Diffstat (limited to 'modules/by-name/an/anubis/module.nix')
| -rw-r--r-- | modules/by-name/an/anubis/module.nix | 90 |
1 files changed, 90 insertions, 0 deletions
diff --git a/modules/by-name/an/anubis/module.nix b/modules/by-name/an/anubis/module.nix
new file mode 100644
index 0000000..e30a0a0
--- /dev/null
+++ b/modules/by-name/an/anubis/module.nix
@@ -0,0 +1,90 @@
+{
+ config,
+ lib,
+ ...
+}: let
+ cfg = config.vhack.anubis;
+
+ anubisInstances =
+ lib.mapAttrs (domain: conf: {
+ settings = {
+ TARGET = conf.target;
+ BIND = "/run/anubis/anubis-${domain}/anubis.sock";
+ METRICS_BIND = "/run/anubis/anubis-${domain}/anubis-metrics.sock";
+ };
+ })
+ cfg.instances;
+
+ nginxVirtualHosts = lib.mapAttrs' (domain: conf:
+ lib.nameValuePair domain {
+ locations."/" = {
+ proxyPass = "http://unix:${config.services.anubis.instances."${domain}".settings.BIND}";
+
+ recommendedProxySettings = true;
+ proxyWebsockets = true;
+ };
+
+ enableACME = true;
+ forceSSL = true;
+ })
+ cfg.instances;
+in {
+ options.vhack.anubis.instances = lib.mkOption {
+ description = ''
+ Protect this reverse proxy with anubis.
+
+ The attr key is the subdomain, the value the config.
+ '';
+
+ type = lib.types.attrsOf (lib.types.submodule {
+ options = {
+ target = lib.mkOption {
+ description = "nginx `proxyPass` target";
+ type = lib.types.str;
+ example = "http://127.0.0.1:8080";
+ };
+ };
+ config = {};
+ });
+
+ default = {};
+
+ example = lib.literalExample ''
+ {
+ target = "http://127.0.0.1:$${toString config.servies.<name>.port}";
+ }
+ '';
+ };
+
+ config = {
+ users = {
+ users.nginx.extraGroups = [
+ config.services.anubis.defaultOptions.group
+ ];
+
+ users.anubis = {
+ uid = config.vhack.constants.ids.uids.anubis;
+ group = "anubis";
+ };
+ groups.anubis.gid = config.vhack.constants.ids.gids.anubis;
+ };
+
+ services = {
+ anubis = {
+ defaultOptions.settings.COOKIE_DYNAMIC_DOMAIN = true;
+ instances = anubisInstances;
+ };
+
+ nginx = {
+ enable = true;
+
+ recommendedTlsSettings = true;
+ recommendedOptimisation = true;
+ recommendedGzipSettings = true;
+ recommendedProxySettings = true;
+
+ virtualHosts = nginxVirtualHosts;
+ };
+ };
+ };
+}
|
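Review bot: The `config = { … }` block at the end of the hunk is not guarded, so any host that imports this module gets `services.nginx.enable = true`, the `anubis` user and group, and `nginx` added to the anubis group even when `vhack.anubis.instances` is left at its default `{}`. Wrapping it as `config = lib.mkIf (cfg.instances != {}) { … };` keeps a web server from being started on machines that never asked for one. The `target` description could also state that the backend should listen on loopback or a unix socket only, since a backend reachable directly from the network bypasses the Anubis challenge. In the option example, `config.servies` looks like a typo for `config.services`, and the example omits the domain attribute key that `attrsOf` expects.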
