globalized port/vhost config

2024-05-09 12:16:28 +02:00 · 2024-05-09 12:16:28 +02:00 · 181f108308
commit 181f108308
parent aa06c9b3e9
3 changed files with 103 additions and 68 deletions
--- a/fake_flake.nix
+++ b/fake_flake.nix
@ -67,7 +67,7 @@ in
        concatLines (
          map (
            n:
-            "NIXOS_TARGET_HOST=${n} nixos-rebuild build --upgrade --show-trace"
+            "NIXOS_TARGET_HOST=${n} nixos-rebuild build --show-trace --fast"
            + optionalString (elem nix-output-monitor config.environment.systemPackages) " |& ${lib.getExe pkgs.nix-output-monitor}"
          ) (attrNames host_modules)
        )
--- a/modules/default.nix
+++ b/modules/default.nix
@ -24,18 +24,89 @@ in
    ./mastodon.nix
  ];

+  options.serverConfig = with lib; {
+    ports = mkOption {
+      type = types.attrsOf types.int;
+      default = { };
+      description = "ports associated with services";
+    };
+
+    vhosts = mkOption {
+      type = types.attrsOf (
+        types.submodule {
+          options = {
+            port = mkOption {
+              type = types.int;
+              description = "port to redirect to this vhost";
+            };
+            host = mkOption {
+              type = types.nonEmptyStr;
+              description = "name if the vhost";
+            };
+          };
+        }
+      );
+      default = { };
+      description = "vhosts associated with services";
+    };
+  };
+
+  config = {
+    networking.firewall.allowedTCPPorts =
+      [
+        80
+        443
+      ]
+      ++ lib.attrValues config.serverConfig.ports
+      ++ (lib.mapAttrsToList (n: v: v.port) config.serverConfig.vhosts);
+
+    services.nginx.virtualHosts =
+      {
+        "${domain}" = {
+          forceSSL = true;
+          enableACME = lib.mkForce false; # use the correct cert, not some weird one that matrix-synapse module supplies
+          useACMEHost = domain;
+          locations."/" = {
+            root = "/var/www/${domain}";
+          };
+        };
+      }
+      // (lib.concatMapAttrs (_: host: {
+        "${host.host}" = {
+          serverName = host.host;
+          forceSSL = true;
+          useACMEHost = domain;
+          locations."/" = {
+            proxyPass = "http://127.0.0.1:${builtins.toString host.port}";
+          };
+        };
+      }) config.serverConfig.vhosts);
+
+    serverConfig = {
+      ports = {
+        puffer_sftp_port = 5657;
+      };
+      vhosts = {
+        puffer_host = {
+          port = 8080;
+          host = "puffer.${domain}";
+        };
+        tlemap_host = {
+          port = 8100;
+          host = "tlemap.${domain}";
+        };
+      };
+    };
+
    security.acme = {
      acceptTerms = true;
      defaults.email = root_email;
      certs."${domain}" = {
        webroot = "/var/lib/acme/acme-challenge/";
+        extraDomainNames = lib.mapAttrsToList (n: v: v.host) config.serverConfig.vhosts;
      };
    };

-  networking.firewall.allowedTCPPorts = [
-    80
-    443
-  ];
    services.nginx = {
      # package = pkgs.nginxStable.override { openssl = pkgs.libressl; };
      enable = true;
@ -44,16 +115,8 @@ in
      recommendedProxySettings = true;
      recommendedTlsSettings = true;
      sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
-
-    virtualHosts."${domain}" = {
-      forceSSL = true;
-      enableACME = lib.mkForce false; # use the correct cert, not some weird one that matrix-synapse module supplies
-      useACMEHost = domain;
-      locations."/" = {
-        root = "/var/www/${domain}";
-      };
-    };
    };

    users.users.nginx.extraGroups = [ "acme" ];
+  };
 }
--- a/modules/puffer.nix
+++ b/modules/puffer.nix
@ -7,48 +7,20 @@
 }:
 let
  inherit (config.networking) domain;
-  puffer_port = 8080;
-  puffer_sftp_port = 5657;
-  puffer_host = "puffer.${domain}";
-  tlemap_host = "tlemap.${domain}";
-  tlemap_port = 8100;
+  inherit (config.serverConfig) ports vhosts;
 in
 {
  services.pufferpanel = {
    enable = true;
    environment = {
-      PUFFER_WEB_HOST = ":${builtins.toString puffer_port}";
-      PUFFER_DAEMON_SFTP_HOST = ":${builtins.toString puffer_sftp_port}";
+      PUFFER_WEB_HOST = ":${builtins.toString vhosts.puffer_host.port}";
+      PUFFER_DAEMON_SFTP_HOST = ":${builtins.toString ports.puffer_sftp_port}";
    };
    extraPackages = with pkgs; [ ];
    extraGroups = [ "docker" ];
  };

-  services.nginx = {
-    enable = true;
-    virtualHosts."${puffer_host}" = {
-      serverName = puffer_host;
-      forceSSL = true;
-      useACMEHost = domain;
-      locations."/" = {
-        proxyPass = "http://127.0.0.1:${builtins.toString puffer_port}";
-      };
-    };
-    virtualHosts."${tlemap_host}" = {
-      serverName = tlemap_host;
-      forceSSL = true;
-      useACMEHost = domain;
-      locations."/" = {
-        proxyPass = "http://127.0.0.1:${builtins.toString tlemap_port}";
-      };
-    };
-  };
-  security.acme.certs."${domain}".extraDomainNames = [
-    puffer_host
-    tlemap_host
-  ];
  networking.firewall.allowedTCPPorts = [
-    puffer_sftp_port
    25565
    25566
    25567