Tom Hubrecht
88d9b8c3e3
Signed-off-by: Tom Hubrecht <tom.hubrecht@dgnum.eu> Acked-by: Ryan Lahfa <ryan.lahfa@dgnum.eu> Acked-by: Maurice Debray <maurice.debray@dgnum.eu> Acked-by: Lubin Bailly <lubin.bailly@dgnum.eu> Acked-by: Jean-Marc Gailis <jean-marc.gailis@dgnum.eu> as the legal authority, at the time of writing, in DGNum. Acked-by: Elias Coppens <elias.coppens@dgnum.eu> as a member, at the time of writing, of the DGNum executive counsel.
157 lines
3.5 KiB
Nix
# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
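{ config, lib, ... }:

# Opinionated nginx defaults for the DGNum web services: every entry of
# `dgn-web.simpleProxies` becomes a TLS-terminated virtualHost forwarding to a
# loopback port, and every port registered in `dgn-web.internalPorts` is
# checked for clashes at evaluation time.

let
  inherit (lib)
    attrsToList
    concatStringsSep
    filterAttrs
    getAttr
    mapAttrs
    mapAttrs'
    mkEnableOption
    mkIf
    mkOption
    nameValuePair
    recursiveUpdate
    ;

  inherit (lib.types)
    attrs
    attrsOf
    bool
    port
    str
    submodule
    ;

  cfg = config.dgn-web;
in

{
  options.dgn-web = {
    # mkEnableOption renders "Whether to enable <name>." itself, so the name
    # must not carry a trailing period (it produced a doubled "..").
    enable = mkEnableOption "sane defaults for web services";

    # Service name -> loopback port. The assertion in `config` rejects any
    # port claimed by more than one service.
    internalPorts = mkOption {
      type = attrsOf port;
      default = { };
      description = ''
        Map from the web services to their internal ports, it should avoid port clashes.
      '';
    };

    # One nginx virtualHost per entry; the attribute name is only used to
    # register the port in `internalPorts`, the vhost is keyed by `host`.
    simpleProxies = mkOption {
      type = attrsOf (submodule {
        options = {
          port = mkOption {
            type = port;
            description = ''
              Port where the service will listen.
            '';
          };

          host = mkOption {
            type = str;
            description = ''
              Hostname of the service.
            '';
          };

          proxyWebsockets = mkOption {
            type = bool;
            default = false;
            description = ''
              Whether to support proxying websocket connections with HTTP/1.1.
            '';
          };

          # Merged over the generated vhost with recursiveUpdate, so keys set
          # here (including forceSSL/enableACME) take precedence.
          vhostConfig = mkOption {
            type = attrs;
            default = { };
            description = ''
              Additional virtualHost settings.
            '';
          };
        };
      });
      default = { };
      description = ''
        A set of simple localhost redirections.
      '';
    };
  };

  config = mkIf cfg.enable {
    assertions = [
      (
        let
          # Group service names by port, keep the ports held by more than one
          # service, and render each clash as "PORT: serviceA, serviceB".
          duplicates = builtins.attrValues (
            builtins.mapAttrs (p: serv: "${p}: ${concatStringsSep ", " serv}") (
              filterAttrs (_: ls: builtins.length ls != 1) (
                builtins.foldl' (
                  rev:
                  { name, value }:
                  let
                    # Attribute names must be strings, hence the stringified port.
                    str = builtins.toString value;
                  in
                  rev // { ${str} = (rev.${str} or [ ]) ++ [ name ]; }
                ) { } (attrsToList cfg.internalPorts)
              )
            )
          );
        in
        {
          assertion = duplicates == [ ];
          message = ''
            Internal ports cannot be used for multiple services, the clashes are:
            ${concatStringsSep "\n " duplicates}
          '';
        }
      )
    ];

    # Every simple proxy claims its port here too, so the assertion above also
    # catches a proxy colliding with a service declared directly in internalPorts.
    dgn-web.internalPorts = mapAttrs (_: getAttr "port") cfg.simpleProxies;

    # Keep logs during 1 year (53 weeks)
    # NOTE(review): the "1 year" reading assumes the weekly rotation frequency
    # that the NixOS nginx module sets by default — confirm if that is changed.
    services.logrotate.settings.nginx.rotate = 53;

    services.nginx = {
      enable = true;

      virtualHosts = mapAttrs' (
        _:
        {
          host,
          port,
          proxyWebsockets,
          vhostConfig,
        }:
        nameValuePair host (
          # vhostConfig is the right-hand operand, so its keys override the
          # defaults below, including the "/" location.
          recursiveUpdate {
            forceSSL = true;
            enableACME = true;

            # Backends are only reached over loopback; nothing else exposes them.
            locations."/" = {
              proxyPass = "http://127.0.0.1:${builtins.toString port}";
              inherit proxyWebsockets;
            };
          } vhostConfig
        )
      ) cfg.simpleProxies;

      recommendedBrotliSettings = true;
      recommendedGzipSettings = true;
      recommendedOptimisation = true;
      recommendedProxySettings = true;
      recommendedTlsSettings = true;
      recommendedZstdSettings = true;
    };

    # Only the public HTTP/HTTPS ports are opened; the proxied services stay
    # bound to 127.0.0.1 behind nginx.
    networking.firewall.allowedTCPPorts = [
      80
      443
    ];
  };
}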