commit 75545814743d6bc3c378f39bdb3e5fc7e512734e · pyrox.dev/nixpkgs

+19 -12

nixos/modules/services/web-servers/h2o/default.nix

···

       221
       221
        
                                   headerSet ++ [ hsts ];

     

       222
       222
        
                             }

     

       223
       223
        
                           );

     

       224
       224
       -
                     in

     

       225
       225
       -
                     value.settings

     

       226
       226
       -
                     // headerRecAttrs

     

       227
       227
       -
                     // {

     

       224
       224
       +
       

     

       228
       225
        
                       listen =

     

       229
       226
        
                         let

     

       230
       227
        
                           identity =

     
···

       233
       230
        
                               key-file = "${certs.${names.cert}.directory}/key.pem";

     

       234
       231
        
                               certificate-file = "${certs.${names.cert}.directory}/fullchain.pem";

     

       235
       232
        
                             };

     

       233
       233
       +
       

     

       234
       234
       +
                           baseListen =

     

       235
       235
       +
                             {

     

       236
       236
       +
                               port = port.TLS;

     

       237
       237
       +
                               ssl = (lib.recursiveUpdate tlsRecAttrs value.tls.extraSettings) // {

     

       238
       238
       +
                                 inherit identity;

     

       239
       239
       +
                               };

     

       240
       240
       +
                             }

     

       241
       241
       +
                             // lib.optionalAttrs (value.host != null) {

     

       242
       242
       +
                               host = value.host;

     

       243
       243
       +
                             };

     

       244
       244
       +
       

     

       245
       245
       +
                           # QUIC, if used, will duplicate the TLS over TCP directive, but

     

       246
       246
       +
                           # append some extra QUIC-related settings

     

       247
       247
       +
                           quicListen = lib.optional (value.tls.quic != null) (baseListen // { inherit (value.tls) quic; });

     

       236
       248
        
                         in

     

       237
       249
        
                         {

     

       238
       238
       -
                           port = port.TLS;

     

       239
       239
       -
                           ssl = (lib.recursiveUpdate tlsRecAttrs value.tls.extraSettings) // {

     

       240
       240
       -
                             inherit identity;

     

       241
       241
       -
                           };

     

       242
       242
       -
                         }

     

       243
       243
       -
                         // lib.optionalAttrs (value.host != null) {

     

       244
       244
       -
                           host = value.host;

     

       250
       250
       +
                           listen = [ baseListen ] ++ quicListen;

     

       245
       251
        
                         };

     

       246
       246
       -
                     };

     

       252
       252
       +
                     in

     

       253
       253
       +
                     value.settings // headerRecAttrs // listen;

     

       247
       254
        
                 };

     

       248
       255
        
           in

     

       249
       256
        
           # With a high likelihood of HTTP & ACME challenges being on the same port,

+19

nixos/modules/services/web-servers/h2o/vhost-options.nix

···

       152
       152
        
                         '';

     

       153
       153
        
                   };

     

       154
       154
        
                   recommendations = tlsRecommendationsOption;

     

       155
       155
       +
                   quic = mkOption {

     

       156
       156
       +
                     type = types.nullOr types.attrs;

     

       157
       157
       +
                     default = null;

     

       158
       158
       +
                     description = ''

     

       159
       159
       +
                       Enables HTTP/3 over QUIC on the UDP port for TLS. The attrset

     

       160
       160
       +
                       provides fine-turning for QUIC behavior, but can be empty. See

     

       161
       161
       +
                       <https://h2o.examp1e.net/configure/http3_directives.html#quic-attributes>.

     

       162
       162
       +
                     '';

     

       163
       163
       +
                     example =

     

       164
       164
       +
                       literalExpression

     

       165
       165
       +
                         # nix

     

       166
       166
       +
                         ''

     

       167
       167
       +
                           {

     

       168
       168
       +
                             amp-limit = 2;

     

       169
       169
       +
                             handshake-timeout-rtt-multiplier = 300;

     

       170
       170
       +
                             retry = "ON";

     

       171
       171
       +
                           }

     

       172
       172
       +
                         '';

     

       173
       173
       +
                   };

     

       155
       174
        
                   extraSettings = mkOption {

     

       156
       175
        
                     type = types.attrs;

     

       157
       176
        
                     default = { };

+23 -4

nixos/tests/web-servers/h2o/basic.nix

···

       43
       43
        
           server =

     

       44
       44
        
             { pkgs, ... }:

     

       45
       45
        
             {

     

       46
       46
       +
               environment.systemPackages = [

     

       47
       47
       +
                 pkgs.curlHTTP3

     

       48
       48
       +
               ];

     

       49
       49
       +
       

     

       46
       50
        
               services.h2o = {

     

       47
       51
        
                 enable = true;

     

       48
       52
        
                 defaultHTTPListenPort = port.HTTP;

     
···

       60
       64
        
                   "${domain.TLS}" = {

     

       61
       65
        
                     tls = {

     

       62
       66
        
                       policy = "force";

     

       67
       67
       +
                       quic = {

     

       68
       68
       +
                         retry = "ON";

     

       69
       69
       +
                       };

     

       63
       70
        
                       identity = [

     

       64
       71
        
                         {

     

       65
       72
        
                           key-file = ../../common/acme/server/acme.test.key.pem;

     
···

       99
       106
        
               ];

     

       100
       107
        
       

     

       101
       108
        
               networking = {

     

       102
       102
       -
                 firewall.allowedTCPPorts = with port; [

     

       103
       103
       -
                   HTTP

     

       104
       104
       -
                   TLS

     

       105
       105
       -
                 ];

     

       109
       109
       +
                 firewall = {

     

       110
       110
       +
                   allowedTCPPorts = with port; [

     

       111
       111
       +
                     HTTP

     

       112
       112
       +
                     TLS

     

       113
       113
       +
                   ];

     

       114
       114
       +
                   allowedUDPPorts = with port; [

     

       115
       115
       +
                     TLS

     

       116
       116
       +
                   ];

     

       117
       117
       +
                 };

     

       106
       118
        
                 extraHosts = ''

     

       107
       119
        
                   127.0.0.1 ${domain.HTTP}

     

       108
       120
        
                   127.0.0.1 ${domain.TLS}

     
···

       129
       141
        
             assert "content-type: text/x-rst" in tls_hello_world_head

     

       130
       142
        
       

     

       131
       143
        
             assert "${sawatdi_chao_lok}" in server.succeed("curl -v --http2 --tlsv1.3 --compressed --fail-with-body 'https://${domain.TLS}:${portStrTLS}/hello_world.rst'")

     

       144
       144
       +
       

     

       145
       145
       +
             quic_hello_world_head = server.succeed("curl -v --head --compressed --http3-only --fail-with-body 'https://${domain.TLS}:${portStrTLS}/hello_world.rst'").lower()

     

       146
       146
       +
             assert "http/3 200" in quic_hello_world_head

     

       147
       147
       +
             assert "server: h2o" in quic_hello_world_head

     

       148
       148
       +
             assert "content-type: text/x-rst" in quic_hello_world_head

     

       149
       149
       +
       

     

       150
       150
       +
             assert "${sawatdi_chao_lok}" in server.succeed("curl -v --http3-only --compressed --fail-with-body 'https://${domain.TLS}:${portStrTLS}/hello_world.rst'")

     

       132
       151
        
       

     

       133
       152
        
             assert "redirected" in server.succeed("curl -v --head --fail-with-body 'http://${domain.TLS}:${portStrHTTP}/hello_world.rst'").lower()

     

       134
       153