feat: Refactor web-servers module and move common configuration to common.nix

Mohammad Rafiq 2025-06-12 21:35:43 +08:00
parent 7093a338f4
commit e5f942acbe
7 changed files with 94 additions and 76 deletions


@ -1,15 +1,25 @@
{ config, ... }:
{ config, lib, ... }:
let
inherit (lib) mkMerge mkIf mkEnableOption;
cfg = config.server.web-servers;
in
{
config = {
options.server.web-servers = {
enableSSL = mkEnableOption "";
};
config = mkMerge [
(mkIf cfg.enableSSL {
security.acme = {
acceptTerms = true;
defaults = {
email = "rafiq@rrv.sh";
inherit (config.system.mainUser) email;
dnsProvider = "cloudflare";
credentialFiles = {
"CLOUDFLARE_DNS_API_TOKEN_FILE" = config.sops.secrets."keys/cloudflare".path;
};
};
};
};
})
];
}
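Review bot: `enableSSL = mkEnableOption "";` on the new option line produces the generated description "Whether to enable ." and tells a reader nothing about what the switch controls; something like `enableSSL = mkEnableOption "ACME certificates and TLS enforcement for the web servers";` would do. `config = mkMerge [ (mkIf cfg.enableSSL { … }) ]` wraps a single element, so `config = mkIf cfg.enableSSL { … };` reads the same and removes the `mkMerge` inherit unless more entries are planned. The option has no default beyond the `false` that `mkEnableOption` gives it, and the nginx module in this commit makes `forceSSL`/`enableACME` depend on it, so the description is also the place to say that TLS is opt-in per host.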


@ -1,17 +1,49 @@
{ config, lib, ... }:
let
inherit (lib) mkOption mkEnableOption mkIf;
inherit (lib.pantheon) mkStrOption;
inherit (builtins) listToAttrs map;
inherit (config.server.web-servers) enableSSL;
cfg = config.server.web-servers.nginx;
defaultSink = mkIf cfg.enableDefaultSink {
"_" = {
default = true;
rejectSSL = mkIf enableSSL true;
locations."/" = {
return = "444";
};
};
};
proxyPasses = listToAttrs (
map (proxy: {
name = proxy.source;
value = {
forceSSL = mkIf enableSSL true;
enableACME = mkIf enableSSL true;
acmeRoot = mkIf enableSSL null;
locations."/" = {
proxyPass = proxy.target;
} // proxy.extraConfig;
};
}) cfg.proxies
);
in
{
options.server.web-servers.nginx = {
enable = lib.mkEnableOption "the Nginx server";
proxies = lib.mkOption {
enable = mkEnableOption "the Nginx server";
openFirewall = mkEnableOption "" // {
default = true;
};
enableDefaultSink = mkEnableOption "" // {
default = true;
};
proxies = mkOption {
type =
with lib.types;
listOf (submodule {
options = {
source = lib.pantheon.mkStrOption;
target = lib.pantheon.mkStrOption;
source = mkStrOption;
target = mkStrOption;
extraConfig = lib.mkOption {
type = attrs;
default = { };
@ -30,36 +62,14 @@ in
};
};
config = lib.mkIf cfg.enable {
networking.firewall.allowedTCPPorts = [
config = mkIf cfg.enable {
networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall [
443
80
];
services.nginx = {
enable = true;
virtualHosts =
{
"_" = {
default = true;
rejectSSL = true;
locations."/" = {
return = "444";
};
};
}
// (builtins.listToAttrs (
builtins.map (proxy: {
name = proxy.source;
value = {
forceSSL = true;
enableACME = true;
acmeRoot = null;
locations."/" = {
proxyPass = proxy.target;
} // proxy.extraConfig;
};
}) cfg.proxies
));
virtualHosts = defaultSink // proxyPasses;
};
};
}
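Review bot: `virtualHosts = defaultSink // proxyPasses;` combines a `mkIf` result with a plain attrset using `//`, which knows nothing about module-system properties: `defaultSink` is the wrapper `{ _type = "if"; condition = …; content = …; }` whatever `cfg.enableDefaultSink` is, so the proxy hosts become siblings of `_type`, and as far as I can tell the module system reads only `condition` and `content` from such a wrapper and silently drops every proxied virtual host. Merge through the module system instead, `virtualHosts = mkMerge [ defaultSink proxyPasses ];` with `inherit (lib) mkOption mkEnableOption mkIf mkMerge;` on the inherit line, or build the sink with `lib.optionalAttrs cfg.enableDefaultSink { … }` and keep `//`. Separately, `forceSSL`, `enableACME` and `rejectSSL` were unconditional on the old side and are now gated on `server.web-servers.enableSSL`, whose `mkEnableOption` default is false. Unless a host sets it somewhere outside these hunks (the apollo section in this commit does not), the proxies are now served over plain HTTP while `openFirewall` still opens 443; a `true` default for `enableSSL`, or an assertion that it is set when `proxies` is non-empty, would keep the previous behaviour.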


@ -17,6 +17,7 @@
hostname = lib.pantheon.mkStrOption;
mainUser.name = lib.pantheon.mkStrOption;
mainUser.publicKey = lib.pantheon.mkStrOption;
mainUser.email = lib.pantheon.mkStrOption;
bootloader = lib.pantheon.mkStrOption;
};


@ -3,10 +3,10 @@
...
}:
{
imports = lib.singleton ../common.nix;
system = {
hostname = "apollo";
mainUser.name = "rafiq";
mainUser.publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILdsZyY3gu8IGB8MzMnLdh+ClDxQQ2RYG9rkeetIKq8n";
bootloader = "systemd-boot";
};
@ -21,7 +21,6 @@
server = {
enableDDNS = true;
mountHelios = true;
databases = {
mongodb.enable = true;
mysql.enable = true;
@ -32,13 +31,16 @@
mattermost.enable = true;
mattermost.url = "mm.bwfiq.com";
};
web-servers.nginx.enable = true;
web-servers.nginx.proxies = [
web-servers = {
nginx = {
enable = true;
proxies = [
{
source = "aenyrathia.wiki";
target = "http://helios:5896";
}
{
#TODO: merge into librechat module
source = "chat.bwfiq.com";
target = "http://localhost:3080";
}
@ -48,6 +50,6 @@
}
];
};
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
};
};
}


@ -0,0 +1,9 @@
{
system.mainUser = {
name = "rafiq";
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILdsZyY3gu8IGB8MzMnLdh+ClDxQQ2RYG9rkeetIKq8n";
email = "rafiq@rrv.sh";
};
server.mountHelios = true;
nixpkgs.hostPlatform = "x86_64-linux";
}
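Review bot: common.nix only takes effect on hosts that import it, and of the three host files touched here only apollo and nemesis show `imports = lib.singleton ../common.nix;` in their hunks; mellinoe's hunks drop `mainUser.name`, `mainUser.publicKey` and `mountHelios` without a visible import, so unless that line sits outside the shown hunks those options are now unset for it. `nixpkgs.hostPlatform = "x86_64-linux";` also replaces the per-host `lib.mkDefault "x86_64-linux"`, so a host that later needs another platform has to `mkForce` it; taking `lib` in the module arguments (`{ lib, ... }:`) and writing `nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";` keeps the override path open. A header comment such as `# Settings shared by every host; each host must import this file.` would make the contract explicit.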


@ -3,8 +3,6 @@
system = {
hostname = "mellinoe";
mainUser.name = "rafiq";
mainUser.publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILdsZyY3gu8IGB8MzMnLdh+ClDxQQ2RYG9rkeetIKq8n";
bootloader = "systemd-boot";
};
@ -32,10 +30,4 @@
refresh-rate = "60";
};
};
server = {
mountHelios = true;
};
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
}


@ -3,10 +3,10 @@
...
}:
{
imports = lib.singleton ../common.nix;
system = {
hostname = "nemesis";
mainUser.name = "rafiq";
mainUser.publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILdsZyY3gu8IGB8MzMnLdh+ClDxQQ2RYG9rkeetIKq8n";
bootloader = "systemd-boot";
};
@ -41,16 +41,10 @@
enableSunshine = true;
};
server = {
mountHelios = true;
};
services = {
tor = {
enable = true;
client.enable = true;
};
};
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
}