stockholm/krebs/3modules/nginx.nix

191 lines
5.9 KiB
Nix
Raw Normal View History

2016-02-14 15:43:44 +00:00
{ config, lib, pkgs, ... }:
2015-07-11 14:55:22 +00:00
2016-10-20 18:54:38 +00:00
with import <stockholm/lib>;
2015-07-11 14:55:22 +00:00
let
2015-07-24 09:50:23 +00:00
cfg = config.krebs.nginx;
2015-07-11 14:55:22 +00:00
out = {
2015-07-24 09:50:23 +00:00
options.krebs.nginx = api;
2016-02-14 15:43:44 +00:00
config = lib.mkIf cfg.enable imp;
2015-07-11 14:55:22 +00:00
};
api = {
2015-07-24 09:50:23 +00:00
enable = mkEnableOption "krebs.nginx";
2015-07-11 14:55:22 +00:00
default404 = mkOption {
type = types.bool;
default = true;
description = ''
By default all requests not directed to an explicit hostname are
replied with a 404 error to avoid accidental exposition of nginx
services.
Set this value to `false` to disable this behavior - you will then be
able to configure a new `default_server` in the listen address entries
again.
'';
};
servers = mkOption {
2016-02-27 16:23:59 +00:00
type = types.attrsOf (types.submodule {
options = {
server-names = mkOption {
type = with types; listOf str;
default =
[config.krebs.build.host.name] ++
concatMap (getAttr "aliases")
(attrValues config.krebs.build.host.nets);
2016-02-27 16:23:59 +00:00
};
listen = mkOption {
type = with types; either str (listOf str);
default = "80";
apply = x:
if typeOf x != "list"
then [x]
else x;
};
locations = mkOption {
type = with types; listOf (attrsOf str);
default = [];
};
extraConfig = mkOption {
type = with types; string;
default = "";
};
2016-03-02 22:09:19 +00:00
ssl = mkOption {
2016-11-24 22:57:29 +00:00
type = with types; submodule ({ config, ... }: {
2016-03-02 22:09:19 +00:00
options = {
enable = mkEnableOption "ssl";
2016-11-24 22:57:29 +00:00
acmeEnable = mkOption {
type = bool;
apply = x:
if x && config.enable
#conflicts because of certificate/certificate_key location
then throw "can't use ssl.enable and ssl.acmeEnable together"
else x;
default = false;
description = ''
enables automatical generation of lets-encrypt certificates and setting them as certificate
conflicts with ssl.enable
'';
};
2016-03-02 22:09:19 +00:00
certificate = mkOption {
type = str;
};
certificate_key = mkOption {
type = str;
};
#TODO: check for valid cipher
ciphers = mkOption {
type = str;
default = "AES128+EECDH:AES128+EDH";
};
prefer_server_ciphers = mkOption {
type = bool;
default = true;
};
2016-07-21 14:19:07 +00:00
force_encryption = mkOption {
type = bool;
default = false;
description = ''
redirect all `http` traffic to the same domain but with ssl
protocol.
'';
};
2016-03-02 22:09:19 +00:00
protocols = mkOption {
type = listOf (enum [ "SSLv2" "SSLv3" "TLSv1" "TLSv1.1" "TLSv1.2" ]);
default = [ "TLSv1.1" "TLSv1.2" ];
};
};
});
default = {};
};
};
2016-02-27 16:23:59 +00:00
});
default = {};
2015-07-11 14:55:22 +00:00
};
};
imp = {
2016-11-24 22:57:29 +00:00
security.acme.certs = mapAttrs (_: to-acme) (filterAttrs (_: server: server.ssl.acmeEnable) cfg.servers);
services.nginx = {
enable = true;
httpConfig = ''
default_type application/octet-stream;
sendfile on;
keepalive_timeout 65;
gzip on;
${optionalString cfg.default404 ''
server {
listen 80 default_server;
server_name _;
return 404;
}''}
${concatStrings (mapAttrsToList (_: to-server) cfg.servers)}
'';
};
2015-07-11 14:55:22 +00:00
};
2016-11-24 22:57:29 +00:00
to-acme = { server-names, ssl, ... }:
optionalAttrs ssl.acmeEnable {
email = "lassulus@gmail.com";
webroot = "${config.security.acme.directory}/${head server-names}";
};
2015-07-11 14:55:22 +00:00
to-location = { name, value }: ''
location ${name} {
${indent value}
}
'';
2016-11-24 22:57:29 +00:00
to-server = { server-names, listen, locations, extraConfig, ssl, ... }: let
domain = head server-names;
acmeLocation = optionalAttrs ssl.acmeEnable (nameValuePair "/.well-known/acme-challenge" ''
root ${config.security.acme.certs.${domain}.webroot};
'');
in ''
2016-04-07 18:48:07 +00:00
server {
server_name ${toString (unique server-names)};
2016-04-07 18:48:07 +00:00
${concatMapStringsSep "\n" (x: indent "listen ${x};") listen}
${optionalString ssl.enable (indent ''
2016-07-21 14:19:07 +00:00
${optionalString ssl.force_encryption ''
if ($scheme = http){
return 301 https://$server_name$request_uri;
}
''}
2016-04-07 18:48:07 +00:00
listen 443 ssl;
ssl_certificate ${ssl.certificate};
ssl_certificate_key ${ssl.certificate_key};
${optionalString ssl.prefer_server_ciphers ''
ssl_prefer_server_ciphers On;
''}
ssl_ciphers ${ssl.ciphers};
ssl_protocols ${toString ssl.protocols};
'')}
2016-11-24 22:57:29 +00:00
${optionalString ssl.acmeEnable (indent ''
${optionalString ssl.force_encryption ''
if ($scheme = http){
return 301 https://$server_name$request_uri;
}
''}
listen 443 ssl;
ssl_certificate ${config.security.acme.directory}/${domain}/fullchain.pem;
ssl_certificate_key ${config.security.acme.directory}/${domain}/key.pem;
${optionalString ssl.prefer_server_ciphers ''
ssl_prefer_server_ciphers On;
''}
ssl_ciphers ${ssl.ciphers};
ssl_protocols ${toString ssl.protocols};
'')}
2016-04-07 18:48:07 +00:00
${indent extraConfig}
2016-11-24 22:57:29 +00:00
${optionalString ssl.acmeEnable (indent (to-location acmeLocation))}
2016-04-07 18:48:07 +00:00
${indent (concatMapStrings to-location locations)}
}
'';
2015-07-11 14:55:22 +00:00
in
out