feat: Refactor web-servers module and move common configuration to common.nix

2025-06-12 21:35:43 +08:00 · 2025-06-12 21:35:43 +08:00 · e5f942acbe
commit e5f942acbe
parent 7093a338f4
7 changed files with 94 additions and 76 deletions
--- a/modules/nixos/server/web-servers/default.nix
+++ b/modules/nixos/server/web-servers/default.nix
@ -1,15 +1,25 @@
-{ config, ... }:
+{ config, lib, ... }:
+let
+  inherit (lib) mkMerge mkIf mkEnableOption;
+  cfg = config.server.web-servers;
+in
 {
-  config = {
-    security.acme = {
-      acceptTerms = true;
-      defaults = {
-        email = "rafiq@rrv.sh";
-        dnsProvider = "cloudflare";
-        credentialFiles = {
-          "CLOUDFLARE_DNS_API_TOKEN_FILE" = config.sops.secrets."keys/cloudflare".path;
+  options.server.web-servers = {
+    enableSSL = mkEnableOption "";
+  };
+
+  config = mkMerge [
+    (mkIf cfg.enableSSL {
+      security.acme = {
+        acceptTerms = true;
+        defaults = {
+          inherit (config.system.mainUser) email;
+          dnsProvider = "cloudflare";
+          credentialFiles = {
+            "CLOUDFLARE_DNS_API_TOKEN_FILE" = config.sops.secrets."keys/cloudflare".path;
+          };
        };
      };
-    };
-  };
+    })
+  ];
 }
--- a/modules/nixos/server/web-servers/nginx/default.nix
+++ b/modules/nixos/server/web-servers/nginx/default.nix
@ -1,17 +1,49 @@
 { config, lib, ... }:
 let
+  inherit (lib) mkOption mkEnableOption mkIf;
+  inherit (lib.pantheon) mkStrOption;
+  inherit (builtins) listToAttrs map;
+  inherit (config.server.web-servers) enableSSL;
  cfg = config.server.web-servers.nginx;
+  defaultSink = mkIf cfg.enableDefaultSink {
+    "_" = {
+      default = true;
+      rejectSSL = mkIf enableSSL true;
+      locations."/" = {
+        return = "444";
+      };
+    };
+  };
+  proxyPasses = listToAttrs (
+    map (proxy: {
+      name = proxy.source;
+      value = {
+        forceSSL = mkIf enableSSL true;
+        enableACME = mkIf enableSSL true;
+        acmeRoot = mkIf enableSSL null;
+        locations."/" = {
+          proxyPass = proxy.target;
+        } // proxy.extraConfig;
+      };
+    }) cfg.proxies
+  );
 in
 {
  options.server.web-servers.nginx = {
-    enable = lib.mkEnableOption "the Nginx server";
-    proxies = lib.mkOption {
+    enable = mkEnableOption "the Nginx server";
+    openFirewall = mkEnableOption "" // {
+      default = true;
+    };
+    enableDefaultSink = mkEnableOption "" // {
+      default = true;
+    };
+    proxies = mkOption {
      type =
        with lib.types;
        listOf (submodule {
          options = {
-            source = lib.pantheon.mkStrOption;
-            target = lib.pantheon.mkStrOption;
+            source = mkStrOption;
+            target = mkStrOption;
            extraConfig = lib.mkOption {
              type = attrs;
              default = { };
@ -30,36 +62,14 @@ in
    };
  };

-  config = lib.mkIf cfg.enable {
-    networking.firewall.allowedTCPPorts = [
+  config = mkIf cfg.enable {
+    networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall [
      443
      80
    ];
    services.nginx = {
      enable = true;
-      virtualHosts =
-        {
-          "_" = {
-            default = true;
-            rejectSSL = true;
-            locations."/" = {
-              return = "444";
-            };
-          };
-        }
-        // (builtins.listToAttrs (
-          builtins.map (proxy: {
-            name = proxy.source;
-            value = {
-              forceSSL = true;
-              enableACME = true;
-              acmeRoot = null;
-              locations."/" = {
-                proxyPass = proxy.target;
-              } // proxy.extraConfig;
-            };
-          }) cfg.proxies
-        ));
+      virtualHosts = defaultSink // proxyPasses;
    };
  };
 }