diff --git a/maintainers/maintainer-list.nix b/maintainers/maintainer-list.nix index aec6f67a9191..14fd53b2f492 100644 --- a/maintainers/maintainer-list.nix +++ b/maintainers/maintainer-list.nix @@ -1760,6 +1760,11 @@ github = "tftio"; name = "James Felix Black"; }; + jflanglois = { + email = "yourstruly@julienlanglois.me"; + github = "jflanglois"; + name = "Julien Langlois"; + }; jfrankenau = { email = "johannes@frankenau.net"; github = "jfrankenau"; diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index b0889e62f7c5..38f961c0467a 100644 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix @@ -651,6 +651,7 @@ ./services/web-servers/apache-httpd/default.nix ./services/web-servers/caddy.nix ./services/web-servers/fcgiwrap.nix + ./services/web-servers/hitch/default.nix ./services/web-servers/jboss/default.nix ./services/web-servers/lighttpd/cgit.nix ./services/web-servers/lighttpd/collectd.nix diff --git a/nixos/modules/services/web-servers/hitch/default.nix b/nixos/modules/services/web-servers/hitch/default.nix new file mode 100644 index 000000000000..895d02827f71 --- /dev/null +++ b/nixos/modules/services/web-servers/hitch/default.nix @@ -0,0 +1,108 @@ +{ config, lib, pkgs, ...}: +let + cfg = config.services.hitch; + ocspDir = lib.optionalString cfg.ocsp-stapling.enabled "/var/cache/hitch/ocsp"; + hitchConfig = with lib; pkgs.writeText "hitch.conf" (concatStringsSep "\n" [ + ("backend = \"${cfg.backend}\"") + (concatMapStrings (s: "frontend = \"${s}\"\n") cfg.frontend) + (concatMapStrings (s: "pem-file = \"${s}\"\n") cfg.pem-files) + ("ciphers = \"${cfg.ciphers}\"") + ("ocsp-dir = \"${ocspDir}\"") + "user = \"${cfg.user}\"" + "group = \"${cfg.group}\"" + cfg.extraConfig + ]); +in +with lib; +{ + options = { + services.hitch = { + enable = mkEnableOption "Hitch Server"; + + backend = mkOption { + type = types.str; + description = '' + The host and port Hitch connects to when receiving + a connection in the form [HOST]:PORT + ''; + }; + + ciphers = mkOption { + type = types.str; + default = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"; + description = "The list of ciphers to use"; + }; + + frontend = mkOption { + type = types.either types.str (types.listOf types.str); + default = "[127.0.0.1]:443"; + description = '' + The port and interface of the listen endpoint in the ++ form [HOST]:PORT[+CERT]. + ''; + apply = toList; + }; + + pem-files = mkOption { + type = types.listOf types.path; + default = []; + description = "PEM files to use"; + }; + + ocsp-stapling = { + enabled = mkOption { + type = types.bool; + default = true; + description = "Whether to enable OCSP Stapling"; + }; + }; + + user = mkOption { + type = types.str; + default = "hitch"; + description = "The user to run as"; + }; + + group = mkOption { + type = types.str; + default = "hitch"; + description = "The group to run as"; + }; + + extraConfig = mkOption { + type = types.lines; + default = ""; + description = "Additional configuration lines"; + }; + }; + + }; + + config = mkIf cfg.enable { + + systemd.services.hitch = { + description = "Hitch"; + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + preStart = '' + ${pkgs.hitch}/sbin/hitch -t --config ${hitchConfig} + '' + (optionalString cfg.ocsp-stapling.enabled '' + mkdir -p ${ocspDir} + chown -R hitch:hitch ${ocspDir} + ''); + serviceConfig = { + Type = "forking"; + ExecStart = "${pkgs.hitch}/sbin/hitch --daemon --config ${hitchConfig}"; + ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; + Restart = "always"; + RestartSec = "5s"; + LimitNOFILE = 131072; + }; + }; + + environment.systemPackages = [ pkgs.hitch ]; + + users.extraUsers.hitch.group = "hitch"; + users.extraGroups.hitch = {}; + }; +} diff --git a/nixos/release.nix b/nixos/release.nix index 4ad947f11d10..5b6640f1d3cc 100644 --- a/nixos/release.nix +++ b/nixos/release.nix @@ -297,6 +297,7 @@ in rec { tests.graphite = callTest tests/graphite.nix {}; tests.hardened = callTest tests/hardened.nix { }; tests.hibernate = callTest tests/hibernate.nix {}; + tests.hitch = callTest tests/hitch {}; tests.home-assistant = callTest tests/home-assistant.nix { }; tests.hound = callTest tests/hound.nix {}; tests.hocker-fetchdocker = callTest tests/hocker-fetchdocker {}; diff --git a/nixos/tests/hitch/default.nix b/nixos/tests/hitch/default.nix new file mode 100644 index 000000000000..b024306cde56 --- /dev/null +++ b/nixos/tests/hitch/default.nix @@ -0,0 +1,33 @@ +import ../make-test.nix ({ pkgs, ... }: +{ + name = "hitch"; + meta = with pkgs.stdenv.lib.maintainers; { + maintainers = [ jflanglois ]; + }; + machine = { config, pkgs, ... }: { + environment.systemPackages = [ pkgs.curl ]; + services.hitch = { + enable = true; + backend = "[127.0.0.1]:80"; + pem-files = [ + ./example.pem + ]; + }; + + services.httpd = { + enable = true; + documentRoot = ./example; + adminAddr = "noone@testing.nowhere"; + }; + }; + + testScript = + '' + startAll; + + $machine->waitForUnit('multi-user.target'); + $machine->waitForUnit('hitch.service'); + $machine->waitForOpenPort(443); + $machine->succeed('curl -k https://localhost:443/index.txt | grep "We are all good!"'); + ''; +}) diff --git a/nixos/tests/hitch/example.pem b/nixos/tests/hitch/example.pem new file mode 100644 index 000000000000..fde6f3cbd19a --- /dev/null +++ b/nixos/tests/hitch/example.pem @@ -0,0 +1,53 @@ +-----BEGIN CERTIFICATE----- +MIIEKTCCAxGgAwIBAgIJAIFAWQXSZ7lIMA0GCSqGSIb3DQEBCwUAMIGqMQswCQYD +VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEVMBMGA1UEBwwMUmVkd29vZCBD +aXR5MRkwFwYDVQQKDBBUZXN0aW5nIDEyMyBJbmMuMRQwEgYDVQQLDAtJVCBTZXJ2 +aWNlczEYMBYGA1UEAwwPdGVzdGluZy5ub3doZXJlMSQwIgYJKoZIhvcNAQkBFhVu +b29uZUB0ZXN0aW5nLm5vd2hlcmUwHhcNMTgwNDIzMDcxMTI5WhcNMTkwNDIzMDcx +MTI5WjCBqjELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFTATBgNV +BAcMDFJlZHdvb2QgQ2l0eTEZMBcGA1UECgwQVGVzdGluZyAxMjMgSW5jLjEUMBIG +A1UECwwLSVQgU2VydmljZXMxGDAWBgNVBAMMD3Rlc3Rpbmcubm93aGVyZTEkMCIG +CSqGSIb3DQEJARYVbm9vbmVAdGVzdGluZy5ub3doZXJlMIIBIjANBgkqhkiG9w0B +AQEFAAOCAQ8AMIIBCgKCAQEAxQq6AA9o/QErMbQwfgDF4mqXcvglRTwPr2zPE6Rv +1g0ncRBSMM8iKbPapHM6qHNfg2e1fU2SFqzD6HkyZqHHLCgLzkdzswEcEjsMqiUP +OR++5g4CWoQrdTi31itzYzCjnQ45BrAMrLEhBQgDTNwrEE+Tit0gpOGggtj/ktLk +OD8BKa640lkmWEUGF18fd3rYTUC4hwM5qhAVXTe21vj9ZWsgprpQKdN61v0dCUap +C5eAgvZ8Re+Cd0Id674hK4cJ4SekqfHKv/jLyIg3Vsdc9nkhmiC4O6KH5f1Zzq2i +E4Kd5mnJDFxfSzIErKWmbhriLWsj3KEJ983AGLJ9hxQTAwIDAQABo1AwTjAdBgNV +HQ4EFgQU76Mm6DP/BePJRQUNrJ9z038zjocwHwYDVR0jBBgwFoAU76Mm6DP/BePJ +RQUNrJ9z038zjocwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAAZzt +VdPaUqrvDAh5rMYqzYMJ3tj6daNYoX6CbTFoevK5J5D4FESM0D/FMKgpNiVz39kB +8Cjaw5rPHMHY61rHz7JRDK1sWXsonwzCF21BK7Tx0G1CIfLpYHWYb/FfdWGROx+O +hPgKuoMRWQB+txozkZp5BqWJmk5MOyFCDEXhMOmrfsJq0IYU6QaH3Lsf1oJRy4yU +afFrT9o3DLOyYLG/j/HXijCu8DVjZVa4aboum79ecYzPjjGF1posrFUnvQiuAeYy +t7cuHNUB8gW9lWR5J7tP8fzFWtIcyT2oRL8u3H+fXf0i4bW73wtOBOoeULBzBNE7 +6rphcSrQunSZQIc+hg== +-----END CERTIFICATE----- +-----BEGIN PRIVATE KEY----- +MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDFCroAD2j9ASsx +tDB+AMXiapdy+CVFPA+vbM8TpG/WDSdxEFIwzyIps9qkczqoc1+DZ7V9TZIWrMPo +eTJmoccsKAvOR3OzARwSOwyqJQ85H77mDgJahCt1OLfWK3NjMKOdDjkGsAyssSEF +CANM3CsQT5OK3SCk4aCC2P+S0uQ4PwEprrjSWSZYRQYXXx93ethNQLiHAzmqEBVd +N7bW+P1layCmulAp03rW/R0JRqkLl4CC9nxF74J3Qh3rviErhwnhJ6Sp8cq/+MvI +iDdWx1z2eSGaILg7oofl/VnOraITgp3mackMXF9LMgSspaZuGuItayPcoQn3zcAY +sn2HFBMDAgMBAAECggEAcaR8HijFHpab+PC5vxJnDuz3KEHiDQpU6ZJR5DxEnCm+ +A8GsBaaRR4gJpCspO5o/DiS0Ue55QUanPt8XqIXJv7fhBznCiw0qyYDxDviMzR94 +FGskBFySS+tIa+dnh1+4HY7kaO0Egl0udB5o+N1KoP+kUsSyXSYcUxsgW+fx5FW9 +22Ya3HNWnWxMCSfSGGlTFXGj2whf25SkL25dM9iblO4ZOx4MX8kaXij7TaYy8hMM +Vf6/OMnXqtPKho+ctZZVKZkE9PxdS4f/pnp5EsdoOZwNBtfQ1WqVLWd3DlGWhnsH +7L8ZSP2HkoI4Pd1wtkpOKZc+yM2bFXWa8WY4TcmpUQKBgQD33HxGdtmtZehrexSA +/ZwWJlMslUsNz4Ivv6s7J4WCRhdh94+r9TWQP/yHdT9Ry5bvn84I5ZLUdp+aA962 +mvjz+GIglkCGpA7HU/hqurB1O63pj2cIDB8qhV21zjVIoqXcQ7IBJ+tqD79nF8vm +h3KfuHUhuu1rayGepbtIyNhLdwKBgQDLgw4TJBg/QB8RzYECk78QnfZpCExsQA/z +YJpc+dF2/nsid5R2u9jWzfmgHM2Jjo2/+ofRUaTqcFYU0K57CqmQkOLIzsbNQoYt +e2NOANNVHiZLuzTZC2r3BrrkNbo3YvQzhAesUA5lS6LfrxBLUKiwo2LU9NlmJs3b +UPVFYI0/1QKBgCswxIcS1sOcam+wNtZzWuuRKhUuvrFdY3YmlBPuwxj8Vb7AgMya +IgdM3xhLmgkKzPZchm6OcpOLSCxyWDDBuHfq5E6BYCUWGW0qeLNAbNdA2wFD99Qz +KIskSjwP/sD1dql3MmF5L1CABf5U6zb0i0jBv8ds50o8lNMsVgJM3UPpAoGBAL1+ +nzllb4pdi1CJWKnspoizfQCZsIdPM0r71V/jYY36MO+MBtpz2NlSWzAiAaQm74gl +oBdgfT2qMg0Zro11BSRONEykdOolGkj5TiMQk7b65s+3VeMPRZ8UTis2d9kgs5/Q +PVDODkl1nwfGu1ZVmW04BUujXVZHpYCkJm1eFMetAoGAImE7gWj+qRMhpbtCCGCg +z06gDKvMrF6S+GJsvUoSyM8oUtfdPodI6gWAC65NfYkIiqbpCaEVNzfui73f5Lnz +p5X1IbzhuH5UZs/k5A3OR2PPDbPs3lqEw7YJdBdLVRmO1o824uaXaJJwkL/1C+lq +8dh1wV3CnynNmZApkz4vpzQ= +-----END PRIVATE KEY----- diff --git a/nixos/tests/hitch/example/index.txt b/nixos/tests/hitch/example/index.txt new file mode 100644 index 000000000000..0478b1c26351 --- /dev/null +++ b/nixos/tests/hitch/example/index.txt @@ -0,0 +1 @@ +We are all good! diff --git a/pkgs/servers/hitch/default.nix b/pkgs/servers/hitch/default.nix new file mode 100644 index 000000000000..366934829b86 --- /dev/null +++ b/pkgs/servers/hitch/default.nix @@ -0,0 +1,23 @@ +{ stdenv, fetchurl, docutils, libev, openssl, pkgconfig }: +stdenv.mkDerivation rec { + version = "1.4.8"; + name = "hitch-${version}"; + + src = fetchurl { + url = "https://hitch-tls.org/source/${name}.tar.gz"; + sha256 = "1hqs5p69gr1lb3xldbrgq7d6d0vk4za0wpizlzybn98cv68acaym"; + }; + + nativeBuildInputs = [ pkgconfig ]; + buildInputs = [ docutils libev openssl ]; + + outputs = [ "out" "doc" "man" ]; + + meta = with stdenv.lib; { + description = "Hitch is a libev-based high performance SSL/TLS proxy by Varnish Software"; + homepage = https://hitch-tls.org/; + license = licenses.bsd2; + maintainers = [ maintainers.jflanglois ]; + platforms = platforms.linux; + }; +} diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index b20cf36a05fb..4f9644f9bd56 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -5611,6 +5611,8 @@ with pkgs; varnishPackages = varnish5Packages; varnish = varnishPackages.varnish; + hitch = callPackage ../servers/hitch { }; + venus = callPackage ../tools/misc/venus { python = python27; };