# This file defines the options that can be used both for the Nginx
# main server configuration, and for the virtual hosts. (The latter
# has additional options that affect the web server as a whole, like
# the user/group to run under.)
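{ config, lib, ... }:

with lib;

{
  # Per-virtual-host options for services.nginx.virtualHosts.<name>.
  # Only option declarations live here; the nginx module consumes them
  # elsewhere when rendering server blocks.
  options = {
    serverName = mkOption {
      type = types.nullOr types.str;
      default = null;
      description = lib.mdDoc ''
        Name of this virtual host. Defaults to attribute name in virtualHosts.
      '';
      example = "example.org";
    };

    serverAliases = mkOption {
      type = types.listOf types.str;
      default = [];
      example = [ "www.example.org" "example.org" ];
      description = lib.mdDoc ''
        Additional names of virtual hosts served by this virtual host configuration.
      '';
    };

    listen = mkOption {
      type = with types; listOf (submodule { options = {
        addr = mkOption { type = str; description = lib.mdDoc "IP address."; };
        port = mkOption { type = port; description = lib.mdDoc "Port number."; default = 80; };
        # Defaults to plain HTTP; each TLS listener must opt in explicitly.
        ssl = mkOption { type = bool; description = lib.mdDoc "Enable SSL."; default = false; };
        extraParameters = mkOption { type = listOf str; description = lib.mdDoc "Extra parameters of this listen directive."; default = []; example = [ "backlog=1024" "deferred" ]; };
      }; });
      default = [];
      example = [
        { addr = "195.154.1.1"; port = 443; ssl = true; }
        { addr = "192.154.1.1"; port = 80; }
      ];
      description = lib.mdDoc ''
        Listen addresses and ports for this virtual host.
        IPv6 addresses must be enclosed in square brackets.
        Note: this option overrides `addSSL`
        and `onlySSL`.

        Because `ssl` defaults to `false` for every entry, a port listed
        here without `ssl = true;` is served as plain HTTP even if it is 443.

        If you only want to set the addresses manually and not
        the ports, take a look at `listenAddresses`.
      '';
    };

    listenAddresses = mkOption {
      type = with types; listOf str;
      description = lib.mdDoc ''
        Listen addresses for this virtual host.
        Compared to `listen` this only sets the addresses
        and the ports are chosen automatically.

        Note: This option overrides `enableIPv6`
      '';
      default = [];
      example = [ "127.0.0.1" "[::1]" ];
    };

    enableACME = mkOption {
      type = types.bool;
      default = false;
      description = lib.mdDoc ''
        Whether to ask Let's Encrypt to sign a certificate for this vhost.
        Alternately, you can use an existing certificate through {option}`useACMEHost`.
      '';
    };

    useACMEHost = mkOption {
      type = types.nullOr types.str;
      default = null;
      description = lib.mdDoc ''
        A host of an existing Let's Encrypt certificate to use.
        This is useful if you have many subdomains and want to avoid hitting the
        [rate limit](https://letsencrypt.org/docs/rate-limits).
        Alternately, you can generate a certificate through {option}`enableACME`.
        *Note that this option does not create any certificates, nor does it add subdomains to existing ones – you will need to create them manually using [](#opt-security.acme.certs).*
      '';
    };

    acmeRoot = mkOption {
      type = types.nullOr types.str;
      default = "/var/lib/acme/acme-challenge";
      description = lib.mdDoc ''
        Directory for the ACME challenge, which is **public** (served without
        authentication). Don't put certificates or private keys in here.
        Set to null to inherit from config.security.acme.
      '';
    };

    acmeFallbackHost = mkOption {
      type = types.nullOr types.str;
      default = null;
      description = lib.mdDoc ''
        Host which to proxy requests to if ACME challenge is not found. Useful
        if you want multiple hosts to be able to verify the same domain name.

        With this option, you could request certificates for the present domain
        with an ACME client that is running on another host, which you would
        specify here.

        Only point this at a host you control: whatever answers the proxied
        challenge requests is able to obtain certificates for this domain.
      '';
    };

    addSSL = mkOption {
      type = types.bool;
      default = false;
      description = lib.mdDoc ''
        Whether to enable HTTPS in addition to plain HTTP. This will set defaults for
        `listen` to listen on all interfaces on the respective default
        ports (80, 443).
      '';
    };

    onlySSL = mkOption {
      type = types.bool;
      default = false;
      description = lib.mdDoc ''
        Whether to enable HTTPS and reject plain HTTP connections. This will set
        defaults for `listen` to listen on all interfaces on port 443.
      '';
    };

    # Hidden from the generated documentation (visible = false); upstream
    # provides no description for it.
    enableSSL = mkOption {
      type = types.bool;
      visible = false;
      default = false;
    };

    forceSSL = mkOption {
      type = types.bool;
      default = false;
      description = lib.mdDoc ''
        Whether to add a separate nginx server block that permanently redirects (301)
        all plain HTTP traffic to HTTPS. This will set defaults for
        `listen` to listen on all interfaces on the respective default
        ports (80, 443), where the non-SSL listens are used for the redirect vhosts.
      '';
    };

    rejectSSL = mkOption {
      type = types.bool;
      default = false;
      description = lib.mdDoc ''
        Whether to listen for and reject all HTTPS connections to this vhost. Useful in
        [default](#opt-services.nginx.virtualHosts._name_.default)
        server blocks to avoid serving the certificate for another vhost. Uses the
        `ssl_reject_handshake` directive available in nginx versions
        1.19.4 and above.
      '';
    };

    kTLS = mkOption {
      type = types.bool;
      default = false;
      description = lib.mdDoc ''
        Whether to enable kTLS support.
        Implementing TLS in the kernel (kTLS) improves performance by significantly
        reducing the need for copying operations between user space and the kernel.
        Requires Nginx version 1.21.4 or later.
      '';
    };

    sslCertificate = mkOption {
      type = types.path;
      example = "/var/host.cert";
      description = lib.mdDoc "Path to server SSL certificate.";
    };

    sslCertificateKey = mkOption {
      type = types.path;
      example = "/var/host.key";
      description = lib.mdDoc ''
        Path to server SSL certificate key.

        Give this as a string path to a file outside the Nix store, as in the
        example. A Nix path literal would copy the private key into the
        world-readable store.
      '';
    };

    sslTrustedCertificate = mkOption {
      type = types.nullOr types.path;
      default = null;
      example = literalExpression ''"''${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"'';
      description = lib.mdDoc "Path to root SSL certificate for stapling and client certificates.";
    };

    http2 = mkOption {
      type = types.bool;
      default = true;
      description = lib.mdDoc ''
        Whether to enable the HTTP/2 protocol.
        Note that (as of writing) due to nginx's implementation, to disable
        HTTP/2 you have to disable it on all vhosts that use a given
        IP address / port.
        If there is one server block configured to enable http2, then it is
        enabled for all server blocks on this IP.
        See https://stackoverflow.com/a/39466948/263061.
      '';
    };

    http3 = mkOption {
      type = types.bool;
      default = true;
      description = lib.mdDoc ''
        Whether to enable the HTTP/3 protocol.
        This requires using `pkgs.nginxQuic` package
        which can be achieved by setting `services.nginx.package = pkgs.nginxQuic;`
        and activate the QUIC transport protocol
        `services.nginx.virtualHosts.<name>.quic = true;`.
        Note that HTTP/3 support is experimental and
        *not* yet recommended for production.
        Read more at https://quic.nginx.org/
      '';
    };

    http3_hq = mkOption {
      type = types.bool;
      default = false;
      description = lib.mdDoc ''
        Whether to enable the HTTP/0.9 protocol negotiation used in QUIC interoperability tests.
        This requires using `pkgs.nginxQuic` package
        which can be achieved by setting `services.nginx.package = pkgs.nginxQuic;`
        and activate the QUIC transport protocol
        `services.nginx.virtualHosts.<name>.quic = true;`.
        Note that special application protocol support is experimental and
        *not* yet recommended for production.
        Read more at https://quic.nginx.org/
      '';
    };

    quic = mkOption {
      type = types.bool;
      default = false;
      description = lib.mdDoc ''
        Whether to enable the QUIC transport protocol.
        This requires using `pkgs.nginxQuic` package
        which can be achieved by setting `services.nginx.package = pkgs.nginxQuic;`.
        Note that QUIC support is experimental and
        *not* yet recommended for production.
        Read more at https://quic.nginx.org/
      '';
    };

    reuseport = mkOption {
      type = types.bool;
      default = false;
      description = lib.mdDoc ''
        Create an individual listening socket.
        It must be specified on only one of the vhosts sharing a given
        address and port.
      '';
    };

    root = mkOption {
      type = types.nullOr types.path;
      default = null;
      example = "/data/webserver/docs";
      description = lib.mdDoc ''
        The path of the web root directory.
      '';
    };

    default = mkOption {
      type = types.bool;
      default = false;
      description = lib.mdDoc ''
        Makes this vhost the default, i.e. the server block that answers
        requests whose `Host` matches no other vhost on the same listen
        address. Consider combining it with `rejectSSL` so that such
        requests are not answered with another vhost's certificate.
      '';
    };

    extraConfig = mkOption {
      type = types.lines;
      default = "";
      description = lib.mdDoc ''
        These lines go to the end of the vhost verbatim.
        They are not validated or escaped; never interpolate untrusted
        input into them.
      '';
    };

    globalRedirect = mkOption {
      type = types.nullOr types.str;
      default = null;
      example = "newserver.example.org";
      description = lib.mdDoc ''
        If set, all requests for this host are redirected permanently to
        the given hostname.
      '';
    };

    basicAuth = mkOption {
      type = types.attrsOf types.str;
      default = {};
      example = literalExpression ''
        {
          user = "password";
        };
      '';
      description = lib.mdDoc ''
        Basic Auth protection for a vhost.

        WARNING: This is implemented to store the password in plain text in the
        Nix store, which is readable by every local user. Prefer
        {option}`basicAuthFile` for anything beyond throwaway credentials.
      '';
    };

    basicAuthFile = mkOption {
      type = types.nullOr types.path;
      default = null;
      description = lib.mdDoc ''
        Basic Auth password file for a vhost.
        Can be created via: {command}`htpasswd -c <filename> <username>`.

        WARNING: The generated file contains the users' passwords in a
        non-cryptographically-securely hashed way. Keep it outside the Nix
        store with permissions that only allow the nginx user to read it.
      '';
    };

    locations = mkOption {
      type = types.attrsOf (types.submodule (import ./location-options.nix {
        inherit lib config;
      }));
      default = {};
      example = literalExpression ''
        {
          "/" = {
            proxyPass = "http://localhost:3000";
          };
        };
      '';
      description = lib.mdDoc "Declarative location config";
    };
  };
}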