authorBenedikt Peetz <benedikt.peetz@b-peetz.de>2025-12-18 17:15:09 +0100
committerBenedikt Peetz <benedikt.peetz@b-peetz.de>2025-12-18 17:15:09 +0100
commita65b247f94cc542bafdc68b8642bcaa176e02c9c (patch)
tree9abcebc3af5ff5e5b967758529469cea1748b96f /modules
parentscripts: Consolidate in `scripts` directory and advance (diff)
modules/anubis: Introduce and setup
This should hopefully reduce the workload applied to our servers. Notably, `cgit` is not yet behind it, as it requires more work, considering that it is a CGI application.
Diffstat (limited to 'modules')
-rw-r--r--modules/by-name/an/anubis/module.nix90
-rw-r--r--modules/by-name/at/atuin-sync/module.nix12
-rw-r--r--modules/by-name/co/constants/module.nix2
-rw-r--r--modules/by-name/et/etesync/module.nix14
-rw-r--r--modules/by-name/gi/git-back/module.nix10
-rw-r--r--modules/by-name/re/redlib/module.nix10
6 files changed, 98 insertions, 40 deletions
diff --git a/modules/by-name/an/anubis/module.nix b/modules/by-name/an/anubis/module.nix
new file mode 100644
index 0000000..e30a0a0
--- /dev/null
+++ b/modules/by-name/an/anubis/module.nix
@@ -0,0 +1,90 @@
+{
+ config,
+ lib,
+ ...
+}: let
+ cfg = config.vhack.anubis;
+
+ anubisInstances =
+ lib.mapAttrs (domain: conf: {
+ settings = {
+ TARGET = conf.target;
+ BIND = "/run/anubis/anubis-${domain}/anubis.sock";
+ METRICS_BIND = "/run/anubis/anubis-${domain}/anubis-metrics.sock";
+ };
+ })
+ cfg.instances;
+
+ nginxVirtualHosts = lib.mapAttrs' (domain: conf:
+ lib.nameValuePair domain {
+ locations."/" = {
+ proxyPass = "http://unix:${config.services.anubis.instances."${domain}".settings.BIND}";
+
+ recommendedProxySettings = true;
+ proxyWebsockets = true;
+ };
+
+ enableACME = true;
+ forceSSL = true;
+ })
+ cfg.instances;
+in {
+ options.vhack.anubis.instances = lib.mkOption {
+ description = ''
+ Protect this reverse proxy with anubis.
+
+ The attr key is the subdomain, the value the config.
+ '';
+
+ type = lib.types.attrsOf (lib.types.submodule {
+ options = {
+ target = lib.mkOption {
+ description = "nginx `proxyPass` target";
+ type = lib.types.str;
+ example = "http://127.0.0.1:8080";
+ };
+ };
+ config = {};
+ });
+
+ default = {};
+
+ example = lib.literalExample ''
+ {
+ target = "http://127.0.0.1:$${toString config.servies.<name>.port}";
+ }
+ '';
+ };
+
+ config = {
+ users = {
+ users.nginx.extraGroups = [
+ config.services.anubis.defaultOptions.group
+ ];
+
+ users.anubis = {
+ uid = config.vhack.constants.ids.uids.anubis;
+ group = "anubis";
+ };
+ groups.anubis.gid = config.vhack.constants.ids.gids.anubis;
+ };
+
+ services = {
+ anubis = {
+ defaultOptions.settings.COOKIE_DYNAMIC_DOMAIN = true;
+ instances = anubisInstances;
+ };
+
+ nginx = {
+ enable = true;
+
+ recommendedTlsSettings = true;
+ recommendedOptimisation = true;
+ recommendedGzipSettings = true;
+ recommendedProxySettings = true;
+
+ virtualHosts = nginxVirtualHosts;
+ };
+ };
+ };
+}
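Review bot: The option documentation at lines 61-85 does not match how the option is used: the example is a bare `{ target = ...; }` rather than an attrset keyed by domain, it references `config.servies.<name>.port` (typo for `services`), and the description calls the key a "subdomain" while every caller in this commit passes a fully qualified name. Suggest `example = lib.literalExpression '' { "app.example.org" = { target = "http://127.0.0.1:8080"; }; } '';` (`lib.literalExample` is deprecated in favour of `lib.literalExpression`) and a description reading "The attr key is the fully qualified domain name nginx serves, the value the config." Separately, the `config` block at lines 87-117 is unconditional, so merely importing the module enables nginx and creates the anubis user and group even when `instances` is empty; wrapping it as `config = lib.mkIf (cfg.instances != {}) { … };` keeps the module inert until used. The `users.anubis` definition at line 93 also lacks `isSystemUser = true;`, which NixOS asserts on unless the upstream anubis module already declares it for this user — worth confirming before this is deployed.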
diff --git a/modules/by-name/at/atuin-sync/module.nix b/modules/by-name/at/atuin-sync/module.nix
index 0db2e29..e0d75bb 100644
--- a/modules/by-name/at/atuin-sync/module.nix
+++ b/modules/by-name/at/atuin-sync/module.nix
@@ -19,17 +19,9 @@ in {
config = lib.mkIf cfg.enable {
vhack.nginx.enable = true;
- services = {
- nginx.virtualHosts."${cfg.fqdn}" = {
- locations."/" = {
- proxyPass = "http://127.0.0.1:${toString config.services.atuin.port}";
- recommendedProxySettings = true;
- };
-
- enableACME = true;
- forceSSL = true;
- };
+ vhack.anubis.instances."${cfg.fqdn}".target = "http://127.0.0.1:${toString config.services.atuin.port}";
+ services = {
atuin = {
enable = true;
package = vhackPackages.atuin-server-only;
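Review bot: Line 125 keeps `vhack.nginx.enable = true;` although all nginx configuration for this host now comes from `vhack.anubis.instances` (line 136), and the new anubis module enables `services.nginx` and sets the recommended* options itself. If `vhack.nginx` does nothing beyond that enabling, the line is now redundant; if it layers extra settings (headers, limits, logging) on the vhosts, the anubis-generated vhost may silently lack them — worth checking that the two modules compose as intended, or documenting the dependency with `# vhack.nginx is still needed for <reason>` next to line 125. The `config` attrset starts at line 124 and continues past the end of the hunk.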
diff --git a/modules/by-name/co/constants/module.nix b/modules/by-name/co/constants/module.nix
index 1513b0c..fa9ce17 100644
--- a/modules/by-name/co/constants/module.nix
+++ b/modules/by-name/co/constants/module.nix
@@ -53,6 +53,7 @@
sharkey = 339;
redis-sharkey = 340;
grocy = 341;
+ anubis = 342;
# As per the NixOS file, the uids should not be greater or equal to 400;
};
@@ -64,6 +65,7 @@
inherit
(uids)
acme
+ anubis
dhcpcd
etebase-server
knot-resolver
diff --git a/modules/by-name/et/etesync/module.nix b/modules/by-name/et/etesync/module.nix
index bcabc8a..4dc8575 100644
--- a/modules/by-name/et/etesync/module.nix
+++ b/modules/by-name/et/etesync/module.nix
@@ -45,26 +45,14 @@ in {
];
services.nginx = {
- enable = true;
- recommendedTlsSettings = true;
- recommendedOptimisation = true;
- recommendedGzipSettings = true;
- recommendedProxySettings = true;
-
virtualHosts = {
"etebase.vhack.eu" = {
- enableACME = true;
- forceSSL = true;
-
locations = {
# TODO: Maybe fix permissions to use pregenerated static files which would
# improve performance.
#"/static" = {
# root = config.services.etebase-server.settings.global.static_root;
#};
- "/" = {
- proxyPass = "http://127.0.0.1:${builtins.toString config.services.etebase-server.port}";
- };
};
serverAliases = [
"dav.vhack.eu"
@@ -72,6 +60,8 @@ in {
};
};
};
+ vhack.anubis.instances."etebase.vhack.eu".target = "http://127.0.0.1:${builtins.toString config.services.etebase-server.port}";
+
users = {
users.etebase-server.uid = config.vhack.constants.ids.uids.etebase-server;
groups.etebase-server.gid = config.vhack.constants.ids.gids.etebase-server;
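Review bot: The domain `etebase.vhack.eu` is now spelled out twice — as the `services.nginx.virtualHosts` key that still carries `serverAliases` (line 174, previous hunk) and as the `vhack.anubis.instances` key added at line 194 — and the two must stay byte-identical for the module system to merge the anubis-generated `locations."/"`, `enableACME` and `forceSSL` into this vhost; binding it once, e.g. `let domain = "etebase.vhack.eu"; in` at the top of the module, would stop them drifting. The nginx block left in the first hunk now contributes only `serverAliases` and a commented-out static location, so a comment such as `# proxying and TLS for this vhost are generated from vhack.anubis.instances` would explain why no `locations."/"` is defined here. Requests arriving via the aliases (`dav.vhack.eu`, …) will also pass through anubis; with `COOKIE_DYNAMIC_DOMAIN` the challenge cookie follows the request host, so this is presumably intended, but it is worth a note. The enclosing `config` attrset starts and ends outside both hunks.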
diff --git a/modules/by-name/gi/git-back/module.nix b/modules/by-name/gi/git-back/module.nix
index 96f4913..7df1bac 100644
--- a/modules/by-name/gi/git-back/module.nix
+++ b/modules/by-name/gi/git-back/module.nix
@@ -28,14 +28,6 @@ in {
};
};
- services.nginx = {
- enable = true;
- virtualHosts."${cfg.domain}" = {
- locations."/".proxyPass = "http://127.0.0.1:8000";
-
- enableACME = true;
- forceSSL = true;
- };
- };
+ vhack.anubis.instances."${cfg.domain}".target = "http://127.0.0.1:8000";
};
}
diff --git a/modules/by-name/re/redlib/module.nix b/modules/by-name/re/redlib/module.nix
index 909c9f1..4d3c600 100644
--- a/modules/by-name/re/redlib/module.nix
+++ b/modules/by-name/re/redlib/module.nix
@@ -23,14 +23,6 @@ in {
openFirewall = false;
};
- services.nginx = {
- enable = true;
- virtualHosts.${domain} = {
- locations."/".proxyPass = "http://127.0.0.1:${toString config.services.redlib.port}";
-
- enableACME = true;
- forceSSL = true;
- };
- };
+ vhack.anubis.instances."${domain}".target = "http://127.0.0.1:${toString config.services.redlib.port}";
};
}