Merge pull request #85043 from aanderse/httpd-2020

nixos/httpd: modernize module standards
Aaron Andersen
2020-04-25 20:04:05 -04:00
committed by GitHub
3 changed files with 44 additions and 20 deletions


@@ -41,9 +41,9 @@ let
"mime" "autoindex" "negotiation" "dir"
"alias" "rewrite"
"unixd" "slotmem_shm" "socache_shmcb"
"mpm_${cfg.multiProcessingModule}"
"mpm_${cfg.mpm}"
]
++ (if cfg.multiProcessingModule == "prefork" then [ "cgi" ] else [ "cgid" ])
++ (if cfg.mpm == "prefork" then [ "cgi" ] else [ "cgid" ])
++ optional enableHttp2 "http2"
++ optional enableSSL "ssl"
++ optional enableUserDir "userdir"
@@ -264,7 +264,7 @@ let
PidFile ${runtimeDir}/httpd.pid
${optionalString (cfg.multiProcessingModule != "prefork") ''
${optionalString (cfg.mpm != "prefork") ''
# mod_cgid requires this.
ScriptSock ${runtimeDir}/cgisock
''}
@@ -350,6 +350,7 @@ in
imports = [
(mkRemovedOptionModule [ "services" "httpd" "extraSubservices" ] "Most existing subservices have been ported to the NixOS module system. Please update your configuration accordingly.")
(mkRemovedOptionModule [ "services" "httpd" "stateDir" ] "The httpd module now uses /run/httpd as a runtime directory.")
(mkRenamedOptionModule [ "services" "httpd" "multiProcessingModule" ] [ "services" "httpd" "mpm" ])
# virtualHosts options
(mkRemovedOptionModule [ "services" "httpd" "documentRoot" ] "Please define a virtual host using `services.httpd.virtualHosts`.")
@@ -454,7 +455,13 @@ in
type = types.str;
default = "wwwrun";
description = ''
User account under which httpd runs.
User account under which httpd children processes run.
If you require the main httpd process to run as
<literal>root</literal> add the following configuration:
<programlisting>
systemd.services.httpd.serviceConfig.User = lib.mkForce "root";
</programlisting>
'';
};
@@ -462,7 +469,7 @@ in
type = types.str;
default = "wwwrun";
description = ''
Group under which httpd runs.
Group under which httpd children processes run.
'';
};
@@ -539,20 +546,19 @@ in
'';
};
multiProcessingModule = mkOption {
mpm = mkOption {
type = types.enum [ "event" "prefork" "worker" ];
default = "prefork";
default = "event";
example = "worker";
description =
''
Multi-processing module to be used by Apache. Available
modules are <literal>prefork</literal> (the default;
handles each request in a separate child process),
<literal>worker</literal> (hybrid approach that starts a
number of child processes each running a number of
threads) and <literal>event</literal> (a recent variant of
<literal>worker</literal> that handles persistent
connections more efficiently).
modules are <literal>prefork</literal> (handles each
request in a separate child process), <literal>worker</literal>
(hybrid approach that starts a number of child processes
each running a number of threads) and <literal>event</literal>
(the default; a recent variant of <literal>worker</literal>
that handles persistent connections more efficiently).
'';
};
@@ -652,7 +658,7 @@ in
services.httpd.phpOptions =
''
; Needed for PHP's mail() function.
sendmail_path = sendmail -t -i
sendmail_path = ${pkgs.system-sendmail}/bin/sendmail -t -i
; Don't advertise PHP
expose_php = off
@@ -703,9 +709,7 @@ in
wants = concatLists (map (hostOpts: [ "acme-${hostOpts.hostName}.service" "acme-selfsigned-${hostOpts.hostName}.service" ]) vhostsACME);
after = [ "network.target" "fs.target" ] ++ map (hostOpts: "acme-selfsigned-${hostOpts.hostName}.service") vhostsACME;
path =
[ pkg pkgs.coreutils pkgs.gnugrep ]
++ optional cfg.enablePHP pkgs.system-sendmail; # Needed for PHP's mail() function.
path = [ pkg pkgs.coreutils pkgs.gnugrep ];
environment =
optionalAttrs cfg.enablePHP { PHPRC = phpIni; }
@@ -725,7 +729,7 @@ in
ExecStart = "@${pkg}/bin/httpd httpd -f ${httpdConf}";
ExecStop = "${pkg}/bin/httpd -f ${httpdConf} -k graceful-stop";
ExecReload = "${pkg}/bin/httpd -f ${httpdConf} -k graceful";
User = "root";
User = cfg.user;
Group = cfg.group;
Type = "forking";
PIDFile = "${runtimeDir}/httpd.pid";
@@ -733,6 +737,7 @@ in
RestartSec = "5s";
RuntimeDirectory = "httpd httpd/runtime";
RuntimeDirectoryMode = "0750";
AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
};
};
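Review bot: With `User = cfg.user` in the serviceConfig hunk the parent httpd process no longer starts as root, so whatever it opens at startup (for example the TLS private keys of the ACME vhosts named in `wants`/`after`, or log directories) must now be readable by the same account that serves requests; how those files are owned is not visible in these hunks. The reworded `user` description speaks only of "children processes", which reads as if the parent stayed privileged; I would word it `User account under which httpd and its children processes run.` and keep the `mkForce "root"` paragraph as the opt-out. `AmbientCapabilities` survives execve, so programs httpd starts (CGI via mod_cgi/mod_cgid, PHP's sendmail call) presumably carry CAP_NET_BIND_SERVICE too; a comment beside it such as `# inherited by everything httpd executes, including CGI scripts` would make that explicit. The attribute sets these hunks touch start and end outside the visible lines.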


@@ -137,7 +137,7 @@ in
http2 = mkOption {
type = types.bool;
default = false;
default = true;
description = ''
Whether to enable HTTP 2. HTTP/2 is supported in all multi-processing modules that come with httpd. <emphasis>However, if you use the prefork mpm, there will
be severe restrictions.</emphasis> Refer to <link xlink:href="https://httpd.apache.org/docs/2.4/howto/http2.html#mpm-config"/> for details.