hitch: init at 1.4.8 + service + test (#39358)
Add the Hitch TLS reverse proxy as an option for TLS termination.
parent
164b580b36
commit
519b64592d
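--- a/nixos/modules/services/web-servers/hitch/default.nix
+++ b/nixos/modules/services/web-servers/hitch/default.nix
@@ -0,0 +1,108 @@
+{ config, lib, pkgs, ...}:
+let
+cfg = config.services.hitch;
+ocspDir = lib.optionalString cfg.ocsp-stapling.enabled "/var/cache/hitch/ocsp";
+hitchConfig = with lib; pkgs.writeText "hitch.conf" (concatStringsSep "\n" [
+("backend = \"${cfg.backend}\"")
+(concatMapStrings (s: "frontend = \"${s}\"\n") cfg.frontend)
+(concatMapStrings (s: "pem-file = \"${s}\"\n") cfg.pem-files)
+("ciphers = \"${cfg.ciphers}\"")
+("ocsp-dir = \"${ocspDir}\"")
+"user = \"${cfg.user}\""
+"group = \"${cfg.group}\""
+cfg.extraConfig
+]);
+in
+with lib;
+{
+options = {
+services.hitch = {
+enable = mkEnableOption "Hitch Server";
+
+backend = mkOption {
+type = types.str;
+description = ''
+The host and port Hitch connects to when receiving
+a connection in the form [HOST]:PORT
+'';
+};
+
+ciphers = mkOption {
+type = types.str;
+default = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
+description = "The list of ciphers to use";
+};
+
+frontend = mkOption {
+type = types.either types.str (types.listOf types.str);
+default = "[127.0.0.1]:443";
+description = ''
+The port and interface of the listen endpoint in the
+form [HOST]:PORT[+CERT].
+'';
+apply = toList;
+};
+
+pem-files = mkOption {
+type = types.listOf types.path;
+default = [];
+description = "PEM files to use";
+};
+
+ocsp-stapling = {
+enabled = mkOption {
+type = types.bool;
+default = true;
+description = "Whether to enable OCSP Stapling";
+};
+};
+
+user = mkOption {
+type = types.str;
+default = "hitch";
+description = "The user to run as";
+};
+
+group = mkOption {
+type = types.str;
+default = "hitch";
+description = "The group to run as";
+};
+
+extraConfig = mkOption {
+type = types.lines;
+default = "";
+description = "Additional configuration lines";
+};
+};
+
+};
+
+config = mkIf cfg.enable {
+
+systemd.services.hitch = {
+description = "Hitch";
+wantedBy = [ "multi-user.target" ];
+after = [ "network.target" ];
+preStart = ''
+${pkgs.hitch}/sbin/hitch -t --config ${hitchConfig}
+'' + (optionalString cfg.ocsp-stapling.enabled ''
+mkdir -p ${ocspDir}
+chown -R hitch:hitch ${ocspDir}
+'');
+serviceConfig = {
+Type = "forking";
+ExecStart = "${pkgs.hitch}/sbin/hitch --daemon --config ${hitchConfig}";
+ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
+Restart = "always";
+RestartSec = "5s";
+LimitNOFILE = 131072;
+};
+};
+
+environment.systemPackages = [ pkgs.hitch ];
+
+users.extraUsers.hitch.group = "hitch";
+users.extraGroups.hitch = {};
+};
+}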
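Review bot: `pem-files` is declared as `type = types.listOf types.path;`, so a caller who passes a path literal such as `./example.pem` (exactly what the accompanying test does) has Nix copy the certificate together with its private key into the world-readable Nix store, and the generated hitch.conf then points at that store path. For an option that carries key material this should be `type = types.listOf types.str;` with a description stating that the files must live outside the store and be readable by the configured user, so that a store copy can never be created by accident; the same caveat applies to `extraConfig`, since it is concatenated into a store-resident file. Separately, the preStart `chown -R hitch:hitch ${ocspDir}` hard-codes the account rather than using `chown -R ${cfg.user}:${cfg.group} ${ocspDir}`, so overriding `services.hitch.user` leaves the OCSP cache owned by a different user than the one Hitch drops to, and stapling refreshes would presumably fail to write there.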
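--- a/nixos/tests/hitch/default.nix
+++ b/nixos/tests/hitch/default.nix
@@ -0,0 +1,33 @@
+import ../make-test.nix ({ pkgs, ... }:
+{
+name = "hitch";
+meta = with pkgs.stdenv.lib.maintainers; {
+maintainers = [ jflanglois ];
+};
+machine = { config, pkgs, ... }: {
+environment.systemPackages = [ pkgs.curl ];
+services.hitch = {
+enable = true;
+backend = "[127.0.0.1]:80";
+pem-files = [
+./example.pem
+];
+};
+
+services.httpd = {
+enable = true;
+documentRoot = ./example;
+adminAddr = "noone@testing.nowhere";
+};
+};
+
+testScript =
+''
+startAll;
+
+$machine->waitForUnit('multi-user.target');
+$machine->waitForUnit('hitch.service');
+$machine->waitForOpenPort(443);
+$machine->succeed('curl -k https://localhost:443/index.txt | grep "We are all good!"');
+'';
+})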
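Review bot: The assertion `curl -k https://localhost:443/index.txt` disables certificate verification, so the test only shows that some TLS handshake completes and the backend answers; it would pass unchanged if Hitch served a key other than the one given in `pem-files`. The fixture appears to be a self-signed certificate with the CA flag set and a subject of testing.nowhere, so the test could pin it with `curl --cacert ${./example.pem} --resolve testing.nowhere:443:127.0.0.1 https://testing.nowhere/index.txt | grep "We are all good!"`. That only works while the fixture is within its validity period, which from the encoded dates looks like it ends in April 2019 and is presumably why `-k` was chosen; a longer-lived or test-time-generated certificate would be needed first, and until then a one-line comment saying that `-k` is deliberate would stop the next reader from treating it as an oversight.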
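--- a/nixos/tests/hitch/example.pem
+++ b/nixos/tests/hitch/example.pem
@@ -0,0 +1,53 @@
+-----BEGIN CERTIFICATE-----
+MIIEKTCCAxGgAwIBAgIJAIFAWQXSZ7lIMA0GCSqGSIb3DQEBCwUAMIGqMQswCQYD
+VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEVMBMGA1UEBwwMUmVkd29vZCBD
+aXR5MRkwFwYDVQQKDBBUZXN0aW5nIDEyMyBJbmMuMRQwEgYDVQQLDAtJVCBTZXJ2
+aWNlczEYMBYGA1UEAwwPdGVzdGluZy5ub3doZXJlMSQwIgYJKoZIhvcNAQkBFhVu
+b29uZUB0ZXN0aW5nLm5vd2hlcmUwHhcNMTgwNDIzMDcxMTI5WhcNMTkwNDIzMDcx
+MTI5WjCBqjELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFTATBgNV
+BAcMDFJlZHdvb2QgQ2l0eTEZMBcGA1UECgwQVGVzdGluZyAxMjMgSW5jLjEUMBIG
+A1UECwwLSVQgU2VydmljZXMxGDAWBgNVBAMMD3Rlc3Rpbmcubm93aGVyZTEkMCIG
+CSqGSIb3DQEJARYVbm9vbmVAdGVzdGluZy5ub3doZXJlMIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEAxQq6AA9o/QErMbQwfgDF4mqXcvglRTwPr2zPE6Rv
+1g0ncRBSMM8iKbPapHM6qHNfg2e1fU2SFqzD6HkyZqHHLCgLzkdzswEcEjsMqiUP
+OR++5g4CWoQrdTi31itzYzCjnQ45BrAMrLEhBQgDTNwrEE+Tit0gpOGggtj/ktLk
+OD8BKa640lkmWEUGF18fd3rYTUC4hwM5qhAVXTe21vj9ZWsgprpQKdN61v0dCUap
+C5eAgvZ8Re+Cd0Id674hK4cJ4SekqfHKv/jLyIg3Vsdc9nkhmiC4O6KH5f1Zzq2i
+E4Kd5mnJDFxfSzIErKWmbhriLWsj3KEJ983AGLJ9hxQTAwIDAQABo1AwTjAdBgNV
+HQ4EFgQU76Mm6DP/BePJRQUNrJ9z038zjocwHwYDVR0jBBgwFoAU76Mm6DP/BePJ
+RQUNrJ9z038zjocwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAAZzt
+VdPaUqrvDAh5rMYqzYMJ3tj6daNYoX6CbTFoevK5J5D4FESM0D/FMKgpNiVz39kB
+8Cjaw5rPHMHY61rHz7JRDK1sWXsonwzCF21BK7Tx0G1CIfLpYHWYb/FfdWGROx+O
+hPgKuoMRWQB+txozkZp5BqWJmk5MOyFCDEXhMOmrfsJq0IYU6QaH3Lsf1oJRy4yU
+afFrT9o3DLOyYLG/j/HXijCu8DVjZVa4aboum79ecYzPjjGF1posrFUnvQiuAeYy
+t7cuHNUB8gW9lWR5J7tP8fzFWtIcyT2oRL8u3H+fXf0i4bW73wtOBOoeULBzBNE7
+6rphcSrQunSZQIc+hg==
+-----END CERTIFICATE-----
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDFCroAD2j9ASsx
+tDB+AMXiapdy+CVFPA+vbM8TpG/WDSdxEFIwzyIps9qkczqoc1+DZ7V9TZIWrMPo
+eTJmoccsKAvOR3OzARwSOwyqJQ85H77mDgJahCt1OLfWK3NjMKOdDjkGsAyssSEF
+CANM3CsQT5OK3SCk4aCC2P+S0uQ4PwEprrjSWSZYRQYXXx93ethNQLiHAzmqEBVd
+N7bW+P1layCmulAp03rW/R0JRqkLl4CC9nxF74J3Qh3rviErhwnhJ6Sp8cq/+MvI
+iDdWx1z2eSGaILg7oofl/VnOraITgp3mackMXF9LMgSspaZuGuItayPcoQn3zcAY
+sn2HFBMDAgMBAAECggEAcaR8HijFHpab+PC5vxJnDuz3KEHiDQpU6ZJR5DxEnCm+
+A8GsBaaRR4gJpCspO5o/DiS0Ue55QUanPt8XqIXJv7fhBznCiw0qyYDxDviMzR94
+FGskBFySS+tIa+dnh1+4HY7kaO0Egl0udB5o+N1KoP+kUsSyXSYcUxsgW+fx5FW9
+22Ya3HNWnWxMCSfSGGlTFXGj2whf25SkL25dM9iblO4ZOx4MX8kaXij7TaYy8hMM
+Vf6/OMnXqtPKho+ctZZVKZkE9PxdS4f/pnp5EsdoOZwNBtfQ1WqVLWd3DlGWhnsH
+7L8ZSP2HkoI4Pd1wtkpOKZc+yM2bFXWa8WY4TcmpUQKBgQD33HxGdtmtZehrexSA
+/ZwWJlMslUsNz4Ivv6s7J4WCRhdh94+r9TWQP/yHdT9Ry5bvn84I5ZLUdp+aA962
+mvjz+GIglkCGpA7HU/hqurB1O63pj2cIDB8qhV21zjVIoqXcQ7IBJ+tqD79nF8vm
+h3KfuHUhuu1rayGepbtIyNhLdwKBgQDLgw4TJBg/QB8RzYECk78QnfZpCExsQA/z
+YJpc+dF2/nsid5R2u9jWzfmgHM2Jjo2/+ofRUaTqcFYU0K57CqmQkOLIzsbNQoYt
+e2NOANNVHiZLuzTZC2r3BrrkNbo3YvQzhAesUA5lS6LfrxBLUKiwo2LU9NlmJs3b
+UPVFYI0/1QKBgCswxIcS1sOcam+wNtZzWuuRKhUuvrFdY3YmlBPuwxj8Vb7AgMya
+IgdM3xhLmgkKzPZchm6OcpOLSCxyWDDBuHfq5E6BYCUWGW0qeLNAbNdA2wFD99Qz
+KIskSjwP/sD1dql3MmF5L1CABf5U6zb0i0jBv8ds50o8lNMsVgJM3UPpAoGBAL1+
+nzllb4pdi1CJWKnspoizfQCZsIdPM0r71V/jYY36MO+MBtpz2NlSWzAiAaQm74gl
+oBdgfT2qMg0Zro11BSRONEykdOolGkj5TiMQk7b65s+3VeMPRZ8UTis2d9kgs5/Q
+PVDODkl1nwfGu1ZVmW04BUujXVZHpYCkJm1eFMetAoGAImE7gWj+qRMhpbtCCGCg
+z06gDKvMrF6S+GJsvUoSyM8oUtfdPodI6gWAC65NfYkIiqbpCaEVNzfui73f5Lnz
+p5X1IbzhuH5UZs/k5A3OR2PPDbPs3lqEw7YJdBdLVRmO1o824uaXaJJwkL/1C+lq
+8dh1wV3CnynNmZApkz4vpzQ=
+-----END PRIVATE KEY-----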
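--- a/nixos/tests/hitch/example/index.txt
+++ b/nixos/tests/hitch/example/index.txt
@@ -0,0 +1 @@
+We are all good!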
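--- a/pkgs/servers/hitch/default.nix
+++ b/pkgs/servers/hitch/default.nix
@@ -0,0 +1,23 @@
+{ stdenv, fetchurl, docutils, libev, openssl, pkgconfig }:
+stdenv.mkDerivation rec {
+version = "1.4.8";
+name = "hitch-${version}";
+
+src = fetchurl {
+url = "https://hitch-tls.org/source/${name}.tar.gz";
+sha256 = "1hqs5p69gr1lb3xldbrgq7d6d0vk4za0wpizlzybn98cv68acaym";
+};
+
+nativeBuildInputs = [ pkgconfig ];
+buildInputs = [ docutils libev openssl ];
+
+outputs = [ "out" "doc" "man" ];
+
+meta = with stdenv.lib; {
+description = "Hitch is a libev-based high performance SSL/TLS proxy by Varnish Software";
+homepage = https://hitch-tls.org/;
+license = licenses.bsd2;
+maintainers = [ maintainers.jflanglois ];
+platforms = platforms.linux;
+};
+}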
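Review bot: `docutils` sits in `buildInputs = [ docutils libev openssl ];` next to the two libraries Hitch links against, but it is a build-time tool (presumably supplying the converter that renders the manual pages that go into the separate `man` output), not something the resulting binary depends on. It belongs beside pkgconfig, i.e. `nativeBuildInputs = [ pkgconfig docutils ];` and `buildInputs = [ libev openssl ];`, otherwise a cross build would look for a target-platform docutils and the closure would carry a spurious reference. Whether the upstream build actually invokes a docutils tool is not visible here, so confirm against the tarball's configure script before moving it.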