193 lines
5.9 KiB
Nix
193 lines
5.9 KiB
Nix
{ config, lib, pkgs, ... }:
|
|
|
|
with import <stockholm/lib>;
|
|
let
|
|
cfg = config.krebs.nginx;
|
|
|
|
out = {
|
|
options.krebs.nginx = api;
|
|
config = lib.mkIf cfg.enable imp;
|
|
};
|
|
|
|
api = {
|
|
enable = mkEnableOption "krebs.nginx";
|
|
|
|
default404 = mkOption {
|
|
type = types.bool;
|
|
default = true;
|
|
description = ''
|
|
By default all requests not directed to an explicit hostname are
|
|
replied with a 404 error to avoid accidental exposition of nginx
|
|
services.
|
|
|
|
Set this value to `false` to disable this behavior - you will then be
|
|
able to configure a new `default_server` in the listen address entries
|
|
again.
|
|
'';
|
|
};
|
|
|
|
servers = mkOption {
|
|
type = types.attrsOf (types.submodule {
|
|
options = {
|
|
server-names = mkOption {
|
|
type = with types; listOf str;
|
|
default =
|
|
[config.krebs.build.host.name] ++
|
|
concatMap (getAttr "aliases")
|
|
(attrValues config.krebs.build.host.nets);
|
|
};
|
|
listen = mkOption {
|
|
type = with types; either str (listOf str);
|
|
default = "80";
|
|
apply = x:
|
|
if typeOf x != "list"
|
|
then [x]
|
|
else x;
|
|
};
|
|
locations = mkOption {
|
|
type = with types; listOf (attrsOf str);
|
|
default = [];
|
|
};
|
|
extraConfig = mkOption {
|
|
type = with types; string;
|
|
default = "";
|
|
};
|
|
ssl = mkOption {
|
|
type = with types; submodule ({ config, ... }: {
|
|
options = {
|
|
enable = mkEnableOption "ssl";
|
|
acmeEnable = mkOption {
|
|
type = bool;
|
|
apply = x:
|
|
if x && config.enable
|
|
#conflicts because of certificate/certificate_key location
|
|
then throw "can't use ssl.enable and ssl.acmeEnable together"
|
|
else x;
|
|
default = false;
|
|
description = ''
|
|
enables automatical generation of lets-encrypt certificates and setting them as certificate
|
|
conflicts with ssl.enable
|
|
'';
|
|
};
|
|
certificate = mkOption {
|
|
type = str;
|
|
};
|
|
certificate_key = mkOption {
|
|
type = str;
|
|
};
|
|
#TODO: check for valid cipher
|
|
ciphers = mkOption {
|
|
type = str;
|
|
default = "AES128+EECDH:AES128+EDH";
|
|
};
|
|
prefer_server_ciphers = mkOption {
|
|
type = bool;
|
|
default = true;
|
|
};
|
|
force_encryption = mkOption {
|
|
type = bool;
|
|
default = false;
|
|
description = ''
|
|
redirect all `http` traffic to the same domain but with ssl
|
|
protocol.
|
|
'';
|
|
};
|
|
protocols = mkOption {
|
|
type = listOf (enum [ "SSLv2" "SSLv3" "TLSv1" "TLSv1.1" "TLSv1.2" ]);
|
|
default = [ "TLSv1.1" "TLSv1.2" ];
|
|
|
|
};
|
|
};
|
|
});
|
|
default = {};
|
|
};
|
|
};
|
|
});
|
|
default = {};
|
|
};
|
|
};
|
|
|
|
imp = {
|
|
security.acme.certs = mapAttrs (_: to-acme) (filterAttrs (_: server: server.ssl.acmeEnable) cfg.servers);
|
|
services.nginx = {
|
|
enable = true;
|
|
httpConfig = ''
|
|
default_type application/octet-stream;
|
|
sendfile on;
|
|
keepalive_timeout 65;
|
|
gzip on;
|
|
|
|
${optionalString cfg.default404 ''
|
|
server {
|
|
listen 80 default_server;
|
|
server_name _;
|
|
return 404;
|
|
}''}
|
|
|
|
${concatStrings (mapAttrsToList (_: to-server) cfg.servers)}
|
|
'';
|
|
};
|
|
};
|
|
|
|
indent = replaceChars ["\n"] ["\n "];
|
|
|
|
to-acme = { server-names, ssl, ... }:
|
|
optionalAttrs ssl.acmeEnable {
|
|
email = "lassulus@gmail.com";
|
|
webroot = "${config.security.acme.directory}/${head server-names}";
|
|
};
|
|
|
|
to-location = { name, value }: ''
|
|
location ${name} {
|
|
${indent value}
|
|
}
|
|
'';
|
|
|
|
to-server = { server-names, listen, locations, extraConfig, ssl, ... }: let
|
|
domain = head server-names;
|
|
acmeLocation = optionalAttrs ssl.acmeEnable (nameValuePair "/.well-known/acme-challenge" ''
|
|
root ${config.security.acme.certs.${domain}.webroot};
|
|
'');
|
|
in ''
|
|
server {
|
|
server_name ${toString (unique server-names)};
|
|
${concatMapStringsSep "\n" (x: indent "listen ${x};") listen}
|
|
${optionalString ssl.enable (indent ''
|
|
${optionalString ssl.force_encryption ''
|
|
if ($scheme = http){
|
|
return 301 https://$server_name$request_uri;
|
|
}
|
|
''}
|
|
listen 443 ssl;
|
|
ssl_certificate ${ssl.certificate};
|
|
ssl_certificate_key ${ssl.certificate_key};
|
|
${optionalString ssl.prefer_server_ciphers ''
|
|
ssl_prefer_server_ciphers On;
|
|
''}
|
|
ssl_ciphers ${ssl.ciphers};
|
|
ssl_protocols ${toString ssl.protocols};
|
|
'')}
|
|
${optionalString ssl.acmeEnable (indent ''
|
|
${optionalString ssl.force_encryption ''
|
|
if ($scheme = http){
|
|
return 301 https://$server_name$request_uri;
|
|
}
|
|
''}
|
|
listen 443 ssl;
|
|
ssl_certificate ${config.security.acme.directory}/${domain}/fullchain.pem;
|
|
ssl_certificate_key ${config.security.acme.directory}/${domain}/key.pem;
|
|
${optionalString ssl.prefer_server_ciphers ''
|
|
ssl_prefer_server_ciphers On;
|
|
''}
|
|
ssl_ciphers ${ssl.ciphers};
|
|
ssl_protocols ${toString ssl.protocols};
|
|
'')}
|
|
${indent extraConfig}
|
|
${optionalString ssl.acmeEnable (indent (to-location acmeLocation))}
|
|
${indent (concatMapStrings to-location locations)}
|
|
}
|
|
'';
|
|
|
|
in
|
|
out
|