blob: 1812f225b74d7b6e95d33f2a168d07d519fde673 (
plain) (
blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
|
{ config, lib, pkgs, ...}:
let
cfg = config.services.hitch;
ocspDir = lib.optionalString cfg.ocsp-stapling.enabled "/var/cache/hitch/ocsp";
hitchConfig = with lib; pkgs.writeText "hitch.conf" (concatStringsSep "\n" [
("backend = \"${cfg.backend}\"")
(concatMapStrings (s: "frontend = \"${s}\"\n") cfg.frontend)
(concatMapStrings (s: "pem-file = \"${s}\"\n") cfg.pem-files)
("ciphers = \"${cfg.ciphers}\"")
("ocsp-dir = \"${ocspDir}\"")
"user = \"${cfg.user}\""
"group = \"${cfg.group}\""
cfg.extraConfig
]);
in
with lib;
{
options = {
services.hitch = {
enable = mkEnableOption "Hitch Server";
backend = mkOption {
type = types.str;
description = ''
The host and port Hitch connects to when receiving
a connection in the form [HOST]:PORT
'';
};
ciphers = mkOption {
type = types.str;
default = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
description = "The list of ciphers to use";
};
frontend = mkOption {
type = types.either types.str (types.listOf types.str);
default = "[127.0.0.1]:443";
description = ''
The port and interface of the listen endpoint in the
+ form [HOST]:PORT[+CERT].
'';
apply = toList;
};
pem-files = mkOption {
type = types.listOf types.path;
default = [];
description = "PEM files to use";
};
ocsp-stapling = {
enabled = mkOption {
type = types.bool;
default = true;
description = "Whether to enable OCSP Stapling";
};
};
user = mkOption {
type = types.str;
default = "hitch";
description = "The user to run as";
};
group = mkOption {
type = types.str;
default = "hitch";
description = "The group to run as";
};
extraConfig = mkOption {
type = types.lines;
default = "";
description = "Additional configuration lines";
};
};
};
config = mkIf cfg.enable {
systemd.services.hitch = {
description = "Hitch";
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
preStart = ''
${pkgs.hitch}/sbin/hitch -t --config ${hitchConfig}
'' + (optionalString cfg.ocsp-stapling.enabled ''
mkdir -p ${ocspDir}
chown -R hitch:hitch ${ocspDir}
'');
serviceConfig = {
Type = "forking";
ExecStart = "${pkgs.hitch}/sbin/hitch --daemon --config ${hitchConfig}";
ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
Restart = "always";
RestartSec = "5s";
LimitNOFILE = 131072;
};
};
environment.systemPackages = [ pkgs.hitch ];
users.users.hitch = {
group = "hitch";
isSystemUser = true;
};
users.groups.hitch = {};
};
}
|