summaryrefslogtreecommitdiffstats
path: root/krebs/3modules/nginx.nix
blob: 933c2e5131263122964d59f2828d2e0f55527a9f (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
{ config, lib, pkgs, ... }:

with import <stockholm/lib>;
let
  cfg = config.krebs.nginx;

  out = {
    options.krebs.nginx = api;
    config = lib.mkIf cfg.enable imp;
  };

  api = {
    enable = mkEnableOption "krebs.nginx";

    default404 = mkOption {
      type = types.bool;
      default = true;
      description = ''
        By default all requests not directed to an explicit hostname are
        replied with a 404 error to avoid accidental exposition of nginx
        services.

        Set this value to `false` to disable this behavior - you will then be
        able to configure a new `default_server` in the listen address entries
        again.
      '';
    };

    servers = mkOption {
      type = types.attrsOf (types.submodule {
        options = {
          server-names = mkOption {
            type = with types; listOf str;
            default =
              [config.krebs.build.host.name] ++
              concatMap (getAttr "aliases")
                        (attrValues config.krebs.build.host.nets);
          };
          listen = mkOption {
            type = with types; either str (listOf str);
            default = "80";
            apply = x:
              if typeOf x != "list"
                then [x]
                else x;
          };
          locations = mkOption {
            type = with types; listOf (attrsOf str);
            default = [];
          };
          extraConfig = mkOption {
            type = with types; string;
            default = "";
          };
          ssl = mkOption {
            type = with types; submodule ({ config, ... }: {
              options = {
                enable = mkEnableOption "ssl";
                acmeEnable = mkOption {
                  type = bool;
                  apply = x:
                    if x && config.enable
                      #conflicts because of certificate/certificate_key location
                      then throw "can't use ssl.enable and ssl.acmeEnable together"
                      else x;
                  default = false;
                  description = ''
                    enables automatical generation of lets-encrypt certificates and setting them as certificate
                    conflicts with ssl.enable
                  '';
                };
                certificate = mkOption {
                  type = str;
                };
                certificate_key = mkOption {
                  type = str;
                };
                #TODO: check for valid cipher
                ciphers = mkOption {
                  type = str;
                  default = "AES128+EECDH:AES128+EDH";
                };
                prefer_server_ciphers = mkOption {
                  type = bool;
                  default = true;
                };
                force_encryption = mkOption {
                  type = bool;
                  default = false;
                  description = ''
                    redirect all `http` traffic to the same domain but with ssl
                    protocol.
                  '';
                };
                protocols = mkOption {
                  type = listOf (enum [ "SSLv2" "SSLv3" "TLSv1" "TLSv1.1" "TLSv1.2" ]);
                  default = [ "TLSv1.1" "TLSv1.2" ];

                };
              };
            });
            default = {};
          };
        };
      });
      default = {};
    };
  };

  imp = {
    security.acme.certs = mapAttrs (_: to-acme) (filterAttrs (_: server: server.ssl.acmeEnable) cfg.servers);
    services.nginx = {
      enable = true;
      httpConfig = ''
        default_type      application/octet-stream;
        sendfile          on;
        keepalive_timeout 65;
        gzip              on;

        ${optionalString cfg.default404 ''
          server {
            listen 80 default_server;
            server_name _;
            return 404;
          }''}

        ${concatStrings (mapAttrsToList (_: to-server) cfg.servers)}
      '';
    };
  };

  indent = replaceChars ["\n"] ["\n  "];

  to-acme = { server-names, ssl, ... }:
    optionalAttrs ssl.acmeEnable {
      email = "lassulus@gmail.com";
      webroot = "${config.security.acme.directory}/${head server-names}";
    };

  to-location = { name, value }: ''
    location ${name} {
      ${indent value}
    }
  '';

  to-server = { server-names, listen, locations, extraConfig, ssl, ... }: let
    domain = head server-names;
    acmeLocation = optionalAttrs ssl.acmeEnable (nameValuePair "/.well-known/acme-challenge" ''
      root ${config.security.acme.certs.${domain}.webroot};
    '');
  in ''
    server {
      server_name ${toString (unique server-names)};
      ${concatMapStringsSep "\n" (x: indent "listen ${x};") listen}
      ${optionalString ssl.enable (indent ''
        ${optionalString ssl.force_encryption ''
          if ($scheme = http){
            return 301 https://$server_name$request_uri;
          }
        ''}
        listen 443 ssl;
        ssl_certificate ${ssl.certificate};
        ssl_certificate_key ${ssl.certificate_key};
        ${optionalString ssl.prefer_server_ciphers ''
          ssl_prefer_server_ciphers On;
        ''}
        ssl_ciphers ${ssl.ciphers};
        ssl_protocols ${toString ssl.protocols};
      '')}
      ${optionalString ssl.acmeEnable (indent ''
        ${optionalString ssl.force_encryption ''
          if ($scheme = http){
            return 301 https://$server_name$request_uri;
          }
        ''}
        listen 443 ssl;
        ssl_certificate ${config.security.acme.directory}/${domain}/fullchain.pem;
        ssl_certificate_key ${config.security.acme.directory}/${domain}/key.pem;
        ${optionalString ssl.prefer_server_ciphers ''
          ssl_prefer_server_ciphers On;
        ''}
        ssl_ciphers ${ssl.ciphers};
        ssl_protocols ${toString ssl.protocols};
      '')}
      ${indent extraConfig}
      ${optionalString ssl.acmeEnable (indent (to-location acmeLocation))}
      ${indent (concatMapStrings to-location locations)}
    }
  '';

in
out