Tom Hubrecht
b23312dcaa
All checks were successful
Check meta / check_dns (pull_request) Successful in 19s
Check meta / check_meta (pull_request) Successful in 20s
Check workflows / check_workflows (pull_request) Successful in 24s
Build all the nodes / ap01 (pull_request) Successful in 1m2s
Build all the nodes / geo02 (pull_request) Successful in 1m43s
Build all the nodes / geo01 (pull_request) Successful in 1m49s
Build all the nodes / bridge01 (pull_request) Successful in 1m56s
Build all the nodes / compute01 (pull_request) Successful in 2m35s
Build all the nodes / rescue01 (pull_request) Successful in 2m16s
Build all the nodes / vault01 (pull_request) Successful in 1m51s
Build all the nodes / storage01 (pull_request) Successful in 1m59s
Run pre-commit on all files / check (pull_request) Successful in 24s
Build all the nodes / web02 (pull_request) Successful in 1m40s
Build all the nodes / web01 (pull_request) Successful in 2m29s
Build all the nodes / web03 (pull_request) Successful in 1m41s
Build all the nodes / ap01 (push) Successful in 1m17s
Build all the nodes / bridge01 (push) Successful in 2m0s
Build all the nodes / geo02 (push) Successful in 2m9s
Build all the nodes / compute01 (push) Successful in 2m24s
Build all the nodes / rescue01 (push) Successful in 2m29s
Build all the nodes / geo01 (push) Successful in 3m3s
Build all the nodes / storage01 (push) Successful in 2m3s
Run pre-commit on all files / check (push) Successful in 36s
Build all the nodes / vault01 (push) Successful in 1m53s
Build all the nodes / web02 (push) Successful in 1m47s
Build all the nodes / web03 (push) Successful in 1m50s
Build all the nodes / web01 (push) Successful in 2m23s
153 lines
3.4 KiB
Nix
153 lines
3.4 KiB
Nix
{ config, lib, ... }:
|
|
|
|
let
|
|
inherit (lib)
|
|
attrsToList
|
|
concatStringsSep
|
|
filterAttrs
|
|
getAttr
|
|
mapAttrs
|
|
mapAttrs'
|
|
mkEnableOption
|
|
mkIf
|
|
mkOption
|
|
nameValuePair
|
|
recursiveUpdate
|
|
;
|
|
|
|
inherit (lib.types)
|
|
attrs
|
|
attrsOf
|
|
bool
|
|
port
|
|
str
|
|
submodule
|
|
;
|
|
|
|
cfg = config.dgn-web;
|
|
in
|
|
{
|
|
options.dgn-web = {
|
|
enable = mkEnableOption "sane defaults for web services.";
|
|
|
|
internalPorts = mkOption {
|
|
type = attrsOf port;
|
|
default = { };
|
|
description = ''
|
|
Map from the web services to their internal ports, it should avoid port clashes.
|
|
'';
|
|
};
|
|
|
|
simpleProxies = mkOption {
|
|
type = attrsOf (submodule {
|
|
options = {
|
|
port = mkOption {
|
|
type = port;
|
|
description = ''
|
|
Port where the service will listen.
|
|
'';
|
|
};
|
|
|
|
host = mkOption {
|
|
type = str;
|
|
description = ''
|
|
Hostname of the service.
|
|
'';
|
|
};
|
|
|
|
proxyWebsockets = mkOption {
|
|
type = bool;
|
|
default = false;
|
|
description = ''
|
|
Whether to support proxying websocket connections with HTTP/1.1.
|
|
'';
|
|
};
|
|
|
|
vhostConfig = mkOption {
|
|
type = attrs;
|
|
default = { };
|
|
description = ''
|
|
Additional virtualHost settings.
|
|
'';
|
|
};
|
|
};
|
|
});
|
|
default = { };
|
|
description = ''
|
|
A set of simple localhost redirections.
|
|
'';
|
|
};
|
|
};
|
|
|
|
config = mkIf cfg.enable {
|
|
assertions = [
|
|
(
|
|
let
|
|
duplicates = builtins.attrValues (
|
|
builtins.mapAttrs (p: serv: "${p}: ${concatStringsSep ", " serv}") (
|
|
filterAttrs (_: ls: builtins.length ls != 1) (
|
|
builtins.foldl' (
|
|
rev:
|
|
{ name, value }:
|
|
let
|
|
str = builtins.toString value;
|
|
in
|
|
rev // { ${str} = (rev.${str} or [ ]) ++ [ name ]; }
|
|
) { } (attrsToList cfg.internalPorts)
|
|
)
|
|
)
|
|
);
|
|
in
|
|
{
|
|
assertion = duplicates == [ ];
|
|
message = ''
|
|
Internal ports cannot be used for multiple services, the clashes are:
|
|
${concatStringsSep "\n " duplicates}
|
|
'';
|
|
}
|
|
)
|
|
];
|
|
|
|
dgn-web.internalPorts = mapAttrs (_: getAttr "port") cfg.simpleProxies;
|
|
|
|
# Keep logs during 1 year (53 weeks)
|
|
services.logrotate.settings.nginx.rotate = 53;
|
|
|
|
services.nginx = {
|
|
enable = true;
|
|
|
|
virtualHosts = mapAttrs' (
|
|
_:
|
|
{
|
|
host,
|
|
port,
|
|
proxyWebsockets,
|
|
vhostConfig,
|
|
}:
|
|
nameValuePair host (
|
|
recursiveUpdate {
|
|
forceSSL = true;
|
|
enableACME = true;
|
|
|
|
locations."/" = {
|
|
proxyPass = "http://127.0.0.1:${builtins.toString port}";
|
|
inherit proxyWebsockets;
|
|
};
|
|
} vhostConfig
|
|
)
|
|
) cfg.simpleProxies;
|
|
|
|
recommendedBrotliSettings = true;
|
|
recommendedGzipSettings = true;
|
|
recommendedOptimisation = true;
|
|
recommendedProxySettings = true;
|
|
recommendedTlsSettings = true;
|
|
recommendedZstdSettings = true;
|
|
};
|
|
|
|
networking.firewall.allowedTCPPorts = [
|
|
80
|
|
443
|
|
];
|
|
};
|
|
}
|