treewide: Format all Nix files

Format all Nix files using the officially approved formatter,
making the CI check introduced in the previous commit succeed:

  nix-build ci -A fmt.check

This is the next step of the [implementation](https://github.com/NixOS/nixfmt/issues/153)
of the accepted [RFC 166](https://github.com/NixOS/rfcs/pull/166).

This commit will lead to merge conflicts for a number of PRs,
up to an estimated ~1100 (~33%) among the PRs with activity in the past 2
months, but that should be lower than what it would be without the previous
[partial treewide format](https://github.com/NixOS/nixpkgs/pull/322537).

Merge conflicts caused by this commit can now automatically be resolved while rebasing using the
[auto-rebase script](8616af08d9/maintainers/scripts/auto-rebase).

If you run into any problems regarding any of this, please reach out to the
[formatting team](https://nixos.org/community/teams/formatting/) by
pinging @NixOS/nix-formatting.
Silvan Mosberger
2025-04-01 20:10:43 +02:00
parent 2140bf39e4
commit 374e6bcc40
1523 changed files with 986047 additions and 513621 deletions



@@ -1,19 +1,34 @@
{ config, lib, pkgs, ... }:
{
config,
lib,
pkgs,
...
}:
let
inherit (lib) mkIf mkOption optional;
inherit (lib.types) path bool listOf str port;
inherit (lib.types)
path
bool
listOf
str
port
;
cfg = config.services.darkhttpd;
args = lib.concatStringsSep " " ([
cfg.rootDir
"--port ${toString cfg.port}"
"--addr ${cfg.address}"
] ++ cfg.extraArgs
++ optional cfg.hideServerId "--no-server-id"
++ optional config.networking.enableIPv6 "--ipv6");
args = lib.concatStringsSep " " (
[
cfg.rootDir
"--port ${toString cfg.port}"
"--addr ${cfg.address}"
]
++ cfg.extraArgs
++ optional cfg.hideServerId "--no-server-id"
++ optional config.networking.enableIPv6 "--ipv6"
);
in {
in
{
options.services.darkhttpd = {
enable = lib.mkEnableOption "DarkHTTPd web server";
@@ -52,7 +67,7 @@ in {
extraArgs = mkOption {
type = listOf str;
default = [];
default = [ ];
description = ''
Additional configuration passed to the executable.
'';


@@ -1,14 +1,21 @@
{ config, lib, pkgs, ... }:
{
config,
lib,
pkgs,
...
}:
with lib;
let
cfg = config.services.minio;
legacyCredentials = cfg: pkgs.writeText "minio-legacy-credentials" ''
MINIO_ROOT_USER=${cfg.accessKey}
MINIO_ROOT_PASSWORD=${cfg.secretKey}
'';
legacyCredentials =
cfg:
pkgs.writeText "minio-legacy-credentials" ''
MINIO_ROOT_USER=${cfg.accessKey}
MINIO_ROOT_PASSWORD=${cfg.secretKey}
'';
in
{
meta.maintainers = [ maintainers.bachp ];
@@ -95,35 +102,43 @@ in
};
config = mkIf cfg.enable {
warnings = optional ((cfg.accessKey != "") || (cfg.secretKey != "")) "services.minio.`accessKey` and services.minio.`secretKey` are deprecated, please use services.minio.`rootCredentialsFile` instead.";
warnings =
optional ((cfg.accessKey != "") || (cfg.secretKey != ""))
"services.minio.`accessKey` and services.minio.`secretKey` are deprecated, please use services.minio.`rootCredentialsFile` instead.";
systemd = lib.mkMerge [{
tmpfiles.rules = [
"d '${cfg.configDir}' - minio minio - -"
] ++ (map (x: "d '" + x + "' - minio minio - - ") (builtins.filter lib.types.path.check cfg.dataDir));
systemd = lib.mkMerge [
{
tmpfiles.rules =
[
"d '${cfg.configDir}' - minio minio - -"
]
++ (map (x: "d '" + x + "' - minio minio - - ") (builtins.filter lib.types.path.check cfg.dataDir));
services.minio = {
description = "Minio Object Storage";
wants = [ "network-online.target" ];
after = [ "network-online.target" ];
wantedBy = [ "multi-user.target" ];
serviceConfig = {
ExecStart = "${cfg.package}/bin/minio server --json --address ${cfg.listenAddress} --console-address ${cfg.consoleAddress} --config-dir=${cfg.configDir} --certs-dir=${cfg.certificatesDir} ${toString cfg.dataDir}";
Type = "simple";
User = "minio";
Group = "minio";
LimitNOFILE = 65536;
EnvironmentFile =
if (cfg.rootCredentialsFile != null) then cfg.rootCredentialsFile
else if ((cfg.accessKey != "") || (cfg.secretKey != "")) then (legacyCredentials cfg)
else null;
services.minio = {
description = "Minio Object Storage";
wants = [ "network-online.target" ];
after = [ "network-online.target" ];
wantedBy = [ "multi-user.target" ];
serviceConfig = {
ExecStart = "${cfg.package}/bin/minio server --json --address ${cfg.listenAddress} --console-address ${cfg.consoleAddress} --config-dir=${cfg.configDir} --certs-dir=${cfg.certificatesDir} ${toString cfg.dataDir}";
Type = "simple";
User = "minio";
Group = "minio";
LimitNOFILE = 65536;
EnvironmentFile =
if (cfg.rootCredentialsFile != null) then
cfg.rootCredentialsFile
else if ((cfg.accessKey != "") || (cfg.secretKey != "")) then
(legacyCredentials cfg)
else
null;
};
environment = {
MINIO_REGION = "${cfg.region}";
MINIO_BROWSER = "${if cfg.browser then "on" else "off"}";
};
};
environment = {
MINIO_REGION = "${cfg.region}";
MINIO_BROWSER = "${if cfg.browser then "on" else "off"}";
};
};
}
}
(lib.mkIf (cfg.rootCredentialsFile != null) {
# The service will fail if the credentials file is missing
@@ -153,7 +168,8 @@ in
RestartSec = 5;
};
};
})];
})
];
users.users.minio = {
group = "minio";



@@ -11,7 +11,7 @@ with lib;
options = {
basicAuth = mkOption {
type = types.attrsOf types.str;
default = {};
default = { };
example = literalExpression ''
{
user = "password";
@@ -100,7 +100,12 @@ with lib;
};
return = mkOption {
type = with types; nullOr (oneOf [ str int ]);
type =
with types;
nullOr (oneOf [
str
int
]);
default = null;
example = "301 http://example.com$request_uri";
description = ''
@@ -110,7 +115,7 @@ with lib;
fastcgiParams = mkOption {
type = types.attrsOf (types.either types.str types.path);
default = {};
default = { };
description = ''
FastCGI parameters to override. Unlike in the Nginx
configuration file, overriding only some default parameters


@@ -19,50 +19,65 @@ with lib;
serverAliases = mkOption {
type = types.listOf types.str;
default = [];
example = [ "www.example.org" "example.org" ];
default = [ ];
example = [
"www.example.org"
"example.org"
];
description = ''
Additional names of virtual hosts served by this virtual host configuration.
'';
};
listen = mkOption {
type = with types; listOf (submodule {
options = {
addr = mkOption {
type = str;
description = "Listen address.";
type =
with types;
listOf (submodule {
options = {
addr = mkOption {
type = str;
description = "Listen address.";
};
port = mkOption {
type = types.nullOr port;
description = ''
Port number to listen on.
If unset and the listen address is not a socket then nginx defaults to 80.
'';
default = null;
};
ssl = mkOption {
type = bool;
description = "Enable SSL.";
default = false;
};
proxyProtocol = mkOption {
type = bool;
description = "Enable PROXY protocol.";
default = false;
};
extraParameters = mkOption {
type = listOf str;
description = "Extra parameters of this listen directive.";
default = [ ];
example = [
"backlog=1024"
"deferred"
];
};
};
port = mkOption {
type = types.nullOr port;
description = ''
Port number to listen on.
If unset and the listen address is not a socket then nginx defaults to 80.
'';
default = null;
};
ssl = mkOption {
type = bool;
description = "Enable SSL.";
default = false;
};
proxyProtocol = mkOption {
type = bool;
description = "Enable PROXY protocol.";
default = false;
};
extraParameters = mkOption {
type = listOf str;
description = "Extra parameters of this listen directive.";
default = [ ];
example = [ "backlog=1024" "deferred" ];
};
};
});
default = [];
});
default = [ ];
example = [
{ addr = "195.154.1.1"; port = 443; ssl = true; }
{ addr = "192.154.1.1"; port = 80; }
{
addr = "195.154.1.1";
port = 443;
ssl = true;
}
{
addr = "192.154.1.1";
port = 80;
}
{ addr = "unix:/var/run/nginx.sock"; }
];
description = ''
@@ -86,8 +101,11 @@ with lib;
Note: This option overrides `enableIPv6`
'';
default = [];
example = [ "127.0.0.1" "[::1]" ];
default = [ ];
example = [
"127.0.0.1"
"[::1]"
];
};
enableACME = mkOption {
@@ -326,7 +344,7 @@ with lib;
basicAuth = mkOption {
type = types.attrsOf types.str;
default = {};
default = { };
example = literalExpression ''
{
user = "password";
@@ -350,10 +368,14 @@ with lib;
};
locations = mkOption {
type = types.attrsOf (types.submodule (import ./location-options.nix {
inherit lib config;
}));
default = {};
type = types.attrsOf (
types.submodule (
import ./location-options.nix {
inherit lib config;
}
)
);
default = { };
example = literalExpression ''
{
"/" = {


@@ -1,4 +1,9 @@
{ config, lib, pkgs, ... }:
{
config,
lib,
pkgs,
...
}:
with lib;
@@ -7,31 +12,42 @@ let
runtimeDir = "/run/phpfpm";
toStr = value:
if true == value then "yes"
else if false == value then "no"
else toString value;
toStr =
value:
if true == value then
"yes"
else if false == value then
"no"
else
toString value;
fpmCfgFile = pool: poolOpts: pkgs.writeText "phpfpm-${pool}.conf" ''
[global]
${concatStringsSep "\n" (mapAttrsToList (n: v: "${n} = ${toStr v}") cfg.settings)}
${optionalString (cfg.extraConfig != null) cfg.extraConfig}
fpmCfgFile =
pool: poolOpts:
pkgs.writeText "phpfpm-${pool}.conf" ''
[global]
${concatStringsSep "\n" (mapAttrsToList (n: v: "${n} = ${toStr v}") cfg.settings)}
${optionalString (cfg.extraConfig != null) cfg.extraConfig}
[${pool}]
${concatStringsSep "\n" (mapAttrsToList (n: v: "${n} = ${toStr v}") poolOpts.settings)}
${concatStringsSep "\n" (mapAttrsToList (n: v: "env[${n}] = ${toStr v}") poolOpts.phpEnv)}
${optionalString (poolOpts.extraConfig != null) poolOpts.extraConfig}
'';
[${pool}]
${concatStringsSep "\n" (mapAttrsToList (n: v: "${n} = ${toStr v}") poolOpts.settings)}
${concatStringsSep "\n" (mapAttrsToList (n: v: "env[${n}] = ${toStr v}") poolOpts.phpEnv)}
${optionalString (poolOpts.extraConfig != null) poolOpts.extraConfig}
'';
phpIni = poolOpts: pkgs.runCommand "php.ini" {
inherit (poolOpts) phpPackage phpOptions;
preferLocalBuild = true;
passAsFile = [ "phpOptions" ];
} ''
cat ${poolOpts.phpPackage}/etc/php.ini $phpOptionsPath > $out
'';
phpIni =
poolOpts:
pkgs.runCommand "php.ini"
{
inherit (poolOpts) phpPackage phpOptions;
preferLocalBuild = true;
passAsFile = [ "phpOptions" ];
}
''
cat ${poolOpts.phpPackage}/etc/php.ini $phpOptionsPath > $out
'';
poolOpts = { name, ... }:
poolOpts =
{ name, ... }:
let
poolOpts = cfg.pools.${name};
in
@@ -77,7 +93,7 @@ let
phpEnv = lib.mkOption {
type = with types; attrsOf str;
default = {};
default = { };
description = ''
Environment variables used for this PHP-FPM pool.
'';
@@ -102,8 +118,14 @@ let
};
settings = mkOption {
type = with types; attrsOf (oneOf [ str int bool ]);
default = {};
type =
with types;
attrsOf (oneOf [
str
int
bool
]);
default = { };
description = ''
PHP-FPM pool directives. Refer to the "List of pool directives" section of
<https://www.php.net/manual/en/install.fpm.configuration.php>
@@ -138,7 +160,7 @@ let
group = mkDefault poolOpts.user;
phpOptions = mkBefore cfg.phpOptions;
settings = mapAttrs (name: mkDefault){
settings = mapAttrs (name: mkDefault) {
listen = poolOpts.socket;
user = poolOpts.user;
group = poolOpts.group;
@@ -146,7 +168,8 @@ let
};
};
in {
in
{
imports = [
(mkRemovedOptionModule [ "services" "phpfpm" "poolConfigs" ] "Use services.phpfpm.pools instead.")
(mkRemovedOptionModule [ "services" "phpfpm" "phpIni" ] "")
@@ -155,8 +178,14 @@ in {
options = {
services.phpfpm = {
settings = mkOption {
type = with types; attrsOf (oneOf [ str int bool ]);
default = {};
type =
with types;
attrsOf (oneOf [
str
int
bool
]);
default = { };
description = ''
PHP-FPM global directives. Refer to the "List of global php-fpm.conf directives" section of
<https://www.php.net/manual/en/install.fpm.configuration.php>
@@ -184,10 +213,9 @@ in {
phpOptions = mkOption {
type = types.lines;
default = "";
example =
''
date.timezone = "CET"
'';
example = ''
date.timezone = "CET"
'';
description = ''
Options appended to the PHP configuration file {file}`php.ini`.
'';
@@ -195,23 +223,23 @@ in {
pools = mkOption {
type = types.attrsOf (types.submodule poolOpts);
default = {};
default = { };
example = literalExpression ''
{
mypool = {
user = "php";
group = "php";
phpPackage = pkgs.php;
settings = {
"pm" = "dynamic";
"pm.max_children" = 75;
"pm.start_servers" = 10;
"pm.min_spare_servers" = 5;
"pm.max_spare_servers" = 20;
"pm.max_requests" = 500;
};
}
}'';
{
mypool = {
user = "php";
group = "php";
phpPackage = pkgs.php;
settings = {
"pm" = "dynamic";
"pm.max_children" = 75;
"pm.start_servers" = 10;
"pm.min_spare_servers" = 5;
"pm.max_spare_servers" = 20;
"pm.max_requests" = 500;
};
}
}'';
description = ''
PHP-FPM pools. If no pools are defined, the PHP-FPM
service is disabled.
@@ -220,19 +248,18 @@ in {
};
};
config = mkIf (cfg.pools != {}) {
config = mkIf (cfg.pools != { }) {
warnings =
mapAttrsToList (pool: poolOpts: ''
Using config.services.phpfpm.pools.${pool}.listen is deprecated and will become unsupported in a future release. Please reference the read-only option config.services.phpfpm.pools.${pool}.socket to access the path of your socket.
'') (filterAttrs (pool: poolOpts: poolOpts.listen != "") cfg.pools) ++
mapAttrsToList (pool: poolOpts: ''
'') (filterAttrs (pool: poolOpts: poolOpts.listen != "") cfg.pools)
++ mapAttrsToList (pool: poolOpts: ''
Using config.services.phpfpm.pools.${pool}.extraConfig is deprecated and will become unsupported in a future release. Please migrate your configuration to config.services.phpfpm.pools.${pool}.settings.
'') (filterAttrs (pool: poolOpts: poolOpts.extraConfig != null) cfg.pools) ++
optional (cfg.extraConfig != null) ''
'') (filterAttrs (pool: poolOpts: poolOpts.extraConfig != null) cfg.pools)
++ optional (cfg.extraConfig != null) ''
Using config.services.phpfpm.extraConfig is deprecated and will become unsupported in a future release. Please migrate your configuration to config.services.phpfpm.settings.
''
;
'';
services.phpfpm.settings = {
error_log = "syslog";
@@ -248,31 +275,34 @@ in {
wantedBy = [ "multi-user.target" ];
};
systemd.services = mapAttrs' (pool: poolOpts:
systemd.services = mapAttrs' (
pool: poolOpts:
nameValuePair "phpfpm-${pool}" {
description = "PHP FastCGI Process Manager service for pool ${pool}";
after = [ "network.target" ];
wantedBy = [ "phpfpm.target" ];
partOf = [ "phpfpm.target" ];
documentation = [ "man:php-fpm(8)" ];
serviceConfig = let
cfgFile = fpmCfgFile pool poolOpts;
iniFile = phpIni poolOpts;
in {
Slice = "system-phpfpm.slice";
PrivateDevices = true;
PrivateTmp = true;
ProtectSystem = "full";
ProtectHome = true;
# XXX: We need AF_NETLINK to make the sendmail SUID binary from postfix work
RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6 AF_NETLINK";
Type = "notify";
ExecStart = "${poolOpts.phpPackage}/bin/php-fpm -y ${cfgFile} -c ${iniFile}";
ExecReload = "${pkgs.coreutils}/bin/kill -USR2 $MAINPID";
RuntimeDirectory = "phpfpm";
RuntimeDirectoryPreserve = true; # Relevant when multiple processes are running
Restart = "always";
};
serviceConfig =
let
cfgFile = fpmCfgFile pool poolOpts;
iniFile = phpIni poolOpts;
in
{
Slice = "system-phpfpm.slice";
PrivateDevices = true;
PrivateTmp = true;
ProtectSystem = "full";
ProtectHome = true;
# XXX: We need AF_NETLINK to make the sendmail SUID binary from postfix work
RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6 AF_NETLINK";
Type = "notify";
ExecStart = "${poolOpts.phpPackage}/bin/php-fpm -y ${cfgFile} -c ${iniFile}";
ExecReload = "${pkgs.coreutils}/bin/kill -USR2 $MAINPID";
RuntimeDirectory = "phpfpm";
RuntimeDirectoryPreserve = true; # Relevant when multiple processes are running
Restart = "always";
};
}
) cfg.pools;
};


@@ -1,9 +1,14 @@
{ config, lib, pkgs, ... }:
{
config,
lib,
pkgs,
...
}:
with lib;
let
format = pkgs.formats.yaml {};
format = pkgs.formats.yaml { };
in
{
options.services.pomerium = {
@@ -41,7 +46,7 @@ in
configuration reference](https://pomerium.io/reference/) for more information about what to put
here.
'';
default = {};
default = { };
type = format.type;
};
@@ -55,81 +60,93 @@ in
};
};
config = let
cfg = config.services.pomerium;
cfgFile = if cfg.configFile != null then cfg.configFile else (format.generate "pomerium.yaml" cfg.settings);
in mkIf cfg.enable ({
systemd.services.pomerium = {
description = "Pomerium authenticating reverse proxy";
wants = [ "network.target" ] ++ (optional (cfg.useACMEHost != null) "acme-finished-${cfg.useACMEHost}.target");
after = [ "network.target" ] ++ (optional (cfg.useACMEHost != null) "acme-finished-${cfg.useACMEHost}.target");
wantedBy = [ "multi-user.target" ];
environment = optionalAttrs (cfg.useACMEHost != null) {
CERTIFICATE_FILE = "fullchain.pem";
CERTIFICATE_KEY_FILE = "key.pem";
config =
let
cfg = config.services.pomerium;
cfgFile =
if cfg.configFile != null then cfg.configFile else (format.generate "pomerium.yaml" cfg.settings);
in
mkIf cfg.enable ({
systemd.services.pomerium = {
description = "Pomerium authenticating reverse proxy";
wants = [
"network.target"
] ++ (optional (cfg.useACMEHost != null) "acme-finished-${cfg.useACMEHost}.target");
after = [
"network.target"
] ++ (optional (cfg.useACMEHost != null) "acme-finished-${cfg.useACMEHost}.target");
wantedBy = [ "multi-user.target" ];
environment = optionalAttrs (cfg.useACMEHost != null) {
CERTIFICATE_FILE = "fullchain.pem";
CERTIFICATE_KEY_FILE = "key.pem";
};
startLimitIntervalSec = 60;
script = ''
if [[ -v CREDENTIALS_DIRECTORY ]]; then
cd "$CREDENTIALS_DIRECTORY"
fi
exec "${pkgs.pomerium}/bin/pomerium" -config "${cfgFile}"
'';
serviceConfig = {
DynamicUser = true;
StateDirectory = [ "pomerium" ];
PrivateUsers = false; # breaks CAP_NET_BIND_SERVICE
MemoryDenyWriteExecute = false; # breaks LuaJIT
NoNewPrivileges = true;
PrivateTmp = true;
PrivateDevices = true;
DevicePolicy = "closed";
ProtectSystem = "strict";
ProtectHome = true;
ProtectControlGroups = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectKernelLogs = true;
RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6 AF_NETLINK";
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
LockPersonality = true;
SystemCallArchitectures = "native";
EnvironmentFile = cfg.secretsFile;
AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
LoadCredential = optionals (cfg.useACMEHost != null) [
"fullchain.pem:/var/lib/acme/${cfg.useACMEHost}/fullchain.pem"
"key.pem:/var/lib/acme/${cfg.useACMEHost}/key.pem"
];
};
};
startLimitIntervalSec = 60;
script = ''
if [[ -v CREDENTIALS_DIRECTORY ]]; then
cd "$CREDENTIALS_DIRECTORY"
fi
exec "${pkgs.pomerium}/bin/pomerium" -config "${cfgFile}"
'';
serviceConfig = {
DynamicUser = true;
StateDirectory = [ "pomerium" ];
# postRun hooks on cert renew can't be used to restart Nginx since renewal
# runs as the unprivileged acme user. sslTargets are added to wantedBy + before
# which allows the acme-finished-$cert.target to signify the successful updating
# of certs end-to-end.
systemd.services.pomerium-config-reload = mkIf (cfg.useACMEHost != null) {
# TODO(lukegb): figure out how to make config reloading work with credentials.
PrivateUsers = false; # breaks CAP_NET_BIND_SERVICE
MemoryDenyWriteExecute = false; # breaks LuaJIT
NoNewPrivileges = true;
PrivateTmp = true;
PrivateDevices = true;
DevicePolicy = "closed";
ProtectSystem = "strict";
ProtectHome = true;
ProtectControlGroups = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectKernelLogs = true;
RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6 AF_NETLINK";
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
LockPersonality = true;
SystemCallArchitectures = "native";
EnvironmentFile = cfg.secretsFile;
AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
LoadCredential = optionals (cfg.useACMEHost != null) [
"fullchain.pem:/var/lib/acme/${cfg.useACMEHost}/fullchain.pem"
"key.pem:/var/lib/acme/${cfg.useACMEHost}/key.pem"
wantedBy = [
"acme-finished-${cfg.useACMEHost}.target"
"multi-user.target"
];
# Before the finished targets, after the renew services.
before = [ "acme-finished-${cfg.useACMEHost}.target" ];
after = [ "acme-${cfg.useACMEHost}.service" ];
# Block reloading if not all certs exist yet.
unitConfig.ConditionPathExists = [
"${config.security.acme.certs.${cfg.useACMEHost}.directory}/fullchain.pem"
];
serviceConfig = {
Type = "oneshot";
TimeoutSec = 60;
ExecCondition = "/run/current-system/systemd/bin/systemctl -q is-active pomerium.service";
ExecStart = "/run/current-system/systemd/bin/systemctl --no-block restart pomerium.service";
};
};
};
# postRun hooks on cert renew can't be used to restart Nginx since renewal
# runs as the unprivileged acme user. sslTargets are added to wantedBy + before
# which allows the acme-finished-$cert.target to signify the successful updating
# of certs end-to-end.
systemd.services.pomerium-config-reload = mkIf (cfg.useACMEHost != null) {
# TODO(lukegb): figure out how to make config reloading work with credentials.
wantedBy = [ "acme-finished-${cfg.useACMEHost}.target" "multi-user.target" ];
# Before the finished targets, after the renew services.
before = [ "acme-finished-${cfg.useACMEHost}.target" ];
after = [ "acme-${cfg.useACMEHost}.service" ];
# Block reloading if not all certs exist yet.
unitConfig.ConditionPathExists = [ "${config.security.acme.certs.${cfg.useACMEHost}.directory}/fullchain.pem" ];
serviceConfig = {
Type = "oneshot";
TimeoutSec = 60;
ExecCondition = "/run/current-system/systemd/bin/systemctl -q is-active pomerium.service";
ExecStart = "/run/current-system/systemd/bin/systemctl --no-block restart pomerium.service";
};
};
});
});
}


@@ -1,29 +1,37 @@
{ config, lib, pkgs, ... }:
{
config,
lib,
pkgs,
...
}:
with lib;
let
cfg = config.services.traefik;
format = pkgs.formats.toml {};
format = pkgs.formats.toml { };
dynamicConfigFile = if cfg.dynamicConfigFile == null then
format.generate "config.toml" cfg.dynamicConfigOptions
else
cfg.dynamicConfigFile;
dynamicConfigFile =
if cfg.dynamicConfigFile == null then
format.generate "config.toml" cfg.dynamicConfigOptions
else
cfg.dynamicConfigFile;
staticConfigFile = if cfg.staticConfigFile == null then
format.generate "config.toml" (recursiveUpdate cfg.staticConfigOptions {
providers.file.filename = "${dynamicConfigFile}";
})
else
cfg.staticConfigFile;
staticConfigFile =
if cfg.staticConfigFile == null then
format.generate "config.toml" (
recursiveUpdate cfg.staticConfigOptions {
providers.file.filename = "${dynamicConfigFile}";
}
)
else
cfg.staticConfigFile;
finalStaticConfigFile =
if cfg.environmentFiles == []
then staticConfigFile
else "/run/traefik/config.toml";
in {
if cfg.environmentFiles == [ ] then staticConfigFile else "/run/traefik/config.toml";
in
{
options.services.traefik = {
enable = mkEnableOption "Traefik web server";
@@ -42,7 +50,9 @@ in {
Static configuration for Traefik.
'';
type = format.type;
default = { entryPoints.http.address = ":80"; };
default = {
entryPoints.http.address = ":80";
};
example = {
entryPoints.web.address = ":8080";
entryPoints.http.address = ":80";
@@ -73,8 +83,7 @@ in {
service = "service1";
};
http.services.service1.loadBalancer.servers =
[{ url = "http://localhost:8080"; }];
http.services.service1.loadBalancer.servers = [ { url = "http://localhost:8080"; } ];
};
};
@@ -99,7 +108,7 @@ in {
package = mkPackageOption pkgs "traefik" { };
environmentFiles = mkOption {
default = [];
default = [ ];
type = types.listOf types.path;
example = [ "/run/secrets/traefik.env" ];
description = ''
@@ -121,11 +130,12 @@ in {
startLimitBurst = 5;
serviceConfig = {
EnvironmentFile = cfg.environmentFiles;
ExecStartPre = lib.optional (cfg.environmentFiles != [])
(pkgs.writeShellScript "pre-start" ''
ExecStartPre = lib.optional (cfg.environmentFiles != [ ]) (
pkgs.writeShellScript "pre-start" ''
umask 077
${pkgs.envsubst}/bin/envsubst -i "${staticConfigFile}" > "${finalStaticConfigFile}"
'');
''
);
ExecStart = "${cfg.package}/bin/traefik --configfile=${finalStaticConfigFile}";
Type = "simple";
User = "traefik";