From e5f942acbe27a426dae8af06181962b332a92466 Mon Sep 17 00:00:00 2001 From: Mohammad Rafiq Date: Thu, 12 Jun 2025 21:35:43 +0800 Subject: [PATCH] feat: Refactor web-servers module and move common configuration to common.nix --- modules/nixos/server/web-servers/default.nix | 32 ++++++--- .../server/web-servers/nginx/default.nix | 68 +++++++++++-------- modules/nixos/system/default.nix | 1 + systems/x86_64-linux/apollo/default.nix | 42 ++++++------ systems/x86_64-linux/common.nix | 9 +++ systems/x86_64-linux/mellinoe/default.nix | 8 --- systems/x86_64-linux/nemesis/default.nix | 10 +-- 7 files changed, 94 insertions(+), 76 deletions(-) create mode 100644 systems/x86_64-linux/common.nix diff --git a/modules/nixos/server/web-servers/default.nix b/modules/nixos/server/web-servers/default.nix index 7739cc8..d409ae1 100644 --- a/modules/nixos/server/web-servers/default.nix +++ b/modules/nixos/server/web-servers/default.nix @@ -1,15 +1,25 @@ -{ config, ... }: +{ config, lib, ... }: +let + inherit (lib) mkMerge mkIf mkEnableOption; + cfg = config.server.web-servers; +in { - config = { - security.acme = { - acceptTerms = true; - defaults = { - email = "rafiq@rrv.sh"; - dnsProvider = "cloudflare"; - credentialFiles = { - "CLOUDFLARE_DNS_API_TOKEN_FILE" = config.sops.secrets."keys/cloudflare".path; + options.server.web-servers = { + enableSSL = mkEnableOption ""; + }; + + config = mkMerge [ + (mkIf cfg.enableSSL { + security.acme = { + acceptTerms = true; + defaults = { + inherit (config.system.mainUser) email; + dnsProvider = "cloudflare"; + credentialFiles = { + "CLOUDFLARE_DNS_API_TOKEN_FILE" = config.sops.secrets."keys/cloudflare".path; + }; }; }; - }; - }; + }) + ]; } diff --git a/modules/nixos/server/web-servers/nginx/default.nix b/modules/nixos/server/web-servers/nginx/default.nix index 810b69a..0facd6c 100644 --- a/modules/nixos/server/web-servers/nginx/default.nix +++ b/modules/nixos/server/web-servers/nginx/default.nix 
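Review bot: `enableSSL = mkEnableOption "";` defaults to false and no host file in this patch sets `server.web-servers.enableSSL`, while the nginx module now makes `forceSSL`, `enableACME` and `rejectSSL` conditional on it — so apollo's proxied vhosts (`aenyrathia.wiki`, `chat.bwfiq.com`, `il.bwfiq.com`), which had `forceSSL = true; enableACME = true;` unconditionally before, would be served over plain HTTP with no redirect after this change. Either add `server.web-servers.enableSSL = true;` to apollo (or to common.nix) or declare the option with `// { default = true; }` so existing hosts keep TLS. The empty string also leaves the option undocumented; `mkEnableOption "TLS termination with ACME certificates for web servers"` says what it gates. The same regression applies to the web-servers hunk of systems/x86_64-linux/apollo/default.nix.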
@@ -1,17 +1,49 @@ { config, lib, ... }: let + inherit (lib) mkOption mkEnableOption mkIf; + inherit (lib.pantheon) mkStrOption; + inherit (builtins) listToAttrs map; + inherit (config.server.web-servers) enableSSL; cfg = config.server.web-servers.nginx; + defaultSink = mkIf cfg.enableDefaultSink { + "_" = { + default = true; + rejectSSL = mkIf enableSSL true; + locations."/" = { + return = "444"; + }; + }; + }; + proxyPasses = listToAttrs ( + map (proxy: { + name = proxy.source; + value = { + forceSSL = mkIf enableSSL true; + enableACME = mkIf enableSSL true; + acmeRoot = mkIf enableSSL null; + locations."/" = { + proxyPass = proxy.target; + } // proxy.extraConfig; + }; + }) cfg.proxies + ); in { options.server.web-servers.nginx = { - enable = lib.mkEnableOption "the Nginx server"; - proxies = lib.mkOption { + enable = mkEnableOption "the Nginx server"; + openFirewall = mkEnableOption "" // { + default = true; + }; + enableDefaultSink = mkEnableOption "" // { + default = true; + }; + proxies = mkOption { type = with lib.types; listOf (submodule { options = { - source = lib.pantheon.mkStrOption; - target = lib.pantheon.mkStrOption; + source = mkStrOption; + target = mkStrOption; extraConfig = lib.mkOption { type = attrs; default = { }; @@ -30,36 +62,14 @@ in }; }; - config = lib.mkIf cfg.enable { - networking.firewall.allowedTCPPorts = [ + config = mkIf cfg.enable { + networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall [ 443 80 ]; services.nginx = { enable = true; - virtualHosts = - { - "_" = { - default = true; - rejectSSL = true; - locations."/" = { - return = "444"; - }; - }; - } - // (builtins.listToAttrs ( - builtins.map (proxy: { - name = proxy.source; - value = { - forceSSL = true; - enableACME = true; - acmeRoot = null; - locations."/" = { - proxyPass = proxy.target; - } // proxy.extraConfig; - }; - }) cfg.proxies - )); + virtualHosts = defaultSink // proxyPasses; }; }; } 
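Review bot: `virtualHosts = defaultSink // proxyPasses;` in the second hunk applies `//` to the value returned by `mkIf`, which as far as I can tell from lib's definition is the wrapper attrset `{ _type = "if"; condition; content; }` rather than the vhost set, so the proxy vhosts end up as extra keys on the wrapper and are dropped when the module system discharges it (and the whole value is discarded when `enableDefaultSink` is false); the previous code merged plain attrsets, so this is new. Merge them as module definitions instead: add `mkMerge` to the `inherit (lib) mkOption mkEnableOption mkIf;` line and write `virtualHosts = mkMerge [ defaultSink proxyPasses ];`. A smaller point in the same hunk: `allowedTCPPorts = mkIf cfg.openFirewall [ 443 80 ]` opens 443 even when `enableSSL` is false and nothing is served on it; `[ 80 ] ++ lib.optional enableSSL 443` keeps the opened ports matched to what nginx actually serves.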
diff --git a/modules/nixos/system/default.nix b/modules/nixos/system/default.nix index 98b7c1f..5d876e7 100644 --- a/modules/nixos/system/default.nix +++ b/modules/nixos/system/default.nix @@ -17,6 +17,7 @@ hostname = lib.pantheon.mkStrOption; mainUser.name = lib.pantheon.mkStrOption; mainUser.publicKey = lib.pantheon.mkStrOption; + mainUser.email = lib.pantheon.mkStrOption; bootloader = lib.pantheon.mkStrOption; }; diff --git a/systems/x86_64-linux/apollo/default.nix b/systems/x86_64-linux/apollo/default.nix index 9033745..6fb27cb 100644 --- a/systems/x86_64-linux/apollo/default.nix +++ b/systems/x86_64-linux/apollo/default.nix @@ -3,10 +3,10 @@ ... }: { + imports = lib.singleton ../common.nix; + system = { hostname = "apollo"; - mainUser.name = "rafiq"; - mainUser.publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILdsZyY3gu8IGB8MzMnLdh+ClDxQQ2RYG9rkeetIKq8n"; bootloader = "systemd-boot"; }; @@ -21,7 +21,6 @@ server = { enableDDNS = true; - mountHelios = true; databases = { mongodb.enable = true; mysql.enable = true; @@ -32,22 +31,25 @@ mattermost.enable = true; mattermost.url = "mm.bwfiq.com"; }; - web-servers.nginx.enable = true; - web-servers.nginx.proxies = [ - { - source = "aenyrathia.wiki"; - target = "http://helios:5896"; - } - { - source = "chat.bwfiq.com"; - target = "http://localhost:3080"; - } - { - source = "il.bwfiq.com"; - target = "http://helios:2283"; - } - ]; + web-servers = { + nginx = { + enable = true; + proxies = [ + { + source = "aenyrathia.wiki"; + target = "http://helios:5896"; + } + { + #TODO: merge into librechat module + source = "chat.bwfiq.com"; + target = "http://localhost:3080"; + } + { + source = "il.bwfiq.com"; + target = "http://helios:2283"; + } + ]; + }; + }; }; - - nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; } diff --git a/systems/x86_64-linux/common.nix b/systems/x86_64-linux/common.nix new file mode 100644 index 0000000..eb507c3 --- /dev/null +++ b/systems/x86_64-linux/common.nix 
@@ -0,0 +1,9 @@ +{ + system.mainUser = { + name = "rafiq"; + publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILdsZyY3gu8IGB8MzMnLdh+ClDxQQ2RYG9rkeetIKq8n"; + email = "rafiq@rrv.sh"; + }; + server.mountHelios = true; + nixpkgs.hostPlatform = "x86_64-linux"; +} diff --git a/systems/x86_64-linux/mellinoe/default.nix b/systems/x86_64-linux/mellinoe/default.nix index 6174544..e3f89df 100644 --- a/systems/x86_64-linux/mellinoe/default.nix +++ b/systems/x86_64-linux/mellinoe/default.nix @@ -3,8 +3,6 @@ system = { hostname = "mellinoe"; - mainUser.name = "rafiq"; - mainUser.publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILdsZyY3gu8IGB8MzMnLdh+ClDxQQ2RYG9rkeetIKq8n"; bootloader = "systemd-boot"; }; @@ -32,10 +30,4 @@ refresh-rate = "60"; }; }; - - server = { - mountHelios = true; - }; - - nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; } diff --git a/systems/x86_64-linux/nemesis/default.nix b/systems/x86_64-linux/nemesis/default.nix index eefdf44..f8b4af4 100644 --- a/systems/x86_64-linux/nemesis/default.nix +++ b/systems/x86_64-linux/nemesis/default.nix @@ -3,10 +3,10 @@ ... }: { + imports = lib.singleton ../common.nix; + system = { hostname = "nemesis"; - mainUser.name = "rafiq"; - mainUser.publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILdsZyY3gu8IGB8MzMnLdh+ClDxQQ2RYG9rkeetIKq8n"; bootloader = "systemd-boot"; }; @@ -41,16 +41,10 @@ enableSunshine = true; }; - server = { - mountHelios = true; - }; - services = { tor = { enable = true; client.enable = true; }; }; - - nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; }
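Review bot: `nixpkgs.hostPlatform = "x86_64-linux";` in common.nix drops the `lib.mkDefault` that the removed per-host lines carried, so a host importing common.nix can no longer override the platform without `mkForce`. Keep the priority with `nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";`, which requires the file to start with `{ lib, ... }:` instead of a bare attrset.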
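Review bot: The mellinoe hunks remove `mainUser.name`, `mainUser.publicKey`, `server.mountHelios` and `nixpkgs.hostPlatform` but, unlike apollo and nemesis, add no `imports = lib.singleton ../common.nix;`, so unless common.nix reaches this host by some route not in the diff those values are now undefined there — the `mkStrOption` declarations for `mainUser.*` show no default, and if `publicKey` is what provisions the main user's SSH key the host would lose it. Add `imports = lib.singleton ../common.nix;` above the `system = {` block as the other two hosts do. Both mellinoe hunks begin after the file header, which is outside the diff.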