diff options
author | Benedikt Peetz <benedikt.peetz@b-peetz.de> | 2024-08-02 22:39:02 +0200 |
---|---|---|
committer | Benedikt Peetz <benedikt.peetz@b-peetz.de> | 2024-08-02 23:13:29 +0200 |
commit | 30e649a6d43c4ef2473a1820930cbe7d43e28432 (patch) | |
tree | f34df66d41344a9289628d9c8f9e002614f97c16 /modules | |
parent | build(flake): Update (diff) | |
download | nixos-server-30e649a6d43c4ef2473a1820930cbe7d43e28432.tar.gz nixos-server-30e649a6d43c4ef2473a1820930cbe7d43e28432.zip |
refactor(nixos/{nginx, nix-sync}): Migrate from `system/services`
Nix-sync was sort-of mixed into the nginx configuration, thus separating it completely seemed reasonable.
Diffstat (limited to '')
-rw-r--r-- | modules/nixos/vhack/default.nix | 2 | ||||
-rw-r--r-- | modules/nixos/vhack/nginx/default.nix | 68 | ||||
-rw-r--r-- | modules/nixos/vhack/nginx/redirects.nix (renamed from system/services/nginx/redirects.nix) | 0 | ||||
-rw-r--r-- | modules/nixos/vhack/nix-sync/default.nix | 61 | ||||
-rw-r--r-- | modules/nixos/vhack/nix-sync/hosts.nix (renamed from system/services/nginx/hosts.nix) | 0 | ||||
-rw-r--r-- | modules/nixos/vhack/nix-sync/module.nix (renamed from system/services/nix-sync/default.nix) | 0 |
6 files changed, 131 insertions, 0 deletions
diff --git a/modules/nixos/vhack/default.nix b/modules/nixos/vhack/default.nix index 1c98f58..cb0131f 100644 --- a/modules/nixos/vhack/default.nix +++ b/modules/nixos/vhack/default.nix @@ -2,6 +2,8 @@ imports = [ ./etesync ./git-server + ./nginx + ./nix-sync ./peertube ]; } diff --git a/modules/nixos/vhack/nginx/default.nix b/modules/nixos/vhack/nginx/default.nix new file mode 100644 index 0000000..6a82147 --- /dev/null +++ b/modules/nixos/vhack/nginx/default.nix @@ -0,0 +1,68 @@ +{ + lib, + config, + ... +}: let + importedRedirects = import ./redirects.nix {}; + mkRedirect = { + key, + value, + }: { + name = key; + value = { + forceSSL = true; + enableACME = true; + locations."/".return = "301 ${value}"; + }; + }; + + redirects = builtins.listToAttrs (builtins.map mkRedirect importedRedirects); + + cfg = config.vhack.nginx; +in { + options.vhack.nginx = { + enable = lib.mkEnableOption '' + a default nginx config. + ''; + + selfsign = lib.mkOption { + type = lib.types.bool; + default = false; + description = '' + Whether to selfsign the acme certificates. This should only + really be useful for tests. + ''; + }; + }; + + config = lib.mkIf cfg.enable { + security.acme = { + acceptTerms = true; + defaults = { + email = "admin@vhack.eu"; + webroot = "/var/lib/acme/acme-challenge"; + + # Avoid spamming the acme server, if we run in a test, and only really want self-signed + # certificates + server = lib.mkIf cfg.selfsign "https://127.0.0.1"; + }; + }; + + networking.firewall = { + allowedTCPPorts = [80 443]; + }; + services.nginx = { + enable = true; + # The merge here is fine, as no domain should be specified twice + virtualHosts = + { + "gallery.s-schoeffel.de" = { + forceSSL = true; + enableACME = true; + root = "/srv/gallery.s-schoeffel.de"; + }; + } + // redirects; + }; + }; +} diff --git a/system/services/nginx/redirects.nix b/modules/nixos/vhack/nginx/redirects.nix index a021e72..a021e72 100644 --- a/system/services/nginx/redirects.nix +++ b/modules/nixos/vhack/nginx/redirects.nix diff --git a/modules/nixos/vhack/nix-sync/default.nix b/modules/nixos/vhack/nix-sync/default.nix new file mode 100644 index 0000000..a624e0e --- /dev/null +++ b/modules/nixos/vhack/nix-sync/default.nix @@ -0,0 +1,61 @@ +{ + config, + lib, + ... +}: let + cfg = config.vhack.nix-sync; + + mkNixSyncRepository = { + domain, + root ? "", + url, + extraSettings ? {}, + }: { + name = "${domain}"; + value = { + path = "/etc/nginx/websites/${domain}/${root}"; + uri = "${url}"; + inherit extraSettings; + }; + }; + nixSyncRepositories = builtins.listToAttrs (builtins.map mkNixSyncRepository domains); + + mkVirtHost = { + domain, + root ? "", + url, + extraSettings ? {}, + }: { + name = "${domain}"; + value = + lib.recursiveUpdate { + forceSSL = true; + enableACME = true; + root = "/etc/nginx/websites/${domain}/${root}"; + } + extraSettings; + }; + virtHosts = builtins.listToAttrs (builtins.map mkVirtHost domains); + + domains = import ./hosts.nix {}; +in { + imports = [ + ./module.nix + ]; + + options.vhack.nix-sync = { + enable = lib.mkEnableOption '' + a website git ops solution. + ''; + }; + + config = lib.mkIf cfg.enable { + services.nix-sync = { + enable = true; + repositories = nixSyncRepositories; + }; + + vhack.nginx.enable = true; + services.nginx.virtualHosts = virtHosts; + }; +} diff --git a/system/services/nginx/hosts.nix b/modules/nixos/vhack/nix-sync/hosts.nix index 98dbbf1..98dbbf1 100644 --- a/system/services/nginx/hosts.nix +++ b/modules/nixos/vhack/nix-sync/hosts.nix diff --git a/system/services/nix-sync/default.nix b/modules/nixos/vhack/nix-sync/module.nix index a3ab0af..a3ab0af 100644 --- a/system/services/nix-sync/default.nix +++ b/modules/nixos/vhack/nix-sync/module.nix |