JakeHillion/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

nginx module: Add ACME support for ssl sites

Browse Source
This commit is contained in:
Tristan Helmich 2016-01-25 19:36:21 +01:00 committed by Robin Gloster
parent f298be9ef4
commit 4676983990
2 changed files with 34 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

27
nixos/modules/services/web-servers/nginx/default.nix
View File

@ -4,7 +4,13 @@ with lib;
let
cfg = config.services.nginx;
nginx = cfg.package;
virtualHosts = mapAttrs (vhostName: vhostConfig:
vhostConfig // (optionalAttrs vhostConfig.enableACME {
sslCertificate = "/var/lib/acme/${vhostName}/fullchain.pem";
sslCertificateKey = "/var/lib/acme/${vhostName}/key.pem";
})
) cfg.virtualHosts;
configFile = pkgs.writeText "nginx.conf" ''
user ${cfg.user} ${cfg.group};
error_log stderr;
@ -72,21 +78,23 @@ let
port = if vhost.port != null then vhost.port else (if ssl then 443 else 80);
listenString = toString port + optionalString ssl " ssl spdy";
in ''
${if vhost.forceSSL then ''
${optionalString vhost.forceSSL ''
server {
listen 80;
listen [::]:80;
server_name ${serverName} ${concatStringsSep " " vhost.serverAliases};
${optionalString vhost.enableACME "location /.well-known/acme-challenge { root ${vhost.acmeRoot}; }"}
return 301 https://$host${optionalString (port != 443) ":${port}"}$request_uri;
}
'' else ""}
''}
server {
listen ${listenString};
listen [::]:${listenString};
server_name ${serverName} ${concatStringsSep " " vhost.serverAliases};
${optionalString vhost.enableACME "location /.well-known/acme-challenge { root ${vhost.acmeRoot}; }"}
${optionalString (vhost.root != null) "root ${vhost.root};"}
${optionalString (vhost.globalRedirect != null) ''
return 301 https://${vhost.globalRedirect}$request_uri;
@ -101,7 +109,7 @@ let
${vhost.extraConfig}
}
''
) cfg.virtualHosts);
) virtualHosts);
genLocations = locations: concatStringsSep "\n" (mapAttrsToList (location: config: ''
location ${location} {
${optionalString (config.proxyPass != null) "proxy_pass ${config.proxyPass};"}
@ -202,7 +210,6 @@ in
description = "Nginx Web Server";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
path = [ nginx ];
preStart =
''
mkdir -p ${cfg.stateDir}/logs
@ -210,7 +217,7 @@ in
chown -R ${cfg.user}:${cfg.group} ${cfg.stateDir}
'';
serviceConfig = {
ExecStart = "${nginx}/bin/nginx -c ${configFile} -p ${cfg.stateDir}";
ExecStart = "${cfg.package}/bin/nginx -c ${configFile} -p ${cfg.stateDir}";
ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
Restart = "always";
RestartSec = "10s";
@ -218,6 +225,14 @@ in
};
};
security.acme.certs = mapAttrs (vhostName: vhostConfig: {
webroot = vhostConfig.acmeRoot;
extraDomains = genAttrs vhostConfig.serverAliases (alias: {
"${alias}" = null;
});
}) virtualHosts;
users.extraUsers = optionalAttrs (cfg.user == "nginx") (singleton
{ name = "nginx";
group = cfg.group;

14
nixos/modules/services/web-servers/nginx/vhost-options.nix
View File

@ -26,6 +26,18 @@ with lib;
'';
};
enableACME = mkOption {
type = types.bool;
default = false;
description = "Whether to ask Let's Encrypt to sign a certificate for this vhost.";
};
acmeRoot = mkOption {
type = types.str;
default = "/var/lib/acme/acme-challenge";
description = "Directory to store certificates and keys managed by the ACME service.";
};
enableSSL = mkOption {
type = types.bool;
default = false;
@ -44,7 +56,7 @@ with lib;
description = "Path to server SSL certificate.";
};
sslCertificateKey= mkOption {
sslCertificateKey = mkOption {
type = types.path;
example = "/var/host.key";
description = "Path to server SSL certificate key.";