2019-11-18 23:25:17 +01:00
|
|
|
|
# This file defines the options that can be used both for the Nginx
|
2016-01-24 15:50:54 +00:00
|
|
|
|
# main server configuration, and for the virtual hosts. (The latter
|
|
|
|
|
|
# has additional options that affect the web server as a whole, like
|
|
|
|
|
|
# the user/group to run under.)
|
|
|
|
|
|
|
2021-11-28 17:03:31 +00:00
|
|
|
|
{ config, lib, ... }:
|
2016-01-24 15:50:54 +00:00
|
|
|
|
|
|
|
|
|
|
with lib;
|
|
|
|
|
|
{
|
|
|
|
|
|
options = {
|
2017-01-16 16:46:43 +01:00
|
|
|
|
serverName = mkOption {
|
|
|
|
|
|
type = types.nullOr types.str;
|
|
|
|
|
|
default = null;
|
|
|
|
|
|
description = ''
|
|
|
|
|
|
Name of this virtual host. Defaults to attribute name in virtualHosts.
|
|
|
|
|
|
'';
|
|
|
|
|
|
example = "example.org";
|
|
|
|
|
|
};
|
|
|
|
|
|
|
2016-01-24 15:50:54 +00:00
|
|
|
|
serverAliases = mkOption {
|
|
|
|
|
|
type = types.listOf types.str;
|
|
|
|
|
|
default = [ ];
|
2022-03-07 15:44:24 +03:00
|
|
|
|
example = [
|
|
|
|
|
|
"www.example.org"
|
|
|
|
|
|
"example.org"
|
|
|
|
|
|
];
|
2016-01-24 15:50:54 +00:00
|
|
|
|
description = ''
|
|
|
|
|
|
Additional names of virtual hosts served by this virtual host configuration.
|
|
|
|
|
|
'';
|
|
|
|
|
|
};
|
|
|
|
|
|
|
2017-07-14 19:25:13 +02:00
|
|
|
|
listen = mkOption {
|
nixos/nginx: first-class PROXY protocol support
PROXY protocol is a convenient way to carry information about the
originating address/port of a TCP connection across multiple layers of
proxies/NAT, etc.
Currently, it is possible to make use of it in NGINX's NixOS module, but
is painful when we want to enable it "globally".
Technically, this is achieved by reworking the defaultListen options and
the objective is to have a coherent way to specify default listeners in
the current API design.
See `mkDefaultListenVhost` and `defaultListen` for the details.
It adds a safeguard against running a NGINX with no HTTP listeners (e.g.
only PROXY listeners) while asking for ACME certificates over HTTP-01.
An interesting usecase of PROXY protocol is to enable seamless IPv4 to
IPv6 proxy with origin IPv4 address for IPv6-only NGINX servers, it is
demonstrated how to achieve this in the tests, using sniproxy.
Finally, the tests covers:
- NGINX `defaultListen` mechanisms are not broken by these changes;
- NGINX PROXY protocol listeners are working in a final usecase
(sniproxy);
- uses snakeoil TLS certs from ACME setup with wildcard certificates;
In the future, it is desirable to spoof-attack NGINX in this scenario to
ascertain that `set_real_ip_from` and all the layers are working as
intended and preventing any user from setting their origin IP address to
any arbitrary, opening up the NixOS module to bad™ vulnerabilities.
For now, it is quite hard to achieve while being minimalistic about the
tests dependencies.
2023-03-05 18:13:27 +01:00
|
|
|
|
type =
|
|
|
|
|
|
with types;
|
|
|
|
|
|
listOf (submodule {
|
|
|
|
|
|
options = {
|
|
|
|
|
|
addr = mkOption {
|
|
|
|
|
|
type = str;
|
2023-07-07 11:52:37 -04:00
|
|
|
|
description = "Listen address.";
|
nixos/nginx: first-class PROXY protocol support
PROXY protocol is a convenient way to carry information about the
originating address/port of a TCP connection across multiple layers of
proxies/NAT, etc.
Currently, it is possible to make use of it in NGINX's NixOS module, but
is painful when we want to enable it "globally".
Technically, this is achieved by reworking the defaultListen options and
the objective is to have a coherent way to specify default listeners in
the current API design.
See `mkDefaultListenVhost` and `defaultListen` for the details.
It adds a safeguard against running a NGINX with no HTTP listeners (e.g.
only PROXY listeners) while asking for ACME certificates over HTTP-01.
An interesting usecase of PROXY protocol is to enable seamless IPv4 to
IPv6 proxy with origin IPv4 address for IPv6-only NGINX servers, it is
demonstrated how to achieve this in the tests, using sniproxy.
Finally, the tests covers:
- NGINX `defaultListen` mechanisms are not broken by these changes;
- NGINX PROXY protocol listeners are working in a final usecase
(sniproxy);
- uses snakeoil TLS certs from ACME setup with wildcard certificates;
In the future, it is desirable to spoof-attack NGINX in this scenario to
ascertain that `set_real_ip_from` and all the layers are working as
intended and preventing any user from setting their origin IP address to
any arbitrary, opening up the NixOS module to bad™ vulnerabilities.
For now, it is quite hard to achieve while being minimalistic about the
tests dependencies.
2023-03-05 18:13:27 +01:00
|
|
|
|
};
|
|
|
|
|
|
port = mkOption {
|
2023-07-07 11:52:37 -04:00
|
|
|
|
type = types.nullOr port;
|
2023-10-22 21:32:50 +02:00
|
|
|
|
description = ''
|
|
|
|
|
|
Port number to listen on.
|
|
|
|
|
|
If unset and the listen address is not a socket then nginx defaults to 80.
|
|
|
|
|
|
'';
|
2023-07-07 11:52:37 -04:00
|
|
|
|
default = null;
|
nixos/nginx: first-class PROXY protocol support
PROXY protocol is a convenient way to carry information about the
originating address/port of a TCP connection across multiple layers of
proxies/NAT, etc.
Currently, it is possible to make use of it in NGINX's NixOS module, but
is painful when we want to enable it "globally".
Technically, this is achieved by reworking the defaultListen options and
the objective is to have a coherent way to specify default listeners in
the current API design.
See `mkDefaultListenVhost` and `defaultListen` for the details.
It adds a safeguard against running a NGINX with no HTTP listeners (e.g.
only PROXY listeners) while asking for ACME certificates over HTTP-01.
An interesting usecase of PROXY protocol is to enable seamless IPv4 to
IPv6 proxy with origin IPv4 address for IPv6-only NGINX servers, it is
demonstrated how to achieve this in the tests, using sniproxy.
Finally, the tests covers:
- NGINX `defaultListen` mechanisms are not broken by these changes;
- NGINX PROXY protocol listeners are working in a final usecase
(sniproxy);
- uses snakeoil TLS certs from ACME setup with wildcard certificates;
In the future, it is desirable to spoof-attack NGINX in this scenario to
ascertain that `set_real_ip_from` and all the layers are working as
intended and preventing any user from setting their origin IP address to
any arbitrary, opening up the NixOS module to bad™ vulnerabilities.
For now, it is quite hard to achieve while being minimalistic about the
tests dependencies.
2023-03-05 18:13:27 +01:00
|
|
|
|
};
|
|
|
|
|
|
ssl = mkOption {
|
|
|
|
|
|
type = bool;
|
|
|
|
|
|
description = "Enable SSL.";
|
|
|
|
|
|
default = false;
|
|
|
|
|
|
};
|
|
|
|
|
|
proxyProtocol = mkOption {
|
|
|
|
|
|
type = bool;
|
|
|
|
|
|
description = "Enable PROXY protocol.";
|
|
|
|
|
|
default = false;
|
|
|
|
|
|
};
|
|
|
|
|
|
extraParameters = mkOption {
|
|
|
|
|
|
type = listOf str;
|
|
|
|
|
|
description = "Extra parameters of this listen directive.";
|
|
|
|
|
|
default = [ ];
|
|
|
|
|
|
example = [
|
|
|
|
|
|
"backlog=1024"
|
|
|
|
|
|
"deferred"
|
|
|
|
|
|
];
|
2025-04-01 20:10:43 +02:00
|
|
|
|
};
|
nixos/nginx: first-class PROXY protocol support
PROXY protocol is a convenient way to carry information about the
originating address/port of a TCP connection across multiple layers of
proxies/NAT, etc.
Currently, it is possible to make use of it in NGINX's NixOS module, but
is painful when we want to enable it "globally".
Technically, this is achieved by reworking the defaultListen options and
the objective is to have a coherent way to specify default listeners in
the current API design.
See `mkDefaultListenVhost` and `defaultListen` for the details.
It adds a safeguard against running a NGINX with no HTTP listeners (e.g.
only PROXY listeners) while asking for ACME certificates over HTTP-01.
An interesting usecase of PROXY protocol is to enable seamless IPv4 to
IPv6 proxy with origin IPv4 address for IPv6-only NGINX servers, it is
demonstrated how to achieve this in the tests, using sniproxy.
Finally, the tests covers:
- NGINX `defaultListen` mechanisms are not broken by these changes;
- NGINX PROXY protocol listeners are working in a final usecase
(sniproxy);
- uses snakeoil TLS certs from ACME setup with wildcard certificates;
In the future, it is desirable to spoof-attack NGINX in this scenario to
ascertain that `set_real_ip_from` and all the layers are working as
intended and preventing any user from setting their origin IP address to
any arbitrary, opening up the NixOS module to bad™ vulnerabilities.
For now, it is quite hard to achieve while being minimalistic about the
tests dependencies.
2023-03-05 18:13:27 +01:00
|
|
|
|
};
|
|
|
|
|
|
});
|
2017-07-16 18:20:27 +02:00
|
|
|
|
default = [ ];
|
2017-07-14 19:25:13 +02:00
|
|
|
|
example = [
|
2022-03-07 15:44:24 +03:00
|
|
|
|
{
|
|
|
|
|
|
addr = "195.154.1.1";
|
|
|
|
|
|
port = 443;
|
|
|
|
|
|
ssl = true;
|
2017-07-16 18:20:27 +02:00
|
|
|
|
}
|
|
|
|
|
|
{
|
|
|
|
|
|
addr = "192.154.1.1";
|
|
|
|
|
|
port = 80;
|
2025-04-01 20:10:43 +02:00
|
|
|
|
}
|
2023-07-07 11:52:37 -04:00
|
|
|
|
{ addr = "unix:/var/run/nginx.sock"; }
|
2017-07-14 19:25:13 +02:00
|
|
|
|
];
|
2016-01-24 15:50:54 +00:00
|
|
|
|
description = ''
|
2017-07-14 19:25:13 +02:00
|
|
|
|
Listen addresses and ports for this virtual host.
|
|
|
|
|
|
IPv6 addresses must be enclosed in square brackets.
|
2017-07-16 18:20:27 +02:00
|
|
|
|
Note: this option overrides `addSSL`
|
|
|
|
|
|
and `onlySSL`.
|
2021-07-29 16:33:10 +02:00
|
|
|
|
|
|
|
|
|
|
If you only want to set the addresses manually and not
|
nixos/nginx: first-class PROXY protocol support
PROXY protocol is a convenient way to carry information about the
originating address/port of a TCP connection across multiple layers of
proxies/NAT, etc.
Currently, it is possible to make use of it in NGINX's NixOS module, but
is painful when we want to enable it "globally".
Technically, this is achieved by reworking the defaultListen options and
the objective is to have a coherent way to specify default listeners in
the current API design.
See `mkDefaultListenVhost` and `defaultListen` for the details.
It adds a safeguard against running a NGINX with no HTTP listeners (e.g.
only PROXY listeners) while asking for ACME certificates over HTTP-01.
An interesting usecase of PROXY protocol is to enable seamless IPv4 to
IPv6 proxy with origin IPv4 address for IPv6-only NGINX servers, it is
demonstrated how to achieve this in the tests, using sniproxy.
Finally, the tests covers:
- NGINX `defaultListen` mechanisms are not broken by these changes;
- NGINX PROXY protocol listeners are working in a final usecase
(sniproxy);
- uses snakeoil TLS certs from ACME setup with wildcard certificates;
In the future, it is desirable to spoof-attack NGINX in this scenario to
ascertain that `set_real_ip_from` and all the layers are working as
intended and preventing any user from setting their origin IP address to
any arbitrary, opening up the NixOS module to bad™ vulnerabilities.
For now, it is quite hard to achieve while being minimalistic about the
tests dependencies.
2023-03-05 18:13:27 +01:00
|
|
|
|
the ports, take a look at `listenAddresses`.
|
2021-07-29 16:33:10 +02:00
|
|
|
|
'';
|
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
|
|
listenAddresses = mkOption {
|
|
|
|
|
|
type = with types; listOf str;
|
|
|
|
|
|
|
|
|
|
|
|
description = ''
|
|
|
|
|
|
Listen addresses for this virtual host.
|
2022-12-17 19:31:14 -05:00
|
|
|
|
Compared to `listen` this only sets the addresses
|
|
|
|
|
|
and the ports are chosen automatically.
|
2021-07-29 16:33:10 +02:00
|
|
|
|
|
|
|
|
|
|
Note: This option overrides `enableIPv6`
|
2016-01-24 15:50:54 +00:00
|
|
|
|
'';
|
2021-07-29 16:33:10 +02:00
|
|
|
|
default = [ ];
|
2022-07-04 18:36:53 +02:00
|
|
|
|
example = [
|
|
|
|
|
|
"127.0.0.1"
|
|
|
|
|
|
"[::1]"
|
|
|
|
|
|
];
|
2016-01-24 15:50:54 +00:00
|
|
|
|
};
|
|
|
|
|
|
|
2016-01-25 19:36:21 +01:00
|
|
|
|
enableACME = mkOption {
|
|
|
|
|
|
type = types.bool;
|
|
|
|
|
|
default = false;
|
2017-10-23 05:40:39 +02:00
|
|
|
|
description = ''
|
|
|
|
|
|
Whether to ask Let's Encrypt to sign a certificate for this vhost.
|
|
|
|
|
|
Alternately, you can use an existing certificate through {option}`useACMEHost`.
|
|
|
|
|
|
'';
|
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
|
|
useACMEHost = mkOption {
|
|
|
|
|
|
type = types.nullOr types.str;
|
|
|
|
|
|
default = null;
|
|
|
|
|
|
description = ''
|
|
|
|
|
|
A host of an existing Let's Encrypt certificate to use.
|
|
|
|
|
|
This is useful if you have many subdomains and want to avoid hitting the
|
|
|
|
|
|
[rate limit](https://letsencrypt.org/docs/rate-limits).
|
|
|
|
|
|
Alternately, you can generate a certificate through {option}`enableACME`.
|
2018-05-17 20:28:12 +02:00
|
|
|
|
*Note that this option does not create any certificates, nor it does add subdomains to existing ones – you will need to create them manually using [](#opt-security.acme.certs).*
|
2017-10-23 05:40:39 +02:00
|
|
|
|
'';
|
2016-01-25 19:36:21 +01:00
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
|
|
acmeRoot = mkOption {
|
2021-11-28 17:03:31 +00:00
|
|
|
|
type = types.nullOr types.str;
|
2016-01-25 19:36:21 +01:00
|
|
|
|
default = "/var/lib/acme/acme-challenge";
|
2021-11-28 17:03:31 +00:00
|
|
|
|
description = ''
|
2022-11-14 12:17:12 +02:00
|
|
|
|
Directory for the ACME challenge, which is **public**. Don't put certs or keys in here.
|
2021-11-28 17:03:31 +00:00
|
|
|
|
Set to null to inherit from config.security.acme.
|
|
|
|
|
|
'';
|
2016-01-25 19:36:21 +01:00
|
|
|
|
};
|
|
|
|
|
|
|
2016-02-17 04:01:50 +01:00
|
|
|
|
acmeFallbackHost = mkOption {
|
2016-09-06 17:45:57 +02:00
|
|
|
|
type = types.nullOr types.str;
|
|
|
|
|
|
default = null;
|
2016-02-17 04:01:50 +01:00
|
|
|
|
description = ''
|
2022-11-14 12:17:12 +02:00
|
|
|
|
Host which to proxy requests to if ACME challenge is not found. Useful
|
2016-02-17 04:01:50 +01:00
|
|
|
|
if you want multiple hosts to be able to verify the same domain name.
|
2022-11-14 11:38:12 +02:00
|
|
|
|
|
2022-11-14 12:17:12 +02:00
|
|
|
|
With this option, you could request certificates for the present domain
|
|
|
|
|
|
with an ACME client that is running on another host, which you would
|
|
|
|
|
|
specify here.
|
2016-02-17 04:01:50 +01:00
|
|
|
|
'';
|
|
|
|
|
|
};
|
|
|
|
|
|
|
2017-07-16 18:20:27 +02:00
|
|
|
|
addSSL = mkOption {
|
|
|
|
|
|
type = types.bool;
|
|
|
|
|
|
default = false;
|
|
|
|
|
|
description = ''
|
|
|
|
|
|
Whether to enable HTTPS in addition to plain HTTP. This will set defaults for
|
|
|
|
|
|
`listen` to listen on all interfaces on the respective default
|
|
|
|
|
|
ports (80, 443).
|
|
|
|
|
|
'';
|
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
|
|
onlySSL = mkOption {
|
|
|
|
|
|
type = types.bool;
|
|
|
|
|
|
default = false;
|
|
|
|
|
|
description = ''
|
|
|
|
|
|
Whether to enable HTTPS and reject plain HTTP connections. This will set
|
|
|
|
|
|
defaults for `listen` to listen on all interfaces on port 443.
|
|
|
|
|
|
'';
|
|
|
|
|
|
};
|
|
|
|
|
|
|
2016-01-24 15:50:54 +00:00
|
|
|
|
enableSSL = mkOption {
|
|
|
|
|
|
type = types.bool;
|
2017-07-16 18:20:27 +02:00
|
|
|
|
visible = false;
|
2016-01-24 15:50:54 +00:00
|
|
|
|
default = false;
|
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
|
|
forceSSL = mkOption {
|
|
|
|
|
|
type = types.bool;
|
|
|
|
|
|
default = false;
|
2017-07-16 18:20:27 +02:00
|
|
|
|
description = ''
|
2023-12-01 15:42:46 -03:00
|
|
|
|
Whether to add a separate nginx server block that redirects (defaults
|
|
|
|
|
|
to 301, configurable with `redirectCode`) all plain HTTP traffic to
|
|
|
|
|
|
HTTPS. This will set defaults for `listen` to listen on all interfaces
|
|
|
|
|
|
on the respective default ports (80, 443), where the non-SSL listens
|
|
|
|
|
|
are used for the redirect vhosts.
|
2017-07-16 18:20:27 +02:00
|
|
|
|
'';
|
2016-01-24 15:50:54 +00:00
|
|
|
|
};
|
|
|
|
|
|
|
2021-04-11 19:43:39 +02:00
|
|
|
|
rejectSSL = mkOption {
|
|
|
|
|
|
type = types.bool;
|
|
|
|
|
|
default = false;
|
|
|
|
|
|
description = ''
|
|
|
|
|
|
Whether to listen for and reject all HTTPS connections to this vhost. Useful in
|
|
|
|
|
|
[default](#opt-services.nginx.virtualHosts._name_.default)
|
|
|
|
|
|
server blocks to avoid serving the certificate for another vhost. Uses the
|
|
|
|
|
|
`ssl_reject_handshake` directive available in nginx versions
|
|
|
|
|
|
1.19.4 and above.
|
|
|
|
|
|
'';
|
|
|
|
|
|
};
|
|
|
|
|
|
|
2021-11-23 01:22:11 +03:00
|
|
|
|
kTLS = mkOption {
|
|
|
|
|
|
type = types.bool;
|
|
|
|
|
|
default = false;
|
|
|
|
|
|
description = ''
|
|
|
|
|
|
Whether to enable kTLS support.
|
|
|
|
|
|
Implementing TLS in the kernel (kTLS) improves performance by significantly
|
|
|
|
|
|
reducing the need for copying operations between user space and the kernel.
|
|
|
|
|
|
Required Nginx version 1.21.4 or later.
|
|
|
|
|
|
'';
|
|
|
|
|
|
};
|
|
|
|
|
|
|
2016-01-24 15:50:54 +00:00
|
|
|
|
sslCertificate = mkOption {
|
|
|
|
|
|
type = types.path;
|
|
|
|
|
|
example = "/var/host.cert";
|
|
|
|
|
|
description = "Path to server SSL certificate.";
|
|
|
|
|
|
};
|
|
|
|
|
|
|
2016-01-25 19:36:21 +01:00
|
|
|
|
sslCertificateKey = mkOption {
|
2016-01-24 15:50:54 +00:00
|
|
|
|
type = types.path;
|
|
|
|
|
|
example = "/var/host.key";
|
|
|
|
|
|
description = "Path to server SSL certificate key.";
|
|
|
|
|
|
};
|
|
|
|
|
|
|
2018-08-30 22:33:56 +02:00
|
|
|
|
sslTrustedCertificate = mkOption {
|
2018-09-02 01:35:59 +02:00
|
|
|
|
type = types.nullOr types.path;
|
2018-08-30 22:33:56 +02:00
|
|
|
|
default = null;
|
2021-10-03 18:06:03 +02:00
|
|
|
|
example = literalExpression ''"''${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"'';
|
2018-08-30 22:33:56 +02:00
|
|
|
|
description = "Path to root SSL certificate for stapling and client certificates.";
|
|
|
|
|
|
};
|
|
|
|
|
|
|
2017-12-19 19:53:02 +01:00
|
|
|
|
http2 = mkOption {
|
|
|
|
|
|
type = types.bool;
|
|
|
|
|
|
default = true;
|
|
|
|
|
|
description = ''
|
2023-03-27 11:27:49 +03:00
|
|
|
|
Whether to enable the HTTP/2 protocol.
|
2017-12-19 19:53:02 +01:00
|
|
|
|
Note that (as of writing) due to nginx's implementation, to disable
|
2023-03-27 11:27:49 +03:00
|
|
|
|
HTTP/2 you have to disable it on all vhosts that use a given
|
2017-12-19 19:53:02 +01:00
|
|
|
|
IP address / port.
|
2023-03-27 11:27:49 +03:00
|
|
|
|
If there is one server block configured to enable http2, then it is
|
2017-12-19 19:53:02 +01:00
|
|
|
|
enabled for all server blocks on this IP.
|
|
|
|
|
|
See https://stackoverflow.com/a/39466948/263061.
|
|
|
|
|
|
'';
|
|
|
|
|
|
};
|
|
|
|
|
|
|
2021-04-18 18:53:21 +02:00
|
|
|
|
http3 = mkOption {
|
2023-03-27 11:27:49 +03:00
|
|
|
|
type = types.bool;
|
|
|
|
|
|
default = true;
|
|
|
|
|
|
description = ''
|
|
|
|
|
|
Whether to enable the HTTP/3 protocol.
|
|
|
|
|
|
This requires using `pkgs.nginxQuic` package
|
|
|
|
|
|
which can be achieved by setting `services.nginx.package = pkgs.nginxQuic;`
|
|
|
|
|
|
and activate the QUIC transport protocol
|
|
|
|
|
|
`services.nginx.virtualHosts.<name>.quic = true;`.
|
2023-12-19 22:31:46 +03:00
|
|
|
|
Note that HTTP/3 support is experimental and *not* yet recommended for production.
|
2023-03-27 11:27:49 +03:00
|
|
|
|
Read more at https://quic.nginx.org/
|
2023-12-19 22:31:46 +03:00
|
|
|
|
HTTP/3 availability must be manually advertised, preferably in each location block.
|
2023-03-27 11:27:49 +03:00
|
|
|
|
'';
|
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
|
|
http3_hq = mkOption {
|
|
|
|
|
|
type = types.bool;
|
|
|
|
|
|
default = false;
|
|
|
|
|
|
description = ''
|
|
|
|
|
|
Whether to enable the HTTP/0.9 protocol negotiation used in QUIC interoperability tests.
|
|
|
|
|
|
This requires using `pkgs.nginxQuic` package
|
|
|
|
|
|
which can be achieved by setting `services.nginx.package = pkgs.nginxQuic;`
|
|
|
|
|
|
and activate the QUIC transport protocol
|
|
|
|
|
|
`services.nginx.virtualHosts.<name>.quic = true;`.
|
2023-12-19 22:31:46 +03:00
|
|
|
|
Note that special application protocol support is experimental and *not* yet recommended for production.
|
2023-03-27 11:27:49 +03:00
|
|
|
|
Read more at https://quic.nginx.org/
|
|
|
|
|
|
'';
|
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
|
|
quic = mkOption {
|
2021-04-18 18:53:21 +02:00
|
|
|
|
type = types.bool;
|
|
|
|
|
|
default = false;
|
|
|
|
|
|
description = ''
|
2023-03-27 11:27:49 +03:00
|
|
|
|
Whether to enable the QUIC transport protocol.
|
2021-04-18 18:53:21 +02:00
|
|
|
|
This requires using `pkgs.nginxQuic` package
|
2021-06-28 18:08:31 +02:00
|
|
|
|
which can be achieved by setting `services.nginx.package = pkgs.nginxQuic;`.
|
2023-03-27 11:27:49 +03:00
|
|
|
|
Note that QUIC support is experimental and
|
2022-08-13 11:56:56 +02:00
|
|
|
|
*not* yet recommended for production.
|
2021-04-18 18:53:21 +02:00
|
|
|
|
Read more at https://quic.nginx.org/
|
|
|
|
|
|
'';
|
|
|
|
|
|
};
|
|
|
|
|
|
|
2022-03-07 15:44:24 +03:00
|
|
|
|
reuseport = mkOption {
|
|
|
|
|
|
type = types.bool;
|
|
|
|
|
|
default = false;
|
|
|
|
|
|
description = ''
|
|
|
|
|
|
Create an individual listening socket .
|
|
|
|
|
|
It is required to specify only once on one of the hosts.
|
|
|
|
|
|
'';
|
|
|
|
|
|
};
|
|
|
|
|
|
|
2016-01-24 15:50:54 +00:00
|
|
|
|
root = mkOption {
|
|
|
|
|
|
type = types.nullOr types.path;
|
|
|
|
|
|
default = null;
|
|
|
|
|
|
example = "/data/webserver/docs";
|
|
|
|
|
|
description = ''
|
|
|
|
|
|
The path of the web root directory.
|
|
|
|
|
|
'';
|
|
|
|
|
|
};
|
|
|
|
|
|
|
2016-04-03 10:58:34 +00:00
|
|
|
|
default = mkOption {
|
|
|
|
|
|
type = types.bool;
|
|
|
|
|
|
default = false;
|
|
|
|
|
|
description = ''
|
|
|
|
|
|
Makes this vhost the default.
|
|
|
|
|
|
'';
|
|
|
|
|
|
};
|
|
|
|
|
|
|
2016-01-24 15:50:54 +00:00
|
|
|
|
extraConfig = mkOption {
|
|
|
|
|
|
type = types.lines;
|
|
|
|
|
|
default = "";
|
|
|
|
|
|
description = ''
|
|
|
|
|
|
These lines go to the end of the vhost verbatim.
|
|
|
|
|
|
'';
|
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
|
|
globalRedirect = mkOption {
|
|
|
|
|
|
type = types.nullOr types.str;
|
|
|
|
|
|
default = null;
|
2017-10-22 06:13:09 +02:00
|
|
|
|
example = "newserver.example.org";
|
2016-01-24 15:50:54 +00:00
|
|
|
|
description = ''
|
2023-12-01 15:42:46 -03:00
|
|
|
|
If set, all requests for this host are redirected (defaults to 301,
|
|
|
|
|
|
configurable with `redirectCode`) to the given hostname.
|
|
|
|
|
|
'';
|
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
|
|
redirectCode = mkOption {
|
|
|
|
|
|
type = types.ints.between 300 399;
|
|
|
|
|
|
default = 301;
|
|
|
|
|
|
example = 308;
|
|
|
|
|
|
description = ''
|
|
|
|
|
|
HTTP status used by `globalRedirect` and `forceSSL`. Possible usecases
|
|
|
|
|
|
include temporary (302, 307) redirects, keeping the request method and
|
|
|
|
|
|
body (307, 308), or explicitly resetting the method to GET (303).
|
|
|
|
|
|
See <https://developer.mozilla.org/en-US/docs/Web/HTTP/Redirections>.
|
2016-01-24 15:50:54 +00:00
|
|
|
|
'';
|
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
|
|
basicAuth = mkOption {
|
|
|
|
|
|
type = types.attrsOf types.str;
|
|
|
|
|
|
default = { };
|
2021-10-03 18:06:03 +02:00
|
|
|
|
example = literalExpression ''
|
2016-05-09 14:46:44 +00:00
|
|
|
|
{
|
|
|
|
|
|
user = "password";
|
|
|
|
|
|
};
|
|
|
|
|
|
'';
|
|
|
|
|
|
description = ''
|
|
|
|
|
|
Basic Auth protection for a vhost.
|
|
|
|
|
|
|
|
|
|
|
|
WARNING: This is implemented to store the password in plain text in the
|
2020-11-02 08:15:28 -05:00
|
|
|
|
Nix store.
|
2016-05-09 14:46:44 +00:00
|
|
|
|
'';
|
2016-01-24 15:50:54 +00:00
|
|
|
|
};
|
|
|
|
|
|
|
2018-04-04 21:47:56 -04:00
|
|
|
|
basicAuthFile = mkOption {
|
|
|
|
|
|
type = types.nullOr types.path;
|
|
|
|
|
|
default = null;
|
|
|
|
|
|
description = ''
|
|
|
|
|
|
Basic Auth password file for a vhost.
|
2024-10-08 23:14:26 +13:00
|
|
|
|
Can be created by running {command}`nix-shell --packages apacheHttpd --run 'htpasswd -B -c FILENAME USERNAME'`.
|
2018-04-04 21:47:56 -04:00
|
|
|
|
'';
|
|
|
|
|
|
};
|
|
|
|
|
|
|
2016-01-24 15:50:54 +00:00
|
|
|
|
locations = mkOption {
|
|
|
|
|
|
type = types.attrsOf (
|
|
|
|
|
|
types.submodule (
|
|
|
|
|
|
import ./location-options.nix {
|
2022-06-08 22:28:41 -04:00
|
|
|
|
inherit lib config;
|
2016-01-24 15:50:54 +00:00
|
|
|
|
}
|
2025-04-01 20:10:43 +02:00
|
|
|
|
)
|
2016-01-24 15:50:54 +00:00
|
|
|
|
);
|
|
|
|
|
|
default = { };
|
2021-10-03 18:06:03 +02:00
|
|
|
|
example = literalExpression ''
|
2016-05-09 14:46:44 +00:00
|
|
|
|
{
|
|
|
|
|
|
"/" = {
|
|
|
|
|
|
proxyPass = "http://localhost:3000";
|
|
|
|
|
|
};
|
|
|
|
|
|
};
|
2016-01-24 15:50:54 +00:00
|
|
|
|
'';
|
2016-05-09 14:46:44 +00:00
|
|
|
|
description = "Declarative location config";
|
2016-01-24 15:50:54 +00:00
|
|
|
|
};
|
|
|
|
|
|
};
|
|
|
|
|
|
}
|