mirror of
https://github.com/NixOS/nixpkgs.git
synced 2025-07-13 13:40:28 +03:00
nixos/httpd: limit serving web content to virtual hosts, convert virtualHosts option type from listOf to attrsOf, add ACME integration
This commit is contained in:
Aaron Andersen
parent
d5bbb86bcb
commit
79215f0df1
16 changed files with 709 additions and 631 deletions
|
|
@ -3,7 +3,7 @@
|
|||
let
|
||||
|
||||
inherit (lib) mkDefault mkEnableOption mkForce mkIf mkMerge mkOption;
|
||||
inherit (lib) mapAttrs optional optionalString types;
|
||||
inherit (lib) literalExample mapAttrs optional optionalString types;
|
||||
|
||||
cfg = config.services.limesurvey;
|
||||
fpm = config.services.phpfpm.pools.limesurvey;
|
||||
|
|
@ -100,19 +100,15 @@ in
|
|||
};
|
||||
|
||||
virtualHost = mkOption {
|
||||
type = types.submodule ({
|
||||
options = import ../web-servers/apache-httpd/per-server-options.nix {
|
||||
inherit lib;
|
||||
forMainServer = false;
|
||||
};
|
||||
});
|
||||
example = {
|
||||
hostName = "survey.example.org";
|
||||
enableSSL = true;
|
||||
adminAddr = "webmaster@example.org";
|
||||
sslServerCert = "/var/lib/acme/survey.example.org/full.pem";
|
||||
sslServerKey = "/var/lib/acme/survey.example.org/key.pem";
|
||||
};
|
||||
type = types.submodule (import ../web-servers/apache-httpd/per-server-options.nix);
|
||||
example = literalExample ''
|
||||
{
|
||||
hostName = "survey.example.org";
|
||||
adminAddr = "webmaster@example.org";
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
}
|
||||
'';
|
||||
description = ''
|
||||
Apache configuration can be done by adapting <literal>services.httpd.virtualHosts.<name></literal>.
|
||||
See <xref linkend="opt-services.httpd.virtualHosts"/> for further information.
|
||||
|
|
@ -184,7 +180,7 @@ in
|
|||
config = {
|
||||
tempdir = "${stateDir}/tmp";
|
||||
uploaddir = "${stateDir}/upload";
|
||||
force_ssl = mkIf cfg.virtualHost.enableSSL "on";
|
||||
force_ssl = mkIf (cfg.virtualHost.addSSL || cfg.virtualHost.forceSSL || cfg.virtualHost.onlySSL) "on";
|
||||
config.defaultlang = "en";
|
||||
};
|
||||
};
|
||||
|
|
@ -215,38 +211,36 @@ in
|
|||
enable = true;
|
||||
adminAddr = mkDefault cfg.virtualHost.adminAddr;
|
||||
extraModules = [ "proxy_fcgi" ];
|
||||
virtualHosts = [ (mkMerge [
|
||||
cfg.virtualHost {
|
||||
documentRoot = mkForce "${pkg}/share/limesurvey";
|
||||
extraConfig = ''
|
||||
Alias "/tmp" "${stateDir}/tmp"
|
||||
<Directory "${stateDir}">
|
||||
AllowOverride all
|
||||
Require all granted
|
||||
Options -Indexes +FollowSymlinks
|
||||
</Directory>
|
||||
virtualHosts.${cfg.virtualHost.hostName} = mkMerge [ cfg.virtualHost {
|
||||
documentRoot = mkForce "${pkg}/share/limesurvey";
|
||||
extraConfig = ''
|
||||
Alias "/tmp" "${stateDir}/tmp"
|
||||
<Directory "${stateDir}">
|
||||
AllowOverride all
|
||||
Require all granted
|
||||
Options -Indexes +FollowSymlinks
|
||||
</Directory>
|
||||
|
||||
Alias "/upload" "${stateDir}/upload"
|
||||
<Directory "${stateDir}/upload">
|
||||
AllowOverride all
|
||||
Require all granted
|
||||
Options -Indexes
|
||||
</Directory>
|
||||
Alias "/upload" "${stateDir}/upload"
|
||||
<Directory "${stateDir}/upload">
|
||||
AllowOverride all
|
||||
Require all granted
|
||||
Options -Indexes
|
||||
</Directory>
|
||||
|
||||
<Directory "${pkg}/share/limesurvey">
|
||||
<FilesMatch "\.php$">
|
||||
<If "-f %{REQUEST_FILENAME}">
|
||||
SetHandler "proxy:unix:${fpm.socket}|fcgi://localhost/"
|
||||
</If>
|
||||
</FilesMatch>
|
||||
<Directory "${pkg}/share/limesurvey">
|
||||
<FilesMatch "\.php$">
|
||||
<If "-f %{REQUEST_FILENAME}">
|
||||
SetHandler "proxy:unix:${fpm.socket}|fcgi://localhost/"
|
||||
</If>
|
||||
</FilesMatch>
|
||||
|
||||
AllowOverride all
|
||||
Options -Indexes
|
||||
DirectoryIndex index.php
|
||||
</Directory>
|
||||
'';
|
||||
}
|
||||
]) ];
|
||||
AllowOverride all
|
||||
Options -Indexes
|
||||
DirectoryIndex index.php
|
||||
</Directory>
|
||||
'';
|
||||
} ];
|
||||
};
|
||||
|
||||
systemd.tmpfiles.rules = [
|
||||
|
|
|
|||
|
|
@ -64,7 +64,7 @@ let
|
|||
$wgScriptPath = "";
|
||||
|
||||
## The protocol and server name to use in fully-qualified URLs
|
||||
$wgServer = "${if cfg.virtualHost.enableSSL then "https" else "http"}://${cfg.virtualHost.hostName}";
|
||||
$wgServer = "${if cfg.virtualHost.addSSL || cfg.virtualHost.forceSSL || cfg.virtualHost.onlySSL then "https" else "http"}://${cfg.virtualHost.hostName}";
|
||||
|
||||
## The URL path to static resources (images, scripts, etc.)
|
||||
$wgResourceBasePath = $wgScriptPath;
|
||||
|
|
@ -290,19 +290,13 @@ in
|
|||
};
|
||||
|
||||
virtualHost = mkOption {
|
||||
type = types.submodule ({
|
||||
options = import ../web-servers/apache-httpd/per-server-options.nix {
|
||||
inherit lib;
|
||||
forMainServer = false;
|
||||
};
|
||||
});
|
||||
type = types.submodule (import ../web-servers/apache-httpd/per-server-options.nix);
|
||||
example = literalExample ''
|
||||
{
|
||||
hostName = "mediawiki.example.org";
|
||||
enableSSL = true;
|
||||
adminAddr = "webmaster@example.org";
|
||||
sslServerCert = "/var/lib/acme/mediawiki.example.org/full.pem";
|
||||
sslServerKey = "/var/lib/acme/mediawiki.example.org/key.pem";
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
}
|
||||
'';
|
||||
description = ''
|
||||
|
|
@ -389,31 +383,28 @@ in
|
|||
|
||||
services.httpd = {
|
||||
enable = true;
|
||||
adminAddr = mkDefault cfg.virtualHost.adminAddr;
|
||||
extraModules = [ "proxy_fcgi" ];
|
||||
virtualHosts = [ (mkMerge [
|
||||
cfg.virtualHost {
|
||||
documentRoot = mkForce "${pkg}/share/mediawiki";
|
||||
extraConfig = ''
|
||||
<Directory "${pkg}/share/mediawiki">
|
||||
<FilesMatch "\.php$">
|
||||
<If "-f %{REQUEST_FILENAME}">
|
||||
SetHandler "proxy:unix:${fpm.socket}|fcgi://localhost/"
|
||||
</If>
|
||||
</FilesMatch>
|
||||
virtualHosts.${cfg.virtualHost.hostName} = mkMerge [ cfg.virtualHost {
|
||||
documentRoot = mkForce "${pkg}/share/mediawiki";
|
||||
extraConfig = ''
|
||||
<Directory "${pkg}/share/mediawiki">
|
||||
<FilesMatch "\.php$">
|
||||
<If "-f %{REQUEST_FILENAME}">
|
||||
SetHandler "proxy:unix:${fpm.socket}|fcgi://localhost/"
|
||||
</If>
|
||||
</FilesMatch>
|
||||
|
||||
Require all granted
|
||||
DirectoryIndex index.php
|
||||
AllowOverride All
|
||||
</Directory>
|
||||
'' + optionalString (cfg.uploadsDir != null) ''
|
||||
Alias "/images" "${cfg.uploadsDir}"
|
||||
<Directory "${cfg.uploadsDir}">
|
||||
Require all granted
|
||||
</Directory>
|
||||
'';
|
||||
}
|
||||
]) ];
|
||||
Require all granted
|
||||
DirectoryIndex index.php
|
||||
AllowOverride All
|
||||
</Directory>
|
||||
'' + optionalString (cfg.uploadsDir != null) ''
|
||||
Alias "/images" "${cfg.uploadsDir}"
|
||||
<Directory "${cfg.uploadsDir}">
|
||||
Require all granted
|
||||
</Directory>
|
||||
'';
|
||||
} ];
|
||||
};
|
||||
|
||||
systemd.tmpfiles.rules = [
|
||||
|
|
|
|||
|
|
@ -32,7 +32,7 @@ let
|
|||
'dbcollation' => 'utf8mb4_unicode_ci',
|
||||
);
|
||||
|
||||
$CFG->wwwroot = '${if cfg.virtualHost.enableSSL then "https" else "http"}://${cfg.virtualHost.hostName}';
|
||||
$CFG->wwwroot = '${if cfg.virtualHost.addSSL || cfg.virtualHost.forceSSL || cfg.virtualHost.onlySSL then "https" else "http"}://${cfg.virtualHost.hostName}';
|
||||
$CFG->dataroot = '${stateDir}';
|
||||
$CFG->admin = 'admin';
|
||||
|
||||
|
|
@ -140,19 +140,15 @@ in
|
|||
};
|
||||
|
||||
virtualHost = mkOption {
|
||||
type = types.submodule ({
|
||||
options = import ../web-servers/apache-httpd/per-server-options.nix {
|
||||
inherit lib;
|
||||
forMainServer = false;
|
||||
};
|
||||
});
|
||||
example = {
|
||||
hostName = "moodle.example.org";
|
||||
enableSSL = true;
|
||||
adminAddr = "webmaster@example.org";
|
||||
sslServerCert = "/var/lib/acme/moodle.example.org/full.pem";
|
||||
sslServerKey = "/var/lib/acme/moodle.example.org/key.pem";
|
||||
};
|
||||
type = types.submodule (import ../web-servers/apache-httpd/per-server-options.nix);
|
||||
example = literalExample ''
|
||||
{
|
||||
hostName = "moodle.example.org";
|
||||
adminAddr = "webmaster@example.org";
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
}
|
||||
'';
|
||||
description = ''
|
||||
Apache configuration can be done by adapting <option>services.httpd.virtualHosts</option>.
|
||||
See <xref linkend="opt-services.httpd.virtualHosts"/> for further information.
|
||||
|
|
@ -241,22 +237,20 @@ in
|
|||
enable = true;
|
||||
adminAddr = mkDefault cfg.virtualHost.adminAddr;
|
||||
extraModules = [ "proxy_fcgi" ];
|
||||
virtualHosts = [ (mkMerge [
|
||||
cfg.virtualHost {
|
||||
documentRoot = mkForce "${cfg.package}/share/moodle";
|
||||
extraConfig = ''
|
||||
<Directory "${cfg.package}/share/moodle">
|
||||
<FilesMatch "\.php$">
|
||||
<If "-f %{REQUEST_FILENAME}">
|
||||
SetHandler "proxy:unix:${fpm.socket}|fcgi://localhost/"
|
||||
</If>
|
||||
</FilesMatch>
|
||||
Options -Indexes
|
||||
DirectoryIndex index.php
|
||||
</Directory>
|
||||
'';
|
||||
}
|
||||
]) ];
|
||||
virtualHosts.${cfg.virtualHost.hostName} = mkMerge [ cfg.virtualHost {
|
||||
documentRoot = mkForce "${cfg.package}/share/moodle";
|
||||
extraConfig = ''
|
||||
<Directory "${cfg.package}/share/moodle">
|
||||
<FilesMatch "\.php$">
|
||||
<If "-f %{REQUEST_FILENAME}">
|
||||
SetHandler "proxy:unix:${fpm.socket}|fcgi://localhost/"
|
||||
</If>
|
||||
</FilesMatch>
|
||||
Options -Indexes
|
||||
DirectoryIndex index.php
|
||||
</Directory>
|
||||
'';
|
||||
} ];
|
||||
};
|
||||
|
||||
systemd.tmpfiles.rules = [
|
||||
|
|
|
|||
|
|
@ -3,7 +3,7 @@
|
|||
let
|
||||
inherit (lib) mkDefault mkEnableOption mkForce mkIf mkMerge mkOption types;
|
||||
inherit (lib) any attrValues concatMapStringsSep flatten literalExample;
|
||||
inherit (lib) mapAttrs' mapAttrsToList nameValuePair optional optionalAttrs optionalString;
|
||||
inherit (lib) mapAttrs mapAttrs' mapAttrsToList nameValuePair optional optionalAttrs optionalString;
|
||||
|
||||
eachSite = config.services.wordpress;
|
||||
user = "wordpress";
|
||||
|
|
@ -209,18 +209,12 @@ let
|
|||
};
|
||||
|
||||
virtualHost = mkOption {
|
||||
type = types.submodule ({
|
||||
options = import ../web-servers/apache-httpd/per-server-options.nix {
|
||||
inherit lib;
|
||||
forMainServer = false;
|
||||
};
|
||||
});
|
||||
type = types.submodule (import ../web-servers/apache-httpd/per-server-options.nix);
|
||||
example = literalExample ''
|
||||
{
|
||||
enableSSL = true;
|
||||
adminAddr = "webmaster@example.org";
|
||||
sslServerCert = "/var/lib/acme/wordpress.example.org/full.pem";
|
||||
sslServerKey = "/var/lib/acme/wordpress.example.org/key.pem";
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
}
|
||||
'';
|
||||
description = ''
|
||||
|
|
@ -304,41 +298,37 @@ in
|
|||
services.httpd = {
|
||||
enable = true;
|
||||
extraModules = [ "proxy_fcgi" ];
|
||||
virtualHosts = mapAttrsToList (hostName: cfg:
|
||||
(mkMerge [
|
||||
cfg.virtualHost {
|
||||
documentRoot = mkForce "${pkg hostName cfg}/share/wordpress";
|
||||
extraConfig = ''
|
||||
<Directory "${pkg hostName cfg}/share/wordpress">
|
||||
<FilesMatch "\.php$">
|
||||
<If "-f %{REQUEST_FILENAME}">
|
||||
SetHandler "proxy:unix:${config.services.phpfpm.pools."wordpress-${hostName}".socket}|fcgi://localhost/"
|
||||
</If>
|
||||
</FilesMatch>
|
||||
virtualHosts = mapAttrs (hostName: cfg: mkMerge [ cfg.virtualHost {
|
||||
documentRoot = mkForce "${pkg hostName cfg}/share/wordpress";
|
||||
extraConfig = ''
|
||||
<Directory "${pkg hostName cfg}/share/wordpress">
|
||||
<FilesMatch "\.php$">
|
||||
<If "-f %{REQUEST_FILENAME}">
|
||||
SetHandler "proxy:unix:${config.services.phpfpm.pools."wordpress-${hostName}".socket}|fcgi://localhost/"
|
||||
</If>
|
||||
</FilesMatch>
|
||||
|
||||
# standard wordpress .htaccess contents
|
||||
<IfModule mod_rewrite.c>
|
||||
RewriteEngine On
|
||||
RewriteBase /
|
||||
RewriteRule ^index\.php$ - [L]
|
||||
RewriteCond %{REQUEST_FILENAME} !-f
|
||||
RewriteCond %{REQUEST_FILENAME} !-d
|
||||
RewriteRule . /index.php [L]
|
||||
</IfModule>
|
||||
# standard wordpress .htaccess contents
|
||||
<IfModule mod_rewrite.c>
|
||||
RewriteEngine On
|
||||
RewriteBase /
|
||||
RewriteRule ^index\.php$ - [L]
|
||||
RewriteCond %{REQUEST_FILENAME} !-f
|
||||
RewriteCond %{REQUEST_FILENAME} !-d
|
||||
RewriteRule . /index.php [L]
|
||||
</IfModule>
|
||||
|
||||
DirectoryIndex index.php
|
||||
Require all granted
|
||||
Options +FollowSymLinks
|
||||
</Directory>
|
||||
DirectoryIndex index.php
|
||||
Require all granted
|
||||
Options +FollowSymLinks
|
||||
</Directory>
|
||||
|
||||
# https://wordpress.org/support/article/hardening-wordpress/#securing-wp-config-php
|
||||
<Files wp-config.php>
|
||||
Require all denied
|
||||
</Files>
|
||||
'';
|
||||
}
|
||||
])
|
||||
) eachSite;
|
||||
# https://wordpress.org/support/article/hardening-wordpress/#securing-wp-config-php
|
||||
<Files wp-config.php>
|
||||
Require all denied
|
||||
</Files>
|
||||
'';
|
||||
} ]) eachSite;
|
||||
};
|
||||
|
||||
systemd.tmpfiles.rules = flatten (mapAttrsToList (hostName: cfg: [
|
||||
|
|
|
|||
|
|
@ -113,19 +113,15 @@ in
|
|||
};
|
||||
|
||||
virtualHost = mkOption {
|
||||
type = types.submodule ({
|
||||
options = import ../web-servers/apache-httpd/per-server-options.nix {
|
||||
inherit lib;
|
||||
forMainServer = false;
|
||||
};
|
||||
});
|
||||
example = {
|
||||
hostName = "zabbix.example.org";
|
||||
enableSSL = true;
|
||||
adminAddr = "webmaster@example.org";
|
||||
sslServerCert = "/var/lib/acme/zabbix.example.org/full.pem";
|
||||
sslServerKey = "/var/lib/acme/zabbix.example.org/key.pem";
|
||||
};
|
||||
type = types.submodule (import ../web-servers/apache-httpd/per-server-options.nix);
|
||||
example = literalExample ''
|
||||
{
|
||||
hostName = "zabbix.example.org";
|
||||
adminAddr = "webmaster@example.org";
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
}
|
||||
'';
|
||||
description = ''
|
||||
Apache configuration can be done by adapting <literal>services.httpd.virtualHosts.<name></literal>.
|
||||
See <xref linkend="opt-services.httpd.virtualHosts"/> for further information.
|
||||
|
|
@ -190,23 +186,21 @@ in
|
|||
enable = true;
|
||||
adminAddr = mkDefault cfg.virtualHost.adminAddr;
|
||||
extraModules = [ "proxy_fcgi" ];
|
||||
virtualHosts = [ (mkMerge [
|
||||
cfg.virtualHost {
|
||||
documentRoot = mkForce "${cfg.package}/share/zabbix";
|
||||
extraConfig = ''
|
||||
<Directory "${cfg.package}/share/zabbix">
|
||||
<FilesMatch "\.php$">
|
||||
<If "-f %{REQUEST_FILENAME}">
|
||||
SetHandler "proxy:unix:${fpm.socket}|fcgi://localhost/"
|
||||
</If>
|
||||
</FilesMatch>
|
||||
AllowOverride all
|
||||
Options -Indexes
|
||||
DirectoryIndex index.php
|
||||
</Directory>
|
||||
'';
|
||||
}
|
||||
]) ];
|
||||
virtualHosts.${cfg.virtualHost.hostName} = mkMerge [ cfg.virtualHost {
|
||||
documentRoot = mkForce "${cfg.package}/share/zabbix";
|
||||
extraConfig = ''
|
||||
<Directory "${cfg.package}/share/zabbix">
|
||||
<FilesMatch "\.php$">
|
||||
<If "-f %{REQUEST_FILENAME}">
|
||||
SetHandler "proxy:unix:${fpm.socket}|fcgi://localhost/"
|
||||
</If>
|
||||
</FilesMatch>
|
||||
AllowOverride all
|
||||
Options -Indexes
|
||||
DirectoryIndex index.php
|
||||
</Directory>
|
||||
'';
|
||||
} ];
|
||||
};
|
||||
|
||||
users.users.${user} = mapAttrs (name: mkDefault) {
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue