refactor: Modularise Nginx vhosts

2025-01-19 18:52:23 -07:00
parent 46d6c129c1
commit f4924eeb59
11 changed files with 213 additions and 171 deletions
--- a/hosts/deertopia/configuration.nix
+++ b/hosts/deertopia/configuration.nix
@@ -3,7 +3,6 @@
  imports = [
    ./hardware-configuration.nix
    ./disko-config.nix
-    ./services.nix
  ];

  sydnix = {
@@ -37,6 +36,25 @@
      enable = true;
      keyFile = "/persist/vault/root/deertopia-key";
    };
+
+    deertopia = {
+      nginx.enable = true;
+      git-annex.enable = true;
+
+      # A simple default webpage.  This should probably live somewhere else.
+      nginx.vhosts."www" = {
+        vhostName = "deertopia.net";
+        vhost = {
+          # addSSL = true;
+          forceSSL = true;
+          enableACME = true;
+
+          locations."/" = {
+            index = "index.html";
+          };
+        };
+      };
+    };
  };

  boot.loader = {
--- a/hosts/deertopia/services.nix
+++ b/hosts/deertopia/services.nix
@@ -1,10 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-{
-  imports = [
-    # ./services/seafile.nix
-    # ./services/tinydns.nix
-    ./services/git-annex.nix
-    ./services/nginx.nix
-  ];
-}
--- a/hosts/deertopia/services/git-annex.nix
+++ b/hosts/deertopia/services/git-annex.nix
@@ -1,36 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-{
-  environment.systemPackages = with pkgs; [
-    git-annex
-    git
-    rsync
-  ];
-
-  # Our files managed by git-annex actually live on a WebDAV server that is
-  # declared by the following section.
-  services.nginx = {
-    # Nginx's WebDAV support is in a separate module we must import.
-    additionalModules = [ pkgs.nginxModules.dav ];
-
-    virtualHosts."dav.deertopia.net" = {
-      addSSL = true;
-      enableACME = true;
-      locations."/".extraConfig = ''
-        alias /persist/web/webdav;
-        client_body_temp_path /tmp/nginx/webdav;
-        dav_methods PUT DELETE MKCOL COPY MOVE;
-        dav_ext_methods PROPFIND OPTIONS;
-        create_full_put_path on
-
-        auth_basic "Restricted Access";
-        auth_basic_user_file /etc/nginx/webdav.passwd;
-
-        # Deny all access unless authenticated
-        satisfy all;
-        allow all;  # This allows all authenticated users
-        deny all;   # This denies all other users
-      '';
-    };
-  };
-}
--- a/hosts/deertopia/services/nextcloud.nix
+++ b/hosts/deertopia/services/nextcloud.nix
@@ -1,28 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-{
-  sydnix = {
-    sops.secrets = {
-      nextcloud-admin = {
-        owner = "nextcloud";
-        group = "nextcloud";
-      };
-    };
-
-    impermanence.directories = [ "/var/lib/nextcloud" ];
-  };
-
-  # Setting `services.nextcloud.hostName` automatically sets up a Nginx server
-  # (on port 80) hosting the Nextcloud services.
-  networking.firewall.allowedTCPPorts = [ 80 ];
-
-  services.nextcloud = {
-    enable = true;
-    hostName = "cloud.internal.deertopia.net";
-    package = pkgs.nextcloud30;
-    config = {
-      adminpassFile = "/run/secrets/nextcloud-admin";
-      dbtype = "sqlite";
-    };
-  };
-}
--- a/hosts/deertopia/services/nginx.nix
+++ b/hosts/deertopia/services/nginx.nix
@@ -1,46 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-let
-  deertopiaRoot = {
-    directory = "/persist/deertopia.net/";
-    group = "nginx";
-    user = "nginx";
-  };
-in
-{
-  services.nginx.enable = true;
-
-  networking.firewall.allowedTCPPorts = [
-    80  # HTTP
-    443 # HTTPS
-  ];
-
-  # With this section, virtual hosts declared through the Nginx NixOS module
-  # will automatically request ACME SSL certificates and configure systemd
-  # timers to renew the certificate if required.  See the article on the NixOS
-  # wiki, from which I've nabbed the following snippet:
-  # https://nixos.wiki/wiki/Nginx#Let.27s_Encrypt_certificates
-  security.acme = {
-    acceptTerms = true;
-    defaults.email = "lomiskiam@gmail.com";
-  };
-
-  services.nginx.virtualHosts."deertopia.net" = {
-    root = "${deertopiaRoot.directory}/www";
-
-    # addSSL = true;
-    forceSSL = true;
-    enableACME = true;
-
-    locations."/" = {
-      index = "index.html";
-    };
-  };
-
-  system.activationScripts.initialiseDeertopiaRoot.text = ''
-    mkdir -p "${deertopiaRoot.directory}"
-    chown -R "${deertopiaRoot.user}:${deertopiaRoot.user}" \
-      "${deertopiaRoot.directory}"
-    chmod -R 775 "${deertopiaRoot.directory}"
-  '';
-}
--- a/hosts/deertopia/services/seafile.nix
+++ b/hosts/deertopia/services/seafile.nix
@@ -1,29 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-{
-  sydnix.impermanence = {
-    directories = [
-      "/var/lib/seafile"
-    ];
-  };
-
-  services.seafile = {
-    enable = true;
-
-    adminEmail = "lomiskiam@gmail.com";
-    initialAdminPassword = "password123";
-
-    ccnetSettings.General.SERVICE_URL = "http://files.deertopia.net";
-
-    seafileSettings = {
-      fileserver = {
-        host = "ipv4:127.0.0.1";
-        port = 8082;
-      };
-    };
-  };
-
-  services.nginx.virtualHosts."files.deertopia.net" = {
-
-  };
-}
--- a/hosts/deertopia/services/tinydns.nix
+++ b/hosts/deertopia/services/tinydns.nix
@@ -1,21 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-{
-  services.tinydns = {
-    enable = true;
-    data = ''
-      .internal.deertopia.net:192.168.68.79:dns:86400
-      =*.internal.deertopia.net:192.168.68.79:86400
-      =internal.deertopia.net:192.168.68.79:86400
-
-      # Redirect everything else to the router's nameservers.
-      &.::192.168.68.1:86400
-    '';
-  };
-
-  networking.firewall.allowedUDPPorts = [
-    53
-  ];
-
-  networking.nameservers = [ "192.168.68.79" ];
-}