| author | Benedikt Peetz <benedikt.peetz@b-peetz.de> | 2025-12-18 17:15:09 +0100 |
|---|---|---|
| committer | Benedikt Peetz <benedikt.peetz@b-peetz.de> | 2025-12-18 17:15:09 +0100 |
| commit | a65b247f94cc542bafdc68b8642bcaa176e02c9c (patch) | |
| tree | 9abcebc3af5ff5e5b967758529469cea1748b96f /modules/by-name/an/anubis | |
| parent | scripts: Consolidate in `scripts` directory and advance (diff) | |
| download | nixos-server-a65b247f94cc542bafdc68b8642bcaa176e02c9c.zip | |
modules/anubis: Introduce and setup
This should hopefully reduce the workload applied to our servers. Notably, `cgit` is not yet behind it, as it requires more, considering that it is a fgi application.
Diffstat (limited to '')
| -rw-r--r-- | modules/by-name/an/anubis/module.nix | 90 |
1 files changed, 90 insertions, 0 deletions
diff --git a/modules/by-name/an/anubis/module.nix b/modules/by-name/an/anubis/module.nix
new file mode 100644
index 0000000..e30a0a0
--- /dev/null
+++ b/modules/by-name/an/anubis/module.nix
@@ -0,0 +1,90 @@
+{
+ config,
+ lib,
+ ...
+}: let
+ cfg = config.vhack.anubis;
+
+ anubisInstances =
+ lib.mapAttrs (domain: conf: {
+ settings = {
+ TARGET = conf.target;
+ BIND = "/run/anubis/anubis-${domain}/anubis.sock";
+ METRICS_BIND = "/run/anubis/anubis-${domain}/anubis-metrics.sock";
+ };
+ })
+ cfg.instances;
+
+ nginxVirtualHosts = lib.mapAttrs' (domain: conf:
+ lib.nameValuePair domain {
+ locations."/" = {
+ proxyPass = "http://unix:${config.services.anubis.instances."${domain}".settings.BIND}";
+
+ recommendedProxySettings = true;
+ proxyWebsockets = true;
+ };
+
+ enableACME = true;
+ forceSSL = true;
+ })
+ cfg.instances;
+in {
+ options.vhack.anubis.instances = lib.mkOption {
+ description = ''
+ Protect this reverse proxy with anubis.
+
+ The attr key is the subdomain, the value the config.
+ '';
+
+ type = lib.types.attrsOf (lib.types.submodule {
+ options = {
+ target = lib.mkOption {
+ description = "nginx `proxyPass` target";
+ type = lib.types.str;
+ example = "http://127.0.0.1:8080";
+ };
+ };
+ config = {};
+ });
+
+ default = {};
+
+ example = lib.literalExample ''
+ {
+ target = "http://127.0.0.1:$${toString config.servies.<name>.port}";
+ }
+ '';
+ };
+
+ config = {
+ users = {
+ users.nginx.extraGroups = [
+ config.services.anubis.defaultOptions.group
+ ];
+
+ users.anubis = {
+ uid = config.vhack.constants.ids.uids.anubis;
+ group = "anubis";
+ };
+ groups.anubis.gid = config.vhack.constants.ids.gids.anubis;
+ };
+
+ services = {
+ anubis = {
+ defaultOptions.settings.COOKIE_DYNAMIC_DOMAIN = true;
+ instances = anubisInstances;
+ };
+
+ nginx = {
+ enable = true;
+
+ recommendedTlsSettings = true;
+ recommendedOptimisation = true;
+ recommendedGzipSettings = true;
+ recommendedProxySettings = true;
+
+ virtualHosts = nginxVirtualHosts;
+ };
+ };
+ };
+} |
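Review bot: The `config = {` block is unconditional, so every host that evaluates this module gets `services.nginx.enable = true`, the `anubis` user and group, and the nginx group membership even when `vhack.anubis.instances` is empty; guarding it as `config = lib.mkIf (cfg.instances != {}) {` would keep nginx and the extra account off machines that define no instance. The `target` option is described as "nginx `proxyPass` target", but in this module nginx proxies to the Anubis socket and `target` becomes Anubis's `TARGET`. Anubis only filters traffic that arrives through it, so the description should state that the backend must not be reachable any other way, for example `description = "Backend URL Anubis forwards to; it should listen on loopback or a unix socket only";`. The option example also misspells `config.servies` (should be `config.services`), and it shows a bare submodule value rather than an attrset keyed by domain, which is what the `attrsOf` type expects.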
