Commit Graph

651 Commits

Author SHA1 Message Date
Sandro
fccda5aae6
Merge pull request #108819 from SuperSandro2000/nginx-module 2021-01-30 21:46:35 +01:00
WORLDofPEACE
3eae73d862
Merge pull request #97618 from lf-/fix-bad-caddy-configs
nixos/caddy: fix overwriting of tls settings in config
2021-01-29 10:08:46 -05:00
rnhmjoj
f62d2652e2
nixos/uwsgi: set up the default runtime directory
Fix issue #110691
2021-01-25 14:05:39 +01:00
volth
bc0d605cf1 treewide: fix double quoted strings in meta.description
Signed-off-by: Ben Siraphob <bensiraphob@gmail.com>
2021-01-24 19:56:59 +07:00
Fritz Otlinghaus
0a38f6da4f
nixos/tomcat: add extraGroups type (#110486) 2021-01-22 16:22:06 +01:00
Fritz Otlinghaus
c1efc32740
nixos/module/jboss: Add types to options (#110451) 2021-01-22 11:11:40 +01:00
Sandro Jäckel
7856011a30
nixos/apache-httpd: Suggest directory used security.acme.certs.<name>.webroot 2021-01-09 02:24:24 +01:00
rnhmjoj
c00240e41e
nixos/uwsgi: add support for POSIX capabilities 2021-01-07 23:17:07 +01:00
Kevin Cox
8455fa3bca
Merge pull request #105347 from Mic92/nginx
nixos/nginx: add streamConfig option
2021-01-07 08:46:29 -05:00
Alyssa Ross
178ec8974f nixos/nginx: allow overriding fastcgi params
By default in Nginx, if you want to override a single fastcgi_param,
you have to override all of them.  This is less of a big deal if
you're editing the Nginx configuration directly, but when you're
generating the Nginx configuration with Nix it can be very annoying to
bloat your configuration repeating the default values of FastCGI
parameters every time.

This patch adds a fastcgiParams option to Nginx locations.  If any
parameters are set through this, all the default values will be
included as well, so only the ones that are changing need to be
supplied.  There's no way to use fastcgiParams to actually override
all parameters if that's what you want, but I think that's a niche use
case and it's still possible using extraConfig, which up until now was
the only option

Nginx allows the fastcgi_param directive in http and server scopes as
well as location, but here I only support location.  It would be
possible to support the others, but I don't think it's worth it.  It
would be a possible future enhancement if somebody has a need for it.
2021-01-05 03:36:18 +00:00
Daniel Nagy
f2ca4c8f1d
nixos/httpd: set lua paths
We conditionally set the lua paths for the Apache mod_lua module. This
allows executing Lua script handlers to require modules, that have been
packaged with the supplied Lua derivation of Apache.

For more information, see:

  https://httpd.apache.org/docs/2.4/mod/mod_lua.html#luapackagecpath
  https://httpd.apache.org/docs/2.4/mod/mod_lua.html#luapackagepath
2020-12-25 22:54:05 +01:00
Maximilian Bosch
55ef9612a2
nixos/nginx: improve documentation for config
Unfortunately, I had a use-case where `services.nginx.config` was
necessary quite recently. While working on that config I had to look up
the module's code to understand which options can be used and which
don't.

To slightly improve the situation, I changed the documentation like
this:

* Added `types.str` as type since `config` is not mergeable on purpose.
  It must be a string as it's rendered verbatim into `nginx.conf` and if
  the type is `unspecified`, it can be confused with RFC42-like options.

* Mention which config options that don't generate config in
  `nginx.conf` are NOT mutually exclusive.
2020-12-06 17:26:13 +01:00
Jörg Thalheim
6f330ccedf
nixos/nginx: add streamConfig option 2020-11-29 10:55:01 +01:00
Graham Christensen
bc49a0815a
utillinux: rename to util-linux 2020-11-24 12:42:06 -05:00
Graham Christensen
3361a037b9
nginx: add a warning that nginx's basic auth isn't very good. 2020-11-02 08:16:01 -05:00
Graham Christensen
c7bf3828f0
nginx: add basic auth support for locations 2020-11-02 08:16:00 -05:00
Graham Christensen
33cf4f0e8e
nginx: factor out the generation of basic auth generation 2020-11-02 08:16:00 -05:00
lf-
00d257c7c3 nixos/caddy: fix caddy configs with complicated jq 2020-10-31 01:53:50 -07:00
lf-
b37bbca521 nixos/modules: fix systemd start rate-limits
These were broken since 2016:
f0367da7d1
since StartLimitIntervalSec got moved into [Unit] from [Service].
StartLimitBurst has also been moved accordingly, so let's fix that one
too.

NixOS systems have been producing logs such as:
/nix/store/wf98r55aszi1bkmln1lvdbp7znsfr70i-unit-caddy.service/caddy.service:31:
Unknown key name 'StartLimitIntervalSec' in section 'Service', ignoring.

I have also removed some unnecessary duplication in units disabling
rate limiting since setting either interval or burst to zero disables it
(ad16158c10/src/basic/ratelimit.c (L16))
2020-10-31 01:35:56 -07:00
WORLDofPEACE
214af51225
Merge pull request #101067 from deviant/remove-caddy-agree
nixos/caddy: remove services.caddy.agree
2020-10-30 16:02:44 -04:00
Aneesh Agrawal
924035bb97 nixos/nginx: Allow unsetting ssl_ciphers
When using the Modern config from the Mozilla SSL config generator,
the `ssl_ciphers` parameter does not need to be set
as only TLSv1.3 is permitted and all of its ciphers are reasonable.
2020-10-26 00:35:29 -04:00
V
580f0faa75 nixos/caddy: remove services.caddy.agree
This option is no longer referenced anywhere as of #99371.
2020-10-19 14:29:48 +02:00
Dustin Frisch
762ca640c4
nixos/nginx: Do not remove headers while proxying
Removing the `Accept-Encoding` header breaks applications which may
produce already compressed content.

Removing this header is staded in the nginx docs but is ment as an
example, not as an recomendation.
2020-10-16 12:50:52 +02:00
Aaron Andersen
dedd67610a
Merge pull request #99251 from xfix/remove-unnecessary-sendmail-configuration
nixos/httpd: remove unnecessary sendmail configuration
2020-10-05 08:59:42 -04:00
zowoq
8f74e9e905 nixos/caddy: remove caddy1 2020-10-02 23:50:59 +10:00
Konrad Borowski
6fc06a1d3d nixos/phpfpm: remove unnecessary sendmail configuration 2020-10-02 09:11:14 +02:00
Konrad Borowski
05eb3496e6 nixos/httpd: remove unnecessary sendmail configuration
PHP now uses system-sendmail without special configuration.
2020-10-01 12:05:08 +02:00
Emery Hemingway
9fa50bea78 nixos/molly-brown: refactor module to use a TOML generator 2020-09-28 14:38:31 +02:00
Izorkin
535896671b
nixos/nginx: remove option enableSandbox 2020-09-10 08:19:20 +03:00
Oleksii Filonenko
45d7f59da8
Merge pull request #97217 from sephii/nixos-caddy-v2-migration 2020-09-08 11:17:55 +03:00
Sylvain Fankhauser
b8bfe941fa
caddy: address remaining MR comments for v2 2020-09-08 09:29:04 +02:00
Oleksii Filonenko
6322325a53
caddy: 1.0.5 -> 2.0.0
Rename legacy v1 to `caddy1`
2020-09-07 09:39:16 +02:00
Florian Klink
d7046947e5
Merge pull request #91121 from m1cr0man/master
Restructure acme module
2020-09-06 18:26:22 +02:00
Oleksii Filonenko
d71cadacd9
nixos/caddy: use v2 by default 2020-09-05 14:09:17 +02:00
Oleksii Filonenko
8cc592abfa
nixos/caddy: add support for v2 2020-09-05 14:09:16 +02:00
Lucas Savva
61dbf4bf89
nixos/acme: Add proper nginx/httpd config reload checks
Testing of certs failed randomly when the web server was still
returning old certs even after the reload was "complete". This was
because the reload commands send process signals and do not wait
for the worker processes to restart. This commit adds log watchers
which wait for the worker processes to be restarted.
2020-09-02 19:25:30 +01:00
Lucas Savva
982c5a1f0e
nixos/acme: Restructure module
- Use an acme user and group, allow group override only
- Use hashes to determine when certs actually need to regenerate
- Avoid running lego more than necessary
- Harden permissions
- Support "systemctl clean" for cert regeneration
- Support reuse of keys between some configuration changes
- Permissions fix services solves for previously root owned certs
- Add a note about multiple account creation and emails
- Migrate extraDomains to a list
- Deprecate user option
- Use minica for self-signed certs
- Rewrite all tests

I thought of a few more cases where things may go wrong,
and added tests to cover them. In particular, the web server
reload services were depending on the target - which stays alive,
meaning that the renewal timer wouldn't be triggering a reload
and old certs would stay on the web servers.

I encountered some problems ensuring that the reload took place
without accidently triggering it as part of the test. The sync
commands I added ended up being essential and I'm not sure why,
it seems like either node.succeed ends too early or there's an
oddity of the vm's filesystem I'm not aware of.

- Fix duplicate systemd rules on reload services

Since useACMEHost is not unique to every vhost, if one cert
was reused many times it would create duplicate entries in
${server}-config-reload.service for wants, before and
ConditionPathExists
2020-09-02 19:22:43 +01:00
Peter Hoeg
07408cac94 nixos/phpfpm: always restart service on failure 2020-08-31 21:19:54 +08:00
Aaron Andersen
4df837063f
Merge pull request #95809 from aanderse/logrotate
nixos/logrotate: switch `paths` option type from listOf to attrsOf
2020-08-21 17:31:52 -04:00
Aaron Andersen
06d17caf92 nixos/httpd: configure log rotation 2020-08-21 17:04:07 -04:00
Jörg Thalheim
6f4141507b
meguca: remove (#95920) 2020-08-21 13:00:40 -07:00
Aaron Andersen
fd250d57bb
Merge pull request #79123 from aanderse/apachectl
nixos/httpd: remove impurity from /etc
2020-08-19 20:56:51 -04:00
Izorkin
26898b8518 nixos/unit: update sandboxing options 2020-08-15 11:21:09 +03:00
Florian Klink
300049ca51 nixos/nginx: move configuration testing script into reload command
nginx -t not only verifies configuration, but also creates (and chowns)
files. When the `nginx-config-reload` service is used, this can cause
directories to be chowned to `root`, causing nginx to fail.

This moves the nginx -t command into a second ExecReload command, which
runs as nginx's user. While fixing above issue, this will also cause the
configuration to be verified when running `systemctl reload nginx`, not
only when restarting the dummy `nginx-config-reload` unit. The latter is
mostly a workaround for missing features in our activation script
anyways.
2020-08-12 18:13:29 +02:00
zowoq
8fb410c0ad nixos/*: editorconfig fixes 2020-08-08 10:54:16 +10:00
Jörg Thalheim
ba930d8679
nixos/modules: remove trailing whitespace
This leads to ci failure otherwise if the file gets changed.
git-blame can ignore whitespace changes.
2020-08-07 14:45:39 +01:00
Emery Hemingway
76d60b0fcd nixos/molly-brown: init 2020-07-24 11:04:33 +02:00
Izorkin
8129816f98 nixos/unit: add 'tmp' directory 2020-07-17 19:46:56 +03:00
Arian van Putten
cfd672a94d nixos/acme: Also fix ordering for apache 2020-06-15 11:05:00 +02:00
Arian van Putten
681cc105ce nixos/acme: Make sure nginx is running before certs are requested
This fixes https://github.com/NixOS/nixpkgs/issues/81842

We should probably also fix this for Apache, which recently also learned
to use ACME.
2020-06-15 11:04:59 +02:00