Diffstat (limited to 'modules')
-rw-r--r--modules/by-name/co/constants/module.nix2
-rw-r--r--modules/by-name/ma/matrix/module.nix6
-rw-r--r--modules/by-name/ma/matrix/passwd.age15
-rw-r--r--modules/by-name/ni/nix-sync/hosts.nix48
-rw-r--r--modules/by-name/ni/nix-sync/module.nix70
-rw-r--r--modules/default.nix19
6 files changed, 65 insertions, 95 deletions
diff --git a/modules/by-name/co/constants/module.nix b/modules/by-name/co/constants/module.nix
index b344fcd..fed14d3 100644
--- a/modules/by-name/co/constants/module.nix
+++ b/modules/by-name/co/constants/module.nix
@@ -25,6 +25,7 @@
       nscd = 330;
       sshd = 331;
       systemd-oom = 332;
+      nix-sync = 334;
       redis-peertube = 990;
       peertube = 992; # TODO Sort correctly
       mastodon = 996;
@@ -47,6 +48,7 @@
       sshd = 331;
       systemd-oom = 332;
       resolvconf = 333; # This group is not matched to an user?
+      nix-sync = 334;
       systemd-coredump = 151; # matches systemd-coredump user
       redis-peertube = 990;
       peertube = 992;
diff --git a/modules/by-name/ma/matrix/module.nix b/modules/by-name/ma/matrix/module.nix
index a73fd13..4b730da 100644
--- a/modules/by-name/ma/matrix/module.nix
+++ b/modules/by-name/ma/matrix/module.nix
@@ -24,10 +24,14 @@ in {
       type = lib.types.str;
       description = "The url the matrix-server should be known under.";
     };
+    sharedSecretFile = lib.mkOption {
+      type = lib.types.path;
+      description = "The age encrypted shared secret file for synapse, passed to agenix";
+    };
   };
   config = lib.mkIf cfg.enable {
     age.secrets.matrix-synapse_registration_shared_secret = {
-      file = ./passwd.age;
+      file = cfg.sharedSecretFile;
       mode = "700";
       owner = "matrix-synapse";
       group = "matrix-synapse";
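Review bot: `sharedSecretFile` is declared without an `example`, and its description does not say that the value is handed unchanged to `age.secrets.matrix-synapse_registration_shared_secret.file` a few lines below, i.e. it must point at the age ciphertext encrypted to this host's agenix identity, never at the plaintext secret. Suggest `description = "Path to the age-encrypted synapse registration shared secret; passed unchanged to agenix as the secret's file.";` plus an `example` with a placeholder path. Since `passwd.age` is deleted from the module tree rather than rewritten out of history, its ciphertext stays in git history; that is acceptable as long as no recipient private key has been exposed, otherwise the secret needs rotating regardless of this move.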
diff --git a/modules/by-name/ma/matrix/passwd.age b/modules/by-name/ma/matrix/passwd.age
deleted file mode 100644
index 6386ed6..0000000
--- a/modules/by-name/ma/matrix/passwd.age
+++ /dev/null
@@ -1,15 +0,0 @@
------BEGIN AGE ENCRYPTED FILE-----
-YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrRFcxajBUb2s4dDVKeVZF
-bFE1NUNwS2p0NjhZd2Y0MWNNbFFDcE1VSTJ3Cmdsdmh1MFJ2bWcxVWZlVm1idGdC
-aXU3bnlmVkpydXpMYnh2djNURjd6L0UKLT4gWDI1NTE5IHRidGtkVGZDV0Npck9q
-Y1pRYjVUVWVYMkZxcCtyTGRkQWRGQXB1dEhVR3cKQzNwQndqZTBHTVBnbUg5bWNk
-ZFpOSG1UZzZXQ2kxQjRXUS80Tmx0ZURiMAotPiBzc2gtZWQyNTUxOSBweXU5Ymcg
-YmNaeGV2WTJqZFFSTXhDS1hScDZrV1ZWU1FyYWRtSGNoR3NGUjZ0WmpqSQptRnR5
-cDI4VDFXL2t3VzdnSGF5VzBIbzhzU1NuQmNuUXhReHNVNGd4bnFJCi0+ICJ9OUlg
-LWdyZWFzZQpDYks4Y2dUeEowTHh6cnJsNmpXRGpDYWU1RkRwbC9nYjB2RmtMZjhy
-dTBhVEU1ak04U0VYUkh0WUJsK3h5cXBRCmZ4ekRRczFDZWptWkJQbXZ6NDU0dUh3
-RTlkVkxxQ00xeHNmMkZSS0JIZGpmOU5UYSt1bWdRNlZWbC9ZdQotLS0gbG9RR0Iv
-OTBleHBTS1ZVYjZSODEranR5cGxsTkh1elZwQi9Gd21VbUxkRQoJ+dUdl1CVle6A
-sLVikThgDKKpMekZeLhx97gC6Vxfxd9oJiw1SS7xOjMZz6xcOCG1l1NidrNHmhnK
-4xQMcvHU+5Ogw3YUnPcL1sGjYWkvgUcwie+WEKZFXkCaJwz91ria
------END AGE ENCRYPTED FILE-----
diff --git a/modules/by-name/ni/nix-sync/hosts.nix b/modules/by-name/ni/nix-sync/hosts.nix
deleted file mode 100644
index 98dbbf1..0000000
--- a/modules/by-name/ni/nix-sync/hosts.nix
+++ /dev/null
@@ -1,48 +0,0 @@
-{...}: let
-  extraWkdSettings = {
-    locations."/.well-known/openpgpkey/hu/".extraConfig = ''
-      default_type application/octet-stream;
-
-      # Came from: https://www.uriports.com/blog/setting-up-openpgp-web-key-directory/
-      # No idea if it is actually necessary
-      # add_header Access-Control-Allow-Origin * always;
-    '';
-  };
-in [
-  {
-    domain = "vhack.eu";
-    url = "https://codeberg.org/vhack.eu/website.git";
-  }
-  {
-    domain = "b-peetz.de";
-    url = "https://codeberg.org/bpeetz/b-peetz.de.git";
-  }
-
-  # Trinitrix
-  {
-    domain = "trinitrix.vhack.eu";
-    url = "https://codeberg.org/trinitrix/website.git";
-  }
-
-  # WKD
-  {
-    domain = "openpgpkey.b-peetz.de";
-    url = "https://codeberg.org/vhack.eu/gpg_wkd.git";
-    extraSettings = extraWkdSettings;
-  }
-  {
-    domain = "openpgpkey.s-schoeffel.de";
-    url = "https://codeberg.org/vhack.eu/gpg_wkd.git";
-    extraSettings = extraWkdSettings;
-  }
-  {
-    domain = "openpgpkey.sils.li";
-    url = "https://codeberg.org/vhack.eu/gpg_wkd.git";
-    extraSettings = extraWkdSettings;
-  }
-  {
-    domain = "openpgpkey.vhack.eu";
-    url = "https://codeberg.org/vhack.eu/gpg_wkd.git";
-    extraSettings = extraWkdSettings;
-  }
-]
diff --git a/modules/by-name/ni/nix-sync/module.nix b/modules/by-name/ni/nix-sync/module.nix
index de096b9..9ddd210 100644
--- a/modules/by-name/ni/nix-sync/module.nix
+++ b/modules/by-name/ni/nix-sync/module.nix
@@ -1,43 +1,44 @@
 {
   config,
   lib,
+  modulesPath,
+  nixLib,
   ...
 }: let
   cfg = config.vhack.nix-sync;
 
   mkNixSyncRepository = {
     domain,
-    root ? "",
-    url,
-    extraSettings ? {},
+    repositoryUrl,
+    extraSettings,
   }: {
     name = "${domain}";
     value = {
-      path = "/etc/nginx/websites/${domain}/${root}";
-      uri = "${url}";
+      path = "/etc/nginx/websites/${domain}";
+      uri = "${repositoryUrl}";
       inherit extraSettings;
     };
   };
-  nixSyncRepositories = builtins.listToAttrs (builtins.map mkNixSyncRepository domains);
+  nixSyncRepositories = builtins.listToAttrs (builtins.map mkNixSyncRepository cfg.domains);
 
   mkVirtHost = {
     domain,
-    root ? "",
-    url,
-    extraSettings ? {},
+    repositoryUrl,
+    extraSettings,
   }: {
     name = "${domain}";
     value =
-      lib.recursiveUpdate {
+      # FIXME(@bpeetz): We cannot use something like `lib.recursiveUpdate` because the
+      # `extraSettings` are instantiated from the “real” nginx type. As such the
+      # `extaSettings` would override our values here. Therefore, the direct merge. <2025-02-07>
+      extraSettings
+      // {
         forceSSL = true;
         enableACME = true;
-        root = "/etc/nginx/websites/${domain}/${root}";
-      }
-      extraSettings;
+        root = "/etc/nginx/websites/${domain}";
+      };
   };
-  virtHosts = builtins.listToAttrs (builtins.map mkVirtHost domains);
-
-  domains = import ./hosts.nix {};
+  virtHosts = builtins.listToAttrs (builtins.map mkVirtHost cfg.domains);
 in {
   imports = [
     ./internal_module.nix
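Review bot: `nixLib` is added to the module's argument set at the top of the hunk, but nothing in the hunk references it; if the rest of module.nix does not use it either, the argument should be dropped, since an unused module argument is accepted silently and hides the dead binding. The FIXME comment above the merge spells `extraSettings` as `extaSettings` on its third line. With `extraSettings // { … }` the module's `forceSSL`, `enableACME` and `root` now take precedence over anything a user sets in `extraSettings`, which matches the comment's intent but is the opposite of the old `lib.recursiveUpdate` order, so it is worth stating in the `domains.*.extraSettings` option description that those three attributes cannot be overridden.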
@@ -47,6 +48,38 @@ in {
     enable = lib.mkEnableOption ''
       a website git ops solution.
     '';
+
+    domains = lib.mkOption {
+      type = lib.types.listOf (lib.types.submodule {
+        options = {
+          domain = lib.mkOption {
+            type = lib.types.str;
+            example = "b-peetz.de";
+            description = ''
+              The fully qualified domain to use as base of this website.
+            '';
+          };
+          repositoryUrl = lib.mkOption {
+            type = lib.types.str;
+            example = "b-peetz.de";
+            description = ''
+              The url used for the source git repository, which is deployed at this domain.
+            '';
+          };
+          extraSettings = lib.mkOption {
+            type =
+              lib.types.submodule (import (modulesPath + "/services/web-servers/nginx/vhost-options.nix") {inherit config lib;});
+            example = {
+              locations."/.well-known/openpgpkey/".extraConfig = "default_type application/octet-stream";
+            };
+            default = {};
+            description = ''
+              Extra configuration to add to the nginx virtual host.
+            '';
+          };
+        };
+      });
+    };
   };
 
   config = lib.mkIf cfg.enable {
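Review bot: The `example` for `repositoryUrl` (`example = "b-peetz.de";`) is a copy of the `domain` example and is not a URL; a git remote such as `example = "https://codeberg.org/bpeetz/b-peetz.de.git";` would show the expected form. The `extraSettings` description should also say that `forceSSL`, `enableACME` and `root` are fixed by this module and override any value set here, because the merge in the `let` block gives the module's values precedence. Everything else in the full nginx vhost type is honoured verbatim, which is worth one sentence so users know the option is a complete vhost definition rather than a small override set.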
@@ -66,5 +99,10 @@ in {
 
     vhack.nginx.enable = true;
     services.nginx.virtualHosts = virtHosts;
+
+    users = {
+      users.nix-sync.uid = config.vhack.constants.ids.uids.nix-sync;
+      groups.nix-sync.gid = config.vhack.constants.ids.gids.nix-sync;
+    };
   };
 }
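Review bot: `users.users.nix-sync` is defined with only a `uid`; unless the user is declared elsewhere (for example in `./internal_module.nix`, imported at the top of this file), NixOS also needs `isSystemUser = true;` and `group = "nix-sync";` here, otherwise evaluation fails the isSystemUser/isNormalUser assertion and the account would not be placed in the matching `nix-sync` group that this hunk creates. Suggested lines: `users.nix-sync = { uid = config.vhack.constants.ids.uids.nix-sync; group = "nix-sync"; isSystemUser = true; };`. I cannot see the rest of the `config` block or the imported module, so this may already be covered.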
diff --git a/modules/default.nix b/modules/default.nix
index 61d259d..0618f90 100644
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -1,21 +1,10 @@
 {nixLib, ...}: let
-  files =
-    builtins.attrValues
-    (nixLib.mkByName {
+  files = builtins.attrValues (
+    nixLib.mkByName {
       baseDirectory = ./by-name;
       fileName = "module.nix";
-
-      # We only want the base paths.
-      finalizeFunction = name: value: value;
-
-      # TODO: Re-activate, when/if most modules have tests.  <2024-11-23>
-      # coImportsNameFunction = {
-      #   shard,
-      #   name,
-      # }:
-      #   ../tests/by-name + "/${shard}" + "/${name}" + "/test.nix";
-      # coImportsWarnMessageObject = "test";
-    });
+    }
+  );
 in {
   imports = files;
 }