diff --git a/fake_flake.nix b/fake_flake.nix
index 9909384..0358f01 100644
--- a/fake_flake.nix
+++ b/fake_flake.nix
@@ -67,7 +67,7 @@
 in
 concatLines (
 map (
 n:
- "NIXOS_TARGET_HOST=${n} nixos-rebuild build --upgrade --show-trace"
+ "NIXOS_TARGET_HOST=${n} nixos-rebuild build --show-trace --fast" + optionalString (elem nix-output-monitor config.environment.systemPackages) " |& ${lib.getExe pkgs.nix-output-monitor}"
 ) (attrNames host_modules)
 )
diff --git a/modules/default.nix b/modules/default.nix
index a60e7a2..d9df9a6 100644
--- a/modules/default.nix
+++ b/modules/default.nix
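Review bot: `elem nix-output-monitor config.environment.systemPackages` uses `nix-output-monitor` as a bare identifier while the pipe target on the same line spells it `pkgs.nix-output-monitor`; unless a `with pkgs;` or an `inherit` outside this hunk binds the bare name, evaluation fails with an undefined variable, so `elem pkgs.nix-output-monitor config.environment.systemPackages` is the safer spelling. The `|&` operator is a bash/zsh extension, so if this generated command is ever run under plain `sh` it will not parse; either pin the interpreter that executes the string or write the portable `2>&1 |` form. The enclosing expression begins and ends outside the hunk.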
@@ -11,49 +11,112 @@ let
 in
 {
 imports = [
- ./matrix.nix
- ./puffer.nix
- ./gitea.nix
- ./grafana.nix
- ./nextcloud.nix
- ./prometheus.nix
- # ./mjolnir.nix
- ./fail2ban.nix
- ./email.nix
- ./discord-matrix-bridge.nix
- ./mastodon.nix
+ ./matrix.nix
+ ./puffer.nix
+ ./gitea.nix
+ ./grafana.nix
+ ./nextcloud.nix
+ ./prometheus.nix
+ # ./mjolnir.nix
+ ./fail2ban.nix
+ ./email.nix
+ ./discord-matrix-bridge.nix
+ ./mastodon.nix
 ];
- security.acme = {
- acceptTerms = true;
- defaults.email = root_email;
- certs."${domain}" = {
- webroot = "/var/lib/acme/acme-challenge/";
+ options.serverConfig = with lib; {
+ ports = mkOption {
+ type = types.attrsOf types.int;
+ default = { };
+ description = "ports associated with services";
+ };
+
+ vhosts = mkOption {
+ type = types.attrsOf (
+ types.submodule {
+ options = {
+ port = mkOption {
+ type = types.int;
+ description = "port to redirect to this vhost";
+ };
+ host = mkOption {
+ type = types.nonEmptyStr;
+ description = "name if the vhost";
+ };
+ };
+ }
+ );
+ default = { };
+ description = "vhosts associated with services";
 };
 };
- networking.firewall.allowedTCPPorts = [
- 80
- 443
- ];
- services.nginx = {
- # package = pkgs.nginxStable.override { openssl = pkgs.libressl; };
- enable = true;
- recommendedGzipSettings = true;
- recommendedOptimisation = true;
- recommendedProxySettings = true;
- recommendedTlsSettings = true;
- sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
+ config = {
+ networking.firewall.allowedTCPPorts =
+ [
+ 80
+ 443
+ ]
+ ++ lib.attrValues config.serverConfig.ports
+ ++ (lib.mapAttrsToList (n: v: v.port) config.serverConfig.vhosts);
- virtualHosts."${domain}" = {
- forceSSL = true;
- enableACME = lib.mkForce false; # use the correct cert, not some weird one that matrix-synapse module supplies
- useACMEHost = domain;
- locations."/" = {
- root = "/var/www/${domain}";
+ services.nginx.virtualHosts =
+ {
+ "${domain}" = {
+ forceSSL = true;
+ enableACME = lib.mkForce false; # use the correct cert, not some weird one that matrix-synapse module supplies
+ useACMEHost = domain;
+ locations."/" = {
+ root = "/var/www/${domain}";
+ };
+ };
+ }
+ // (lib.concatMapAttrs (_: host: {
+ "${host.host}" = {
+ serverName = host.host;
+ forceSSL = true;
+ useACMEHost = domain;
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:${builtins.toString host.port}";
+ };
+ };
+ }) config.serverConfig.vhosts);
+
+ serverConfig = {
+ ports = {
+ puffer_sftp_port = 5657;
+ };
+ vhosts = {
+ puffer_host = {
+ port = 8080;
+ host = "puffer.${domain}";
+ };
+ tlemap_host = {
+ port = 8100;
+ host = "tlemap.${domain}";
+ };
 };
 };
- };
- users.users.nginx.extraGroups = [ "acme" ];
+ security.acme = {
+ acceptTerms = true;
+ defaults.email = root_email;
+ certs."${domain}" = {
+ webroot = "/var/lib/acme/acme-challenge/";
+ extraDomainNames = lib.mapAttrsToList (n: v: v.host) config.serverConfig.vhosts;
+ };
+ };
+
+ services.nginx = {
+ # package = pkgs.nginxStable.override { openssl = pkgs.libressl; };
+ enable = true;
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ recommendedProxySettings = true;
+ recommendedTlsSettings = true;
+ sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
+ };
+
+ users.users.nginx.extraGroups = [ "acme" ];
+ };
 }
diff --git a/modules/puffer.nix b/modules/puffer.nix
index 4f9d894..54d6370 100644
--- a/modules/puffer.nix
+++ b/modules/puffer.nix
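Review bot: The new `networking.firewall.allowedTCPPorts` appends `lib.mapAttrsToList (n: v: v.port) config.serverConfig.vhosts`, which opens the backend ports 8080 and 8100 to the network although those backends are only meant to be reached through the nginx `proxyPass` to `127.0.0.1`; the removed puffer.nix code never put `puffer_port` or `tlemap_port` in the firewall list, so this is a regression that lets clients bypass TLS termination and any nginx-side controls and reach PufferPanel directly (its `PUFFER_WEB_HOST = ":8080"` appears to bind all interfaces). Dropping that term and keeping only `++ lib.attrValues config.serverConfig.ports` restores the previous exposure of 80, 443 and the explicitly listed `ports`. Separately, `types.int` for `ports` and for `vhosts.*.port` could be `types.port`, which rejects out-of-range values at evaluation time, and the description `"name if the vhost"` should read `"name of the vhost"`.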
@@ -7,48 +7,20 @@
 }:
 let
 inherit (config.networking) domain;
- puffer_port = 8080;
- puffer_sftp_port = 5657;
- puffer_host = "puffer.${domain}";
- tlemap_host = "tlemap.${domain}";
- tlemap_port = 8100;
+ inherit (config.serverConfig) ports vhosts;
 in
 {
 services.pufferpanel = {
 enable = true;
 environment = {
- PUFFER_WEB_HOST = ":${builtins.toString puffer_port}";
- PUFFER_DAEMON_SFTP_HOST = ":${builtins.toString puffer_sftp_port}";
+ PUFFER_WEB_HOST = ":${builtins.toString vhosts.puffer_host.port}";
+ PUFFER_DAEMON_SFTP_HOST = ":${builtins.toString ports.puffer_sftp_port}";
 };
 extraPackages = with pkgs; [ ];
 extraGroups = [ "docker" ];
 };
- services.nginx = {
- enable = true;
- virtualHosts."${puffer_host}" = {
- serverName = puffer_host;
- forceSSL = true;
- useACMEHost = domain;
- locations."/" = {
- proxyPass = "http://127.0.0.1:${builtins.toString puffer_port}";
- };
- };
- virtualHosts."${tlemap_host}" = {
- serverName = tlemap_host;
- forceSSL = true;
- useACMEHost = domain;
- locations."/" = {
- proxyPass = "http://127.0.0.1:${builtins.toString tlemap_port}";
- };
- };
- };
- security.acme.certs."${domain}".extraDomainNames = [
- puffer_host
- tlemap_host
- ];
 networking.firewall.allowedTCPPorts = [
- puffer_sftp_port
 25565
 25566
 25567