Gitiles
Code Review Sign In
git.clicks.codes / Infra / NixFiles / 9cb5f60190960ce4dbff228880bfa5274dddd3ff / . / modules / common / nginx.nix
blob: 5bc99ad4990e6e6dfa5b9865e7af8a9361009c6f [file] [log] [blame]
Skyler Grey2ca6ccd2023-10-14 22:56:43 +0000[diff] [blame]1{ config, lib, pkgs, helpers, base, ... }:
Skyler Greyfe1740c2023-10-21 01:24:18 +0000[diff] [blame]2lib.recursiveUpdate {
Skyler Grey2ca6ccd2023-10-14 22:56:43 +0000[diff] [blame]3 options.clicks = {
4 nginx = {
5 services = lib.mkOption {
6 type = with lib.types;
7 listOf (submodule {
8 options = {
9 host = lib.mkOption { type = str; };
10 extraHosts = lib.mkOption { type = listOf str; };
11 secure = lib.mkOption { type = bool; };
12 service = lib.mkOption {
13 type = let
14 validServiceTypes = {
15 "redirect" = {
Skyler Greyfe1740c2023-10-21 01:24:18 +0000[diff] [blame]16 to = [ "string" str ];
17 permanent = [ "bool" bool ];
Skyler Grey2ca6ccd2023-10-14 22:56:43 +0000[diff] [blame]18 };
Skyler Greyfe1740c2023-10-21 01:24:18 +0000[diff] [blame]19 "reverseproxy" = { to = [ "string" str ]; };
Skyler Grey2ca6ccd2023-10-14 22:56:43 +0000[diff] [blame]20 "php" = {
Skyler Greyfe1740c2023-10-21 01:24:18 +0000[diff] [blame]21 root = [ "string" str ];
22 socket = [ "string" str ];
Skyler Grey2ca6ccd2023-10-14 22:56:43 +0000[diff] [blame]23 };
24 "directory" = {
Skyler Greyfe1740c2023-10-21 01:24:18 +0000[diff] [blame]25 private = [ "bool" bool ];
26 root = [ "string" str ];
Skyler Grey2ca6ccd2023-10-14 22:56:43 +0000[diff] [blame]27 };
Skyler Greyfe1740c2023-10-21 01:24:18 +0000[diff] [blame]28 "file" = { path = [ "string" str ]; };
Skyler Grey2ca6ccd2023-10-14 22:56:43 +0000[diff] [blame]29 "path" = {
Skyler Greyfe1740c2023-10-21 01:24:18 +0000[diff] [blame]30 path = [ "string" str ];
31 service = [ "set" serviceType ];
Skyler Grey2ca6ccd2023-10-14 22:56:43 +0000[diff] [blame]32 };
Skyler Greyfe1740c2023-10-21 01:24:18 +0000[diff] [blame]33 "compose" = { services = [ "list" (listOf serviceType) ]; };
34 "status" = { statusCode = [ "int" int ]; };
Skyler Grey2ca6ccd2023-10-14 22:56:43 +0000[diff] [blame]35 };
36
37 serviceType = mkOptionType {
38 name = "Service";
39
40 description = "clicks Nginx service";
41 descriptionClass = "noun";
42
43 check = (x:
Skyler Greyfe1740c2023-10-21 01:24:18 +0000[diff] [blame]44 if (builtins.typeOf x) != "set" then
45 lib.warn
46 "clicks nginx services must be sets but ${x} is not a set"
47 false
48 else if !(builtins.hasAttr "type" x) then
49 lib.warn
50 "clicks nginx services must have a type attribute but ${x} does not"
51 false
52 else if !(builtins.hasAttr x.type validServiceTypes) then
53 lib.warn
54 "clicks nginx services must have a valid type, but ${x.type} is not one"
55 false
56 else
57 (let
58 optionTypes =
59 (builtins.mapAttrs (n: o: builtins.elemAt o 0)
60 validServiceTypes.${x.type}) // {
61 type = "string";
62 };
63 in (lib.pipe x [
64 (builtins.mapAttrs (n: o:
65 (builtins.hasAttr n optionTypes) && optionTypes.${n}
66 == (builtins.typeOf o)))
67 lib.attrValues
68 (builtins.all (x: x))
69 ]) && (lib.pipe optionTypes [
70 (builtins.mapAttrs (n: _: builtins.hasAttr n x))
71 lib.attrValues
72 (builtins.all (x: x))
73 ])));
Skyler Grey2ca6ccd2023-10-14 22:56:43 +0000[diff] [blame]74 };
75 in serviceType;
76 };
77 type = lib.mkOption { type = strMatching "hosts"; };
78 };
79 });
80 example = lib.literalExpression ''
81 with helpers.nginx; [
82 (Host "example.clicks.codes" (ReverseProxy "generic:1001"))
83 ]'';
84 description = lib.mdDoc ''
85 Connects hostnames to services for your nginx server. We recommend using the Clicks helper to generate these
86 '';
87 default = [ ];
88 };
89 serviceAliases = lib.mkOption {
90 type = with lib.types;
91 listOf (submodule {
92 options = {
93 host = lib.mkOption {
94 type = str;
95 example = "example.clicks.codes";
96 description = ''
97 The ServerName of the server. If you override this in the nginx server block, you still need to put in the name of the attribute
98 '';
99 };
100 aliases = lib.mkOption {
101 type = listOf str;
102 example = [ "example2.clicks.codes" "example.coded.codes" ];
103 description = ''
104 A list of servers to add as aliases
105 '';
106 };
107 type = lib.mkOption { type = strMatching "aliases"; };
108 };
109 });
110 example = lib.literalExpression ''
111 with helpers.nginx; [
112 (Host "example.clicks.codes" (ReverseProxy "generic:1001"))
113 ]'';
114 description = lib.mdDoc ''
115 Adds additional host names to your nginx server. If you're using `clicks.nginx.services`
116 you should generally use a Hosts block instead
117 '';
118 default = [ ];
119 };
120 streams = lib.mkOption {
Skyler Greyfe1740c2023-10-21 01:24:18 +0000[diff] [blame]121 type = with lib.types;
122 listOf (submodule {
123 options = {
124 internal = lib.mkOption { type = str; };
125 external = lib.mkOption { type = port; };
126 protocol = lib.mkOption { type = strMatching "^(tcp|udp)$"; };
Skyler Grey56b293d2023-10-22 22:53:34 +0000[diff] [blame]127 haproxy = lib.mkOption { type = bool; };
Skyler Greyfe1740c2023-10-21 01:24:18 +0000[diff] [blame]128 };
129 });
Skyler Grey2ca6ccd2023-10-14 22:56:43 +0000[diff] [blame]130 example = lib.literalExpression ''
131 with helpers.nginx; [
132 (Stream 1001 "generic:1002" "tcp")
133 ]'';
134 description = lib.mdDoc ''
135 A list of servers to be placed in the nginx streams block. We recommend using the Clicks helper to generate these
136 '';
137 default = [ ];
138 };
139 };
140 };
141 config = {
142 services.nginx = {
143 enable = true;
144 enableReload = true;
145
Skyler Grey896e9282023-12-22 23:49:10 +0000[diff] [blame]146 serverNamesHashMaxSize = 4096;
147
Skyler Grey2ca6ccd2023-10-14 22:56:43 +0000[diff] [blame]148 virtualHosts = lib.recursiveUpdate (helpers.nginx.Merge
149 config.clicks.nginx.services) # clicks.nginx.services
150 (lib.pipe config.clicks.nginx.serviceAliases [
151 (map (alias: {
152 name = alias.host;
153 value.serverAliases = alias.aliases;
154 }))
155 builtins.listToAttrs
156 ]); # clicks.nginx.serviceAliases
157
158 streamConfig = builtins.concatStringsSep "\n" (map (stream: ''
159 server {
Skyler Greyfe1740c2023-10-21 01:24:18 +0000[diff] [blame]160 listen ${builtins.toString stream.external}${
161 lib.optionalString (stream.protocol == "udp") " udp"
162 };
Skyler Grey56b293d2023-10-22 22:53:34 +0000[diff] [blame]163 proxy_pass ${stream.internal};
164 ${if stream.haproxy then "proxy_protocol on;" else ""}
Skyler Grey2ca6ccd2023-10-14 22:56:43 +0000[diff] [blame]165 }
166 '') config.clicks.nginx.streams);
167 };
168
169 networking.firewall.allowedTCPPorts = lib.pipe config.clicks.nginx.streams [
170 (builtins.filter (stream: stream.protocol == "tcp"))
171 (map (stream: stream.external))
172 ];
173 networking.firewall.allowedUDPPorts = lib.pipe config.clicks.nginx.streams [
174 (builtins.filter (stream: stream.protocol == "udp"))
175 (map (stream: stream.external))
176 ];
177
178 security.acme.defaults = {
179 email = "admin@clicks.codes";
Skyler Grey915067d2023-12-03 13:46:53 +0000[diff] [blame]180 environmentFile = config.sops.secrets.cloudflare_cert__api_token.path;
Skyler Grey2ca6ccd2023-10-14 22:56:43 +0000[diff] [blame]181 };
182 security.acme.acceptTerms = true;
183
184 sops.secrets.cloudflare_cert__api_token = {
185 mode = "0660";
186 owner = config.users.users.nginx.name;
187 group = config.users.users.acme.group;
Samuel Shuertf68685d2023-10-28 20:07:56 -0400[diff] [blame]188 sopsFile = ../../secrets/cloudflare-cert.env.bin;
Skyler Grey2ca6ccd2023-10-14 22:56:43 +0000[diff] [blame]189 format = "binary";
190 };
Skyler Grey4259e932023-10-21 21:37:03 +0000[diff] [blame]191
192 users.users.nginx.extraGroups = [ config.users.users.acme.group ];
Skyler Grey2ca6ccd2023-10-14 22:56:43 +0000[diff] [blame]193 };
Skyler Greyfe1740c2023-10-21 01:24:18 +0000[diff] [blame]194} (if base != null then {
Skyler Grey4259e932023-10-21 21:37:03 +0000[diff] [blame]195 config.security.acme.certs = lib.mkForce (builtins.mapAttrs (_: v:
Skyler Grey896e9282023-12-22 23:49:10 +0000[diff] [blame]196 (lib.filterAttrs (n: _: n != "directory" && n != "credentialsFile") v) // {
Skyler Grey4259e932023-10-21 21:37:03 +0000[diff] [blame]197 webroot = null;
198 dnsProvider = "cloudflare";
199 }) base.config.security.acme.certs);
Skyler Greyfe1740c2023-10-21 01:24:18 +0000[diff] [blame]200} else
201 { })