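# This file declares the per-virtual-host options of the nginx module
# (the forceSSL description below refers to nginx server blocks). It is a
# function of the module arguments and returns an attribute set with a
# single `options` attribute, suitable for use as a submodule.
#
# Security-relevant points for anyone setting these options:
#   * acmeRoot is a challenge directory, not a place for key material.
#   * basicAuth values are written to the Nix store in plain text.
#   * An explicit `listen` list overrides addSSL/onlySSL, so whether a
#     listener uses TLS is then decided per entry by its `ssl` flag.

{ config, lib }:

with lib;
{
  options = {
    serverName = mkOption {
      type = types.nullOr types.str;
      default = null;
      description = ''
        Name of this virtual host. Defaults to attribute name in virtualHosts.
      '';
      example = "example.org";
    };

    serverAliases = mkOption {
      type = types.listOf types.str;
      default = [];
      example = ["www.example.org" "example.org"];
      description = ''
        Additional names of virtual hosts served by this virtual host configuration.
      '';
    };

    # Each entry is a submodule; `ssl` defaults to false, so an entry that
    # names port 443 without `ssl = true` is not declared as a TLS listener here.
    listen = mkOption {
      type = with types; listOf (submodule { options = {
        addr = mkOption { type = str; description = "IP address."; };
        port = mkOption { type = int; description = "Port number."; default = 80; };
        ssl = mkOption { type = bool; description = "Enable SSL."; default = false; };
      }; });
      default = [];
      example = [
        { addr = "195.154.1.1"; port = 443; ssl = true;}
        { addr = "192.154.1.1"; port = 80; }
      ];
      description = ''
        Listen addresses and ports for this virtual host.
        IPv6 addresses must be enclosed in square brackets.
        Note: this option overrides <literal>addSSL</literal>
        and <literal>onlySSL</literal>.
      '';
    };

    enableACME = mkOption {
      type = types.bool;
      default = false;
      description = "Whether to ask Let's Encrypt to sign a certificate for this vhost.";
    };

    # The default path and acmeFallbackHost below indicate that this is the
    # webroot for ACME challenge responses. The description previously said it
    # stores certificates and keys, which would invite placing private keys in
    # a directory that is served to the network.
    acmeRoot = mkOption {
      type = types.str;
      default = "/var/lib/acme/acme-challenge";
      description = ''
        Directory for the ACME challenge files. This directory is served
        publicly; do not store certificates or keys in it.
      '';
    };

    acmeFallbackHost = mkOption {
      type = types.nullOr types.str;
      default = null;
      description = ''
        Host which to proxy requests to if acme challenge is not found. Useful
        if you want multiple hosts to be able to verify the same domain name.
      '';
    };

    addSSL = mkOption {
      type = types.bool;
      default = false;
      description = ''
        Whether to enable HTTPS in addition to plain HTTP. This will set defaults for
        <literal>listen</literal> to listen on all interfaces on the respective default
        ports (80, 443).
      '';
    };

    onlySSL = mkOption {
      type = types.bool;
      default = false;
      description = ''
        Whether to enable HTTPS and reject plain HTTP connections. This will set
        defaults for <literal>listen</literal> to listen on all interfaces on port 443.
      '';
    };

    # Hidden from the generated documentation (visible = false) and has no
    # description. NOTE(review): presumably kept for backward compatibility;
    # confirm how the consuming module treats it.
    enableSSL = mkOption {
      type = types.bool;
      visible = false;
      default = false;
    };

    forceSSL = mkOption {
      type = types.bool;
      default = false;
      description = ''
        Whether to add a separate nginx server block that permanently redirects (301)
        all plain HTTP traffic to HTTPS. This will set defaults for
        <literal>listen</literal> to listen on all interfaces on the respective default
        ports (80, 443), where the non-SSL listens are used for the redirect vhosts.
      '';
    };

    sslCertificate = mkOption {
      type = types.path;
      example = "/var/host.cert";
      description = "Path to server SSL certificate.";
    };

    # NOTE(review): give this as a string path, as in the example. A Nix path
    # literal (e.g. ./host.key) is copied into the world-readable Nix store
    # when it is interpolated into a string; confirm how the consuming module
    # uses this value.
    sslCertificateKey = mkOption {
      type = types.path;
      example = "/var/host.key";
      description = "Path to server SSL certificate key.";
    };

    root = mkOption {
      type = types.nullOr types.path;
      default = null;
      example = "/data/webserver/docs";
      description = ''
        The path of the web root directory.
      '';
    };

    default = mkOption {
      type = types.bool;
      default = false;
      description = ''
        Makes this vhost the default.
      '';
    };

    # Free-form text (types.lines); nothing in this file validates it.
    extraConfig = mkOption {
      type = types.lines;
      default = "";
      description = ''
        These lines go to the end of the vhost verbatim.
      '';
    };

    globalRedirect = mkOption {
      type = types.nullOr types.str;
      default = null;
      # Written as a quoted string rather than a bare URL literal; the value
      # is the same string, and bare URL literals are deprecated Nix syntax.
      example = "http://newserver.example.org/";
      description = ''
        If set, all requests for this host are redirected permanently to
        the given URL.
      '';
    };

    # The attribute values are the passwords themselves. The Nix store is
    # readable by every local user, so these credentials are not secret on
    # the host, and they also travel with any copy of the store path.
    basicAuth = mkOption {
      type = types.attrsOf types.str;
      default = {};
      example = literalExample ''
        {
          user = "password";
        };
      '';
      description = ''
        Basic Auth protection for a vhost.

        WARNING: This is implemented to store the password in plain text in the
        nix store.
      '';
    };

    # Per-location options are declared in ./location-options.nix.
    locations = mkOption {
      type = types.attrsOf (types.submodule (import ./location-options.nix {
        inherit lib;
      }));
      default = {};
      example = literalExample ''
        {
          "/" = {
            proxyPass = "http://localhost:3000";
          };
        };
      '';
      description = "Declarative location config";
    };
  };
}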