tlaternet-server/modules/nginxExtensions.nix

{ config
, pkgs
, lib
, ...
}: {
  options = {
    services.nginx.domain = lib.mkOption {
      type = lib.types.str;
      description = "The base domain name to append to virtual domain names";
    };

    services.nginx.virtualHosts =
      let
        extraVirtualHostOptions =
          { name
          , config
          , ...
          }: {
            options = {
              enableHSTS = lib.mkEnableOption "Enable HSTS";

              addAccessLog = lib.mkOption {
                type = lib.types.bool;
                default = true;
                description = ''
                  Add special logging to `/var/log/nginx/''${serverName}`
                '';
              };
            };

            config = {
              extraConfig = lib.concatStringsSep "\n" [
                (lib.optionalString config.enableHSTS ''
                  add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
                '')
                (lib.optionalString config.addAccessLog ''
                  access_log /var/log/nginx/${name}/access.log upstream_time;
                '')
              ];
            };
          };
      in
      lib.mkOption {
        type = lib.types.attrsOf (lib.types.submodule extraVirtualHostOptions);
      };
  };

  config = {
    # Don't attempt to run acme if the domain name is not tlater.net
    systemd.services =
      let
        confirm = ''[[ "tlater.net" = ${config.services.nginx.domain} ]]'';
      in
      lib.mapAttrs'
        (cert: _:
          lib.nameValuePair "acme-${cert}" {
            serviceConfig.ExecCondition = ''${pkgs.runtimeShell} -c '${confirm}' '';
          })
        config.security.acme.certs;
  };
}
treewide: Refactor nginx config 2024-04-13 03:34:53 +01:00			`{ config`
			`, pkgs`
			`, lib`
			`, ...`
			`}: {`
			`options = {`
			`services.nginx.domain = lib.mkOption {`
			`type = lib.types.str;`
			`description = "The base domain name to append to virtual domain names";`
			`};`

			`services.nginx.virtualHosts =`
			`let`
			`extraVirtualHostOptions =`
			`{ name`
			`, config`
			`, ...`
			`}: {`
			`options = {`
			`enableHSTS = lib.mkEnableOption "Enable HSTS";`

			`addAccessLog = lib.mkOption {`
			`type = lib.types.bool;`
			`default = true;`
			`description = ''`
			Add special logging to `/var/log/nginx/''${serverName}`
			`'';`
			`};`
			`};`

			`config = {`
			`extraConfig = lib.concatStringsSep "\n" [`
			`(lib.optionalString config.enableHSTS ''`
			`add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;`
			`'')`
			`(lib.optionalString config.addAccessLog ''`
			`access_log /var/log/nginx/${name}/access.log upstream_time;`
			`'')`
			`];`
			`};`
			`};`
			`in`
			`lib.mkOption {`
			`type = lib.types.attrsOf (lib.types.submodule extraVirtualHostOptions);`
			`};`
			`};`

			`config = {`
			`# Don't attempt to run acme if the domain name is not tlater.net`
			`systemd.services =`
			`let`
			`confirm = ''[[ "tlater.net" = ${config.services.nginx.domain} ]]'';`
			`in`
			`lib.mapAttrs'`
			`(cert: _:`
			`lib.nameValuePair "acme-${cert}" {`
			`serviceConfig.ExecCondition = ''${pkgs.runtimeShell} -c '${confirm}' '';`
			`})`
			`config.security.acme.certs;`
			`};`
			`}`