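{
  config,
  lib,
  ...
}:

let
  inherit (lib)
    literalExpression
    mkOption
    types
    ;

  # Shared TLS-hardening option, defined once in ./common.nix so that every
  # consumer declares it identically.
  inherit (import ./common.nix { inherit lib; }) tlsRecommendationsOption;
in
{
  # Option declarations for one virtual host (one entry of `hosts`). Only the
  # declarations live here; rendering them into the h2o configuration is the
  # job of the enclosing module.
  options = {
    serverName = mkOption {
      type = types.nullOr types.nonEmptyStr;
      default = null;
      description = ''
        Server name to be used for this virtual host. Defaults to attribute
        name in hosts.
      '';
      example = "example.org";
    };

    serverAliases = mkOption {
      type = types.listOf types.nonEmptyStr;
      default = [ ];
      example = [
        "www.example.org"
        "example.org"
      ];
      description = ''
        Additional names of virtual hosts served by this virtual host
        configuration.
      '';
    };

    host = mkOption {
      type = types.nullOr types.nonEmptyStr;
      default = null;
      example = "127.0.0.1";
      description = ''
        Set the host address for this virtual host. If unset, the default is to
        listen on all network interfaces.
      '';
    };

    # Plain-HTTP listener. `null` means no HTTP-specific override for this host.
    http = mkOption {
      type = types.nullOr (
        types.submodule {
          options = {
            port = mkOption {
              type = types.port;
              # Falls back to the module-wide default so per-host overrides stay
              # optional.
              default = config.services.h2o.defaultHTTPListenPort;
              defaultText = literalExpression ''
                config.services.h2o.defaultHTTPListenPort
              '';
              description = ''
                Override the default HTTP port for this virtual host.
              '';
              example = literalExpression "8080";
            };
          };
        }
      );
      default = null;
      description = "HTTP options for virtual host";
    };

    # TLS listener. `null` means this host serves no TLS at all.
    tls = mkOption {
      type = types.nullOr (
        types.submodule {
          options = {
            port = mkOption {
              type = types.port;
              default = config.services.h2o.defaultTLSListenPort;
              defaultText = literalExpression ''
                config.services.h2o.defaultTLSListenPort
              '';
              description = ''
                Override the default TLS port for this virtual host.
              '';
              example = 8443;
            };
            # No default: choosing a policy is mandatory once `tls` is set.
            # NOTE(review): `only` is the TLS-only policy; "disable TLS
            # connections" in the description reads like a slip for "disable
            # non-TLS connections" — confirm against the listener generation in
            # the main module before rewording.
            policy = mkOption {
              type = types.enum [
                "add"
                "only"
                "force"
              ];
              description = ''
                `add` will additionally listen for TLS connections. `only` will
                disable TLS connections. `force` will redirect non-TLS traffic
                to the TLS connection.
              '';
              example = "force";
            };
            # NOTE(review): this module declares no `globalRedirect` or
            # `forceSSL` option; the description presumably refers to the
            # redirect emitted for `policy = "force"` — confirm and reword.
            redirectCode = mkOption {
              type = types.ints.between 300 399;
              default = 301;
              example = 308;
              description = ''
                HTTP status used by `globalRedirect` & `forceSSL`. Possible
                usecases include temporary (302, 307) redirects, keeping the
                request method & body (307, 308), or explicitly resetting the
                method to GET (303). See
                <https://developer.mozilla.org/en-US/docs/Web/HTTP/Redirections>.
              '';
            };
            # One entry per key/certificate pair (e.g. RSA and ECDSA).
            identity = mkOption {
              type = types.listOf (
                types.submodule {
                  options = {
                    key-file = mkOption {
                      # `types.path` also accepts Nix path literals (`./x.key`),
                      # and those are copied into the world-readable /nix/store.
                      # A private key must therefore be given as a string path
                      # to a file outside the store with restrictive permissions.
                      type = types.path;
                      description = ''
                        Path to key file. See
                        <https://h2o.examp1e.net/configure/base_directives.html#key-file>.
                      '';
                    };
                    certificate-file = mkOption {
                      type = types.path;
                      description = ''
                        Path to certificate file. See
                        <https://h2o.examp1e.net/configure/base_directives.html#certificate-file>.
                      '';
                    };
                  };
                }
              );
              default = [ ];
              description = ''
                Key / certificate pairs for the virtual host.
              '';
              example =
                literalExpression
                  # nix
                  ''
                    [
                      {
                        key-file = "/path/to/rsa.key";
                        certificate-file = "/path/to/rsa.crt";
                      }
                      {
                        key-file = "/path/to/ecdsa.key";
                        certificate-file = "/path/to/ecdsa.crt";
                      }
                    ]
                  '';
            };
            recommendations = tlsRecommendationsOption;
            # `null` leaves HTTP/3 off; any attrset (even `{ }`) enables it.
            quic = mkOption {
              type = types.nullOr types.attrs;
              default = null;
              description = ''
                Enables HTTP/3 over QUIC on the UDP port for TLS. The attrset
                provides fine-turning for QUIC behavior, but can be empty. See
                <https://h2o.examp1e.net/configure/http3_directives.html#quic-attributes>.
              '';
              example =
                literalExpression
                  # nix
                  ''
                    {
                      amp-limit = 2;
                      handshake-timeout-rtt-multiplier = 300;
                      retry = "ON";
                    }
                  '';
            };
            # Escape hatch for listen/ssl directives not modelled above.
            extraSettings = mkOption {
              type = types.attrs;
              default = { };
              description = ''
                Additional TLS/SSL-related configuration options. See
                <https://h2o.examp1e.net/configure/base_directives.html#listen-ssl>.
              '';
              example =
                literalExpression
                  # nix
                  ''
                    {
                      minimum-version = "TLSv1.3";
                    }
                  '';
            };
          };
        }
      );
      default = null;
      description = "TLS options for virtual host";
    };

    # ACME integration. `null` means no ACME handling for this host.
    acme = mkOption {
      type = types.nullOr (
        types.addCheck (types.submodule {
          options = {
            enable = mkOption {
              type = types.bool;
              default = false;
              description = ''
                Whether to ask Let’s Encrypt to sign a certificate for this
                virtual host. Alternatively, an existing host can be used thru
                {option}`acme.useHost`.
              '';
            };
            useHost = mkOption {
              type = types.nullOr types.nonEmptyStr;
              default = null;
              description = ''
                An existing Let’s Encrypt certificate to use for this virtual
                host. This is useful if you have many subdomains and want to
                avoid hitting the [rate
                limit](https://letsencrypt.org/docs/rate-limits). Alternately,
                you can generate a certificate through {option}`acme.enable`.
                Note that this option neither creates any certificates nor does
                it add subdomains to existing ones — you will need to create
                them manually using [](#opt-security.acme.certs).
              '';
            };
            root = mkOption {
              type = types.nullOr types.path;
              default = "/var/lib/acme/acme-challenge";
              description = ''
                Directory for the ACME challenge, which is **public**. Don’t put
                certs or keys in here. Set to `null` to inherit from
                config.security.acme.
              '';
            };
          };
          # Exactly one of `enable` / `useHost` must be set: either request a
          # certificate or reuse an existing one — never both, never neither.
          # Written as an inequality because it is a boolean XOR.
          # NOTE(review): `types.addCheck` only yields a generic "does not pass
          # check" error, so `acme = { }` (both defaults) fails without saying
          # why; an assertion in the consuming module would give a clearer
          # message.
        }) (a: a.enable != (a.useHost != null))
      );
      default = null;
      description = "ACME options for virtual host.";
    };

    # Free-form host config. `types.attrs` merges multiple definitions with a
    # shallow update (later definition wins per top-level key), so nested keys
    # are not deep-merged across modules.
    settings = mkOption {
      type = types.attrs;
      default = { };
      description = ''
        Attrset to be transformed into YAML for host config. Note that the HTTP
        / TLS configurations will override these config values. See
        <https://h2o.examp1e.net/configure/base_directives.html#hosts>.
      '';
    };
  };
}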