path: root/modules/by-name/an/anubis/module.nix
# NixOS module: for every entry in `vhack.anubis.instances` this file declares
# an Anubis instance (`services.anubis.instances`) and an nginx virtual host
# that proxies to that instance over a unix socket.
{
  config,
  lib,
  ...
}: let
  # Shorthand for this module's own option tree.
  cfg = config.vhack.anubis;

  # One `services.anubis.instances` entry per configured domain.
  #
  # Both the listener and the metrics endpoint are given paths under
  # /run/anubis/anubis-<domain>/ rather than a host:port pair.
  # NOTE(review): this presumably relies on the upstream module treating these
  # values as unix sockets (its *_BIND_NETWORK defaults) and on it creating the
  # runtime directory with matching permissions; confirm against the nixpkgs module.
  # NOTE(review): the attribute key is spliced into a filesystem path unchanged,
  # so keys are expected to be plain host names.
  anubisInstances = let
    mkInstance = domain: conf: let
      runtimeDir = "/run/anubis/anubis-${domain}";
    in {
      settings = {
        TARGET = conf.target;
        BIND = "${runtimeDir}/anubis.sock";
        METRICS_BIND = "${runtimeDir}/anubis-metrics.sock";
      };
    };
  in
    lib.mapAttrs mkInstance cfg.instances;

  # One nginx virtual host per configured domain, keyed by the same attribute
  # name as the instance. nginx serves the domain over HTTPS only (ACME
  # certificate, forced redirect) and hands every request under "/" to the
  # Anubis socket of that domain; nginx never talks to `target` directly.
  nginxVirtualHosts = let
    # Read the socket path back from the evaluated Anubis config so nginx
    # always follows whatever BIND the instance ended up with.
    anubisSocketFor = domain: config.services.anubis.instances.${domain}.settings.BIND;

    # The per-domain config is not needed here; only the key is used.
    mkVirtualHost = domain: _conf: {
      forceSSL = true;
      enableACME = true;

      locations."/" = {
        proxyPass = "http://unix:${anubisSocketFor domain}";
        proxyWebsockets = true;
        recommendedProxySettings = true;
      };
    };
  in
    lib.mapAttrs mkVirtualHost cfg.instances;
in {
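  # Per-domain option set. Every key yields one Anubis instance and one nginx
  # virtual host of the same name (built in the `let` bindings of this file).
  options.vhack.anubis.instances = lib.mkOption {
    description = ''
      Protect reverse-proxied services with Anubis.

      The attribute key is the domain. It is used as the name of the nginx
      virtual host and of the Anubis instance. The value is the per-domain
      config.
    '';

    type = lib.types.attrsOf (lib.types.submodule {
      options = {
        target = lib.mkOption {
          # This value becomes the instance's `TARGET`; nginx itself proxies to
          # the Anubis socket, not to this URL.
          description = ''
            Upstream URL that Anubis forwards requests to (its `TARGET` setting).

            The upstream should only be reachable locally (loopback address or
            unix socket); a listener that is reachable from outside can be
            accessed without passing through Anubis.
          '';
          type = lib.types.str;
          example = "http://127.0.0.1:8080";
        };
      };
    });

    default = {};

    # The option is an attrset keyed by domain, so the example shows a full
    # entry. `'''${` is the indented-string escape that renders a literal `''${`.
    # The host name below is a constructed sample value.
    example = lib.literalExpression ''
      {
        "git.example.org" = {
          target = "http://127.0.0.1:''${toString config.services.<name>.port}";
        };
      }
    '';
  };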

  # NOTE(review): nothing here is wrapped in `lib.mkIf`, so importing this
  # module enables nginx and declares the anubis user/group even when
  # `vhack.anubis.instances` is empty. Confirm that this is intended on every
  # host that imports the module.
  config = {
    # nginx joins the Anubis group so that it can open the per-instance sockets.
    # NOTE(review): presumably the sockets are group-accessible; confirm against
    # the upstream module.
    users.users.nginx.extraGroups = [config.services.anubis.defaultOptions.group];

    # Pin uid/gid to the repository-wide constants.
    # NOTE(review): the group name is hard-coded to "anubis" here, while nginx
    # above follows `defaultOptions.group`; the two diverge if that option is
    # ever changed.
    users.users.anubis = {
      group = "anubis";
      uid = config.vhack.constants.ids.uids.anubis;
    };
    users.groups.anubis.gid = config.vhack.constants.ids.gids.anubis;

    services.anubis = {
      instances = anubisInstances;

      # Applied to every instance.
      # NOTE(review): per the Anubis documentation this derives the cookie
      # domain from the request host, which would let the pass cookie be shared
      # across sibling subdomains; confirm that scope is wanted.
      defaultOptions.settings.COOKIE_DYNAMIC_DOMAIN = true;
    };

    services.nginx = {
      enable = true;
      virtualHosts = nginxVirtualHosts;

      # Server-wide nixpkgs presets. `recommendedProxySettings` is also set on
      # each generated location.
      recommendedProxySettings = true;
      recommendedGzipSettings = true;
      recommendedOptimisation = true;
      recommendedTlsSettings = true;
    };
  };
}