Diffstat (limited to 'nixos/modules/services/web-servers/nginx/default.nix')
-rw-r--r-- | nixos/modules/services/web-servers/nginx/default.nix | 29 |
1 files changed, 21 insertions, 8 deletions
diff --git a/nixos/modules/services/web-servers/nginx/default.nix b/nixos/modules/services/web-servers/nginx/default.nix
index dc174c8b41d06..6876dbf39d84b 100644
--- a/nixos/modules/services/web-servers/nginx/default.nix
+++ b/nixos/modules/services/web-servers/nginx/default.nix
@@ -245,12 +245,9 @@ let
 defaultListen =
 if vhost.listen != [] then vhost.listen
 else
- let addrs = if vhost.listenAddresses != [] then vhost.listenAddresses else (
- [ "0.0.0.0" ] ++ optional enableIPv6 "[::0]"
- );
- in
- optionals (hasSSL || vhost.rejectSSL) (map (addr: { inherit addr; port = 443; ssl = true; }) addrs)
- ++ optionals (!onlySSL) (map (addr: { inherit addr; port = 80; ssl = false; }) addrs);
+ let addrs = if vhost.listenAddresses != [] then vhost.listenAddresses else cfg.defaultListenAddresses;
+ in optionals (hasSSL || vhost.rejectSSL) (map (addr: { inherit addr; port = 443; ssl = true; }) addrs)
+ ++ optionals (!onlySSL) (map (addr: { inherit addr; port = 80; ssl = false; }) addrs);
 
 hostListen =
 if vhost.forceSSL
@@ -374,6 +371,8 @@ let
 ${user}:{PLAIN}${password}
 '') authDef)
 );
+
+ mkCertOwnershipAssertion = import ../../../security/acme/mk-cert-ownership-assertion.nix;
 in
 
 {
@@ -430,6 +429,16 @@ in
 ";
 };
 
+ defaultListenAddresses = mkOption {
+ type = types.listOf types.str;
+ default = [ "0.0.0.0" ] ++ optional enableIPv6 "[::0]";
+ defaultText = literalExpression ''[ "0.0.0.0" ] ++ lib.optional config.networking.enableIPv6 "[::0]"'';
+ example = literalExpression ''[ "10.0.0.12" "[2002:a00:1::]" ]'';
+ description = "
+ If vhosts do not specify listenAddresses, use these addresses by default.
+ ";
+ };
+
 package = mkOption {
 default = pkgs.nginxStable;
 defaultText = literalExpression "pkgs.nginxStable";
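Review bot: The new `let addrs = ... else cfg.defaultListenAddresses;` line produces an empty `addrs` list, and therefore no `listen` entries for the vhost at all, when both the vhost's `listenAddresses` and the new `defaultListenAddresses` option are left empty; the old code could never hit that case because its fallback was a literal list. If I read nginx's behaviour correctly, a `server` block without any `listen` directive falls back to nginx's built-in default of listening on every interface, so the misconfiguration would silently widen exposure rather than fail. A module assertion such as `{ assertion = cfg.defaultListenAddresses != []; message = "services.nginx.defaultListenAddresses must not be empty"; }` in the assertions list would catch it at evaluation time. The enclosing `let` of `defaultListen` starts outside the hunk.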
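Review bot: The description of the new `defaultListenAddresses` option does not mention that IPv6 literals must be bracketed, which both the `"[::0]"` default and the `"[2002:a00:1::]"` example rely on, nor that the list feeds both the port-443 and the port-80 `listen` entries of every vhost that sets neither `listen` nor `listenAddresses` (visible in the first hunk). Suggest `If vhosts do not specify listenAddresses, use these addresses by default. IPv6 addresses must be enclosed in brackets.` as the description text. As a matter of style, the description is a `"`-quoted string with embedded newlines while the adjacent `defaultText` and `example` values use `''` strings; an indented `''` string would match them.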
@@ -842,7 +851,11 @@ in
 services.nginx.virtualHosts.<name>.useACMEHost are mutually exclusive.
 '';
 }
- ];
+ ] ++ map (name: mkCertOwnershipAssertion {
+ inherit (cfg) group user;
+ cert = config.security.acme.certs.${name};
+ groups = config.users.groups;
+ }) dependentCertNames;
 
 systemd.services.nginx = {
 description = "Nginx Web Server";
@@ -911,7 +924,7 @@ in
 PrivateMounts = true;
 # System Call Filtering
 SystemCallArchitectures = "native";
- SystemCallFilter = [ "~@cpu-emulation @debug @keyring @mount @obsolete @privileged @setuid @mincore" ] ++ optionals (cfg.package != pkgs.tengine) [ "~@ipc" ];
+ SystemCallFilter = [ "~@cpu-emulation @debug @keyring @mount @obsolete @privileged @setuid" ] ++ optionals (cfg.package != pkgs.tengine) [ "~@ipc" ];
 };
 };
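Review bot: Dropping `@mincore` from the `SystemCallFilter` deny list in the last hunk reads as a relaxation of the nginx service sandbox, yet nothing in the hunk or the commit message shown here explains it. As far as I know systemd does not define a syscall set under that name, in which case the old entry was only ever ignored with a parse warning and the removal changes nothing; if it is a valid set, the filter just became narrower and that deserves a stated reason. A short comment above the line, e.g. `# @mincore is not a systemd syscall set; dropped to silence the parse warning (adjust if the reason differs)`, would keep the next reader from guessing. The `serviceConfig` attribute set containing this line starts outside the hunk.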