Diffstat (limited to 'nixos/modules/services/web-servers')
4 files changed, 32 insertions, 23 deletions
diff --git a/nixos/modules/services/web-servers/lighttpd/cgit.nix b/nixos/modules/services/web-servers/lighttpd/cgit.nix
index 5042fbf1f8f..e9f42c41183 100644
--- a/nixos/modules/services/web-servers/lighttpd/cgit.nix
+++ b/nixos/modules/services/web-servers/lighttpd/cgit.nix
@@ -4,7 +4,7 @@ with lib;
 let
 cfg = config.services.lighttpd.cgit;
- pathPrefix = if stringLength cfg.subdir == 0 then "" else "/" + cfg.subdir;
+ pathPrefix = optionalString (stringLength cfg.subdir != 0) ("/" + cfg.subdir);
 configFile = pkgs.writeText "cgitrc" ''
 # default paths to static assets
diff --git a/nixos/modules/services/web-servers/minio.nix b/nixos/modules/services/web-servers/minio.nix
index 21bec4f63a8..0bc7421a0e3 100644
--- a/nixos/modules/services/web-servers/minio.nix
+++ b/nixos/modules/services/web-servers/minio.nix
@@ -30,8 +30,8 @@ in
 dataDir = mkOption {
 default = [ "/var/lib/minio/data" ];
- type = types.listOf types.path;
- description = lib.mdDoc "The list of data directories for storing the objects. Use one path for regular operation and the minimum of 4 endpoints for Erasure Code mode.";
+ type = types.listOf (types.either types.path types.str);
+ description = lib.mdDoc "The list of data directories or nodes for storing the objects. Use one path for regular operation and the minimum of 4 endpoints for Erasure Code mode.";
 };
 configDir = mkOption {
@@ -99,7 +99,7 @@ in
 systemd = lib.mkMerge [{
 tmpfiles.rules = [
 "d '${cfg.configDir}' - minio minio - -"
- ] ++ (map (x: "d '" + x + "' - minio minio - - ") cfg.dataDir);
+ ] ++ (map (x: "d '" + x + "' - minio minio - - ") (builtins.filter lib.types.path.check cfg.dataDir));
 services.minio = {
 description = "Minio Object Storage";
diff --git a/nixos/modules/services/web-servers/nginx/default.nix b/nixos/modules/services/web-servers/nginx/default.nix
index e87159ba99c..fccc31b5116 100644
--- a/nixos/modules/services/web-servers/nginx/default.nix
+++ b/nixos/modules/services/web-servers/nginx/default.nix
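Review bot: The `types.str` arm of the new `dataDir` type accepts any string, so in the first minio hunk a mistyped or relative entry (e.g. `data` instead of `/var/lib/minio/data`) passes the option check, is silently dropped from the tmpfiles rules by the `lib.types.path.check` filter in the second minio hunk, and only surfaces when minio fails at runtime. Constraining the string arm to what the description calls nodes, e.g. `type = types.listOf (types.either types.path (types.strMatching "^https?://.*"));`, keeps the option's contract and the tmpfiles filter aligned; the exact pattern depends on which node spellings minio is meant to accept. Note also that a local brace-expansion entry such as `/mnt/disk{1...4}` still satisfies `path.check` and yields one literal tmpfiles line, which was already the case before this change.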
@@ -261,23 +261,6 @@ let
 ${proxyCachePathConfig}
- ${optionalString cfg.statusPage ''
- server {
- listen ${toString cfg.defaultHTTPListenPort};
- ${optionalString enableIPv6 "listen [::]:${toString cfg.defaultHTTPListenPort};" }
-
- server_name localhost;
-
- location /nginx_status {
- stub_status on;
- access_log off;
- allow 127.0.0.1;
- ${optionalString enableIPv6 "allow ::1;"}
- deny all;
- }
- }
- ''}
-
 ${vhosts}
 ${cfg.appendHttpConfig}
@@ -352,7 +335,7 @@ let
 + ";"))
 + " listen ${addr}:${toString port} "
- + optionalString (ssl && vhost.http2) "http2 "
+ + optionalString (ssl && vhost.http2 && oldHTTP2) "http2 "
 + optionalString ssl "ssl "
 + optionalString vhost.default "default_server "
 + optionalString vhost.reuseport "reuseport "
@@ -362,7 +345,9 @@ let
 redirectListen = filter (x: !x.ssl) defaultListen;
- acmeLocation = optionalString (vhost.enableACME || vhost.useACMEHost != null) ''
+ # The acme-challenge location doesn't need to be added if we are not using any automated
+ # certificate provisioning and can also be omitted when we use a certificate obtained via a DNS-01 challenge
+ acmeLocation = optionalString (vhost.enableACME || (vhost.useACMEHost != null && config.security.acme.certs.${vhost.useACMEHost}.dnsProvider == null)) ''
 # Rule for legitimate ACME Challenge requests (like /.well-known/acme-challenge/xxxxxxxxx)
 # We use ^~ here, so that we don't check any regexes (which could
 # otherwise easily override this intended match accidentally).
@@ -395,6 +380,9 @@ let
 server {
 ${concatMapStringsSep "\n" listenString hostListen}
 server_name ${vhost.serverName} ${concatStringsSep " " vhost.serverAliases};
+ ${optionalString (hasSSL && vhost.http2 && !oldHTTP2) ''
+ http2 on;
+ ''}
 ${optionalString (hasSSL && vhost.quic) ''
 http3 ${if vhost.http3 then "on" else "off"};
 http3_hq ${if vhost.http3_hq then "on" else "off"};
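Review bot: In the `acmeLocation` hunk, `config.security.acme.certs.${vhost.useACMEHost}.dnsProvider` is now evaluated for every non-null `useACMEHost`, so a vhost naming a cert that is not defined under `security.acme.certs` fails at this line with a bare attribute-missing evaluation error instead of a readable message — unless an assertion elsewhere in the module already guarantees the cert exists (the enclosing `let` block starts and ends outside the hunk, so I cannot tell from here). Writing the lookup as `(config.security.acme.certs.${vhost.useACMEHost}.dnsProvider or null) == null` keeps the previous behaviour for an unknown name and lets any existing assertion report it. The new comment lines could also state the observable effect of omitting the block: with a DNS-01 cert the `/.well-known/acme-challenge/` prefix is served by the vhost's ordinary location rules.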
@@ -478,6 +466,8 @@ let
 );
 mkCertOwnershipAssertion = import ../../../security/acme/mk-cert-ownership-assertion.nix;
+
+ oldHTTP2 = versionOlder cfg.package.version "1.25.1";
 in
 {
@@ -1175,6 +1165,21 @@ in
 services.nginx.additionalModules = optional cfg.recommendedBrotliSettings pkgs.nginxModules.brotli ++ lib.optional cfg.recommendedZstdSettings pkgs.nginxModules.zstd;
+ services.nginx.virtualHosts.localhost = mkIf cfg.statusPage {
+ listenAddresses = lib.mkDefault ([
+ "0.0.0.0"
+ ] ++ lib.optional enableIPv6 "[::]");
+ locations."/nginx_status" = {
+ extraConfig = ''
+ stub_status on;
+ access_log off;
+ allow 127.0.0.1;
+ ${optionalString enableIPv6 "allow ::1;"}
+ deny all;
+ '';
+ };
+ };
+
 systemd.services.nginx = {
 description = "Nginx Web Server";
 wantedBy = [ "multi-user.target" ];
diff --git a/nixos/modules/services/web-servers/rustus.nix b/nixos/modules/services/web-servers/rustus.nix
index 95c9a645557..878d790e366 100644
--- a/nixos/modules/services/web-servers/rustus.nix
+++ b/nixos/modules/services/web-servers/rustus.nix
@@ -226,6 +226,10 @@ in
 serviceConfig = {
 ExecStart = "${pkgs.rustus}/bin/rustus";
 StateDirectory = "rustus";
+ # User name is defined here to enable restoring a backup for example
+ # You will run the backup restore command as sudo -u rustus in order
+ # to have write permissions to /var/lib
+ User = "rustus";
 DynamicUser = true;
 LoadCredential = lib.optionals isHybridS3 [
 "S3_ACCESS_KEY_PATH:${cfg.storage.s3_access_key_file}" |
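Review bot: The new `virtualHosts.localhost` block pins `listenAddresses` to `0.0.0.0` (plus `[::]`) with `lib.mkDefault`, which outranks an option default, so if this revision of the module has a `defaultListenAddresses` option the status vhost ignores it: a deployment that restricts nginx to loopback there still gets a `listen 0.0.0.0:80` socket from the status page, with only the `allow 127.0.0.1`/`deny all` on `/nginx_status` guarding it. This mirrors the removed `listen ${toString cfg.defaultHTTPListenPort};` line, so it is not a regression, but unless the override is deliberate, dropping the `listenAddresses` assignment lets the vhost inherit whatever the other vhosts use. A short comment on the block would also help, since the `localhost` name now merges with any user-defined `virtualHosts.localhost`, e.g. `# statusPage is an ordinary vhost named "localhost"; a user-defined virtualHosts.localhost is merged with it`.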
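Review bot: `User = "rustus"` combined with `DynamicUser = true` does not create a persistent account — as I read DynamicUser=, a transient user of that name exists only while the unit runs — so the `sudo -u rustus` recipe in the new comment only resolves while the service is up, and restoring into the state directory while it runs races with the service. Either the comment should state that constraint, e.g. `# With DynamicUser=true the "rustus" user is transient and resolvable only while the unit is running.`, or the module should declare a static `users.users.rustus` (and drop `DynamicUser`) if offline restores are the goal. The enclosing `serviceConfig` set closes outside the hunk.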