diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index a9d20adc63fd..585cef9b42ec 100644 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix @@ -886,6 +886,7 @@ ./services/web-servers/meguca.nix ./services/web-servers/mighttpd2.nix ./services/web-servers/minio.nix + ./services/web-servers/molly-brown.nix ./services/web-servers/nginx/default.nix ./services/web-servers/nginx/gitweb.nix ./services/web-servers/phpfpm/default.nix diff --git a/nixos/modules/services/web-servers/molly-brown.nix b/nixos/modules/services/web-servers/molly-brown.nix new file mode 100644 index 000000000000..e9052a184b2d --- /dev/null +++ b/nixos/modules/services/web-servers/molly-brown.nix @@ -0,0 +1,117 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.molly-brown; + + settingsType = with types; + attrsOf (oneOf [ + int + str + (listOf str) + (attrsOf (oneOf [ int str (listOf str) (attrsOf str) ])) + ]) // { + description = "primitive expression convertable to TOML"; + }; + + configFile = pkgs.runCommand "molly-brown.toml" { + buildInputs = [ pkgs.remarshal ]; + preferLocalBuild = true; + passAsFile = [ "settings" ]; + settings = builtins.toJSON cfg.settings; + } "remarshal -if json -of toml < $settingsPath > $out"; +in { + + options.services.molly-brown = { + + enable = mkEnableOption "Molly-Brown Gemini server"; + + port = mkOption { + default = 1965; + type = types.port; + description = '' + TCP port for molly-brown to bind to. + ''; + }; + + hostName = mkOption { + type = types.str; + example = literalExample "config.networking.hostName"; + default = config.networking.hostName; + description = '' + The hostname to respond to requests for. Requests for URLs with + other hosts will result in a status 53 (PROXY REQUEST REFUSED) + response. + ''; + }; + + certPath = mkOption { + type = types.path; + example = "/var/lib/acme/example.com/cert.pem"; + description = '' + Path to TLS certificate. An ACME certificate and key may be + shared with an HTTP server, but only if molly-brown has + permissions allowing it to read such keys. + + As an example: + + security.acme.certs."example.com".allowKeysForGroup = true; + systemd.services.molly-brown.serviceConfig.SupplementaryGroups = + [ config.security.acme.certs."example.com".group ]; + + ''; + }; + + keyPath = mkOption { + type = types.path; + example = "/var/lib/acme/example.com/key.pem"; + description = "Path to TLS key. See ."; + }; + + docBase = mkOption { + type = types.path; + example = "/var/lib/molly-brown"; + description = "Base directory for Gemini content."; + }; + + settings = mkOption { + type = settingsType; + default = { }; + description = '' + molly-brown configuration. Refer to + + for details on supported values. + ''; + }; + + }; + + config = mkIf cfg.enable { + + services.molly-brown.settings = let logDir = "/var/log/molly-brown"; + in { + Port = cfg.port; + Hostname = cfg.hostName; + CertPath = cfg.certPath; + KeyPath = cfg.keyPath; + DocBase = cfg.docBase; + AccessLog = "${logDir}/access.log"; + ErrorLog = "${logDir}/error.log"; + }; + + systemd.services.molly-brown = { + description = "Molly Brown gemini server"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + DynamicUser = true; + LogsDirectory = "molly-brown"; + ExecStart = "${pkgs.molly-brown}/bin/molly-brown -c ${configFile}"; + Restart = "always"; + }; + }; + + }; + +} diff --git a/nixos/tests/molly-brown.nix b/nixos/tests/molly-brown.nix new file mode 100644 index 000000000000..09ce42726ca9 --- /dev/null +++ b/nixos/tests/molly-brown.nix @@ -0,0 +1,71 @@ +import ./make-test-python.nix ({ pkgs, ... }: + + let testString = "NixOS Gemini test successful"; + in { + + name = "molly-brown"; + meta = with pkgs.stdenv.lib.maintainers; { maintainers = [ ehmry ]; }; + + nodes = { + + geminiServer = { config, pkgs, ... }: + let + inherit (config.networking) hostName; + cfg = config.services.molly-brown; + in { + + environment.systemPackages = [ + (pkgs.writeScriptBin "test-gemini" '' + #!${pkgs.python3}/bin/python + + import socket + import ssl + import tempfile + import textwrap + import urllib.parse + + url = "gemini://geminiServer/init.gmi" + parsed_url = urllib.parse.urlparse(url) + + s = socket.create_connection((parsed_url.netloc, 1965)) + context = ssl.SSLContext() + context.check_hostname = False + context.verify_mode = ssl.CERT_NONE + s = context.wrap_socket(s, server_hostname=parsed_url.netloc) + s.sendall((url + "\r\n").encode("UTF-8")) + fp = s.makefile("rb") + print(fp.readline().strip()) + print(fp.readline().strip()) + print(fp.readline().strip()) + '') + ]; + + networking.firewall.allowedTCPPorts = [ cfg.settings.Port ]; + + services.molly-brown = { + enable = true; + docBase = "/tmp/docs"; + certPath = "/tmp/cert.pem"; + keyPath = "/tmp/key.pem"; + }; + + systemd.services.molly-brown.preStart = '' + ${pkgs.openssl}/bin/openssl genrsa -out "/tmp/key.pem" + ${pkgs.openssl}/bin/openssl req -new \ + -subj "/CN=${config.networking.hostName}" \ + -key "/tmp/key.pem" -out /tmp/request.pem + ${pkgs.openssl}/bin/openssl x509 -req -days 3650 \ + -in /tmp/request.pem -signkey "/tmp/key.pem" -out "/tmp/cert.pem" + + mkdir -p "${cfg.settings.DocBase}" + echo "${testString}" > "${cfg.settings.DocBase}/test.gmi" + ''; + }; + }; + testScript = '' + geminiServer.wait_for_unit("molly-brown") + geminiServer.wait_for_open_port(1965) + geminiServer.succeed("test-gemini") + ''; + + }) diff --git a/pkgs/servers/gemini/molly-brown/default.nix b/pkgs/servers/gemini/molly-brown/default.nix index eb5b85784dcd..216a4015ef95 100644 --- a/pkgs/servers/gemini/molly-brown/default.nix +++ b/pkgs/servers/gemini/molly-brown/default.nix @@ -1,4 +1,4 @@ -{ lib, buildGoPackage, fetchgit }: +{ lib, buildGoPackage, fetchgit, nixosTests }: buildGoPackage rec { pname = "molly-brown"; @@ -15,6 +15,8 @@ buildGoPackage rec { goDeps = ./deps.nix; + passthru.tests.basic = nixosTests.molly-brown; + meta = with lib; { description = "Full-featured Gemini server"; homepage = "https://tildegit.org/solderpunk/molly-brown";