authorBenedikt Peetz <benedikt.peetz@b-peetz.de>2024-08-02 22:39:02 +0200
committerBenedikt Peetz <benedikt.peetz@b-peetz.de>2024-08-02 23:13:29 +0200
commit30e649a6d43c4ef2473a1820930cbe7d43e28432 (patch)
treef34df66d41344a9289628d9c8f9e002614f97c16
parentbuild(flake): Update (diff)
refactor(nixos/{nginx, nix-sync}): Migrate from `system/services`
Nix-sync was somewhat mixed into the nginx configuration, so separating it out completely seemed reasonable.
Diffstat (limited to '')
-rw-r--r--modules/nixos/vhack/default.nix2
-rw-r--r--modules/nixos/vhack/nginx/default.nix68
-rw-r--r--modules/nixos/vhack/nginx/redirects.nix (renamed from system/services/nginx/redirects.nix)0
-rw-r--r--modules/nixos/vhack/nix-sync/default.nix61
-rw-r--r--modules/nixos/vhack/nix-sync/hosts.nix (renamed from system/services/nginx/hosts.nix)0
-rw-r--r--modules/nixos/vhack/nix-sync/module.nix (renamed from system/services/nix-sync/default.nix)0
-rw-r--r--system/services/default.nix2
-rw-r--r--system/services/nginx/default.nix79
8 files changed, 131 insertions, 81 deletions
diff --git a/modules/nixos/vhack/default.nix b/modules/nixos/vhack/default.nix
index 1c98f58..cb0131f 100644
--- a/modules/nixos/vhack/default.nix
+++ b/modules/nixos/vhack/default.nix
@@ -2,6 +2,8 @@
imports = [
./etesync
./git-server
+ ./nginx
+ ./nix-sync
./peertube
];
}
diff --git a/modules/nixos/vhack/nginx/default.nix b/modules/nixos/vhack/nginx/default.nix
new file mode 100644
index 0000000..6a82147
--- /dev/null
+++ b/modules/nixos/vhack/nginx/default.nix
@@ -0,0 +1,68 @@
+{
+ lib,
+ config,
+ ...
+}: let
+ importedRedirects = import ./redirects.nix {};
+ mkRedirect = {
+ key,
+ value,
+ }: {
+ name = key;
+ value = {
+ forceSSL = true;
+ enableACME = true;
+ locations."/".return = "301 ${value}";
+ };
+ };
+
+ redirects = builtins.listToAttrs (builtins.map mkRedirect importedRedirects);
+
+ cfg = config.vhack.nginx;
+in {
+ options.vhack.nginx = {
+ enable = lib.mkEnableOption ''
+ a default nginx config.
+ '';
+
+ selfsign = lib.mkOption {
+ type = lib.types.bool;
+ default = false;
+ description = ''
+ Whether to selfsign the acme certificates. This should only
+ really be useful for tests.
+ '';
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ security.acme = {
+ acceptTerms = true;
+ defaults = {
+ email = "admin@vhack.eu";
+ webroot = "/var/lib/acme/acme-challenge";
+
+ # Avoid spamming the acme server, if we run in a test, and only really want self-signed
+ # certificates
+ server = lib.mkIf cfg.selfsign "https://127.0.0.1";
+ };
+ };
+
+ networking.firewall = {
+ allowedTCPPorts = [80 443];
+ };
+ services.nginx = {
+ enable = true;
+ # The merge here is fine, as no domain should be specified twice
+ virtualHosts =
+ {
+ "gallery.s-schoeffel.de" = {
+ forceSSL = true;
+ enableACME = true;
+ root = "/srv/gallery.s-schoeffel.de";
+ };
+ }
+ // redirects;
+ };
+ };
+}
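Review bot: The `selfsign` option and the comment above `server = lib.mkIf cfg.selfsign "https://127.0.0.1";` promise self-signed certificates, but the code only repoints the ACME directory URL at a local address where presumably no ACME server answers; any self-signed certificate that ends up being served would then come from the NixOS ACME module's own placeholder behaviour rather than from this option, which is worth confirming before relying on it in tests. I would make the option description say this explicitly, e.g. `Point ACME at an unreachable local directory URL so issuance fails and the placeholder certificate is kept; only meant for tests.`, so nobody enables it expecting a valid certificate. The firewall ports and `acceptTerms` are applied regardless of `selfsign`; a short mention of that in the `enable` description would make the module's effect complete at a glance.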
diff --git a/system/services/nginx/redirects.nix b/modules/nixos/vhack/nginx/redirects.nix
index a021e72..a021e72 100644
--- a/system/services/nginx/redirects.nix
+++ b/modules/nixos/vhack/nginx/redirects.nix
diff --git a/modules/nixos/vhack/nix-sync/default.nix b/modules/nixos/vhack/nix-sync/default.nix
new file mode 100644
index 0000000..a624e0e
--- /dev/null
+++ b/modules/nixos/vhack/nix-sync/default.nix
@@ -0,0 +1,61 @@
+{
+ config,
+ lib,
+ ...
+}: let
+ cfg = config.vhack.nix-sync;
+
+ mkNixSyncRepository = {
+ domain,
+ root ? "",
+ url,
+ extraSettings ? {},
+ }: {
+ name = "${domain}";
+ value = {
+ path = "/etc/nginx/websites/${domain}/${root}";
+ uri = "${url}";
+ inherit extraSettings;
+ };
+ };
+ nixSyncRepositories = builtins.listToAttrs (builtins.map mkNixSyncRepository domains);
+
+ mkVirtHost = {
+ domain,
+ root ? "",
+ url,
+ extraSettings ? {},
+ }: {
+ name = "${domain}";
+ value =
+ lib.recursiveUpdate {
+ forceSSL = true;
+ enableACME = true;
+ root = "/etc/nginx/websites/${domain}/${root}";
+ }
+ extraSettings;
+ };
+ virtHosts = builtins.listToAttrs (builtins.map mkVirtHost domains);
+
+ domains = import ./hosts.nix {};
+in {
+ imports = [
+ ./module.nix
+ ];
+
+ options.vhack.nix-sync = {
+ enable = lib.mkEnableOption ''
+ a website git ops solution.
+ '';
+ };
+
+ config = lib.mkIf cfg.enable {
+ services.nix-sync = {
+ enable = true;
+ repositories = nixSyncRepositories;
+ };
+
+ vhack.nginx.enable = true;
+ services.nginx.virtualHosts = virtHosts;
+ };
+}
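Review bot: The same `extraSettings` attribute from `hosts.nix` is consumed twice in this file: `mkVirtHost` merges it into the nginx virtualHost via `lib.recursiveUpdate`, while `mkNixSyncRepository` passes it through unchanged as the nix-sync repository's `extraSettings`, so unless both consumers share a schema any key meant for one silently reaches the other; I cannot see `hosts.nix` or `module.nix`, so this is inferred, but a comment on `mkNixSyncRepository` stating which keys are expected there (or splitting the field into two, e.g. `nginxSettings` and `syncSettings`) would remove the ambiguity. Also `domains` is used in `nixSyncRepositories` and `virtHosts` before its `import ./hosts.nix {}` binding at the end of the `let`; that works because `let` is recursive, but moving the line to the top, as the nginx module does with `importedRedirects`, reads in the natural order. Finally, the `url` parameter of `mkVirtHost` is only listed so the strict attribute pattern accepts the input; a one-line comment such as `# url is unused here; listed so the strict pattern accepts hosts.nix entries` would save a reader hunting for its use.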
diff --git a/system/services/nginx/hosts.nix b/modules/nixos/vhack/nix-sync/hosts.nix
index 98dbbf1..98dbbf1 100644
--- a/system/services/nginx/hosts.nix
+++ b/modules/nixos/vhack/nix-sync/hosts.nix
diff --git a/system/services/nix-sync/default.nix b/modules/nixos/vhack/nix-sync/module.nix
index a3ab0af..a3ab0af 100644
--- a/system/services/nix-sync/default.nix
+++ b/modules/nixos/vhack/nix-sync/module.nix
diff --git a/system/services/default.nix b/system/services/default.nix
index 8b8151a..3155272 100644
--- a/system/services/default.nix
+++ b/system/services/default.nix
@@ -10,9 +10,7 @@
./minecraft
./miniflux
./murmur
- ./nginx
./nix
- ./nix-sync
./openssh
./restic
./rust-motd
diff --git a/system/services/nginx/default.nix b/system/services/nginx/default.nix
deleted file mode 100644
index b804754..0000000
--- a/system/services/nginx/default.nix
+++ /dev/null
@@ -1,79 +0,0 @@
-{lib, ...}: let
- domains = import ./hosts.nix {};
- importedRedirects = import ./redirects.nix {};
- mkRedirect = {
- key,
- value,
- }: {
- name = key;
- value = {
- forceSSL = true;
- enableACME = true;
- locations."/".return = "301 ${value}";
- };
- };
- mkVirtHost = {
- domain,
- root ? "",
- url,
- extraSettings ? {},
- }: {
- name = "${domain}";
- value =
- lib.recursiveUpdate {
- forceSSL = true;
- enableACME = true;
- root = "/etc/nginx/websites/${domain}/${root}";
- }
- extraSettings;
- };
-
- mkNixSyncRepository = {
- domain,
- root ? "",
- url,
- extraSettings ? {},
- }: {
- name = "${domain}";
- value = {
- path = "/etc/nginx/websites/${domain}/${root}";
- uri = "${url}";
- inherit extraSettings;
- };
- };
-
- virtHosts = builtins.listToAttrs (builtins.map mkVirtHost domains);
- nixSyncRepositories = builtins.listToAttrs (builtins.map mkNixSyncRepository domains);
- redirects = builtins.listToAttrs (builtins.map mkRedirect importedRedirects);
-in {
- security.acme = {
- acceptTerms = true;
- defaults = {
- email = "admin@vhack.eu";
- webroot = "/var/lib/acme/acme-challenge";
- };
- };
-
- networking.firewall = {
- allowedTCPPorts = [80 443];
- };
- services.nginx = {
- enable = true;
- # The merge here is fine, as no domain should be specified twice
- virtualHosts =
- {
- "gallery.s-schoeffel.de" = {
- forceSSL = true;
- enableACME = true;
- root = "/srv/gallery.s-schoeffel.de";
- };
- }
- // virtHosts
- // redirects;
- };
-
- services.nix-sync = {
- enable = true;
- repositories = nixSyncRepositories;
- };
-}