:00
|
|
|
defaultText = literalExpression "confFile";
|
|
|
|
example = literalExpression ''pkgs.writeText "httpd.conf" "# my custom config file ..."'';
|
2024-04-13 12:54:15 +00:00
|
|
|
description = ''
|
2013-10-29 13:03:39 +00:00
|
|
|
Override the configuration file used by Apache. By default,
|
|
|
|
NixOS generates one automatically.
|
|
|
|
'';
|
2012-07-23 19:48:21 +00:00
|
|
|
};
|
|
|
|
|
2009-11-06 16:23:25 +00:00
|
|
|
extraConfig = mkOption {
|
2013-10-29 13:03:39 +00:00
|
|
|
type = types.lines;
|
2009-11-06 16:23:25 +00:00
|
|
|
default = "";
|
2024-04-13 12:54:15 +00:00
|
|
|
description = ''
|
2019-12-06 18:47:15 +00:00
|
|
|
Configuration lines appended to the generated Apache
|
2020-01-25 01:36:48 +00:00
|
|
|
configuration file. Note that this mechanism will not work
|
2022-08-05 17:39:00 +00:00
|
|
|
when {option}`configFile` is overridden.
|
2013-10-29 13:03:39 +00:00
|
|
|
'';
|
2009-11-06 16:23:25 +00:00
|
|
|
};
|
|
|
|
|
2009-07-15 11:19:11 +00:00
|
|
|
extraModules = mkOption {
|
2013-10-29 13:03:39 +00:00
|
|
|
type = types.listOf types.unspecified;
|
2009-07-15 11:19:11 +00:00
|
|
|
default = [];
|
2021-10-03 16:06:03 +00:00
|
|
|
example = literalExpression ''
|
2019-11-04 16:21:20 +00:00
|
|
|
[
|
|
|
|
"proxy_connect"
|
2024-03-21 20:31:51 +00:00
|
|
|
{ name = "jk"; path = "''${pkgs.apacheHttpdPackages.mod_jk}/modules/mod_jk.so"; }
|
2019-11-04 16:21:20 +00:00
|
|
|
]
|
|
|
|
'';
|
2024-04-13 12:54:15 +00:00
|
|
|
description = ''
|
2020-01-25 01:36:48 +00:00
|
|
|
Additional Apache modules to be used. These can be
|
2013-10-29 13:03:39 +00:00
|
|
|
specified as a string in the case of modules distributed
|
|
|
|
with Apache, or as an attribute set specifying the
|
2022-08-28 19:18:44 +00:00
|
|
|
{var}`name` and {var}`path` of the
|
2009-07-15 11:19:11 +00:00
|
|
|
module.
|
|
|
|
'';
|
|
|
|
};
|
|
|
|
|
2019-11-04 21:24:55 +00:00
|
|
|
adminAddr = mkOption {
|
2022-10-18 14:08:10 +00:00
|
|
|
type = types.nullOr types.str;
|
2019-11-04 21:24:55 +00:00
|
|
|
example = "admin@example.org";
|
2022-10-18 14:08:10 +00:00
|
|
|
default = null;
|
2024-04-13 12:54:15 +00:00
|
|
|
description = "E-mail address of the server administrator.";
|
2019-11-04 21:24:55 +00:00
|
|
|
};
|
|
|
|
|
|
|
|
logFormat = mkOption {
|
|
|
|
type = types.str;
|
|
|
|
default = "common";
|
|
|
|
example = "combined";
|
2024-04-13 12:54:15 +00:00
|
|
|
description = ''
|
2021-08-22 08:17:28 +00:00
|
|
|
Log format for log files. Possible values are: combined, common, referer, agent, none.
|
2022-08-05 17:39:00 +00:00
|
|
|
See <https://httpd.apache.org/docs/2.4/logs.html> for more details.
|
2019-11-04 21:24:55 +00:00
|
|
|
'';
|
|
|
|
};
|
|
|
|
|
2009-07-15 11:19:11 +00:00
|
|
|
logPerVirtualHost = mkOption {
|
2013-10-29 13:03:39 +00:00
|
|
|
type = types.bool;
|
2019-11-04 21:24:55 +00:00
|
|
|
default = true;
|
2024-04-13 12:54:15 +00:00
|
|
|
description = ''
|
2009-07-15 11:19:11 +00:00
|
|
|
If enabled, each virtual host gets its own
|
2022-08-05 17:39:00 +00:00
|
|
|
{file}`access.log` and
|
|
|
|
{file}`error.log`, namely suffixed by the
|
|
|
|
{option}`hostName` of the virtual host.
|
2013-10-29 13:03:39 +00:00
|
|
|
'';
|
2009-07-15 11:19:11 +00:00
|
|
|
};
|
|
|
|
|
|
|
|
user = mkOption {
|
2013-10-29 13:03:39 +00:00
|
|
|
type = types.str;
|
2009-07-15 11:19:11 +00:00
|
|
|
default = "wwwrun";
|
2024-04-13 12:54:15 +00:00
|
|
|
description = ''
|
2020-04-11 23:58:24 +00:00
|
|
|
User account under which httpd children processes run.
|
|
|
|
|
|
|
|
If you require the main httpd process to run as
|
2022-08-30 00:30:04 +00:00
|
|
|
`root` add the following configuration:
|
|
|
|
```
|
2020-04-11 23:58:24 +00:00
|
|
|
systemd.services.httpd.serviceConfig.User = lib.mkForce "root";
|
2022-08-30 00:30:04 +00:00
|
|
|
```
|
2013-10-29 13:03:39 +00:00
|
|
|
'';
|
2009-07-15 11:19:11 +00:00
|
|
|
};
|
|
|
|
|
|
|
|
group = mkOption {
|
2013-10-29 13:03:39 +00:00
|
|
|
type = types.str;
|
2009-07-15 11:19:11 +00:00
|
|
|
default = "wwwrun";
|
2024-04-13 12:54:15 +00:00
|
|
|
description = ''
|
2020-04-11 23:58:24 +00:00
|
|
|
Group under which httpd children processes run.
|
2013-10-29 13:03:39 +00:00
|
|
|
'';
|
2009-07-15 11:19:11 +00:00
|
|
|
};
|
|
|
|
|
|
|
|
logDir = mkOption {
|
2013-10-29 13:03:39 +00:00
|
|
|
type = types.path;
|
2009-07-15 11:19:11 +00:00
|
|
|
default = "/var/log/httpd";
|
2024-04-13 12:54:15 +00:00
|
|
|
description = ''
|
2020-01-25 01:36:48 +00:00
|
|
|
Directory for Apache's log files. It is created automatically.
|
2013-10-29 13:03:39 +00:00
|
|
|
'';
|
2009-07-15 11:19:11 +00:00
|
|
|
};
|
|
|
|
|
2009-11-06 16:23:25 +00:00
|
|
|
virtualHosts = mkOption {
|
2020-01-25 01:36:48 +00:00
|
|
|
type = with types; attrsOf (submodule (import ./vhost-options.nix));
|
2019-11-04 21:24:55 +00:00
|
|
|
default = {
|
|
|
|
localhost = {
|
2020-01-25 01:36:48 +00:00
|
|
|
documentRoot = "${pkg}/htdocs";
|
2019-11-04 21:24:55 +00:00
|
|
|
};
|
|
|
|
};
|
2021-10-03 16:06:03 +00:00
|
|
|
defaultText = literalExpression ''
|
|
|
|
{
|
|
|
|
localhost = {
|
|
|
|
documentRoot = "''${package.out}/htdocs";
|
|
|
|
};
|
|
|
|
}
|
|
|
|
'';
|
|
|
|
example = literalExpression ''
|
2019-11-04 21:24:55 +00:00
|
|
|
{
|
|
|
|
"foo.example.com" = {
|
|
|
|
forceSSL = true;
|
|
|
|
documentRoot = "/var/www/foo.example.com"
|
|
|
|
};
|
|
|
|
"bar.example.com" = {
|
|
|
|
addSSL = true;
|
|
|
|
documentRoot = "/var/www/bar.example.com";
|
2013-10-28 20:58:32 +00:00
|
|
|
};
|
2009-11-06 16:23:25 +00:00
|
|
|
}
|
2019-11-04 21:24:55 +00:00
|
|
|
'';
|
2024-04-13 12:54:15 +00:00
|
|
|
description = ''
|
2019-11-04 21:24:55 +00:00
|
|
|
Specification of the virtual hosts served by Apache. Each
|
2009-11-06 16:23:25 +00:00
|
|
|
element should be an attribute set specifying the
|
2019-11-04 21:24:55 +00:00
|
|
|
configuration of the virtual host.
|
2009-11-06 16:23:25 +00:00
|
|
|
'';
|
|
|
|
};
|
|
|
|
|
2024-07-04 13:44:24 +00:00
|
|
|
enableMellon = mkEnableOption "the mod_auth_mellon module";
|
2016-02-06 21:27:48 +00:00
|
|
|
|
2024-07-04 13:44:24 +00:00
|
|
|
enablePHP = mkEnableOption "the PHP module";
|
2014-05-20 09:50:39 +00:00
|
|
|
|
2023-11-27 00:19:27 +00:00
|
|
|
phpPackage = mkPackageOption pkgs "php" { };
|
2016-06-22 12:24:25 +00:00
|
|
|
|
2024-07-04 13:44:24 +00:00
|
|
|
enablePerl = mkEnableOption "the Perl module (mod_perl)";
|
2016-12-15 11:36:07 +00:00
|
|
|
|
2010-02-15 19:02:42 +00:00
|
|
|
phpOptions = mkOption {
|
2013-10-29 13:03:39 +00:00
|
|
|
type = types.lines;
|
2010-02-15 19:02:42 +00:00
|
|
|
default = "";
|
|
|
|
example =
|
|
|
|
''
|
|
|
|
date.timezone = "CET"
|
|
|
|
'';
|
2024-04-13 12:54:15 +00:00
|
|
|
description = ''
|
2022-08-05 17:39:00 +00:00
|
|
|
Options appended to the PHP configuration file {file}`php.ini`.
|
2020-01-25 01:36:48 +00:00
|
|
|
'';
|
2010-01-07 09:01:40 +00:00
|
|
|
};
|
|
|
|
|
2020-04-12 00:03:33 +00:00
|
|
|
mpm = mkOption {
|
2020-01-25 01:36:48 +00:00
|
|
|
type = types.enum [ "event" "prefork" "worker" ];
|
2020-04-12 00:03:33 +00:00
|
|
|
default = "event";
|
2012-07-06 18:23:55 +00:00
|
|
|
example = "worker";
|
2024-04-13 12:54:15 +00:00
|
|
|
description = ''
|
2020-01-25 01:36:48 +00:00
|
|
|
Multi-processing module to be used by Apache. Available
|
2022-08-05 17:39:00 +00:00
|
|
|
modules are `prefork` (handles each
|
|
|
|
request in a separate child process), `worker`
|
2020-04-12 00:03:33 +00:00
|
|
|
(hybrid approach that starts a number of child processes
|
2022-08-05 17:39:00 +00:00
|
|
|
each running a number of threads) and `event`
|
|
|
|
(the default; a recent variant of `worker`
|
2020-04-12 00:03:33 +00:00
|
|
|
that handles persistent connections more efficiently).
|
2012-07-06 18:23:55 +00:00
|
|
|
'';
|
|
|
|
};
|
|
|
|
|
2010-04-21 20:55:57 +00:00
|
|
|
maxClients = mkOption {
|
2013-10-29 13:03:39 +00:00
|
|
|
type = types.int;
|
2010-04-21 20:55:57 +00:00
|
|
|
default = 150;
|
|
|
|
example = 8;
|
2024-04-13 12:54:15 +00:00
|
|
|
description = "Maximum number of httpd processes (prefork)";
|
2010-04-21 20:55:57 +00:00
|
|
|
};
|
|
|
|
|
|
|
|
maxRequestsPerChild = mkOption {
|
2013-10-29 13:03:39 +00:00
|
|
|
type = types.int;
|
2010-04-21 20:55:57 +00:00
|
|
|
default = 0;
|
|
|
|
example = 500;
|
2024-04-13 12:54:15 +00:00
|
|
|
description = ''
|
2020-01-25 01:36:48 +00:00
|
|
|
Maximum number of httpd requests answered per httpd child (prefork), 0 means unlimited.
|
|
|
|
'';
|
2010-04-21 20:55:57 +00:00
|
|
|
};
|
2019-01-09 16:30:19 +00:00
|
|
|
|
|
|
|
sslCiphers = mkOption {
|
|
|
|
type = types.str;
|
|
|
|
default = "HIGH:!aNULL:!MD5:!EXP";
|
2024-04-13 12:54:15 +00:00
|
|
|
description = "Cipher Suite available for negotiation in SSL proxy handshake.";
|
2019-01-09 16:30:19 +00:00
|
|
|
};
|
|
|
|
|
|
|
|
sslProtocols = mkOption {
|
|
|
|
type = types.str;
|
2019-12-30 16:24:11 +00:00
|
|
|
default = "All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1";
|
2019-02-07 19:05:44 +00:00
|
|
|
example = "All -SSLv2 -SSLv3";
|
2024-04-13 12:54:15 +00:00
|
|
|
description = "Allowed SSL/TLS protocol versions.";
|
2019-01-09 16:30:19 +00:00
|
|
|
};
|
2019-11-04 21:24:55 +00:00
|
|
|
};
|
2009-07-15 11:19:11 +00:00
|
|
|
|
|
|
|
};
|
|
|
|
|
2020-01-25 01:36:48 +00:00
|
|
|
# implementation
|
2009-07-15 11:19:11 +00:00
|
|
|
|
2020-01-25 01:36:48 +00:00
|
|
|
config = mkIf cfg.enable {
|
2014-11-06 13:27:02 +00:00
|
|
|
|
2019-11-04 21:24:55 +00:00
|
|
|
assertions = [
|
|
|
|
{
|
|
|
|
assertion = all (hostOpts: !hostOpts.enableSSL) vhosts;
|
|
|
|
message = ''
|
|
|
|
The option `services.httpd.virtualHosts.<name>.enableSSL` no longer has any effect; please remove it.
|
|
|
|
Select one of `services.httpd.virtualHosts.<name>.addSSL`, `services.httpd.virtualHosts.<name>.forceSSL`,
|
|
|
|
or `services.httpd.virtualHosts.<name>.onlySSL`.
|
|
|
|
'';
|
|
|
|
}
|
|
|
|
{
|
|
|
|
assertion = all (hostOpts: with hostOpts; !(addSSL && onlySSL) && !(forceSSL && onlySSL) && !(addSSL && forceSSL)) vhosts;
|
|
|
|
message = ''
|
|
|
|
Options `services.httpd.virtualHosts.<name>.addSSL`,
|
|
|
|
`services.httpd.virtualHosts.<name>.onlySSL` and `services.httpd.virtualHosts.<name>.forceSSL`
|
|
|
|
are mutually exclusive.
|
|
|
|
'';
|
|
|
|
}
|
|
|
|
{
|
|
|
|
assertion = all (hostOpts: !(hostOpts.enableACME && hostOpts.useACMEHost != null)) vhosts;
|
|
|
|
message = ''
|
|
|
|
Options `services.httpd.virtualHosts.<name>.enableACME` and
|
|
|
|
`services.httpd.virtualHosts.<name>.useACMEHost` are mutually exclusive.
|
|
|
|
'';
|
2022-10-03 06:25:17 +00:00
|
|
|
}
|
|
|
|
{
|
|
|
|
assertion = cfg.enablePHP -> php.ztsSupport;
|
|
|
|
message = ''
|
|
|
|
The php package provided by `services.httpd.phpPackage` is not built with zts support. Please
|
|
|
|
ensure the php has zts support by settings `services.httpd.phpPackage = php.override { ztsSupport = true; }`
|
|
|
|
'';
|
2019-11-04 21:24:55 +00:00
|
|
|
}
|
2022-01-08 20:05:34 +00:00
|
|
|
] ++ map (name: mkCertOwnershipAssertion {
|
|
|
|
cert = config.security.acme.certs.${name};
|
|
|
|
groups = config.users.groups;
|
2024-08-24 23:18:07 +00:00
|
|
|
services = [ config.systemd.services.httpd ] ++ lib.optional (vhostCertNames != []) config.systemd.services.httpd-config-reload;
|
2024-08-21 21:46:30 +00:00
|
|
|
}) vhostCertNames;
|
2009-07-15 11:19:11 +00:00
|
|
|
|
2019-12-26 15:04:12 +00:00
|
|
|
warnings =
|
|
|
|
mapAttrsToList (name: hostOpts: ''
|
|
|
|
Using config.services.httpd.virtualHosts."${name}".servedFiles is deprecated and will become unsupported in a future release. Your configuration will continue to work as is but please migrate your configuration to config.services.httpd.virtualHosts."${name}".locations before the 20.09 release of NixOS.
|
2020-01-25 01:36:48 +00:00
|
|
|
'') (filterAttrs (name: hostOpts: hostOpts.servedFiles != []) cfg.virtualHosts);
|
2019-12-26 15:04:12 +00:00
|
|
|
|
2020-01-25 01:36:48 +00:00
|
|
|
users.users = optionalAttrs (cfg.user == "wwwrun") {
|
2019-09-14 17:51:29 +00:00
|
|
|
wwwrun = {
|
2020-01-25 01:36:48 +00:00
|
|
|
group = cfg.group;
|
2009-03-06 12:26:41 +00:00
|
|
|
description = "Apache httpd user";
|
2012-08-03 15:05:25 +00:00
|
|
|
uid = config.ids.uids.wwwrun;
|
2019-09-14 17:51:29 +00:00
|
|
|
};
|
|
|
|
};
|
2009-07-15 11:19:11 +00:00
|
|
|
|
2020-01-25 01:36:48 +00:00
|
|
|
users.groups = optionalAttrs (cfg.group == "wwwrun") {
|
2019-09-14 17:51:29 +00:00
|
|
|
wwwrun.gid = config.ids.gids.wwwrun;
|
|
|
|
};
|
2007-12-12 13:58:15 +00:00
|
|
|
|
2020-06-19 19:27:46 +00:00
|
|
|
security.acme.certs = let
|
2021-11-28 17:03:31 +00:00
|
|
|
acmePairs = map (hostOpts: let
|
|
|
|
hasRoot = hostOpts.acmeRoot != null;
|
|
|
|
in nameValuePair hostOpts.hostName {
|
2020-06-19 19:27:46 +00:00
|
|
|
group = mkDefault cfg.group;
|
2021-11-28 17:03:31 +00:00
|
|
|
# if acmeRoot is null inherit config.security.acme
|
|
|
|
# Since config.security.acme.certs.<cert>.webroot's own default value
|
|
|
|
# should take precedence set priority higher than mkOptionDefault
|
|
|
|
webroot = mkOverride (if hasRoot then 1000 else 2000) hostOpts.acmeRoot;
|
|
|
|
# Also nudge dnsProvider to null in case it is inherited
|
|
|
|
dnsProvider = mkOverride (if hasRoot then 1000 else 2000) null;
|
2020-06-19 19:27:46 +00:00
|
|
|
extraDomainNames = hostOpts.serverAliases;
|
|
|
|
# Use the vhost-specific email address if provided, otherwise let
|
|
|
|
# security.acme.email or security.acme.certs.<cert>.email be used.
|
|
|
|
email = mkOverride 2000 (if hostOpts.adminAddr != null then hostOpts.adminAddr else cfg.adminAddr);
|
|
|
|
# Filter for enableACME-only vhosts. Don't want to create dud certs
|
|
|
|
}) (filter (hostOpts: hostOpts.useACMEHost == null) acmeEnabledVhosts);
|
|
|
|
in listToAttrs acmePairs;
|
2019-11-04 21:24:55 +00:00
|
|
|
|
2021-05-11 23:51:23 +00:00
|
|
|
# httpd requires a stable path to the configuration file for reloads
|
|
|
|
environment.etc."httpd/httpd.conf".source = cfg.configFile;
|
2020-02-02 13:38:57 +00:00
|
|
|
environment.systemPackages = [
|
|
|
|
apachectl
|
|
|
|
pkg
|
|
|
|
];
|
2020-01-08 15:37:46 +00:00
|
|
|
|
2020-08-19 16:38:20 +00:00
|
|
|
services.logrotate = optionalAttrs (cfg.logFormat != "none") {
|
|
|
|
enable = mkDefault true;
|
2022-02-28 21:54:12 +00:00
|
|
|
settings.httpd = {
|
|
|
|
files = "${cfg.logDir}/*.log";
|
|
|
|
su = "${cfg.user} ${cfg.group}";
|
2020-08-19 16:38:20 +00:00
|
|
|
frequency = "daily";
|
2022-02-28 21:54:12 +00:00
|
|
|
rotate = 28;
|
|
|
|
sharedscripts = true;
|
|
|
|
compress = true;
|
|
|
|
delaycompress = true;
|
|
|
|
postrotate = "systemctl reload httpd.service > /dev/null 2>/dev/null || true";
|
2020-08-19 16:38:20 +00:00
|
|
|
};
|
|
|
|
};
|
|
|
|
|
2010-02-15 19:02:42 +00:00
|
|
|
services.httpd.phpOptions =
|
|
|
|
''
|
2019-02-07 19:25:55 +00:00
|
|
|
; Don't advertise PHP
|
|
|
|
expose_php = off
|
2019-04-24 03:48:22 +00:00
|
|
|
'' + optionalString (config.time.timeZone != null) ''
|
2010-02-15 19:02:42 +00:00
|
|
|
|
|
|
|
; Apparently PHP doesn't use $TZ.
|
|
|
|
date.timezone = "${config.time.timeZone}"
|
|
|
|
'';
|
|
|
|
|
2019-11-04 16:21:20 +00:00
|
|
|
services.httpd.extraModules = mkBefore [
|
|
|
|
# HTTP authentication mechanisms: basic and digest.
|
|
|
|
"auth_basic" "auth_digest"
|
|
|
|
|
|
|
|
# Authentication: is the user who he claims to be?
|
|
|
|
"authn_file" "authn_dbm" "authn_anon"
|
|
|
|
|
|
|
|
# Authorization: is the user allowed access?
|
|
|
|
"authz_user" "authz_groupfile" "authz_host"
|
|
|
|
|
|
|
|
# Other modules.
|
|
|
|
"ext_filter" "include" "env" "mime_magic"
|
|
|
|
"cern_meta" "expires" "headers" "usertrack" "setenvif"
|
|
|
|
"dav" "status" "asis" "info" "dav_fs"
|
|
|
|
"vhost_alias" "imagemap" "actions" "speling"
|
|
|
|
"proxy" "proxy_http"
|
|
|
|
"cache" "cache_disk"
|
|
|
|
|
|
|
|
# For compatibility with old configurations, the new module mod_access_compat is provided.
|
|
|
|
"access_compat"
|
|
|
|
];
|
|
|
|
|
2020-01-29 00:29:14 +00:00
|
|
|
systemd.tmpfiles.rules =
|
|
|
|
let
|
|
|
|
svc = config.systemd.services.httpd.serviceConfig;
|
|
|
|
in
|
|
|
|
[
|
|
|
|
"d '${cfg.logDir}' 0700 ${svc.User} ${svc.Group}"
|
|
|
|
"Z '${cfg.logDir}' - ${svc.User} ${svc.Group}"
|
|
|
|
];
|
|
|
|
|
2020-06-19 19:27:46 +00:00
|
|
|
systemd.services.httpd = {
|
|
|
|
description = "Apache HTTPD";
|
2012-08-14 22:15:37 +00:00
|
|
|
wantedBy = [ "multi-user.target" ];
|
2024-08-21 21:46:30 +00:00
|
|
|
wants = concatLists (map (certName: [ "acme-finished-${certName}.target" ]) vhostCertNames);
|
|
|
|
after = [ "network.target" ]
|
|
|
|
++ map (certName: "acme-selfsigned-${certName}.service") vhostCertNames
|
|
|
|
++ map (certName: "acme-${certName}.service") independentCertNames; # avoid loading self-signed key w/ real cert, or vice-versa
|
2020-06-19 19:27:46 +00:00
|
|
|
before = map (certName: "acme-${certName}.service") dependentCertNames;
|
2021-05-11 23:51:23 +00:00
|
|
|
restartTriggers = [ cfg.configFile ];
|
2009-10-12 17:09:38 +00:00
|
|
|
|
2020-04-12 00:06:24 +00:00
|
|
|
path = [ pkg pkgs.coreutils pkgs.gnugrep ];
|
2011-08-09 14:07:44 +00:00
|
|
|
|
2011-11-25 16:32:54 +00:00
|
|
|
environment =
|
2020-01-25 01:36:48 +00:00
|
|
|
optionalAttrs cfg.enablePHP { PHPRC = phpIni; }
|
|
|
|
// optionalAttrs cfg.enableMellon { LD_LIBRARY_PATH = "${pkgs.xmlsec}/lib"; };
|
2009-10-12 17:09:38 +00:00
|
|
|
|
|
|
|
preStart =
|
|
|
|
''
|
|
|
|
# Get rid of old semaphores. These tend to accumulate across
|
|
|
|
# server restarts, eventually preventing it from restarting
|
2013-08-10 21:07:13 +00:00
|
|
|
# successfully.
|
2020-11-24 15:29:28 +00:00
|
|
|
for i in $(${pkgs.util-linux}/bin/ipcs -s | grep ' ${cfg.user} ' | cut -f2 -d ' '); do
|
|
|
|
${pkgs.util-linux}/bin/ipcrm -s $i
|
2009-10-12 17:09:38 +00:00
|
|
|
done
|
|
|
|
'';
|
|
|
|
|
2020-01-25 01:36:48 +00:00
|
|
|
serviceConfig = {
|
2021-05-11 23:51:23 +00:00
|
|
|
ExecStart = "@${pkg}/bin/httpd httpd -f /etc/httpd/httpd.conf";
|
|
|
|
ExecStop = "${pkg}/bin/httpd -f /etc/httpd/httpd.conf -k graceful-stop";
|
|
|
|
ExecReload = "${pkg}/bin/httpd -f /etc/httpd/httpd.conf -k graceful";
|
2020-04-11 23:58:24 +00:00
|
|
|
User = cfg.user;
|
2020-01-25 01:36:48 +00:00
|
|
|
Group = cfg.group;
|
|
|
|
Type = "forking";
|
|
|
|
PIDFile = "${runtimeDir}/httpd.pid";
|
|
|
|
Restart = "always";
|
|
|
|
RestartSec = "5s";
|
|
|
|
RuntimeDirectory = "httpd httpd/runtime";
|
|
|
|
RuntimeDirectoryMode = "0750";
|
2020-04-11 23:58:24 +00:00
|
|
|
AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
|
2020-01-25 01:36:48 +00:00
|
|
|
};
|
2009-10-12 17:09:38 +00:00
|
|
|
};
|
|
|
|
|
2020-06-19 19:27:46 +00:00
|
|
|
# postRun hooks on cert renew can't be used to restart Apache since renewal
|
|
|
|
# runs as the unprivileged acme user. sslTargets are added to wantedBy + before
|
|
|
|
# which allows the acme-finished-$cert.target to signify the successful updating
|
|
|
|
# of certs end-to-end.
|
|
|
|
systemd.services.httpd-config-reload = let
|
2024-08-21 21:46:30 +00:00
|
|
|
sslServices = map (certName: "acme-${certName}.service") vhostCertNames;
|
|
|
|
sslTargets = map (certName: "acme-finished-${certName}.target") vhostCertNames;
|
2024-08-24 23:18:07 +00:00
|
|
|
in mkIf (vhostCertNames != []) {
|
2020-06-19 19:27:46 +00:00
|
|
|
wantedBy = sslServices ++ [ "multi-user.target" ];
|
|
|
|
# Before the finished targets, after the renew services.
|
|
|
|
# This service might be needed for HTTP-01 challenges, but we only want to confirm
|
|
|
|
# certs are updated _after_ config has been reloaded.
|
|
|
|
before = sslTargets;
|
|
|
|
after = sslServices;
|
2021-05-11 23:51:23 +00:00
|
|
|
restartTriggers = [ cfg.configFile ];
|
2020-06-19 19:27:46 +00:00
|
|
|
# Block reloading if not all certs exist yet.
|
|
|
|
# Happens when config changes add new vhosts/certs.
|
2024-08-21 21:46:30 +00:00
|
|
|
unitConfig.ConditionPathExists = map (certName: certs.${certName}.directory + "/fullchain.pem") vhostCertNames;
|
2020-06-19 19:27:46 +00:00
|
|
|
serviceConfig = {
|
|
|
|
Type = "oneshot";
|
|
|
|
TimeoutSec = 60;
|
|
|
|
ExecCondition = "/run/current-system/systemd/bin/systemctl -q is-active httpd.service";
|
2021-05-11 23:51:23 +00:00
|
|
|
ExecStartPre = "${pkg}/bin/httpd -f /etc/httpd/httpd.conf -t";
|
2020-06-19 19:27:46 +00:00
|
|
|
ExecStart = "/run/current-system/systemd/bin/systemctl reload httpd.service";
|
|
|
|
};
|
|
|
|
};
|
|
|
|
|
2009-03-06 12:26:41 +00:00
|
|
|
};
|
2007-12-12 13:58:15 +00:00
|
|
|
}
|