# This file defines the options that can be used both for the nginx
# main server configuration and for the virtual hosts (the options below
# reference nginx server blocks, not Apache). The former has additional
# options that affect the web server as a whole, like the user/group to
# run under.
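{ config, lib }:

with lib;
{
  # Per-virtual-host option declarations. This file only *declares* options
  # (types, defaults, documentation); the consuming nginx module is where
  # they are read and turned into configuration, so any interaction rules
  # noted below are taken from the descriptions, not enforced here.
  options = {
    serverName = mkOption {
      type = types.nullOr types.str;
      default = null;
      description = ''
        Name of this virtual host. Defaults to attribute name in virtualHosts.
      '';
      example = "example.org";
    };

    serverAliases = mkOption {
      type = types.listOf types.str;
      default = [];
      example = ["www.example.org" "example.org"];
      description = ''
        Additional names of virtual hosts served by this virtual host configuration.
      '';
    };

    # Explicit listen entries. Per the description, setting this replaces the
    # defaults that addSSL / onlySSL would otherwise derive.
    listen = mkOption {
      type = with types; listOf (submodule { options = {
        addr = mkOption { type = str; description = "IP address."; };
        port = mkOption { type = int; description = "Port number."; default = 80; };
        ssl = mkOption { type = bool; description = "Enable SSL."; default = false; };
      }; });
      default = [];
      example = [
        { addr = "195.154.1.1"; port = 443; ssl = true;}
        { addr = "192.154.1.1"; port = 80; }
      ];
      description = ''
        Listen addresses and ports for this virtual host.
        IPv6 addresses must be enclosed in square brackets.
        Note: this option overrides <literal>addSSL</literal>
        and <literal>onlySSL</literal>.
      '';
    };

    # enableACME and useACMEHost are alternatives: request a new certificate
    # for this vhost, or reuse one already obtained for another host.
    enableACME = mkOption {
      type = types.bool;
      default = false;
      description = ''
        Whether to ask Let's Encrypt to sign a certificate for this vhost.
        Alternately, you can use an existing certificate through <option>useACMEHost</option>.
      '';
    };

    useACMEHost = mkOption {
      type = types.nullOr types.str;
      default = null;
      description = ''
        A host of an existing Let's Encrypt certificate to use.
        This is useful if you have many subdomains and want to avoid hitting the
        <link xlink:href="https://letsencrypt.org/docs/rate-limits/">rate limit</link>.
        Alternately, you can generate a certificate through <option>enableACME</option>.
      '';
    };

    # NOTE(review): the default path ends in "acme-challenge" and
    # acmeFallbackHost talks about proxying when a challenge is not found,
    # which suggests this directory is the publicly served HTTP-01 challenge
    # webroot rather than a store for certificates and keys as the
    # description says. Confirm against the consuming module; private key
    # material must never live under a directory nginx serves to clients.
    acmeRoot = mkOption {
      type = types.str;
      default = "/var/lib/acme/acme-challenge";
      description = "Directory to store certificates and keys managed by the ACME service.";
    };

    acmeFallbackHost = mkOption {
      type = types.nullOr types.str;
      default = null;
      description = ''
        Host which to proxy requests to if acme challenge is not found. Useful
        if you want multiple hosts to be able to verify the same domain name.
      '';
    };

    # addSSL / onlySSL / forceSSL select how plain HTTP is treated alongside
    # HTTPS. Presumably at most one of them is meant to be set at a time;
    # whether that is validated is up to the consuming module, not this file.
    addSSL = mkOption {
      type = types.bool;
      default = false;
      description = ''
        Whether to enable HTTPS in addition to plain HTTP. This will set defaults for
        <literal>listen</literal> to listen on all interfaces on the respective default
        ports (80, 443).
      '';
    };

    onlySSL = mkOption {
      type = types.bool;
      default = false;
      description = ''
        Whether to enable HTTPS and reject plain HTTP connections. This will set
        defaults for <literal>listen</literal> to listen on all interfaces on port 443.
      '';
    };

    # Hidden from the generated manual (visible = false) and undocumented;
    # looks like a legacy option kept for compatibility — confirm how the
    # consuming module treats it before removing or relying on it.
    enableSSL = mkOption {
      type = types.bool;
      visible = false;
      default = false;
    };

    forceSSL = mkOption {
      type = types.bool;
      default = false;
      description = ''
        Whether to add a separate nginx server block that permanently redirects (301)
        all plain HTTP traffic to HTTPS. This will set defaults for
        <literal>listen</literal> to listen on all interfaces on the respective default
        ports (80, 443), where the non-SSL listens are used for the redirect vhosts.
      '';
    };

    # No defaults: a vhost that enables SSL without ACME has to provide both.
    # These are types.path, and a Nix *path literal* (e.g. ./host.key) is
    # copied into the Nix store, which is readable by every local user. Give
    # the key location as a string (as in the example) so nginx reads it from
    # disk at runtime instead.
    sslCertificate = mkOption {
      type = types.path;
      example = "/var/host.cert";
      description = "Path to server SSL certificate.";
    };

    sslCertificateKey = mkOption {
      type = types.path;
      example = "/var/host.key";
      description = "Path to server SSL certificate key.";
    };

    http2 = mkOption {
      type = types.bool;
      default = true;
      description = ''
        Whether to enable HTTP 2.
        Note that (as of writing) due to nginx's implementation, to disable
        HTTP 2 you have to disable it on all vhosts that use a given
        IP address / port.
        If there is one server block configured to enable http2, then it is
        enabled for all server blocks on this IP.
        See https://stackoverflow.com/a/39466948/263061.
      '';
    };

    root = mkOption {
      type = types.nullOr types.path;
      default = null;
      example = "/data/webserver/docs";
      description = ''
        The path of the web root directory.
      '';
    };

    default = mkOption {
      type = types.bool;
      default = false;
      description = ''
        Makes this vhost the default.
      '';
    };

    # Appended verbatim: nothing here is escaped or validated, so it is as
    # powerful (and as easy to get wrong) as editing nginx.conf directly.
    extraConfig = mkOption {
      type = types.lines;
      default = "";
      description = ''
        These lines go to the end of the vhost verbatim.
      '';
    };

    globalRedirect = mkOption {
      type = types.nullOr types.str;
      default = null;
      example = "newserver.example.org";
      description = ''
        If set, all requests for this host are redirected permanently to
        the given hostname.
      '';
    };

    # Credentials end up in the Nix store in plain text (see WARNING below),
    # i.e. readable by any local user. Treat them as low-value, and do not
    # reuse passwords from elsewhere.
    basicAuth = mkOption {
      type = types.attrsOf types.str;
      default = {};
      example = literalExample ''
        {
          user = "password";
        };
      '';
      description = ''
        Basic Auth protection for a vhost.

        WARNING: This is implemented to store the password in plain text in the
        nix store.
      '';
    };

    # Location blocks are declared by the sibling submodule in
    # ./location-options.nix, keyed by the location match string.
    locations = mkOption {
      type = types.attrsOf (types.submodule (import ./location-options.nix {
        inherit lib;
      }));
      default = {};
      example = literalExample ''
        {
          "/" = {
            proxyPass = "http://localhost:3000";
          };
        };
      '';
      description = "Declarative location config";
    };
  };
}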