globalized port/vhost config

fake_flake.nix

@@ -67,7 +67,7 @@ in
         concatLines (
           map (
             n:
-            "NIXOS_TARGET_HOST=${n} nixos-rebuild build --upgrade --show-trace"
+            "NIXOS_TARGET_HOST=${n} nixos-rebuild build --show-trace --fast"
             + optionalString (elem nix-output-monitor config.environment.systemPackages) " |& ${lib.getExe pkgs.nix-output-monitor}"
           ) (attrNames host_modules)
         )

modules/default.nix

@@ -11,49 +11,112 @@ let
 in
 {
   imports = [
-      ./matrix.nix
+    ./matrix.nix
-      ./puffer.nix
+    ./puffer.nix
-      ./gitea.nix
+    ./gitea.nix
-      ./grafana.nix
+    ./grafana.nix
-      ./nextcloud.nix
+    ./nextcloud.nix
-      ./prometheus.nix
+    ./prometheus.nix
-      # ./mjolnir.nix
+    # ./mjolnir.nix
-      ./fail2ban.nix
+    ./fail2ban.nix
-      ./email.nix
+    ./email.nix
-      ./discord-matrix-bridge.nix
+    ./discord-matrix-bridge.nix
-      ./mastodon.nix
+    ./mastodon.nix
   ];
 
-  security.acme = {
+  options.serverConfig = with lib; {
-    acceptTerms = true;
+    ports = mkOption {
-    defaults.email = root_email;
+      type = types.attrsOf types.int;
-    certs."${domain}" = {
+      default = { };
-      webroot = "/var/lib/acme/acme-challenge/";
+      description = "ports associated with services";
+    };
+
+    vhosts = mkOption {
+      type = types.attrsOf (
+        types.submodule {
+          options = {
+            port = mkOption {
+              type = types.int;
+              description = "port to redirect to this vhost";
+            };
+            host = mkOption {
+              type = types.nonEmptyStr;
+              description = "name if the vhost";
+            };
+          };
+        }
+      );
+      default = { };
+      description = "vhosts associated with services";
     };
   };
 
-  networking.firewall.allowedTCPPorts = [
+  config = {
-    80
+    networking.firewall.allowedTCPPorts =
-    443
+      [
-  ];
+        80
-  services.nginx = {
+        443
-    # package = pkgs.nginxStable.override { openssl = pkgs.libressl; };
+      ]
-    enable = true;
+      ++ lib.attrValues config.serverConfig.ports
-    recommendedGzipSettings = true;
+      ++ (lib.mapAttrsToList (n: v: v.port) config.serverConfig.vhosts);
-    recommendedOptimisation = true;
-    recommendedProxySettings = true;
-    recommendedTlsSettings = true;
-    sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
 
-    virtualHosts."${domain}" = {
+    services.nginx.virtualHosts =
-      forceSSL = true;
+      {
-      enableACME = lib.mkForce false; # use the correct cert, not some weird one that matrix-synapse module supplies
+        "${domain}" = {
-      useACMEHost = domain;
+          forceSSL = true;
-      locations."/" = {
+          enableACME = lib.mkForce false; # use the correct cert, not some weird one that matrix-synapse module supplies
-        root = "/var/www/${domain}";
+          useACMEHost = domain;
+          locations."/" = {
+            root = "/var/www/${domain}";
+          };
+        };
+      }
+      // (lib.concatMapAttrs (_: host: {
+        "${host.host}" = {
+          serverName = host.host;
+          forceSSL = true;
+          useACMEHost = domain;
+          locations."/" = {
+            proxyPass = "http://127.0.0.1:${builtins.toString host.port}";
+          };
+        };
+      }) config.serverConfig.vhosts);
+
+    serverConfig = {
+      ports = {
+        puffer_sftp_port = 5657;
+      };
+      vhosts = {
+        puffer_host = {
+          port = 8080;
+          host = "puffer.${domain}";
+        };
+        tlemap_host = {
+          port = 8100;
+          host = "tlemap.${domain}";
+        };
       };
     };
-  };
 
-  users.users.nginx.extraGroups = [ "acme" ];
+    security.acme = {
+      acceptTerms = true;
+      defaults.email = root_email;
+      certs."${domain}" = {
+        webroot = "/var/lib/acme/acme-challenge/";
+        extraDomainNames = lib.mapAttrsToList (n: v: v.host) config.serverConfig.vhosts;
+      };
+    };
+
+    services.nginx = {
+      # package = pkgs.nginxStable.override { openssl = pkgs.libressl; };
+      enable = true;
+      recommendedGzipSettings = true;
+      recommendedOptimisation = true;
+      recommendedProxySettings = true;
+      recommendedTlsSettings = true;
+      sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
+    };
+
+    users.users.nginx.extraGroups = [ "acme" ];
+  };
 }

modules/puffer.nix

@@ -7,48 +7,20 @@
 }:
 let
   inherit (config.networking) domain;
-  puffer_port = 8080;
+  inherit (config.serverConfig) ports vhosts;
-  puffer_sftp_port = 5657;
-  puffer_host = "puffer.${domain}";
-  tlemap_host = "tlemap.${domain}";
-  tlemap_port = 8100;
 in
 {
   services.pufferpanel = {
     enable = true;
     environment = {
-      PUFFER_WEB_HOST = ":${builtins.toString puffer_port}";
+      PUFFER_WEB_HOST = ":${builtins.toString vhosts.puffer_host.port}";
-      PUFFER_DAEMON_SFTP_HOST = ":${builtins.toString puffer_sftp_port}";
+      PUFFER_DAEMON_SFTP_HOST = ":${builtins.toString ports.puffer_sftp_port}";
     };
     extraPackages = with pkgs; [ ];
     extraGroups = [ "docker" ];
   };
 
-  services.nginx = {
-    enable = true;
-    virtualHosts."${puffer_host}" = {
-      serverName = puffer_host;
-      forceSSL = true;
-      useACMEHost = domain;
-      locations."/" = {
-        proxyPass = "http://127.0.0.1:${builtins.toString puffer_port}";
-      };
-    };
-    virtualHosts."${tlemap_host}" = {
-      serverName = tlemap_host;
-      forceSSL = true;
-      useACMEHost = domain;
-      locations."/" = {
-        proxyPass = "http://127.0.0.1:${builtins.toString tlemap_port}";
-      };
-    };
-  };
-  security.acme.certs."${domain}".extraDomainNames = [
-    puffer_host
-    tlemap_host
-  ];
   networking.firewall.allowedTCPPorts = [
-    puffer_sftp_port
     25565
     25566
     25567