Commit graph

661 commits

Author SHA1 Message Date
Aaron Andersen
9798ed1a3d
Merge pull request #111011 from waldheinz/nginx-mem-write-exec
nixos/nginx: fix MemoryDenyWriteExecute not being disabled when needed
2021-03-03 07:19:35 -05:00
Elis Hirwing
1216baaee1
nixos/httpd: Fix httpd module for php8 2021-03-02 09:22:32 +01:00
Daniel Nagy
7c121e60c5
nixos/httpd: fix lua paths
Account for the fact that, when creating a lua package without the
"withPackages" helper, we dont get an extra "lua" attribute in the
package.

Therefore we need to distinguish between the "withPackages" case and the
direct ( or "empty" ) lua package.

For example with this nixos config:

```nix
{
  services.httpd = {
      enable = true;
      package = pkgs.apacheHttpd.override {
        luaSupport = true;
        lua5 = pkgs.lua5_3.withPackages (ps: with ps; [ luafilesystem ] );
      };
    };
}
```

Here we say that we want to have apache to use a lua, packaged with the
`luafilesystem` module so that we can `require` that in scripts to
render http responses. There, the set that gets assigned to `lua5 ` does
not have a `luaversion` attribute, rather it has a `lua` attribute
wherein lies a `luaversion` attribute. If we dont package additional
modules, then we dont have that `lua` attribute in between and rather
directly have to use `luaversion` directly.
2021-02-11 11:56:06 +01:00
Martin Weinelt
47901b544c
Merge pull request #111302 from fooker/pr/nginx-default-type
nixos/nginx: serve unknown MIME-Types as binary
2021-02-09 01:44:47 +01:00
Luflosi
e31dc1c5f6
nginx module: fix typo in proxyWebsockets description 2021-01-31 18:09:41 +01:00
Sandro
2c748ee8a4
Merge pull request #111439 from helsinki-systems/unit
nixos/unit: add stateDir and logDir types
2021-01-31 15:18:08 +01:00
Fritz Otlinghaus
4e353723d6
nixos/unit: add stateDir and logDir types 2021-01-31 13:41:53 +01:00
Fritz Otlinghaus
a55d0b80ff
nixos/nginx: add logError type 2021-01-31 11:37:38 +01:00
Sandro
fccda5aae6
Merge pull request #108819 from SuperSandro2000/nginx-module 2021-01-30 21:46:35 +01:00
Dustin Frisch
891d1aa885
nixos/nginx: serve unknown MIME-Types as binary
The built-in default for unknown MIME-Types is `text/plain` whereas the
upstream default config changes it to `application/octet-stream`. By
changing the default tpye, unknown files will be downloaded by browsers
instead of being displayed.
2021-01-30 12:52:02 +01:00
WORLDofPEACE
3eae73d862
Merge pull request #97618 from lf-/fix-bad-caddy-configs
nixos/caddy: fix overwriting of tls settings in config
2021-01-29 10:08:46 -05:00
Matthias Treydte
7d2829c0a0 nixos/nginx: fix MemoryDenyWriteExecute not being disabled when needed
The expression should check if the actually used nginx package
needes write+execute rights, not the default pkgs.nginx (which
has no modules unless overridden in an overlay).

Having MemoryDenyWriteExecute always true causes e.g. the Lua
module to fail (because JIT compilation).
2021-01-28 13:13:31 +01:00
rnhmjoj
f62d2652e2
nixos/uwsgi: set up the default runtime directory
Fix issue #110691
2021-01-25 14:05:39 +01:00
volth
bc0d605cf1 treewide: fix double quoted strings in meta.description
Signed-off-by: Ben Siraphob <bensiraphob@gmail.com>
2021-01-24 19:56:59 +07:00
Fritz Otlinghaus
0a38f6da4f
nixos/tomcat: add extraGroups type (#110486) 2021-01-22 16:22:06 +01:00
Fritz Otlinghaus
c1efc32740
nixos/module/jboss: Add types to options (#110451) 2021-01-22 11:11:40 +01:00
Sandro Jäckel
7856011a30
nixos/apache-httpd: Suggest directory used security.acme.certs.<name>.webroot 2021-01-09 02:24:24 +01:00
rnhmjoj
c00240e41e
nixos/uwsgi: add support for POSIX capabilities 2021-01-07 23:17:07 +01:00
Kevin Cox
8455fa3bca
Merge pull request #105347 from Mic92/nginx
nixos/nginx: add streamConfig option
2021-01-07 08:46:29 -05:00
Alyssa Ross
178ec8974f nixos/nginx: allow overriding fastcgi params
By default in Nginx, if you want to override a single fastcgi_param,
you have to override all of them.  This is less of a big deal if
you're editing the Nginx configuration directly, but when you're
generating the Nginx configuration with Nix it can be very annoying to
bloat your configuration repeating the default values of FastCGI
parameters every time.

This patch adds a fastcgiParams option to Nginx locations.  If any
parameters are set through this, all the default values will be
included as well, so only the ones that are changing need to be
supplied.  There's no way to use fastcgiParams to actually override
all parameters if that's what you want, but I think that's a niche use
case and it's still possible using extraConfig, which up until now was
the only option

Nginx allows the fastcgi_param directive in http and server scopes as
well as location, but here I only support location.  It would be
possible to support the others, but I don't think it's worth it.  It
would be a possible future enhancement if somebody has a need for it.
2021-01-05 03:36:18 +00:00
Daniel Nagy
f2ca4c8f1d
nixos/httpd: set lua paths
We conditionally set the lua paths for the Apache mod_lua module. This
allows executing Lua script handlers to require modules, that have been
packaged with the supplied Lua derivation of Apache.

For more information, see:

  https://httpd.apache.org/docs/2.4/mod/mod_lua.html#luapackagecpath
  https://httpd.apache.org/docs/2.4/mod/mod_lua.html#luapackagepath
2020-12-25 22:54:05 +01:00
Maximilian Bosch
55ef9612a2
nixos/nginx: improve documentation for config
Unfortunately, I had a use-case where `services.nginx.config` was
necessary quite recently. While working on that config I had to look up
the module's code to understand which options can be used and which
don't.

To slightly improve the situation, I changed the documentation like
this:

* Added `types.str` as type since `config` is not mergeable on purpose.
  It must be a string as it's rendered verbatim into `nginx.conf` and if
  the type is `unspecified`, it can be confused with RFC42-like options.

* Mention which config options that don't generate config in
  `nginx.conf` are NOT mutually exclusive.
2020-12-06 17:26:13 +01:00
Jörg Thalheim
6f330ccedf
nixos/nginx: add streamConfig option 2020-11-29 10:55:01 +01:00
Graham Christensen
bc49a0815a
utillinux: rename to util-linux 2020-11-24 12:42:06 -05:00
Graham Christensen
3361a037b9
nginx: add a warning that nginx's basic auth isn't very good. 2020-11-02 08:16:01 -05:00
Graham Christensen
c7bf3828f0
nginx: add basic auth support for locations 2020-11-02 08:16:00 -05:00
Graham Christensen
33cf4f0e8e
nginx: factor out the generation of basic auth generation 2020-11-02 08:16:00 -05:00
lf-
00d257c7c3 nixos/caddy: fix caddy configs with complicated jq 2020-10-31 01:53:50 -07:00
lf-
b37bbca521 nixos/modules: fix systemd start rate-limits
These were broken since 2016:
f0367da7d1
since StartLimitIntervalSec got moved into [Unit] from [Service].
StartLimitBurst has also been moved accordingly, so let's fix that one
too.

NixOS systems have been producing logs such as:
/nix/store/wf98r55aszi1bkmln1lvdbp7znsfr70i-unit-caddy.service/caddy.service:31:
Unknown key name 'StartLimitIntervalSec' in section 'Service', ignoring.

I have also removed some unnecessary duplication in units disabling
rate limiting since setting either interval or burst to zero disables it
(ad16158c10/src/basic/ratelimit.c (L16))
2020-10-31 01:35:56 -07:00
WORLDofPEACE
214af51225
Merge pull request #101067 from deviant/remove-caddy-agree
nixos/caddy: remove services.caddy.agree
2020-10-30 16:02:44 -04:00
Aneesh Agrawal
924035bb97 nixos/nginx: Allow unsetting ssl_ciphers
When using the Modern config from the Mozilla SSL config generator,
the `ssl_ciphers` parameter does not need to be set
as only TLSv1.3 is permitted and all of its ciphers are reasonable.
2020-10-26 00:35:29 -04:00
V
580f0faa75 nixos/caddy: remove services.caddy.agree
This option is no longer referenced anywhere as of #99371.
2020-10-19 14:29:48 +02:00
Dustin Frisch
762ca640c4
nixos/nginx: Do not remove headers while proxying
Removing the `Accept-Encoding` header breaks applications which may
produce already compressed content.

Removing this header is staded in the nginx docs but is ment as an
example, not as an recomendation.
2020-10-16 12:50:52 +02:00
Aaron Andersen
dedd67610a
Merge pull request #99251 from xfix/remove-unnecessary-sendmail-configuration
nixos/httpd: remove unnecessary sendmail configuration
2020-10-05 08:59:42 -04:00
zowoq
8f74e9e905 nixos/caddy: remove caddy1 2020-10-02 23:50:59 +10:00
Konrad Borowski
6fc06a1d3d nixos/phpfpm: remove unnecessary sendmail configuration 2020-10-02 09:11:14 +02:00
Konrad Borowski
05eb3496e6 nixos/httpd: remove unnecessary sendmail configuration
PHP now uses system-sendmail without special configuration.
2020-10-01 12:05:08 +02:00
Emery Hemingway
9fa50bea78 nixos/molly-brown: refactor module to use a TOML generator 2020-09-28 14:38:31 +02:00
Izorkin
535896671b
nixos/nginx: remove option enableSandbox 2020-09-10 08:19:20 +03:00
Oleksii Filonenko
45d7f59da8
Merge pull request #97217 from sephii/nixos-caddy-v2-migration 2020-09-08 11:17:55 +03:00
Sylvain Fankhauser
b8bfe941fa
caddy: address remaining MR comments for v2 2020-09-08 09:29:04 +02:00
Oleksii Filonenko
6322325a53
caddy: 1.0.5 -> 2.0.0
Rename legacy v1 to `caddy1`
2020-09-07 09:39:16 +02:00
Florian Klink
d7046947e5
Merge pull request #91121 from m1cr0man/master
Restructure acme module
2020-09-06 18:26:22 +02:00
Oleksii Filonenko
d71cadacd9
nixos/caddy: use v2 by default 2020-09-05 14:09:17 +02:00
Oleksii Filonenko
8cc592abfa
nixos/caddy: add support for v2 2020-09-05 14:09:16 +02:00
Lucas Savva
61dbf4bf89
nixos/acme: Add proper nginx/httpd config reload checks
Testing of certs failed randomly when the web server was still
returning old certs even after the reload was "complete". This was
because the reload commands send process signals and do not wait
for the worker processes to restart. This commit adds log watchers
which wait for the worker processes to be restarted.
2020-09-02 19:25:30 +01:00
Lucas Savva
982c5a1f0e
nixos/acme: Restructure module
- Use an acme user and group, allow group override only
- Use hashes to determine when certs actually need to regenerate
- Avoid running lego more than necessary
- Harden permissions
- Support "systemctl clean" for cert regeneration
- Support reuse of keys between some configuration changes
- Permissions fix services solves for previously root owned certs
- Add a note about multiple account creation and emails
- Migrate extraDomains to a list
- Deprecate user option
- Use minica for self-signed certs
- Rewrite all tests

I thought of a few more cases where things may go wrong,
and added tests to cover them. In particular, the web server
reload services were depending on the target - which stays alive,
meaning that the renewal timer wouldn't be triggering a reload
and old certs would stay on the web servers.

I encountered some problems ensuring that the reload took place
without accidently triggering it as part of the test. The sync
commands I added ended up being essential and I'm not sure why,
it seems like either node.succeed ends too early or there's an
oddity of the vm's filesystem I'm not aware of.

- Fix duplicate systemd rules on reload services

Since useACMEHost is not unique to every vhost, if one cert
was reused many times it would create duplicate entries in
${server}-config-reload.service for wants, before and
ConditionPathExists
2020-09-02 19:22:43 +01:00
Peter Hoeg
07408cac94 nixos/phpfpm: always restart service on failure 2020-08-31 21:19:54 +08:00
Aaron Andersen
4df837063f
Merge pull request #95809 from aanderse/logrotate
nixos/logrotate: switch `paths` option type from listOf to attrsOf
2020-08-21 17:31:52 -04:00
Aaron Andersen
06d17caf92 nixos/httpd: configure log rotation 2020-08-21 17:04:07 -04:00