summary refs log blame commit diff
path: root/nixos/modules/services/web-servers/hitch/default.nix
blob: 1812f225b74d7b6e95d33f2a168d07d519fde673 (plain) (tree) 
519b64592d5 ^








































































































d6c08776ba6 ^




fff5923686c ^

519b64592d5 ^


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104

105
106
107
108

109

110
111








































































































                                                                                 



                          
                            

    
{ config, lib, pkgs, ...}:
let
  cfg = config.services.hitch;
  ocspDir = lib.optionalString cfg.ocsp-stapling.enabled "/var/cache/hitch/ocsp";
  hitchConfig = with lib; pkgs.writeText "hitch.conf" (concatStringsSep "\n" [
    ("backend = \"${cfg.backend}\"")
    (concatMapStrings (s: "frontend = \"${s}\"\n") cfg.frontend)
    (concatMapStrings (s: "pem-file = \"${s}\"\n") cfg.pem-files)
    ("ciphers = \"${cfg.ciphers}\"")
    ("ocsp-dir = \"${ocspDir}\"")
    "user = \"${cfg.user}\""
    "group = \"${cfg.group}\""
    cfg.extraConfig
  ]);
in
with lib;
{
  options = {
    services.hitch = {
      enable = mkEnableOption "Hitch Server";

      backend = mkOption {
        type = types.str;
        description = ''
          The host and port Hitch connects to when receiving
          a connection in the form [HOST]:PORT
        '';
      };

      ciphers = mkOption {
        type = types.str;
        default = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
        description = "The list of ciphers to use";
      };

      frontend = mkOption {
        type = types.either types.str (types.listOf types.str);
        default = "[127.0.0.1]:443";
        description = ''
          The port and interface of the listen endpoint in the
+         form [HOST]:PORT[+CERT].
        '';
        apply = toList;
      };

      pem-files = mkOption {
        type = types.listOf types.path;
        default = [];
        description = "PEM files to use";
      };

      ocsp-stapling = {
        enabled = mkOption {
          type = types.bool;
          default = true;
          description = "Whether to enable OCSP Stapling";
        };
      };

      user = mkOption {
        type = types.str;
        default = "hitch";
        description = "The user to run as";
      };

      group = mkOption {
        type = types.str;
        default = "hitch";
        description = "The group to run as";
      };

      extraConfig = mkOption {
        type = types.lines;
        default = "";
        description = "Additional configuration lines";
      };
    };

  };

  config = mkIf cfg.enable {

    systemd.services.hitch = {
      description = "Hitch";
      wantedBy = [ "multi-user.target" ];
      after = [ "network.target" ];
      preStart = ''
        ${pkgs.hitch}/sbin/hitch -t --config ${hitchConfig}
      '' + (optionalString cfg.ocsp-stapling.enabled ''
        mkdir -p ${ocspDir}
        chown -R hitch:hitch ${ocspDir}
      '');
      serviceConfig = {
        Type = "forking";
        ExecStart = "${pkgs.hitch}/sbin/hitch --daemon --config ${hitchConfig}";
        ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
        Restart = "always";
        RestartSec = "5s";
        LimitNOFILE = 131072;
      };
    };

    environment.systemPackages = [ pkgs.hitch ];

    users.users.hitch = {
      group = "hitch";
      isSystemUser = true;
    };
    users.groups.hitch = {};
  };
}
generated by cgit-pink 1.4.1 (git 2.36.1) at 2024-05-19 19:08:32 +0000