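{
  config,
  lib,
  pkgs,
  ...
}:
let
  cfg = config.services.hitch;

  # Empty string when stapling is disabled; the (possibly empty) value is
  # still written to hitch.conf as `ocsp-dir = ""`.
  ocspDir = lib.optionalString cfg.ocsp-stapling.enabled "/var/cache/hitch/ocsp";

  # Rendered hitch.conf.  Each generated key is quoted; `frontend` and
  # `pem-file` may repeat, so they are emitted one line per list entry.
  # `extraConfig` is appended verbatim at the end.
  hitchConfig = pkgs.writeText "hitch.conf" (
    lib.concatStringsSep "\n" [
      "backend = \"${cfg.backend}\""
      (lib.concatMapStrings (s: "frontend = \"${s}\"\n") cfg.frontend)
      (lib.concatMapStrings (s: "pem-file = \"${s}\"\n") cfg.pem-files)
      "ciphers = \"${cfg.ciphers}\""
      "ocsp-dir = \"${ocspDir}\""
      "user = \"${cfg.user}\""
      "group = \"${cfg.group}\""
      cfg.extraConfig
    ]
  );
in
{
  options = {
    services.hitch = {
      enable = lib.mkEnableOption "Hitch Server";

      backend = lib.mkOption {
        type = lib.types.str;
        description = ''
          The host and port Hitch connects to when receiving
          a connection in the form [HOST]:PORT
        '';
      };

      ciphers = lib.mkOption {
        type = lib.types.str;
        default = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
        description = "The list of ciphers to use";
      };

      # Accepts a single string or a list; `apply` normalises it to a list so
      # hitchConfig can always map over it.
      frontend = lib.mkOption {
        type = lib.types.either lib.types.str (lib.types.listOf lib.types.str);
        default = "[127.0.0.1]:443";
        description = ''
          The port and interface of the listen endpoint in the
          form [HOST]:PORT[+CERT].
        '';
        apply = lib.toList;
      };

      # NOTE: a Nix path literal here (e.g. `./cert.pem`) is interpolated
      # into hitch.conf and therefore copied into the world-readable
      # /nix/store.  Files that contain private keys should be referenced
      # by an absolute string path to a location outside the store.
      pem-files = lib.mkOption {
        type = lib.types.listOf lib.types.path;
        default = [ ];
        description = "PEM files to use";
      };

      ocsp-stapling = {
        enabled = lib.mkOption {
          type = lib.types.bool;
          default = true;
          description = "Whether to enable OCSP Stapling";
        };
      };

      user = lib.mkOption {
        type = lib.types.str;
        default = "hitch";
        description = "The user to run as";
      };

      group = lib.mkOption {
        type = lib.types.str;
        default = "hitch";
        description = "The group to run as";
      };

      extraConfig = lib.mkOption {
        type = lib.types.lines;
        default = "";
        description = "Additional configuration lines";
      };
    };

  };

  config = lib.mkIf cfg.enable {

    systemd.services.hitch = {
      description = "Hitch";
      wantedBy = [ "multi-user.target" ];
      after = [ "network.target" ];
      # No User= is set on the unit, so preStart runs with the unit's default
      # (root) privileges; the user/group lines in hitch.conf are what hitch
      # itself is expected to drop to.
      #
      # The OCSP cache must be owned by the account hitch runs as.  This was
      # previously hard-coded to hitch:hitch, which left the directory
      # unwritable whenever `user`/`group` were changed from their defaults.
      preStart =
        ''
          ${pkgs.hitch}/sbin/hitch -t --config ${hitchConfig}
        ''
        + (lib.optionalString cfg.ocsp-stapling.enabled ''
          mkdir -p ${ocspDir}
          chown -R ${cfg.user}:${cfg.group} ${ocspDir}
        '');
      serviceConfig = {
        Type = "forking";
        ExecStart = "${pkgs.hitch}/sbin/hitch --daemon --config ${hitchConfig}";
        ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
        Restart = "always";
        RestartSec = "5s";
        LimitNOFILE = 131072;
      };
    };

    environment.systemPackages = [ pkgs.hitch ];

    # The default account is always created; a non-default `user`/`group`
    # must be declared by the caller.
    users.users.hitch = {
      group = "hitch";
      isSystemUser = true;
    };
    users.groups.hitch = { };
  };
}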