stockholm/krebs/3modules/nginx.nix

{ config, lib, pkgs, ... }:

with import <stockholm/lib>;
let
  cfg = config.krebs.nginx;

  out = {
    options.krebs.nginx = api;
    config = lib.mkIf cfg.enable imp;
  };

  api = {
    enable = mkEnableOption "krebs.nginx";

    default404 = mkOption {
      type = types.bool;
      default = true;
      description = ''
        By default all requests not directed to an explicit hostname are
        replied with a 404 error to avoid accidental exposition of nginx
        services.

        Set this value to `false` to disable this behavior - you will then be
        able to configure a new `default_server` in the listen address entries
        again.
      '';
    };

    servers = mkOption {
      type = types.attrsOf (types.submodule {
        options = {
          server-names = mkOption {
            type = with types; listOf str;
            default =
              [config.krebs.build.host.name] ++
              concatMap (getAttr "aliases")
                        (attrValues config.krebs.build.host.nets);
          };
          listen = mkOption {
            type = with types; either str (listOf str);
            default = "80";
            apply = x:
              if typeOf x != "list"
                then [x]
                else x;
          };
          locations = mkOption {
            type = with types; listOf (attrsOf str);
            default = [];
          };
          extraConfig = mkOption {
            type = with types; string;
            default = "";
          };
          ssl = mkOption {
            type = with types; submodule ({ config, ... }: {
              options = {
                enable = mkEnableOption "ssl";
                acmeEnable = mkOption {
                  type = bool;
                  apply = x:
                    if x && config.enable
                      #conflicts because of certificate/certificate_key location
                      then throw "can't use ssl.enable and ssl.acmeEnable together"
                      else x;
                  default = false;
                  description = ''
                    enables automatical generation of lets-encrypt certificates and setting them as certificate
                    conflicts with ssl.enable
                  '';
                };
                certificate = mkOption {
                  type = str;
                };
                certificate_key = mkOption {
                  type = str;
                };
                #TODO: check for valid cipher
                ciphers = mkOption {
                  type = str;
                  default = "AES128+EECDH:AES128+EDH";
                };
                prefer_server_ciphers = mkOption {
                  type = bool;
                  default = true;
                };
                force_encryption = mkOption {
                  type = bool;
                  default = false;
                  description = ''
                    redirect all `http` traffic to the same domain but with ssl
                    protocol.
                  '';
                };
                protocols = mkOption {
                  type = listOf (enum [ "SSLv2" "SSLv3" "TLSv1" "TLSv1.1" "TLSv1.2" ]);
                  default = [ "TLSv1.1" "TLSv1.2" ];

                };
              };
            });
            default = {};
          };
        };
      });
      default = {};
    };
  };

  imp = {
    security.acme.certs = mapAttrs (_: to-acme) (filterAttrs (_: server: server.ssl.acmeEnable) cfg.servers);
    services.nginx = {
      enable = true;
      httpConfig = ''
        default_type      application/octet-stream;
        sendfile          on;
        keepalive_timeout 65;
        gzip              on;

        ${optionalString cfg.default404 ''
          server {
            listen 80 default_server;
            server_name _;
            return 404;
          }''}

        ${concatStrings (mapAttrsToList (_: to-server) cfg.servers)}
      '';
    };
  };

  indent = replaceChars ["\n"] ["\n  "];

  to-acme = { server-names, ssl, ... }:
    optionalAttrs ssl.acmeEnable {
      email = "lassulus@gmail.com";
      webroot = "${config.security.acme.directory}/${head server-names}";
    };

  to-location = { name, value }: ''
    location ${name} {
      ${indent value}
    }
  '';

  to-server = { server-names, listen, locations, extraConfig, ssl, ... }: let
    domain = head server-names;
    acmeLocation = optionalAttrs ssl.acmeEnable (nameValuePair "/.well-known/acme-challenge" ''
      root ${config.security.acme.certs.${domain}.webroot};
    '');
  in ''
    server {
      server_name ${toString (unique server-names)};
      ${concatMapStringsSep "\n" (x: indent "listen ${x};") listen}
      ${optionalString ssl.enable (indent ''
        ${optionalString ssl.force_encryption ''
          if ($scheme = http){
            return 301 https://$server_name$request_uri;
          }
        ''}
        listen 443 ssl;
        ssl_certificate ${ssl.certificate};
        ssl_certificate_key ${ssl.certificate_key};
        ${optionalString ssl.prefer_server_ciphers ''
          ssl_prefer_server_ciphers On;
        ''}
        ssl_ciphers ${ssl.ciphers};
        ssl_protocols ${toString ssl.protocols};
      '')}
      ${optionalString ssl.acmeEnable (indent ''
        ${optionalString ssl.force_encryption ''
          if ($scheme = http){
            return 301 https://$server_name$request_uri;
          }
        ''}
        listen 443 ssl;
        ssl_certificate ${config.security.acme.directory}/${domain}/fullchain.pem;
        ssl_certificate_key ${config.security.acme.directory}/${domain}/key.pem;
        ${optionalString ssl.prefer_server_ciphers ''
          ssl_prefer_server_ciphers On;
        ''}
        ssl_ciphers ${ssl.ciphers};
        ssl_protocols ${toString ssl.protocols};
      '')}
      ${indent extraConfig}
      ${optionalString ssl.acmeEnable (indent (to-location acmeLocation))}
      ${indent (concatMapStrings to-location locations)}
    }
  '';

in
out
RIP specialArgs.lib 2016-02-14 15:43:44 +00:00			`{ config, lib, pkgs, ... }:`
NWO 2015-07-11 14:55:22 +00:00
drop config.krebs.lib 2016-10-20 18:54:38 +00:00			`with import <stockholm/lib>;`
NWO 2015-07-11 14:55:22 +00:00			`let`
3 {tv -> krebs}.nginx 2015-07-24 09:50:23 +00:00			`cfg = config.krebs.nginx;`
NWO 2015-07-11 14:55:22 +00:00
			`out = {`
3 {tv -> krebs}.nginx 2015-07-24 09:50:23 +00:00			`options.krebs.nginx = api;`
RIP specialArgs.lib 2016-02-14 15:43:44 +00:00			`config = lib.mkIf cfg.enable imp;`
NWO 2015-07-11 14:55:22 +00:00			`};`

			`api = {`
3 {tv -> krebs}.nginx 2015-07-24 09:50:23 +00:00			`enable = mkEnableOption "krebs.nginx";`
NWO 2015-07-11 14:55:22 +00:00
k 3 nginx: add default404 option the default behavior is not changed but if the default does not apply to your use-case you now can change it 2016-03-15 22:54:53 +00:00			`default404 = mkOption {`
			`type = types.bool;`
			`default = true;`
			`description = ''`
			`By default all requests not directed to an explicit hostname are`
			`replied with a 404 error to avoid accidental exposition of nginx`
			`services.`

			Set this value to `false` to disable this behavior - you will then be
			able to configure a new `default_server` in the listen address entries
			`again.`
			`'';`
			`};`

3 tv.nginx: allow multiple server blocks 2015-07-16 16:07:20 +00:00			`servers = mkOption {`
krebs.nginx: s/optionSet/submodule/ 2016-02-27 16:23:59 +00:00			`type = types.attrsOf (types.submodule {`
			`options = {`
			`server-names = mkOption {`
			`type = with types; listOf str;`
nginx: use host name and aliases as default server-names 2016-07-22 11:06:15 +00:00			`default =`
			`[config.krebs.build.host.name] ++`
			`concatMap (getAttr "aliases")`
			`(attrValues config.krebs.build.host.nets);`
krebs.nginx: s/optionSet/submodule/ 2016-02-27 16:23:59 +00:00			`};`
			`listen = mkOption {`
			`type = with types; either str (listOf str);`
			`default = "80";`
			`apply = x:`
			`if typeOf x != "list"`
			`then [x]`
			`else x;`
			`};`
			`locations = mkOption {`
			`type = with types; listOf (attrsOf str);`
			`default = [];`
			`};`
			`extraConfig = mkOption {`
			`type = with types; string;`
			`default = "";`
			`};`
k 3 nginx: add ssl options 2016-03-02 22:09:19 +00:00			`ssl = mkOption {`
k 3 nginx: add ssl.acmeEnable option 2016-11-24 22:57:29 +00:00			`type = with types; submodule ({ config, ... }: {`
k 3 nginx: add ssl options 2016-03-02 22:09:19 +00:00			`options = {`
			`enable = mkEnableOption "ssl";`
k 3 nginx: add ssl.acmeEnable option 2016-11-24 22:57:29 +00:00			`acmeEnable = mkOption {`
			`type = bool;`
			`apply = x:`
			`if x && config.enable`
			`#conflicts because of certificate/certificate_key location`
			`then throw "can't use ssl.enable and ssl.acmeEnable together"`
			`else x;`
			`default = false;`
			`description = ''`
			`enables automatical generation of lets-encrypt certificates and setting them as certificate`
			`conflicts with ssl.enable`
			`'';`
			`};`
k 3 nginx: add ssl options 2016-03-02 22:09:19 +00:00			`certificate = mkOption {`
			`type = str;`
			`};`
			`certificate_key = mkOption {`
			`type = str;`
			`};`
			`#TODO: check for valid cipher`
			`ciphers = mkOption {`
			`type = str;`
			`default = "AES128+EECDH:AES128+EDH";`
			`};`
			`prefer_server_ciphers = mkOption {`
			`type = bool;`
			`default = true;`
			`};`
k 3 nginx: add ssl.force_encryption 2016-07-21 14:19:07 +00:00			`force_encryption = mkOption {`
			`type = bool;`
			`default = false;`
			`description = ''`
			redirect all `http` traffic to the same domain but with ssl
			`protocol.`
			`'';`
			`};`
k 3 nginx: add ssl options 2016-03-02 22:09:19 +00:00			`protocols = mkOption {`
			`type = listOf (enum [ "SSLv2" "SSLv3" "TLSv1" "TLSv1.1" "TLSv1.2" ]);`
			`default = [ "TLSv1.1" "TLSv1.2" ];`

			`};`
			`};`
			`});`
			`default = {};`
			`};`
3 tv.nginx: allow multiple server blocks 2015-07-16 16:07:20 +00:00			`};`
krebs.nginx: s/optionSet/submodule/ 2016-02-27 16:23:59 +00:00			`});`
3 tv.nginx: allow multiple server blocks 2015-07-16 16:07:20 +00:00			`default = {};`
NWO 2015-07-11 14:55:22 +00:00			`};`
			`};`

			`imp = {`
k 3 nginx: add ssl.acmeEnable option 2016-11-24 22:57:29 +00:00			`security.acme.certs = mapAttrs (_: to-acme) (filterAttrs (_: server: server.ssl.acmeEnable) cfg.servers);`
3 tv.nginx: allow multiple server blocks 2015-07-16 16:07:20 +00:00			`services.nginx = {`
			`enable = true;`
			`httpConfig = ''`
			`default_type application/octet-stream;`
			`sendfile on;`
			`keepalive_timeout 65;`
			`gzip on;`
k 3 nginx: add default404 option the default behavior is not changed but if the default does not apply to your use-case you now can change it 2016-03-15 22:54:53 +00:00
			`${optionalString cfg.default404 ''`
			`server {`
			`listen 80 default_server;`
			`server_name _;`
			`return 404;`
			`}''}`

3 tv.nginx: allow multiple server blocks 2015-07-16 16:07:20 +00:00			`${concatStrings (mapAttrsToList (_: to-server) cfg.servers)}`
			`'';`
			`};`
NWO 2015-07-11 14:55:22 +00:00			`};`

			`indent = replaceChars ["\n"] ["\n "];`

k 3 nginx: add ssl.acmeEnable option 2016-11-24 22:57:29 +00:00			`to-acme = { server-names, ssl, ... }:`
			`optionalAttrs ssl.acmeEnable {`
			`email = "lassulus@gmail.com";`
			`webroot = "${config.security.acme.directory}/${head server-names}";`
			`};`

NWO 2015-07-11 14:55:22 +00:00			`to-location = { name, value }: ''`
			`location ${name} {`
			`${indent value}`
			`}`
			`'';`

k 3 nginx: add ssl.acmeEnable option 2016-11-24 22:57:29 +00:00			`to-server = { server-names, listen, locations, extraConfig, ssl, ... }: let`
			`domain = head server-names;`
			`acmeLocation = optionalAttrs ssl.acmeEnable (nameValuePair "/.well-known/acme-challenge" ''`
			`root ${config.security.acme.certs.${domain}.webroot};`
			`'');`
			`in ''`
krebs.nginx: don't abuse extraConfig 2016-04-07 18:48:07 +00:00			`server {`
k 3 nginx: unique server-names to silence nginx 2016-05-31 22:07:14 +00:00			`server_name ${toString (unique server-names)};`
krebs.nginx: don't abuse extraConfig 2016-04-07 18:48:07 +00:00			`${concatMapStringsSep "\n" (x: indent "listen ${x};") listen}`
			`${optionalString ssl.enable (indent ''`
k 3 nginx: add ssl.force_encryption 2016-07-21 14:19:07 +00:00			`${optionalString ssl.force_encryption ''`
			`if ($scheme = http){`
			`return 301 https://$server_name$request_uri;`
			`}`
			`''}`
krebs.nginx: don't abuse extraConfig 2016-04-07 18:48:07 +00:00			`listen 443 ssl;`
			`ssl_certificate ${ssl.certificate};`
			`ssl_certificate_key ${ssl.certificate_key};`
			`${optionalString ssl.prefer_server_ciphers ''`
			`ssl_prefer_server_ciphers On;`
			`''}`
			`ssl_ciphers ${ssl.ciphers};`
			`ssl_protocols ${toString ssl.protocols};`
			`'')}`
k 3 nginx: add ssl.acmeEnable option 2016-11-24 22:57:29 +00:00			`${optionalString ssl.acmeEnable (indent ''`
			`${optionalString ssl.force_encryption ''`
			`if ($scheme = http){`
			`return 301 https://$server_name$request_uri;`
			`}`
			`''}`
			`listen 443 ssl;`
			`ssl_certificate ${config.security.acme.directory}/${domain}/fullchain.pem;`
			`ssl_certificate_key ${config.security.acme.directory}/${domain}/key.pem;`
			`${optionalString ssl.prefer_server_ciphers ''`
			`ssl_prefer_server_ciphers On;`
			`''}`
			`ssl_ciphers ${ssl.ciphers};`
			`ssl_protocols ${toString ssl.protocols};`
			`'')}`
krebs.nginx: don't abuse extraConfig 2016-04-07 18:48:07 +00:00			`${indent extraConfig}`
k 3 nginx: add ssl.acmeEnable option 2016-11-24 22:57:29 +00:00			`${optionalString ssl.acmeEnable (indent (to-location acmeLocation))}`
krebs.nginx: don't abuse extraConfig 2016-04-07 18:48:07 +00:00			`${indent (concatMapStrings to-location locations)}`
			`}`
			`'';`
3 tv.nginx: allow multiple server blocks 2015-07-16 16:07:20 +00:00
NWO 2015-07-11 14:55:22 +00:00			`in`
			`out`