default.nix (1864B)
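{
  lib,
  options,
  config,
  pkgs,
  ...
}:
# NixOS module: runs Hitch as a TLS terminator on :443 in front of the HTTP
# backend on localhost:80. Everything under `config` is only applied when both
# this module and modules.quark are enabled (see the mkIf below).
{
  options.modules.quark.tls = {
    enable = lib.mkOption {
      description = "Whether to enable the Hitch reverse proxy.";
      default = false;
      type = lib.types.bool;
    };
    pemFiles = lib.mkOption {
      description = "The list of PEM files to pass to Hitch.";
      type = lib.types.listOf lib.types.path;
    };
  };

  config =
    let
      inherit (config.modules.quark) tls;
    in
    lib.mkIf (tls.enable && config.modules.quark.enable) {
      users = {
        users = {
          hitch = {
            # "!" disables password authentication for the service account.
            hashedPassword = "!";
            isSystemUser = true;
            # Primary group is quark; the proxy itself drops to the dedicated
            # hitch group via --group below.
            group = "quark";
            createHome = true;
            # Also used as --ocsp-dir, so it must be writable by the hitch user.
            home = "/var/lib/hitch";
          };
        };
        groups = {
          hitch = { };
        };
      };

      systemd.services.hitch = {
        enable = true;
        wantedBy = [ "multi-user.target" ];
        # The PEM files are presumably produced by the ACME service; wait for it.
        after = [ "acme.service" ];
        serviceConfig =
          let
            script = pkgs.writeShellScriptBin "script" ''
              # full.pem contains the private key. The default umask would
              # create it 0644 (world-readable); restrict it to the owner and
              # hand it to the hitch user so the proxy can still read it after
              # it has dropped privileges.
              umask 077
              ${pkgs.sbase}/bin/cat \
                ${lib.escapeShellArgs tls.pemFiles} > \
                /var/lib/hitch/full.pem
              ${pkgs.sbase}/bin/chown hitch:hitch /var/lib/hitch/full.pem

              # Bracketed addresses are quoted: unquoted, [*] and [localhost]
              # are shell globs and would be expanded against the working
              # directory before hitch ever sees them.
              ${pkgs.hitch}/bin/hitch \
                --backend "[localhost]:80" \
                --frontend "[*]:443" \
                --backend-connect-timeout 30 \
                --ssl-handshake-timeout 30 \
                --ocsp-dir /var/lib/hitch \
                --user hitch \
                --group hitch \
                /var/lib/hitch/full.pem
            '';
          in
          {
            # Starts as root so it can assemble full.pem and bind :443;
            # hitch drops to hitch:hitch itself (--user/--group above).
            User = "root";
            Group = "root";
            Type = "simple";
            Restart = "on-failure";
            ExecStart = "${script}/bin/script";
          };
      };

      networking.firewall.allowedTCPPorts = [ 443 ];
    };
}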