diff --git a/system/options.nix b/system/options.nix
index 974034648f9..30475fd6bcb 100644
--- a/system/options.nix
+++ b/system/options.nix
@@ -899,6 +899,13 @@
";
};
+ enableSSL = mkOption {
+ default = false;
+ description = "
+ Whether to enable SSL (https) support.
+ ";
+ };
+
adminAddr = mkOption {
example = "admin@example.org";
description = "
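Review bot: The `enableSSL` description does not tell an administrator what else has to be in place before the flag can be switched on. The httpd job added in this commit reads `cfg.httpsPort` and expects a server certificate and private key once the option is true, and none of those are declared within this hunk (they may exist elsewhere in options.nix, since the enclosing `httpd` attribute set starts and ends outside the hunk). I would extend the text to something like `Whether to enable SSL (https) support. Requires a server certificate and private key; the server then also listens on httpsPort.` so that enabling it without key material is not a surprise at start-up.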
diff --git a/upstart-jobs/apache-httpd/default.nix b/upstart-jobs/apache-httpd/default.nix
new file mode 100644
index 00000000000..feec4f7f000
--- /dev/null
+++ b/upstart-jobs/apache-httpd/default.nix
@@ -0,0 +1,200 @@
+{config, pkgs}:
+
+let
+
+ cfg = config.services.httpd;
+
+ startingDependency = if config.services.gw6c.enable then "gw6c" else "network-interfaces";
+
+ httpd = pkgs.apacheHttpd;
+
+
+ documentRoot = "/etc";
+
+
+ # Names of modules from ${httpd}/modules that we want to load.
+ apacheModules =
+ [ # HTTP authentication mechanisms: basic and digest.
+ "auth_basic" "auth_digest"
+
+ # Authentication: is the user who he claims to be?
+ "authn_file" "authn_dbm" "authn_anon" "authn_alias"
+
+ # Authorization: is the user allowed access?
+ "authz_user" "authz_groupfile" "authz_host"
+
+ # Other modules.
+ "ext_filter" "include" "log_config" "env" "mime_magic"
+ "cern_meta" "expires" "headers" "usertrack" "unique_id" "setenvif"
+ "mime" "dav" "status" "autoindex" "asis" "info" "cgi" "dav_fs"
+ "vhost_alias" "negotiation" "dir" "imagemap" "actions" "speling"
+ "userdir" "alias" "rewrite"
+ ] ++ pkgs.lib.optional cfg.enableSSL "ssl_module";
+
+
+ loggingConf = ''
+ ErrorLog ${cfg.logDir}/error_log
+
+ LogLevel notice
+
+ LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
+ LogFormat "%h %l %u %t \"%r\" %>s %b" common
+ LogFormat "%{Referer}i -> %U" referer
+ LogFormat "%{User-agent}i" agent
+
+ CustomLog ${cfg.logDir}/access_log common
+ '';
+
+
+ browserHacks = ''
+ BrowserMatch "Mozilla/2" nokeepalive
+ BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0
+ BrowserMatch "RealPlayer 4\.0" force-response-1.0
+ BrowserMatch "Java/1\.0" force-response-1.0
+ BrowserMatch "JDK/1\.0" force-response-1.0
+ BrowserMatch "Microsoft Data Access Internet Publishing Provider" redirect-carefully
+ BrowserMatch "^WebDrive" redirect-carefully
+ BrowserMatch "^WebDAVFS/1.[012]" redirect-carefully
+ BrowserMatch "^gnome-vfs" redirect-carefully
+ '';
+
+
+ sslConf = ''
+ Listen ${toString cfg.httpsPort}
+
+ SSLSessionCache dbm:${cfg.stateDir}/ssl_scache
+
+ SSLMutex file:${cfg.stateDir}/ssl_mutex
+
+ SSLRandomSeed startup builtin
+ SSLRandomSeed connect builtin
+
+
+
+ SSLEngine on
+
+ SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
+
+ SSLCertificateFile @sslServerCert@
+ SSLCertificateKeyFile @sslServerKey@
+
+ # MSIE compatability.
+ SetEnvIf User-Agent ".*MSIE.*" \
+ nokeepalive ssl-unclean-shutdown \
+ downgrade-1.0 force-response-1.0
+
+
+ '';
+
+
+ mimeConf = ''
+ TypesConfig ${httpd}/conf/mime.types
+
+ AddType application/x-x509-ca-cert .crt
+ AddType application/x-pkcs7-crl .crl
+
+
+ MIMEMagicFile ${httpd}/conf/magic
+
+
+ AddEncoding x-compress Z
+ AddEncoding x-gzip gz tgz
+ '';
+
+
+ documentRootConf = ''
+ DocumentRoot "${documentRoot}"
+
+
+ Options Indexes FollowSymLinks
+ AllowOverride None
+ Order allow,deny
+ Allow from all
+
+ '';
+
+
+ httpdConf = pkgs.writeText "httpd.conf" ''
+
+ ServerRoot ${httpd}
+
+ ServerAdmin ${cfg.adminAddr}
+
+ ServerName ${cfg.hostName}:${toString cfg.httpPort}
+
+ PidFile ${cfg.stateDir}/httpd.pid
+
+
+ MaxClients 150
+ MaxRequestsPerChild 0
+
+
+ Listen ${toString cfg.httpPort}
+
+ User ${cfg.user}
+ Group ${cfg.group}
+
+ ${let f = name: "LoadModule ${name}_module ${httpd}/modules/mod_${name}.so\n";
+ in pkgs.lib.concatStrings (map f apacheModules)
+ }
+
+ # !!! is this a good idea?
+ UseCanonicalName Off
+
+ ServerSignature On
+
+ ${if cfg.noUserDir then "" else "UserDir public_html"}
+
+ AddHandler type-map var
+
+
+ Order allow,deny
+ Deny from all
+
+
+ ${mimeConf}
+ ${loggingConf}
+ ${browserHacks}
+
+ Include ${httpd}/conf/extra/httpd-autoindex.conf
+ Include ${httpd}/conf/extra/httpd-multilang-errordoc.conf
+ Include ${httpd}/conf/extra/httpd-languages.conf
+
+ ${if cfg.enableSSL then sslConf else ""}
+
+
+ Options FollowSymLinks
+ AllowOverride None
+
+
+ ${documentRootConf}
+ '';
+
+
+in
+
+{
+
+ name = "httpd";
+
+ users = [
+ { name = cfg.user;
+ description = "Apache httpd user";
+ }
+ ];
+
+ groups = [
+ { name = cfg.group;
+ }
+ ];
+
+ job = ''
+ description "Apache HTTPD"
+
+ start on ${startingDependency}/started
+ stop on ${startingDependency}/stop
+
+ respawn ${httpd}/bin/httpd -f ${httpdConf} -DNO_DETACH
+ '';
+
+}
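Review bot: The `SSLCipherSuite` line in `sslConf` explicitly re-adds `+LOW`, `+SSLv2`, `+EXP` and `+eNULL`, so the https listener will accept export-grade and unencrypted suites; `SSLCipherSuite HIGH:!aNULL:!eNULL` together with `SSLProtocol all -SSLv2` would restrict it to authenticated, encrypted suites. SSL probably cannot load as written, because `pkgs.lib.optional cfg.enableSSL "ssl_module"` is fed through the `LoadModule ${name}_module ... mod_${name}.so` template and yields `ssl_module_module` and `mod_ssl_module.so`; the list entry should be `"ssl"`. `@sslServerCert@` and `@sslServerKey@` are emitted verbatim by `pkgs.writeText`, since nothing visible in this file substitutes them, so they need to be interpolated from options holding the certificate and key paths. Separately, `documentRoot = "/etc"` combined with `Options Indexes FollowSymLinks` and `Allow from all` publishes the system configuration directory, with listings, to every client. That looks like a test placeholder and should become a dedicated, configurable directory before the job is enabled on a reachable host.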