| Skyler Grey | d7e1acd | 2024-06-22 14:42:11 +0000 | [diff] [blame] | 1 | # SPDX-FileCopyrightText: 2024 Clicks Codes |
| 2 | # |
| 3 | # SPDX-License-Identifier: GPL-3.0-only |
| 4 | |
| 5 | { lib, config, ... }: |
| 6 | let |
| 7 | cfg = config.clicks.services.nginx; |
| 8 | in |
| 9 | { |
| 10 | options.clicks.services.nginx = { |
| 11 | enable = lib.mkEnableOption "Enable Nginx routing"; |
| 12 | hosts = lib.options.mkOption { |
| 13 | type = lib.types.attrsOf (lib.clicks.types.nginx.host config); |
| 14 | description = "Attrset of web domain to host data"; |
| 15 | default = {}; |
| 16 | }; |
| 17 | defaultDnsProvider = lib.options.mkOption { |
| 18 | type = lib.types.nullOr lib.types.str; |
| 19 | description = "Default provider for getting web certificates"; |
| 20 | default = null; |
| 21 | }; |
| Skyler Grey | d7e1acd | 2024-06-22 14:42:11 +0000 | [diff] [blame] | 22 | }; |
| 23 | |
| 24 | config = lib.modules.mkIf cfg.enable (let |
| 25 | processedHosts = lib.clicks.nginx.http.internal.serviceTranslation cfg.hosts; |
| 26 | hostsList = lib.attrsets.attrsToList processedHosts; |
| 27 | nginxHosts = lib.attrsets.mapAttrs (_: host: lib.attrsets.removeAttrs host [ "authWith" "dnsProvider" ]) processedHosts; |
| 28 | acmeCerts = lib.attrsets.mapAttrs (_: host: { |
| 29 | inherit (host) dnsProvider; |
| 30 | webroot = if host.dnsProvider == null |
| 31 | then config.security.acme.defaults.webroot |
| 32 | else null; |
| 33 | }) processedHosts; |
| 34 | tailscaleAuthHosts = lib.pipe hostsList [ |
| 35 | (lib.lists.filter (host: host.value.authWith == "tailscale")) |
| 36 | (map (host: host.name)) |
| 37 | ]; |
| 38 | in { |
| 39 | services.nginx = { |
| 40 | enable = true; |
| 41 | enableReload = true; |
| 42 | virtualHosts = { |
| 43 | "default_server_ssl" = { |
| 44 | listen = [ |
| 45 | { |
| 46 | ssl = true; |
| 47 | port = 443; |
| 48 | addr = "0.0.0.0"; |
| 49 | extraParameters = [ |
| 50 | "default_server" |
| 51 | ]; |
| 52 | } |
| 53 | ]; |
| 54 | |
| 55 | rejectSSL = true; |
| 56 | }; |
| 57 | "default_server" = { |
| 58 | listen = [ |
| 59 | { |
| 60 | port = 80; |
| 61 | addr = "0.0.0.0"; |
| 62 | extraParameters = [ |
| 63 | "default_server" |
| 64 | ]; |
| 65 | } |
| 66 | ]; |
| 67 | |
| 68 | locations."/" = { |
| 69 | return = 444; |
| 70 | }; |
| 71 | }; |
| 72 | } // nginxHosts; |
| 73 | }; |
| 74 | |
| 75 | security.acme.certs = acmeCerts; |
| 76 | |
| 77 | clicks.services.tailscaleAuth = lib.mkIf (lib.lists.length tailscaleAuthHosts > 0) { |
| 78 | enable = true; |
| 79 | |
| 80 | hosts = tailscaleAuthHosts; |
| 81 | }; |
| 82 | |
| 83 | networking.firewall.allowedTCPPorts = [ 80 443 ]; |
| 84 | }); |
| 85 | } |