rrvsh/pantheon
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat(nix): add nginx reverse proxy to web-servers module

Browse source 
Adds nginx reverse proxy functionality with SSL support.
This commit is contained in:
Mohammad Rafiq 2025-07-09 02:59:31 +08:00
parent 9657329282
commit 5f42498a39
No known key found for this signature in database
2 changed files with 112 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

13
nix/manifest.nix
View file

@ -40,6 +40,19 @@
}; };
web-servers = { web-servers = {
enableSSL = true; enableSSL = true;
nginx = {
enable = true;
proxies = [
{
source = "aenyrathia.wiki";
target = "http://helios:5896";
}
{
source = "il.bwfiq.com";
target = "http://helios:2283";
}
];
};
}; };
databases = { databases = {
mongodb.enable = true; mongodb.enable = true;

99
nix/modules/server/web-servers.nix
View file

@ -15,10 +15,54 @@ in
{ config, ... }: { config, ... }:
let let
cfg = config.server.web-servers; cfg = config.server.web-servers;
sslCheck = good: bad: if cfg.enableSSL then good else bad;
in in
{ {
options.server.web-servers = { options.server.web-servers = {
enableSSL = mkEnableOption ""; enableSSL = mkEnableOption "";
nginx = {
enable = mkEnableOption "the Nginx server";
openFirewall = mkEnableOption "" // {
default = true;
};
enableDefaultSink = mkEnableOption "" // {
default = true;
};
pages = mkOption {
default = [ ];
type = listOf (submodule {
options = {
domain = mkStrOption "";
root = mkPathOption "";
extraConfig = mkOption {
type = attrs;
default = { };
};
locations = mkOption {
type = attrs;
default = { };
};
};
});
};
proxies = mkOption {
default = [ ];
type = listOf (submodule {
options = {
source = mkStrOption "";
target = mkStrOption "";
extraConfig = mkOption {
type = attrs;
default = { };
};
locations = mkOption {
type = attrs;
default = { };
};
};
});
};
};
}; };
config = mkMerge [ config = mkMerge [
(mkIf cfg.enableSSL { (mkIf cfg.enableSSL {
@ -38,6 +82,61 @@ in
}; };
}; };
}) })
(mkIf cfg.nginx.enable {
networking.firewall.allowedTCPPorts = mkIf cfg.nginx.openFirewall [
443
80
];
users.users.nginx.extraGroups = singleton "acme";
services.nginx = {
enable = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
recommendedOptimisation = true;
recommendedGzipSettings = true;
virtualHosts = mkMerge [
(mkIf cfg.nginx.enableDefaultSink {
"_" = {
default = true;
rejectSSL = sslCheck true false;
locations."/" = {
return = "444";
};
};
})
(listToAttrs (
map (page: {
name = page.domain;
value = {
addSSL = sslCheck true false;
useACMEHost = sslCheck (mkRootDomain page.domain) null;
acmeRoot = null; # needed for DNS validation
locations = {
"/" = {
inherit (page) root;
} // page.extraConfig;
} // page.locations;
};
}) cfg.nginx.pages
))
(listToAttrs (
map (proxy: {
name = proxy.source;
value = {
addSSL = sslCheck true false;
useACMEHost = sslCheck (mkRootDomain proxy.source) null;
acmeRoot = null; # needed for DNS validation
locations = {
"/" = {
proxyPass = proxy.target;
} // proxy.extraConfig;
} // proxy.locations;
};
}) cfg.nginx.proxies
))
];
};
})
]; ];
}; };
} }