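{
  lib,
  options,
  config,
  pkgs,
  ...
}:
# NixOS module: optional TLS termination for the "quark" service via Hitch.
# When enabled, Hitch listens on :443, terminates TLS using the concatenated
# PEM files and forwards plaintext to quark on localhost:80.
{
  options.fs.services.quark.tls = {
    enable = lib.mkOption {
      description = "Whether to enable the Hitch reverse proxy.";
      default = false;
      type = lib.types.bool;
    };
    pemFiles = lib.mkOption {
      description = "The list of PEM files to pass to Hitch.";
      type = lib.types.listOf lib.types.path;
      # Deliberately no default: enabling TLS without a certificate and key
      # is a configuration error and should fail at evaluation time.
      # NOTE(review): these files contain the private key. Pass them as
      # strings ("/var/lib/acme/.../full.pem"), not as Nix path literals
      # (/var/lib/acme/...): a path literal may be copied into the
      # world-readable Nix store when it is coerced to a string.
    };
  };

  config =
    let
      inherit (config.fs.services.quark) tls;
    in
    # Only active when both quark itself and its TLS front-end are enabled.
    lib.mkIf (tls.enable && config.fs.services.quark.enable) {
      users = {
        users = {
          hitch = {
            hashedPassword = "!"; # locked: no password login for the service user
            isSystemUser = true;
            # NOTE(review): primary group is "quark", while hitch is started
            # with --group hitch below and a dedicated "hitch" group is
            # created; confirm which group membership is actually intended.
            group = "quark";
            createHome = true;
            home = "/var/lib/hitch";
          };
        };
        groups = {
          hitch = { };
        };
      };

      systemd.services.hitch = {
        enable = true;
        wantedBy = [ "multi-user.target" ];
        # Ordered after ACME so freshly issued certificates are on disk.
        # The PEM bundle is only rebuilt when this unit starts, so a renewed
        # certificate is not served until hitch is restarted.
        after = [ "acme.service" ];
        serviceConfig =
          let
            # Concatenated cert+key bundle handed to hitch. It lives in the
            # hitch user's home because --ocsp-dir must be writable by hitch.
            pemBundle = "/var/lib/hitch/full.pem";
            script = pkgs.writeShellScriptBin "script" ''
              # Fail the unit instead of starting hitch with a partial or
              # stale bundle when an input PEM is missing or unreadable.
              set -euo pipefail

              # The bundle holds the private key: create it 0600 rather than
              # with the shell's default (typically world-readable) umask.
              # Remove any previous copy first so an existing file's mode is
              # not silently kept when ">" merely truncates it.
              umask 077
              ${pkgs.sbase}/bin/rm -f ${lib.escapeShellArg pemBundle}
              ${pkgs.sbase}/bin/cat \
                ${lib.escapeShellArgs tls.pemFiles} > \
                ${lib.escapeShellArg pemBundle}

              # hitch reads the bundle as root, then drops to hitch:hitch.
              ${pkgs.hitch}/bin/hitch \
                --backend [localhost]:80 \
                --frontend [*]:443 \
                --backend-connect-timeout 30 \
                --ssl-handshake-timeout 30 \
                --ocsp-dir /var/lib/hitch \
                --user hitch \
                --group hitch \
                ${lib.escapeShellArg pemBundle}
            '';
          in
          {
            # Root is needed to read the key material and bind :443; hitch
            # itself drops privileges via --user/--group after startup.
            User = "root";
            Group = "root";
            Type = "simple";
            Restart = "on-failure";
            ExecStart = "${script}/bin/script";
          };
      };

      networking.firewall.allowedTCPPorts = [ 443 ];
    };
}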