authorBenedikt Peetz <benedikt.peetz@b-peetz.de>2024-08-02 22:39:02 +0200
committerBenedikt Peetz <benedikt.peetz@b-peetz.de>2024-08-02 23:13:29 +0200
commit30e649a6d43c4ef2473a1820930cbe7d43e28432 (patch)
treef34df66d41344a9289628d9c8f9e002614f97c16 /modules
parentbuild(flake): Update (diff)
refactor(nixos/{nginx, nix-sync}): Migrate from `system/services`
Nix-sync was somewhat mixed into the nginx configuration, so separating
it completely seemed reasonable.
Diffstat (limited to '')
-rw-r--r--modules/nixos/vhack/default.nix2
-rw-r--r--modules/nixos/vhack/nginx/default.nix68
-rw-r--r--modules/nixos/vhack/nginx/redirects.nix (renamed from system/services/nginx/redirects.nix)0
-rw-r--r--modules/nixos/vhack/nix-sync/default.nix61
-rw-r--r--modules/nixos/vhack/nix-sync/hosts.nix (renamed from system/services/nginx/hosts.nix)0
-rw-r--r--modules/nixos/vhack/nix-sync/module.nix (renamed from system/services/nix-sync/default.nix)0
6 files changed, 131 insertions, 0 deletions
diff --git a/modules/nixos/vhack/default.nix b/modules/nixos/vhack/default.nix
index 1c98f58..cb0131f 100644
--- a/modules/nixos/vhack/default.nix
+++ b/modules/nixos/vhack/default.nix
@@ -2,6 +2,8 @@
   imports = [
     ./etesync
     ./git-server
+    ./nginx
+    ./nix-sync
     ./peertube
   ];
 }
diff --git a/modules/nixos/vhack/nginx/default.nix b/modules/nixos/vhack/nginx/default.nix
new file mode 100644
index 0000000..6a82147
--- /dev/null
+++ b/modules/nixos/vhack/nginx/default.nix
@@ -0,0 +1,68 @@
+{
+  lib,
+  config,
+  ...
+}: let
+  importedRedirects = import ./redirects.nix {};
+  mkRedirect = {
+    key,
+    value,
+  }: {
+    name = key;
+    value = {
+      forceSSL = true;
+      enableACME = true;
+      locations."/".return = "301 ${value}";
+    };
+  };
+
+  redirects = builtins.listToAttrs (builtins.map mkRedirect importedRedirects);
+
+  cfg = config.vhack.nginx;
+in {
+  options.vhack.nginx = {
+    enable = lib.mkEnableOption ''
+      a default nginx config.
+    '';
+
+    selfsign = lib.mkOption {
+      type = lib.types.bool;
+      default = false;
+      description = ''
+        Whether to selfsign the acme certificates. This should only
+        really be useful for tests.
+      '';
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    security.acme = {
+      acceptTerms = true;
+      defaults = {
+        email = "admin@vhack.eu";
+        webroot = "/var/lib/acme/acme-challenge";
+
+        # Avoid spamming the acme server, if we run in a test, and only really want self-signed
+        # certificates
+        server = lib.mkIf cfg.selfsign "https://127.0.0.1";
+      };
+    };
+
+    networking.firewall = {
+      allowedTCPPorts = [80 443];
+    };
+    services.nginx = {
+      enable = true;
+      # The merge here is fine, as no domain should be specified twice
+      virtualHosts =
+        {
+          "gallery.s-schoeffel.de" = {
+            forceSSL = true;
+            enableACME = true;
+            root = "/srv/gallery.s-schoeffel.de";
+          };
+        }
+        // redirects;
+    };
+  };
+}
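Review bot: The `selfsign` option's description promises self-signed ACME certificates, but the only effect visible in this file is pointing `security.acme.defaults.server` at `https://127.0.0.1`, which makes issuance fail rather than self-sign anything; presumably the certificates that end up being served are the self-signed placeholders NixOS generates before the first successful ACME run, which is worth confirming and then stating in the description, e.g. `Point the ACME client at an unreachable server so that only the self-signed placeholder certificates are used; intended for tests only.`. `mkRedirect` also interpolates each redirect target verbatim into `return = "301 ${value}"`, so a value containing whitespace or a newline would become part of the nginx configuration; the targets come from the repository's own redirects.nix, but a one-line comment above `mkRedirect` stating that each value must be a bare URL with no whitespace documents that contract for whoever edits that file next.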
diff --git a/system/services/nginx/redirects.nix b/modules/nixos/vhack/nginx/redirects.nix
index a021e72..a021e72 100644
--- a/system/services/nginx/redirects.nix
+++ b/modules/nixos/vhack/nginx/redirects.nix
diff --git a/modules/nixos/vhack/nix-sync/default.nix b/modules/nixos/vhack/nix-sync/default.nix
new file mode 100644
index 0000000..a624e0e
--- /dev/null
+++ b/modules/nixos/vhack/nix-sync/default.nix
@@ -0,0 +1,61 @@
+{
+  config,
+  lib,
+  ...
+}: let
+  cfg = config.vhack.nix-sync;
+
+  mkNixSyncRepository = {
+    domain,
+    root ? "",
+    url,
+    extraSettings ? {},
+  }: {
+    name = "${domain}";
+    value = {
+      path = "/etc/nginx/websites/${domain}/${root}";
+      uri = "${url}";
+      inherit extraSettings;
+    };
+  };
+  nixSyncRepositories = builtins.listToAttrs (builtins.map mkNixSyncRepository domains);
+
+  mkVirtHost = {
+    domain,
+    root ? "",
+    url,
+    extraSettings ? {},
+  }: {
+    name = "${domain}";
+    value =
+      lib.recursiveUpdate {
+        forceSSL = true;
+        enableACME = true;
+        root = "/etc/nginx/websites/${domain}/${root}";
+      }
+      extraSettings;
+  };
+  virtHosts = builtins.listToAttrs (builtins.map mkVirtHost domains);
+
+  domains = import ./hosts.nix {};
+in {
+  imports = [
+    ./module.nix
+  ];
+
+  options.vhack.nix-sync = {
+    enable = lib.mkEnableOption ''
+      a website git ops solution.
+    '';
+  };
+
+  config = lib.mkIf cfg.enable {
+    services.nix-sync = {
+      enable = true;
+      repositories = nixSyncRepositories;
+    };
+
+    vhack.nginx.enable = true;
+    services.nginx.virtualHosts = virtHosts;
+  };
+}
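Review bot: `extraSettings` from each hosts.nix entry is handed to two different consumers — `mkNixSyncRepository` passes it as the nix-sync repository's `extraSettings`, and `mkVirtHost` merges the same attrset into the nginx virtualHost with `lib.recursiveUpdate` — so an entry that sets nginx-only keys such as `locations` is also given to `services.nix-sync`, and vice versa; unless module.nix accepts arbitrary attributes there, split them into two fields (e.g. `extraSettings` for nix-sync and `extraVirtualHost` for nginx) or at least comment which consumer each key is meant for. The checkout path `/etc/nginx/websites/${domain}/${root}` is built in both helpers; a shared `mkSitePath = domain: root: "/etc/nginx/websites/${domain}/${root}";` keeps the nginx `root` and the nix-sync `path` from drifting apart, and `name = "${domain}";` / `uri = "${url}";` are simply `name = domain;` / `uri = url;`. Since nginx serves that directory directly, if nix-sync leaves a `.git` directory inside `path` it would be served as well — worth checking against module.nix and, if so, denying it in the generated virtualHost.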
diff --git a/system/services/nginx/hosts.nix b/modules/nixos/vhack/nix-sync/hosts.nix
index 98dbbf1..98dbbf1 100644
--- a/system/services/nginx/hosts.nix
+++ b/modules/nixos/vhack/nix-sync/hosts.nix
diff --git a/system/services/nix-sync/default.nix b/modules/nixos/vhack/nix-sync/module.nix
index a3ab0af..a3ab0af 100644
--- a/system/services/nix-sync/default.nix
+++ b/modules/nixos/vhack/nix-sync/module.nix