modules: services: nginx: overhaul modularity

This should be all that's needed for almost all my services.
This commit is contained in:
Bruno BELANYI 2021-08-24 22:30:44 +02:00
parent b97eff2479
commit 81e12969eb
2 changed files with 175 additions and 10 deletions

View file

@ -90,6 +90,9 @@ in
enable = true;
password = my.secrets.nextcloud.password;
};
nginx = {
enable = true; # FIXME: remove this when done migrating
};
# The whole *arr software suite
pirate.enable = true;
# Podcast automatic downloader

View file

@ -1,12 +1,147 @@
# Configuration shamelessly stolen from [1]
#
# [1]: https://github.com/delroth/infra.delroth.net/blob/master/common/nginx.nix
# A simple abstraction layer for almost all of my services' needs
{ config, lib, pkgs, ... }:
let
cfg = config.my.services.nginx;
virtualHostOption = with lib; types.submodule {
options = {
subdomain = mkOption {
type = types.str;
example = "dev";
description = ''
Which subdomain, under config.networking.domain, to use
for this virtual host.
'';
};
port = mkOption {
type = with types; nullOr port;
default = null;
example = 8080;
description = ''
Which port to proxy to, through 127.0.0.1, for this virtual host.
This option is incompatible with `root`.
'';
};
root = mkOption {
type = with types; nullOr path;
default = null;
example = "/var/www/blog";
description = ''
The root folder for this virtual host. This option is incompatible
with `port`.
'';
};
extraConfig = mkOption {
type = types.attrs; # FIXME: forward type of virtualHosts
example = litteralExample ''
{
locations."/socket" = {
proxyPass = "http://127.0.0.1:8096/";
proxyWebsockets = true;
};
}
'';
default = { };
description = ''
Any extra configuration that should be applied to this virtual host.
'';
};
};
};
in
{
# Whenever something defines an nginx vhost, ensure that nginx defaults are
# properly set.
config = lib.mkIf ((builtins.attrNames config.services.nginx.virtualHosts) != [ ]) {
options.my.services.nginx = with lib; {
enable =
mkEnableOption "Nginx, activates when `virtualHosts` is not empty" // {
default = builtins.length cfg.virtualHosts != 0;
};
monitoring = {
enable = my.mkDisableOption "monitoring through grafana and prometheus";
};
virtualHosts = mkOption {
type = types.listOf virtualHostOption;
default = [ ];
example = litteralExample ''
[
{
subdomain = "gitea";
port = 8080;
}
{
subdomain = "dev";
root = "/var/www/dev";
}
{
subdomain = "jellyfin";
port = 8096;
extraConfig = {
locations."/socket" = {
proxyPass = "http://127.0.0.1:8096/";
proxyWebsockets = true;
};
};
}
]
'';
description = ''
List of virtual hosts to set-up using default settings.
'';
};
};
config = lib.mkIf cfg.enable {
assertions = [ ]
++ (lib.flip builtins.map cfg.virtualHosts ({ subdomain, ... } @ args:
let
conflicts = [ "port" "root" ];
optionsNotNull = builtins.map (v: args.${v} != null) conflicts;
optionsSet = lib.filter lib.id optionsNotNull;
in
{
assertion = builtins.length optionsSet == 1;
message = ''
Subdomain '${subdomain}' must have exactly one of ${
lib.concatStringsSep ", " (builtins.map (v: "'${v}'") conflicts)
} configured.
'';
}))
++ (
let
ports = lib.my.mapFilter
(v: v != null)
({ port, ... }: port)
cfg.virtualHosts;
portCounts = lib.my.countValues ports;
nonUniquesCounts = lib.filterAttrs (_: v: v != 1) portCounts;
nonUniques = builtins.attrNames nonUniquesCounts;
mkAssertion = port: {
assertion = false;
message = "Port ${port} cannot appear in multiple virtual hosts.";
};
in
map mkAssertion nonUniques
) ++ (
let
subs = map ({ subdomain, ... }: subdomain) cfg.virtualHosts;
subsCounts = lib.my.countValues subs;
nonUniquesCounts = lib.filterAttrs (_: v: v != 1) subsCounts;
nonUniques = builtins.attrNames nonUniquesCounts;
mkAssertion = v: {
assertion = false;
message = ''
Subdomain '${v}' cannot appear in multiple virtual hosts.
'';
};
in
map mkAssertion nonUniques
)
;
services.nginx = {
enable = true;
statusPage = true; # For monitoring scraping.
@ -15,6 +150,33 @@
recommendedOptimisation = true;
recommendedTlsSettings = true;
recommendedProxySettings = true;
virtualHosts =
let
domain = config.networking.domain;
mkVHost = ({ subdomain, ... } @ args: lib.nameValuePair
"${subdomain}.${domain}"
(builtins.foldl' lib.recursiveUpdate { } [
# Base configuration
{
forceSSL = true;
useACMEHost = domain;
}
# Proxy to port
(lib.optionalAttrs (args.port != null) {
locations."/".proxyPass =
"http://127.0.0.1:${toString args.port}";
})
# Serve filesystem content
(lib.optionalAttrs (args.root != null) {
inherit (args) root;
})
# VHost specific configuration
args.extraConfig
])
);
in
lib.my.genAttrs' cfg.virtualHosts mkVHost;
};
networking.firewall.allowedTCPPorts = [ 80 443 ];
@ -22,10 +184,10 @@
# Nginx needs to be able to read the certificates
users.users.nginx.extraGroups = [ "acme" ];
# Use DNS wildcard certificate
security.acme = {
email = "bruno.acme@belanyi.fr";
acceptTerms = true;
# Use DNS wildcard certificate
certs =
let
domain = config.networking.domain;
@ -40,8 +202,8 @@
};
};
};
# Setup monitoring
services.grafana.provision.dashboards = [
services.grafana.provision.dashboards = lib.mkIf cfg.monitoring.enable [
{
name = "NGINX";
options.path = pkgs.nur.repos.alarsyo.grafanaDashboards.nginx;
@ -49,7 +211,7 @@
}
];
services.prometheus = {
services.prometheus = lib.mkIf cfg.monitoring.enable {
exporters.nginx = {
enable = true;
listenAddress = "127.0.0.1";