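{ config, lib, pkgs, ... }:
let
  cfg = config.services.hitch;

  # Hitch treats an empty `ocsp-dir` as "no stapling cache", so the path is only
  # set when the feature is enabled; the same string is reused by preStart to
  # create the directory.
  ocspDir = lib.optionalString cfg.ocsp-stapling.enabled "/var/cache/hitch/ocsp";

  # The rendered hitch.conf is a Nix store file and therefore world-readable:
  # it must only ever contain references to certificate files, never the
  # certificate material itself. `pem-files` entries are interpolated by path.
  hitchConfig = with lib; pkgs.writeText "hitch.conf" (concatStringsSep "\n" [
    ("backend = \"${cfg.backend}\"")
    (concatMapStrings (s: "frontend = \"${s}\"\n") cfg.frontend)
    (concatMapStrings (s: "pem-file = \"${s}\"\n") cfg.pem-files)
    ("ciphers = \"${cfg.ciphers}\"")
    ("ocsp-dir = \"${ocspDir}\"")
    "user = \"${cfg.user}\""
    "group = \"${cfg.group}\""
    cfg.extraConfig
  ]);
in
with lib;
{
  options = {
    services.hitch = {
      enable = mkEnableOption (lib.mdDoc "Hitch Server");

      backend = mkOption {
        type = types.str;
        description = lib.mdDoc ''
          The host and port Hitch connects to when receiving
          a connection in the form [HOST]:PORT
        '';
      };

      ciphers = mkOption {
        type = types.str;
        default = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
        description = lib.mdDoc ''
          The OpenSSL cipher list passed to hitch as `ciphers`.
          The default only allows ECDHE/DHE (forward-secret) AES suites.
        '';
      };

      frontend = mkOption {
        type = types.either types.str (types.listOf types.str);
        default = "[127.0.0.1]:443";
        description = lib.mdDoc ''
          The port and interface of the listen endpoint in the
          form [HOST]:PORT[+CERT]. The default only listens on
          the loopback interface; set an explicit address to
          expose the listener.
        '';
        # A single string is normalised to a one-element list so the
        # config renderer can always iterate over it.
        apply = toList;
      };

      pem-files = mkOption {
        type = types.listOf types.path;
        default = [];
        description = lib.mdDoc ''
          PEM files (certificate chain plus private key) to use.

          Each entry is written into hitch.conf verbatim as a file path.
          Give these as string paths (e.g. `"/var/lib/hitch/site.pem"`),
          not as Nix path literals: a path literal is copied into the
          world-readable Nix store, which would expose the private key.
          The files only need to be readable by root, since hitch opens
          them before dropping privileges to {option}`services.hitch.user`.
        '';
      };

      ocsp-stapling = {
        enabled = mkOption {
          type = types.bool;
          default = true;
          description = lib.mdDoc ''
            Whether to enable OCSP Stapling. When enabled, hitch caches
            fetched OCSP responses under `/var/cache/hitch/ocsp`, which
            is created and handed to the service user before start.
          '';
        };
      };

      user = mkOption {
        type = types.str;
        default = "hitch";
        description = lib.mdDoc ''
          The user hitch drops privileges to after start-up.
          Only the default `hitch` user is created by this module;
          any other value must be declared separately.
        '';
      };

      group = mkOption {
        type = types.str;
        default = "hitch";
        description = lib.mdDoc ''
          The group hitch drops privileges to after start-up.
          Only the default `hitch` group is created by this module;
          any other value must be declared separately.
        '';
      };

      extraConfig = mkOption {
        type = types.lines;
        default = "";
        description = lib.mdDoc ''
          Additional configuration lines appended verbatim to hitch.conf.
          They end up in the Nix store, so do not put secrets here.
        '';
      };
    };

  };

  config = mkIf cfg.enable {

    systemd.services.hitch = {
      description = "Hitch";
      wantedBy = [ "multi-user.target" ];
      after = [ "network.target" ];
      # Validate the rendered configuration first so a broken config fails
      # the unit instead of crash-looping under Restart=always. The OCSP
      # cache directory must be writable by the *configured* user/group,
      # not the hard-coded `hitch` account, otherwise a custom
      # services.hitch.user cannot persist stapled responses.
      preStart = ''
        ${pkgs.hitch}/sbin/hitch -t --config ${hitchConfig}
      '' + (optionalString cfg.ocsp-stapling.enabled ''
        mkdir -p ${ocspDir}
        chown -R ${cfg.user}:${cfg.group} ${ocspDir}
      '');
      serviceConfig = {
        # No User= here on purpose: hitch is started as root so it can read
        # the PEM files and bind privileged ports, then drops to the
        # user/group given in hitch.conf.
        Type = "forking";
        ExecStart = "${pkgs.hitch}/sbin/hitch --daemon --config ${hitchConfig}";
        ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
        Restart = "always";
        RestartSec = "5s";
        # TLS terminators hold one FD per client and one per backend
        # connection; the default limit is far too low for real traffic.
        LimitNOFILE = 131072;
      };
    };

    environment.systemPackages = [ pkgs.hitch ];

    # The default service account. It is created even when a custom
    # user/group is configured; the custom account is the admin's
    # responsibility.
    users.users.hitch = {
      group = "hitch";
      isSystemUser = true;
    };
    users.groups.hitch = {};
  };
}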