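{ config, lib, options, pkgs, ... }:
# NixOS module for deertopia.net's nginx: one virtual host per entry of
# `sydnix.deertopia.nginx.vhosts`, each served from a sub-directory of `root`
# and given an ACME certificate through the NixOS nginx/acme modules.
let
  cfg = config.sydnix.deertopia.nginx;
in
{
  options.sydnix.deertopia.nginx = {
    enable = lib.mkEnableOption "Nginx";

    root = lib.mkOption {
      type = lib.types.path;
      description = "deertopia.net's root directory.";
      default = "/persist/deertopia.net";
    };

    group = lib.mkOption {
      type = lib.types.str;
      description =
        "The owning group of deertopia.net's root directory.";
      default = "nginx";
    };

    user = lib.mkOption {
      type = lib.types.str;
      description =
        "The owning user of deertopia.net's root directory.";
      default = "nginx";
    };

    vhosts = lib.mkOption {
      # NOTE: `name` shouldn't contain spaces.
      description = ''
        Virtual hosts to serve, keyed by sub-domain. Each key becomes
        `<name>.deertopia.net` unless `vhostName` overrides it.
      '';
      # Defaulting to no hosts lets `enable = true` evaluate without any
      # vhosts declared.
      default = { };
      type = lib.types.attrsOf (lib.types.submodule ({ name, ... }: {
        options = {
          enable = lib.mkOption {
            description = "Enable ${name}.deertopia.net.";
            default = true;
            # `lib.types.boolean` is not a nixpkgs type; `bool` is.
            type = lib.types.bool;
          };

          directory = lib.mkOption {
            description = "Host's root directory.";
            type = lib.types.nullOr lib.types.path;
            # `toString` so that a path literal given for `root` is joined as a
            # plain string instead of being copied into the Nix store by the
            # interpolation.
            default = "${toString cfg.root}/${name}";
          };

          user = lib.mkOption {
            type = lib.types.nullOr lib.types.str;
            description = "The owning user of the host's root directory.";
            default = cfg.user;
          };

          group = lib.mkOption {
            type = lib.types.nullOr lib.types.str;
            description = "The owning group of the host's root directory.";
            default = cfg.group;
          };

          vhostName = lib.mkOption {
            type = lib.types.str;
            description =
              "Fully-qualified host name used as the key in `services.nginx.virtualHosts`.";
            default = "${name}.deertopia.net";
          };

          vhost = lib.mkOption {
            description = ''
              Virtual host settings, passed directly to the NixOS's Nginx
              module.
            '';
            type = lib.types.anything;
          };
        };
      }));
    };
  };

  config = lib.mkIf cfg.enable {
    services.nginx.enable = true;

    networking.firewall.allowedTCPPorts = [
      80 # HTTP
      443 # HTTPS
    ];

    # With this section, virtual hosts declared through the Nginx NixOS module
    # will automatically request ACME SSL certificates and configure systemd
    # timers to renew the certificate if required. See the article on the NixOS
    # wiki, from which I've nabbed the following snippet:
    # https://nixos.wiki/wiki/Nginx#Let.27s_Encrypt_certificates
    security.acme = {
      acceptTerms = true;
      defaults.email = "lomiskiam@gmail.com";
    };

    sydnix.impermanence.directories = [
      # Don't regenerate certs on reboot.
      "/var/lib/acme"
    ];

    # One nginx virtual host per *enabled* entry, keyed by its `vhostName`.
    # Entries with `enable = false` are dropped here rather than rendered.
    # `directory` is applied after `vhost`, so it always wins over any `root`
    # set inside `vhost`; the served tree therefore stays under `cfg.root`
    # unless `directory` itself is overridden.
    services.nginx.virtualHosts =
      lib.mapAttrs'
        (_: host:
          lib.nameValuePair host.vhostName
            (host.vhost // { root = host.directory; }))
        (lib.filterAttrs (_: host: host.enable) cfg.vhosts);

    # services.nginx.virtualHosts."deertopia.net" = {
    #   root = "${cfg.www.root}/www";
    #   # addSSL = true;
    #   forceSSL = true;
    #   enableACME = true;
    #   locations."/" = {
    #     index = "index.html";
    #   };
    # };
    # system.activationScripts.initialiseDeertopiaRoot.text =
    #   let
    #     # FIXME: Use `lib.strings.toShellVar`.
    #     inherit (cfg) root group user;
    #   in ''
    #     mkdir -p "${root}"
    #     chown -R "${user}:${group}" "${root}"
    #     chmod -R 775 "${root}"
    #     ${lib.toShellVar "dirs"
    #       (builtins.catAttrs "directory" (builtins.attrValues cfg.vhosts))}
    #     for i in "''${dirs[@]}"; do
    #       mkdir -p "$i"
    #       chown -R "${user}:${group}" "$i"
    #       chmod -R 775 "$i"
    #     done
    #   '';
  };
}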