machines/compute01/pages.nix

@@ -36,70 +36,80 @@ let
 in
 
 {
+  options.services.nginx.virtualHosts = lib.mkOption {
+    type = lib.types.attrsOf (
+      lib.types.submodule {
+        config.extraConfig = ''
+          real_ip_header proxy_protocol;
+          set_real_ip_from 127.0.0.1;
+        '';
+      }
+    );
+  };
 
-  systemd.services.codeberg-pages = {
+  config = {
-    inherit environment;
+    systemd.services.codeberg-pages = {
-    description = "Codeberg pages server";
+      inherit environment;
-    after = [ "network.target" ];
+      description = "Codeberg pages server";
-    wantedBy = [ "multi-user.target" ];
+      after = [ "network.target" ];
-    serviceConfig = {
+      wantedBy = [ "multi-user.target" ];
-      Type = "simple";
+      serviceConfig = {
-      StateDirectory = "codeberg-pages";
+        Type = "simple";
-      EnvironmentFile = config.age.secrets."pages-environment_file".path;
+        StateDirectory = "codeberg-pages";
-      WorkingDirectory = "/var/lib/codeberg-pages";
+        EnvironmentFile = config.age.secrets."pages-environment_file".path;
-      DynamicUser = true;
+        WorkingDirectory = "/var/lib/codeberg-pages";
-      ExecStart = lib.getExe package;
+        DynamicUser = true;
-      Restart = "on-failure";
+        ExecStart = lib.getExe package;
-      ProtectHome = true;
+        Restart = "on-failure";
-      ProtectSystem = "strict";
+        ProtectHome = true;
-      PrivateTmp = true;
+        ProtectSystem = "strict";
-      PrivateDevices = true;
+        PrivateTmp = true;
-      ProtectHostname = true;
+        PrivateDevices = true;
-      ProtectClock = true;
+        ProtectHostname = true;
-      ProtectKernelTunables = true;
+        ProtectClock = true;
-      ProtectKernelModules = true;
+        ProtectKernelTunables = true;
-      ProtectKernelLogs = true;
+        ProtectKernelModules = true;
-      ProtectControlGroups = true;
+        ProtectKernelLogs = true;
-      NoNewPrivileges = true;
+        ProtectControlGroups = true;
-      RestrictRealtime = true;
+        NoNewPrivileges = true;
-      RestrictSUIDSGID = true;
+        RestrictRealtime = true;
-      RemoveIPC = true;
+        RestrictSUIDSGID = true;
-      PrivateMounts = true;
+        RemoveIPC = true;
+        PrivateMounts = true;
+      };
+    };
+
+    services.nginx = {
+      defaultListen = [
+        {
+          addr = "127.0.0.1";
+          port = 8446;
+          ssl = true;
+          proxyProtocol = true;
+        }
+        {
+          addr = "0.0.0.0";
+          ssl = false;
+        }
+      ];
+
+      streamConfig = ''
+        map $ssl_preread_server_name $sni_upstream {
+          default 127.0.0.1:8010;
+          ${
+            lib.concatMapStringsSep "\n  " (vhost: "${vhost} 127.0.0.1:8446;") (
+              lib.attrNames config.services.nginx.virtualHosts
+            )
+          }
+        }
+
+        server {
+          listen 443;
+          ssl_preread on;
+          proxy_pass $sni_upstream;
+          proxy_protocol on;
+        }
+      '';
     };
   };
-
-  services.nginx = {
-    defaultListen = [
-      {
-        addr = "127.0.0.1";
-        port = 8446;
-        ssl = true;
-        proxyProtocol = true;
-      }
-      {
-        addr = "0.0.0.0";
-        ssl = false;
-      }
-    ];
-    streamConfig = ''
-      map $ssl_preread_server_name $sni_upstream {
-        default 127.0.0.1:8010;
-        ${
-          lib.concatMapStringsSep "\n  " (vhost: "${vhost} 127.0.0.1:8446;") (
-            lib.attrNames config.services.nginx.virtualHosts
-          )
-        }
-      }
-
-      server {
-        listen 443;
-        ssl_preread on;
-        proxy_pass $sni_upstream;
-        proxy_protocol on;
-      }
-
-    '';
-    defaultSSLListenPort = 8446;
-  };
-
 }