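# Puts an anubis instance in front of every domain listed in
# `vhack.anubis.instances` and terminates TLS for it in nginx.
#
# Request path: client -> nginx (ACME + forced HTTPS) -> anubis unix socket
# -> `target`.
{
  config,
  lib,
  ...
}: let
  cfg = config.vhack.anubis;
  hasInstances = cfg.instances != {};

  # One anubis instance per domain, each with its own directory below
  # /run/anubis, so the sockets of different domains never share a path.
  #
  # NOTE(review): the metrics socket sits in the same directory as the main
  # socket, and nginx is added to the anubis group further down. If nginx is
  # not supposed to read metrics, confirm the socket modes anubis applies.
  anubisInstances =
    lib.mapAttrs (domain: conf: {
      settings = {
        TARGET = conf.target;
        BIND = "/run/anubis/anubis-${domain}/anubis.sock";
        METRICS_BIND = "/run/anubis/anubis-${domain}/anubis-metrics.sock";
      };
    })
    cfg.instances;

  # One nginx virtual host per domain. It proxies everything to the unix
  # socket of the matching anubis instance, so nginx never talks to `target`
  # directly.
  nginxVirtualHosts =
    lib.mapAttrs (domain: _: {
      locations."/" = {
        proxyPass = "http://unix:${config.services.anubis.instances.${domain}.settings.BIND}";
        recommendedProxySettings = true;
        proxyWebsockets = true;
      };

      # Plain HTTP is only used for the redirect to HTTPS.
      enableACME = true;
      forceSSL = true;
    })
    cfg.instances;
in {
  options.vhack.anubis.instances = lib.mkOption {
    description = ''
      Protect this reverse proxy with anubis.
      The attr key is the subdomain, the value the config.
    '';
    type = lib.types.attrsOf (lib.types.submodule {
      options = {
        target = lib.mkOption {
          description = ''
            Backend URL that anubis forwards requests to (its `TARGET` setting).
            The backend should only be reachable through anubis, for example
            by listening on loopback; otherwise the protection can be bypassed.
          '';
          type = lib.types.str;
          example = "http://127.0.0.1:8080";
        };
      };
    });
    default = {};
    # `''${` is the escape for a literal `${` inside an indented string.
    example = lib.literalExpression ''
      {
        "git.example.org" = {
          target = "http://127.0.0.1:''${toString config.services.<name>.port}";
        };
      }
    '';
  };

  # Nothing below applies unless at least one instance is configured, so a
  # host that merely imports this module does not get an nginx daemon, an
  # anubis user or extra group memberships it has no use for.
  config = lib.mkIf hasInstances {
    users = {
      # nginx must be in the anubis group to be able to open the sockets.
      users.nginx.extraGroups = [config.services.anubis.defaultOptions.group];

      # Static ids taken from the project-wide id table.
      users.anubis = {
        uid = config.vhack.constants.ids.uids.anubis;
        group = "anubis";
      };
      groups.anubis.gid = config.vhack.constants.ids.gids.anubis;
    };

    vhack.nginx.enable = true;

    services = {
      anubis = {
        # NOTE(review): presumably makes anubis derive the cookie domain from
        # the requested host, so one default fits every instance; confirm
        # against the anubis documentation.
        defaultOptions.settings.COOKIE_DYNAMIC_DOMAIN = true;
        instances = anubisInstances;
      };

      nginx = {
        enable = true;
        recommendedTlsSettings = true;
        recommendedOptimisation = true;
        recommendedGzipSettings = true;
        recommendedProxySettings = true;
        virtualHosts = nginxVirtualHosts;
      };
    };
  };
}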