refactor: Modularise Nginx vhosts

Madeleine Sydney
2025-01-19 18:52:23 -07:00
parent 46d6c129c1
commit f4924eeb59
11 changed files with 213 additions and 171 deletions


@@ -67,6 +67,20 @@ Where =default.nix= returns an attrset of form
}
#+end_src
*** ~modules/~
#+begin_example
modules
├── home
│   └── «Various home-manager modules»…
└── nixos
├── defaults
│   └── «NixOS modules that are *enabled by default*»…
├── deertopia
│   └── «NixOS modules that are *specific to Deertopia*»…
└── «Various NixOS modules»…
#+end_example
** Impermanence and persistence
I use impermanence to wipe most of my filesystem on boot.


@@ -3,7 +3,6 @@
imports = [
./hardware-configuration.nix
./disko-config.nix
./services.nix
];
sydnix = {
@@ -37,6 +36,25 @@
enable = true;
keyFile = "/persist/vault/root/deertopia-key";
};
deertopia = {
nginx.enable = true;
git-annex.enable = true;
# A simple default webpage. This should probably live somewhere else.
nginx.vhosts."www" = {
vhostName = "deertopia.net";
vhost = {
# addSSL = true;
forceSSL = true;
enableACME = true;
locations."/" = {
index = "index.html";
};
};
};
};
};
boot.loader = {


@@ -1,10 +0,0 @@
{ config, lib, pkgs, ... }:
{
imports = [
# ./services/seafile.nix
# ./services/tinydns.nix
./services/git-annex.nix
./services/nginx.nix
];
}


@@ -1,36 +0,0 @@
{ config, lib, pkgs, ... }:
{
environment.systemPackages = with pkgs; [
git-annex
git
rsync
];
# Our files managed by git-annex actually live on a WebDAV server that is
# declared by the following section.
services.nginx = {
# Nginx's WebDAV support is in a separate module we must import.
additionalModules = [ pkgs.nginxModules.dav ];
virtualHosts."dav.deertopia.net" = {
addSSL = true;
enableACME = true;
locations."/".extraConfig = ''
alias /persist/web/webdav;
client_body_temp_path /tmp/nginx/webdav;
dav_methods PUT DELETE MKCOL COPY MOVE;
dav_ext_methods PROPFIND OPTIONS;
create_full_put_path on
auth_basic "Restricted Access";
auth_basic_user_file /etc/nginx/webdav.passwd;
# Deny all access unless authenticated
satisfy all;
allow all; # This allows all authenticated users
deny all; # This denies all other users
'';
};
};
}


@@ -1,28 +0,0 @@
{ config, lib, pkgs, ... }:
{
sydnix = {
sops.secrets = {
nextcloud-admin = {
owner = "nextcloud";
group = "nextcloud";
};
};
impermanence.directories = [ "/var/lib/nextcloud" ];
};
# Setting `services.nextcloud.hostName` automatically sets up a Nginx server
# (on port 80) hosting the Nextcloud services.
networking.firewall.allowedTCPPorts = [ 80 ];
services.nextcloud = {
enable = true;
hostName = "cloud.internal.deertopia.net";
package = pkgs.nextcloud30;
config = {
adminpassFile = "/run/secrets/nextcloud-admin";
dbtype = "sqlite";
};
};
}


@@ -1,46 +0,0 @@
{ config, lib, pkgs, ... }:
let
deertopiaRoot = {
directory = "/persist/deertopia.net/";
group = "nginx";
user = "nginx";
};
in
{
services.nginx.enable = true;
networking.firewall.allowedTCPPorts = [
80 # HTTP
443 # HTTPS
];
# With this section, virtual hosts declared through the Nginx NixOS module
# will automatically request ACME SSL certificates and configure systemd
# timers to renew the certificate if required. See the article on the NixOS
# wiki, from which I've nabbed the following snippet:
# https://nixos.wiki/wiki/Nginx#Let.27s_Encrypt_certificates
security.acme = {
acceptTerms = true;
defaults.email = "lomiskiam@gmail.com";
};
services.nginx.virtualHosts."deertopia.net" = {
root = "${deertopiaRoot.directory}/www";
# addSSL = true;
forceSSL = true;
enableACME = true;
locations."/" = {
index = "index.html";
};
};
system.activationScripts.initialiseDeertopiaRoot.text = ''
mkdir -p "${deertopiaRoot.directory}"
chown -R "${deertopiaRoot.user}:${deertopiaRoot.user}" \
"${deertopiaRoot.directory}"
chmod -R 775 "${deertopiaRoot.directory}"
'';
}


@@ -1,29 +0,0 @@
{ config, lib, pkgs, ... }:
{
sydnix.impermanence = {
directories = [
"/var/lib/seafile"
];
};
services.seafile = {
enable = true;
adminEmail = "lomiskiam@gmail.com";
initialAdminPassword = "password123";
ccnetSettings.General.SERVICE_URL = "http://files.deertopia.net";
seafileSettings = {
fileserver = {
host = "ipv4:127.0.0.1";
port = 8082;
};
};
};
services.nginx.virtualHosts."files.deertopia.net" = {
};
}


@@ -1,21 +0,0 @@
{ config, lib, pkgs, ... }:
{
services.tinydns = {
enable = true;
data = ''
.internal.deertopia.net:192.168.68.79:dns:86400
=*.internal.deertopia.net:192.168.68.79:86400
=internal.deertopia.net:192.168.68.79:86400
# Redirect everything else to the router's nameservers.
&.::192.168.68.1:86400
'';
};
networking.firewall.allowedUDPPorts = [
53
];
networking.nameservers = [ "192.168.68.79" ];
}


@@ -0,0 +1,15 @@
{ config, lib, pkgs, ... }:
let
# TODO: Move to a fucking utility library already!
listNixFilesInDirectory = dir:
builtins.attrNames
(lib.filterAttrs
(k: _v: lib.hasSuffix ".nix" k)
(builtins.readDir dir));
in {
imports =
builtins.map
(k: ./deertopia/${k})
(listNixFilesInDirectory ./deertopia);
}
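Review bot: `listNixFilesInDirectory` keeps every `readDir` entry whose name ends in `.nix` regardless of its entry type, so a directory or dangling symlink with that suffix under `./deertopia` would be imported and break evaluation of the whole host; filtering on the type as well, `(k: v: v == "regular" && lib.hasSuffix ".nix" k)`, narrows the glob to real files (drop the type check if symlinked modules are intended). A one-line comment above `imports`, `# Every *.nix file in ./deertopia is a NixOS module; adding a service only needs a file there.`, would document the convention configuration.nix now relies on after dropping `./services.nix`.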


@@ -0,0 +1,46 @@
{ config, lib, pkgs, ... }:
let
cfg = config.sydnix.deertopia.git-annex;
in
{
options.sydnix.deertopia.git-annex = {
enable = lib.mkEnableOption "Git-annex";
};
config = {
environment.systemPackages = with pkgs; [
git-annex
# git
# rsync
];
# # Our files managed by git-annex actually live on a WebDAV server that is
# # declared by the following section. This is mainly because it's the most
# # convenient way to share files with my iPhone. Apple hates developers!
# services.nginx = {
# # Nginx's WebDAV support is in a separate module we must import.
# additionalModules = [ pkgs.nginxModules.dav ];
# virtualHosts."dav.deertopia.net" = {
# addSSL = true;
# enableACME = true;
# locations."/".extraConfig = ''
# alias /persist/web/webdav;
# client_body_temp_path /tmp/nginx/webdav;
# dav_methods PUT DELETE MKCOL COPY MOVE;
# dav_ext_methods PROPFIND OPTIONS;
# create_full_put_path on
# auth_basic "Restricted Access";
# auth_basic_user_file /etc/nginx/webdav.passwd;
# # Deny all access unless authenticated
# satisfy all;
# allow all; # This allows all authenticated users
# deny all; # This denies all other users
# '';
# };
# };
};
}
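Review bot: The module body at `config = {` is not gated on `cfg.enable`, so `git-annex` lands in `environment.systemPackages` on every host that imports this file and the `enable = lib.mkEnableOption "Git-annex";` option is inert; `cfg` is bound in the `let` but never read. Writing `config = lib.mkIf cfg.enable {` matches the sibling nginx module and makes the option meaningful. If the commented-out WebDAV block is revived later, `create_full_put_path on` is missing its terminating `;`, and `/etc/nginx/webdav.passwd` would need to be provisioned declaratively (for example through the sops secrets the configuration already uses) rather than assumed to exist on the host.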


@@ -0,0 +1,119 @@
{ config, lib, options, pkgs, ... }:
let
cfg = config.sydnix.deertopia.nginx;
in
{
options.sydnix.deertopia.nginx = {
enable = lib.mkEnableOption "Nginx";
root = lib.mkOption {
type = lib.types.path;
description = "deertopia.net's root directory.";
default = "/persist/deertopia.net";
};
group = lib.mkOption {
type = lib.types.str;
description =
"The owning group of deertopia.net's root directory.";
default = "nginx";
};
user = lib.mkOption {
type = lib.types.str;
description =
"The owning user of deertopia.net's root directory.";
default = "nginx";
};
vhosts = lib.mkOption {
# NOTE: `name` shouldn't contain spaces.
type = lib.types.attrsOf (lib.types.submodule ({ name, ... }: {
options = {
enable = lib.mkOption {
description = "Enable ${name}.deertopia.net.";
default = true;
type = lib.types.boolean;
};
directory = lib.mkOption {
description = "Host's root directory.";
type = lib.types.str;
default = "${cfg.root}/${name}";
};
vhostName = lib.mkOption {
type = lib.types.str;
default = "${name}.deertopia.net";
};
vhost = lib.mkOption {
description = ''
Virtual host settings, passed directly to the NixOS's Nginx
module.
'';
type = lib.types.anything;
};
};
}));
};
};
config = lib.mkIf cfg.enable {
services.nginx.enable = true;
networking.firewall.allowedTCPPorts = [
80 # HTTP
443 # HTTPS
];
# With this section, virtual hosts declared through the Nginx NixOS module
# will automatically request ACME SSL certificates and configure systemd
# timers to renew the certificate if required. See the article on the NixOS
# wiki, from which I've nabbed the following snippet:
# https://nixos.wiki/wiki/Nginx#Let.27s_Encrypt_certificates
security.acme = {
acceptTerms = true;
defaults.email = "lomiskiam@gmail.com";
};
services.nginx.virtualHosts =
builtins.listToAttrs
(builtins.map
(k: {
name = cfg.vhosts.${k}.vhostName;
value = cfg.vhosts.${k}.vhost // {
root = cfg.vhosts.${k}.directory;
};
})
(builtins.attrNames cfg.vhosts));
# services.nginx.virtualHosts."deertopia.net" = {
# root = "${cfg.www.root}/www";
# # addSSL = true;
# forceSSL = true;
# enableACME = true;
# locations."/" = {
# index = "index.html";
# };
# };
system.activationScripts.initialiseDeertopiaRoot.text =
let
directories =
builtins.catAttrs "directory" (builtins.attrValues cfg.vhosts);
inherit (cfg) root group user;
in ''
mkdir -p "${root}"
chown -R "${user}:${group}" "${root}"
chmod -R 775 "${root}"
dirs=(${builtins.concatStringsSep " " (map (x: "'${x}'") directories)})
for i in "''${dirs[@]}"; do
mkdir -p "$i"
chown -R "${user}:${group}" "$i"
chmod -R 775 "$i"
done
'';
};
}
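Review bot: `type = lib.types.boolean;` on the per-vhost `enable` option does not exist in nixpkgs `lib.types` and fails evaluation as soon as any vhost is declared; it should be `type = lib.types.bool;`. Once that evaluates, the option is never read: both the `services.nginx.virtualHosts` mapping and the activation script's `directories` list walk all of `cfg.vhosts`, so a vhost with `enable = false` is still served and its directory still created — bind `enabledVhosts = lib.filterAttrs (_: v: v.enable) cfg.vhosts;` in the top-level `let` and use it in place of `cfg.vhosts` at both sites. The activation script also leaves every document root owned by `${user}` (default `nginx`) with mode 775 on each rebuild, which lets the nginx worker itself rewrite the content it serves; unless write access from nginx is intentional, a read-only mode such as 755 with a separate owning user and nginx only in the group keeps the web root least-privilege. `vhostName` lacks a `description`, and the `options` module argument is taken but unused — if it was meant to type `vhost` against the nginx module's own submodule rather than `lib.types.anything`, doing so would restore option checking on the attrset passed through.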