grimm-nixos-laptop/modules/default.nix

{
  lib,
  config,
  inputs,
  pkgs,
  ...
}:
let
  inherit (config.networking) domain;
  root_email = "contact@${domain}";
in
{
  imports = [
    ./matrix.nix
    ./puffer.nix
    ./gitea.nix
    ./grafana.nix
    ./nextcloud.nix
    ./prometheus.nix
    # ./mjolnir.nix
    ./fail2ban.nix
    ./email.nix
    ./discord-matrix-bridge.nix
    ./mastodon.nix
  ];

  options.serverConfig = with lib; {
    ports = mkOption {
      type = types.attrsOf (
        types.submodule (
          { config, ... }:
          rec {
            options = {
              port = mkOption {
                type = types.int;
                description = "port to define";
              };
              open = mkEnableOption "whether to open the port" // {
                default = true;
              };
            };
          }
        )
      );
      default = { };
      description = "ports associated with services";
    };

    vhosts = mkOption {
      type = types.attrsOf (
        types.submodule (
          { config, ... }:
          rec {
            options = {
              port = mkOption {
                type = types.int;
                default = 80;
                description = "port to redirect to this vhost";
              };
              host = mkOption {
                type = types.nonEmptyStr;
                description = "name if the vhost";
              };
              accessType = mkOption {
                type = types.enum [
                  "proxy"
                  "redirect"
                  "custom"
                  "none"
                ];
                default = "proxy";
                description = "nginx template to use";
              };
              extraNginx = mkOption {
                type = types.attrs;
                default =
                  if config.accessType == "redirect" then
                    { locations."/".return = "307 https://${domain}"; }
                  else
                    (
                      if config.accessType == "proxy" then
                        { locations."/".proxyPass = "http://127.0.0.1:${builtins.toString config.port}"; }
                      else
                        { }
                    );
                description = "location definition for nginx";
              };
            };
          }
        )
      );
      default = { };
      description = "vhosts associated with services";
    };
  };

  config = {
    networking.firewall.allowedTCPPorts = [
      80
      443
    ] ++ (lib.mapAttrsToList (n: v: v.port) (lib.filterAttrs (n: v: v.open) config.serverConfig.ports));
    #       ++ (lib.mapAttrsToList (n: v: v.port) (lib.filterAttrs (n: v: !v.disableWebAccess) config.serverConfig.vhosts));

    services.nginx.virtualHosts =
      {
        "${domain}" = {
          forceSSL = true;
          enableACME = lib.mkForce false; # use the correct cert, not some weird one that matrix-synapse module supplies
          useACMEHost = domain;
          locations."/" = {
            root = "/var/www/${domain}";
          };
        };
      }
      // (lib.concatMapAttrs (_: host: {
        "${host.host}" = {
          serverName = host.host;
          forceSSL = true;
          useACMEHost = domain;
          enableACME = lib.mkForce false;
        } // host.extraNginx;
      }) (lib.filterAttrs (n: v: v.accessType != "none") config.serverConfig.vhosts));

    serverConfig = {
      ports = {
        puffer_sftp_port.port = 5657;
        gitea_ssh_port.port = 2222;
        node_exporter = {
          port = 9002;
          open = false;
        };
        discord_matrix_bridge_port = {
          port = 9005;
          open = false;
        };
        redis_nextcloud_port = {
          port = 6379;
          open = false;
        };
      };

      vhosts = {
        puffer_host = {
          port = 8080;
          host = "puffer.${domain}";
        };
        tlemap_host = {
          port = 8100;
          host = "tlemap.${domain}";
        };
        mail_host = {
          host = "mail.${domain}";
          accessType = "redirect";
        };
        gitea_host = {
          host = "git.${domain}";
          port = 8081;
        };
        matrix_host = {
          accessType = "redirect";
          host = "matrix.${domain}";
        };
        prometheus_host = {
          host = "prometheus.${domain}";
          port = 9090;
          accessType = "redirect";
        };
        grafana_host = {
          host = "grafana.${domain}";
          port = 8082;
        };
        nextcloud_host = rec {
          host = "cloud.${domain}";
          port = 8083;
          accessType = "custom";
          extraNginx.serverName = host;
        };
        mastodon_host = {
          host = "mastodon.${domain}";
          accessType = "none";
        };
      };
    };

    security.acme = {
      acceptTerms = true;
      defaults.email = root_email;
      certs."${domain}" = {
        webroot = "/var/lib/acme/acme-challenge/";
        extraDomainNames = lib.mapAttrsToList (n: v: v.host) config.serverConfig.vhosts;
      };
    };

    services.nginx = {
      # package = pkgs.nginxStable.override { openssl = pkgs.libressl; };
      enable = true;
      recommendedGzipSettings = true;
      recommendedOptimisation = true;
      recommendedProxySettings = true;
      recommendedTlsSettings = true;
      sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
    };

    users.users.nginx.extraGroups = [ "acme" ];
  };
}
move server module loading to modules folder 2024-05-09 11:03:43 +02:00			`{`
			`lib,`
			`config,`
			`inputs,`
			`pkgs,`
			`...`
			`}:`
			`let`
			`inherit (config.networking) domain;`
			`root_email = "contact@${domain}";`
			`in`
			`{`
			`imports = [`
globalized port/vhost config 2024-05-09 12:16:28 +02:00			`./matrix.nix`
			`./puffer.nix`
			`./gitea.nix`
			`./grafana.nix`
			`./nextcloud.nix`
			`./prometheus.nix`
			`# ./mjolnir.nix`
			`./fail2ban.nix`
			`./email.nix`
			`./discord-matrix-bridge.nix`
			`./mastodon.nix`
move server module loading to modules folder 2024-05-09 11:03:43 +02:00			`];`

globalized port/vhost config 2024-05-09 12:16:28 +02:00			`options.serverConfig = with lib; {`
			`ports = mkOption {`
globalized port/vhost config: move modules 2024-05-09 14:55:02 +02:00			`type = types.attrsOf (`
			`types.submodule (`
			`{ config, ... }:`
			`rec {`
			`options = {`
			`port = mkOption {`
			`type = types.int;`
			`description = "port to define";`
			`};`
			`open = mkEnableOption "whether to open the port" // {`
			`default = true;`
			`};`
			`};`
			`}`
			`)`
			`);`
globalized port/vhost config 2024-05-09 12:16:28 +02:00			`default = { };`
			`description = "ports associated with services";`
			`};`

			`vhosts = mkOption {`
			`type = types.attrsOf (`
globalized port/vhost config: move modules 2024-05-09 14:55:02 +02:00			`types.submodule (`
			`{ config, ... }:`
			`rec {`
			`options = {`
			`port = mkOption {`
			`type = types.int;`
			`default = 80;`
			`description = "port to redirect to this vhost";`
			`};`
			`host = mkOption {`
			`type = types.nonEmptyStr;`
			`description = "name if the vhost";`
			`};`
			`accessType = mkOption {`
			`type = types.enum [`
			`"proxy"`
			`"redirect"`
			`"custom"`
			`"none"`
			`];`
			`default = "proxy";`
			`description = "nginx template to use";`
			`};`
			`extraNginx = mkOption {`
			`type = types.attrs;`
			`default =`
			`if config.accessType == "redirect" then`
			`{ locations."/".return = "307 https://${domain}"; }`
			`else`
			`(`
			`if config.accessType == "proxy" then`
			`{ locations."/".proxyPass = "http://127.0.0.1:${builtins.toString config.port}"; }`
			`else`
			`{ }`
			`);`
			`description = "location definition for nginx";`
			`};`
globalized port/vhost config 2024-05-09 12:16:28 +02:00			`};`
globalized port/vhost config: move modules 2024-05-09 14:55:02 +02:00			`}`
			`)`
globalized port/vhost config 2024-05-09 12:16:28 +02:00			`);`
			`default = { };`
			`description = "vhosts associated with services";`
move server module loading to modules folder 2024-05-09 11:03:43 +02:00			`};`
			`};`

globalized port/vhost config 2024-05-09 12:16:28 +02:00			`config = {`
globalized port/vhost config: move modules 2024-05-09 14:55:02 +02:00			`networking.firewall.allowedTCPPorts = [`
			`80`
			`443`
			`] ++ (lib.mapAttrsToList (n: v: v.port) (lib.filterAttrs (n: v: v.open) config.serverConfig.ports));`
			`# ++ (lib.mapAttrsToList (n: v: v.port) (lib.filterAttrs (n: v: !v.disableWebAccess) config.serverConfig.vhosts));`
globalized port/vhost config 2024-05-09 12:16:28 +02:00
			`services.nginx.virtualHosts =`
			`{`
			`"${domain}" = {`
			`forceSSL = true;`
			`enableACME = lib.mkForce false; # use the correct cert, not some weird one that matrix-synapse module supplies`
			`useACMEHost = domain;`
			`locations."/" = {`
			`root = "/var/www/${domain}";`
			`};`
			`};`
			`}`
			`// (lib.concatMapAttrs (_: host: {`
			`"${host.host}" = {`
			`serverName = host.host;`
			`forceSSL = true;`
			`useACMEHost = domain;`
globalized port/vhost config: move modules 2024-05-09 14:55:02 +02:00			`enableACME = lib.mkForce false;`
			`} // host.extraNginx;`
			`}) (lib.filterAttrs (n: v: v.accessType != "none") config.serverConfig.vhosts));`
globalized port/vhost config 2024-05-09 12:16:28 +02:00
			`serverConfig = {`
			`ports = {`
globalized port/vhost config: move modules 2024-05-09 14:55:02 +02:00			`puffer_sftp_port.port = 5657;`
			`gitea_ssh_port.port = 2222;`
			`node_exporter = {`
			`port = 9002;`
			`open = false;`
			`};`
			`discord_matrix_bridge_port = {`
			`port = 9005;`
			`open = false;`
			`};`
			`redis_nextcloud_port = {`
			`port = 6379;`
			`open = false;`
			`};`
globalized port/vhost config 2024-05-09 12:16:28 +02:00			`};`
globalized port/vhost config: move modules 2024-05-09 14:55:02 +02:00
globalized port/vhost config 2024-05-09 12:16:28 +02:00			`vhosts = {`
			`puffer_host = {`
			`port = 8080;`
			`host = "puffer.${domain}";`
			`};`
			`tlemap_host = {`
			`port = 8100;`
			`host = "tlemap.${domain}";`
			`};`
globalized port/vhost config: move modules 2024-05-09 14:55:02 +02:00			`mail_host = {`
			`host = "mail.${domain}";`
			`accessType = "redirect";`
			`};`
			`gitea_host = {`
			`host = "git.${domain}";`
			`port = 8081;`
			`};`
			`matrix_host = {`
			`accessType = "redirect";`
			`host = "matrix.${domain}";`
			`};`
			`prometheus_host = {`
			`host = "prometheus.${domain}";`
			`port = 9090;`
			`accessType = "redirect";`
			`};`
			`grafana_host = {`
			`host = "grafana.${domain}";`
			`port = 8082;`
			`};`
			`nextcloud_host = rec {`
			`host = "cloud.${domain}";`
			`port = 8083;`
			`accessType = "custom";`
			`extraNginx.serverName = host;`
			`};`
			`mastodon_host = {`
			`host = "mastodon.${domain}";`
			`accessType = "none";`
			`};`
move server module loading to modules folder 2024-05-09 11:03:43 +02:00			`};`
			`};`

globalized port/vhost config 2024-05-09 12:16:28 +02:00			`security.acme = {`
			`acceptTerms = true;`
			`defaults.email = root_email;`
			`certs."${domain}" = {`
			`webroot = "/var/lib/acme/acme-challenge/";`
			`extraDomainNames = lib.mapAttrsToList (n: v: v.host) config.serverConfig.vhosts;`
			`};`
			`};`

			`services.nginx = {`
			`# package = pkgs.nginxStable.override { openssl = pkgs.libressl; };`
			`enable = true;`
			`recommendedGzipSettings = true;`
			`recommendedOptimisation = true;`
			`recommendedProxySettings = true;`
			`recommendedTlsSettings = true;`
			`sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";`
			`};`

			`users.users.nginx.extraGroups = [ "acme" ];`
			`};`
move server module loading to modules folder 2024-05-09 11:03:43 +02:00			`}`