From af61ae6e611604fbfd6a3e6b511e3965006a31d4 Mon Sep 17 00:00:00 2001
From: Tom Hubrecht
Date: Sat, 12 Oct 2024 18:40:03 +0200
Subject: [PATCH] feat(dgn-web): Add simpleProxies
This proxies the required host to localhost:$port and enables SSL
---
 machines/storage01/forgejo.nix | 14 ++----
 machines/storage01/influxdb.nix | 10 ++---
 machines/storage01/prometheus.nix | 12 ++---
 modules/dgn-web.nix | 73 ++++++++++++++++++++++++++++++-
 4 files changed, 81 insertions(+), 28 deletions(-)
diff --git a/machines/storage01/forgejo.nix b/machines/storage01/forgejo.nix
index 7ea165f..24041c0 100644
--- a/machines/storage01/forgejo.nix
+++ b/machines/storage01/forgejo.nix
@@ -76,18 +76,10 @@ in
 mailerPasswordFile = config.age.secrets."forgejo-mailer_password_file".path;
 };
+ };
- nginx = {
- enable = true;
-
- virtualHosts.${host} = {
- enableACME = true;
- forceSSL = true;
- locations."/" = {
- proxyPass = "http://127.0.0.1:${toString port}";
- };
- };
- };
+ dgn-web.simpleProxies.forgejo = {
+ inherit host port;
 };
 users.users.git = {
diff --git a/machines/storage01/influxdb.nix b/machines/storage01/influxdb.nix
index 0dc331e..4f1ec31 100644
--- a/machines/storage01/influxdb.nix
+++ b/machines/storage01/influxdb.nix
@@ -5,6 +5,7 @@ let
 token = user: secret "${user}_token_file";
 host = "influx.dgnum.eu";
+ port = 8086;
 in
 {
@@ -41,13 +42,8 @@ in
 };
 };
- services.nginx.virtualHosts.${host} = {
- enableACME = true;
- forceSSL = true;
-
- locations."/" = {
- proxyPass = "http://127.0.0.1:8086";
- };
+ dgn-web.simpleProxies.influxdb = {
+ inherit host port;
 };
 age-secrets.autoMatch = [ "influxdb2" ];
diff --git a/machines/storage01/prometheus.nix b/machines/storage01/prometheus.nix
index 168e9a5..e0b35ba 100644
--- a/machines/storage01/prometheus.nix
+++ b/machines/storage01/prometheus.nix
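Review bot: The forgejo virtual host now exists only when `dgn-web.enable` is true, because modules/dgn-web.nix defines `services.nginx.virtualHosts` under `config = mkIf cfg.enable`, whereas the removed block enabled nginx and declared the vhost unconditionally; the same applies to the influxdb.nix and prometheus.nix hunks. Nothing in this diff shows `dgn-web.enable` being set for storage01, so that should be confirmed. An assertion in the module that fails evaluation when `simpleProxies` is non-empty while the module is disabled would turn a silently missing TLS front end into a build error. The enclosing attribute set starts and ends outside the hunk.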
@@ -77,15 +77,9 @@ in
 ];
 };
- services.nginx.virtualHosts.${host} = {
- enableACME = true;
- forceSSL = true;
-
- locations."/" = {
- proxyPass = "http://127.0.0.1:${builtins.toString port}";
- proxyWebsockets = true;
- recommendedProxySettings = true;
- };
+ dgn-web.simpleProxies.prometheus = {
+ inherit host port;
+ proxyWebsockets = true;
 };
 age-secrets.autoMatch = [ "prometheus" ];
diff --git a/modules/dgn-web.nix b/modules/dgn-web.nix
index 8b224b6..f0ade3d 100644
--- a/modules/dgn-web.nix
+++ b/modules/dgn-web.nix
@@ -5,12 +5,24 @@ let
 attrsToList
 concatStringsSep
 filterAttrs
+ getAttr
+ mapAttrs
+ mapAttrs'
 mkEnableOption
 mkIf
 mkOption
+ nameValuePair
+ recursiveUpdate
 ;
- inherit (lib.types) attrsOf port;
+ inherit (lib.types)
+ attrs
+ attrsOf
+ bool
+ port
+ str
+ submodule
+ ;
 cfg = config.dgn-web;
 in
@@ -25,6 +37,42 @@ in
 Map from the web services to their internal ports, it should avoid port clashes.
 '';
 };
+
+ simpleProxies = mkOption {
+ type = attrsOf (submodule {
+ options = {
+ port = mkOption {
+ type = port;
+ description = ''
+ Port where the service will listen.
+ '';
+ };
+
+ host = mkOption {
+ type = str;
+ description = ''
+ Hostname of the service.
+ '';
+ };
+
+ proxyWebsockets = mkOption {
+ type = bool;
+ default = false;
+ description = ''
+ Whether to support proxying websocket connections with HTTP/1.1.
+ '';
+ };
+
+ vhostConfig = mkOption {
+ type = attrs;
+ default = { };
+ description = ''
+ Additional virtualHost settings.
+ '';
+ };
+ };
+ });
+ };
 };
 config = mkIf cfg.enable {
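Review bot: The prometheus location loses `recommendedProxySettings = true;`, since the `simpleProxies` submodule has no such field and the generated `locations."/"` sets only `proxyPass` and `proxyWebsockets`. Unless `services.nginx.recommendedProxySettings` is enabled globally somewhere outside the visible hunks, the backend no longer receives the original `Host` and `X-Forwarded-*` headers, which affects both routing and the client addresses recorded in its logs. If the global setting is absent, the per-host behaviour can be kept with `vhostConfig.locations."/".recommendedProxySettings = true;`.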
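Review bot: `vhostConfig` is declared as `attrs`, so nothing in it is type-checked at this level, and its description does not say that its values take precedence over the defaults the module generates (`forceSSL`, `enableACME`, `proxyPass`). I would state that in the description, for example `Additional virtualHost settings; these override the generated defaults, including forceSSL and enableACME.` The `simpleProxies` option itself also has no `description`, and an explicit `default = { };` would document that declaring no proxy is valid.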
@@ -56,9 +104,32 @@ in
 )
 ];
+ dgn-web.internalPorts = mapAttrs (_: getAttr "port") cfg.simpleProxies;
+
 services.nginx = {
 enable = true;
+ virtualHosts = mapAttrs' (
+ _:
+ {
+ host,
+ port,
+ proxyWebsockets,
+ vhostConfig,
+ }:
+ nameValuePair host (
+ recursiveUpdate {
+ forceSSL = true;
+ enableACME = true;
+
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:${builtins.toString port}";
+ inherit proxyWebsockets;
+ };
+ } vhostConfig
+ )
+ ) cfg.simpleProxies;
+
 recommendedBrotliSettings = true;
 recommendedGzipSettings = true;
 recommendedOptimisation = true;
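Review bot: `recursiveUpdate { … } vhostConfig` lets any key in `vhostConfig` silently replace the enforced defaults, so a proxy declared with `vhostConfig.forceSSL = false` loses the HTTPS redirect although the commit message says SSL is enabled. Merging through the module system instead, `nameValuePair host (mkMerge [ { … } vhostConfig ])` with `mkMerge` added to the `inherit (lib)` list, should turn a conflicting definition into an evaluation error unless the caller writes `mkForce` explicitly. Separately, two `simpleProxies` entries with the same `host` collapse into a single attribute in `mapAttrs'` without any error, so an assertion on duplicate hosts would be worth adding. The `services.nginx` set continues past the end of the hunk.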