static-webserver: Init

This module makes it easier to configure static websites.
This commit is contained in:
Simon Bruder 2023-11-25 12:33:26 +01:00
parent 47aa4a11d4
commit f39ce20c60
Signed by: simon
GPG key ID: 8D3C82F9F309F8EC
5 changed files with 88 additions and 33 deletions


@ -5,7 +5,7 @@
./hardware-configuration.nix ./hardware-configuration.nix
../../modules ../../modules
./services/maggus.bayern.nix ./services/static-sites.nix
./services/proxy.nix ./services/proxy.nix
]; ];


@ -1,32 +0,0 @@
{ pkgs, ... }:
{
users.users.maggus = {
isSystemUser = true;
group = "maggus";
shell = "/bin/sh";
openssh.authorizedKeys.keys = map (key: "command=\"${pkgs.rrsync}/bin/rrsync -wo /var/www/maggus.bayern/\",no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding ${key}") [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAWGXaMijpnm3RSH/PIVxkBRDIi1f5nMW/aS26g3b71M nils"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJEF8o2ezSEXwWoAcdoeJs+wsZM/u8x+vtRNU3FXOMIT nils"
];
};
users.groups.maggus = { };
systemd.tmpfiles.rules = [
"d /var/www/maggus.bayern 0755 maggus root -"
];
services.nginx.virtualHosts = {
"maggus.bayern" = {
enableACME = true;
forceSSL = true;
root = "/var/www/maggus.bayern";
};
"www.maggus.bayern" = {
enableACME = true;
forceSSL = true;
globalRedirect = "maggus.bayern";
};
};
}


@ -0,0 +1,13 @@
{ config, ... }:
{
sbruder.static-webserver.vhosts = {
"maggus.bayern".user = {
name = "maggus";
keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAWGXaMijpnm3RSH/PIVxkBRDIi1f5nMW/aS26g3b71M nils"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJEF8o2ezSEXwWoAcdoeJs+wsZM/u8x+vtRNU3FXOMIT nils"
] ++ config.sbruder.pubkeys.trustedKeys;
};
};
}


@ -47,6 +47,7 @@
./restic ./restic
./secrets.nix ./secrets.nix
./ssh.nix ./ssh.nix
./static-webserver.nix
./syncthing.nix ./syncthing.nix
./tmux.nix ./tmux.nix
./tools.nix ./tools.nix


@ -0,0 +1,73 @@
{ config, lib, pkgs, ... }:
let
cfg = config.sbruder.static-webserver;
in
{
options.sbruder.static-webserver = {
root = lib.mkOption {
type = lib.types.str;
default = "/var/www";
};
vhosts = lib.mkOption {
type = lib.types.attrsOf (lib.types.submodule ({ name, vhostCfg, ... }: {
options = {
redirects = lib.mkOption {
type = lib.types.listOf lib.types.str;
default = [ "www.${name}" ];
};
root = lib.mkOption {
type = lib.types.str;
default = "${cfg.root}/${name}";
};
user = {
name = lib.mkOption {
type = lib.types.str;
};
keys = lib.mkOption {
type = lib.types.listOf lib.types.str;
};
};
};
}));
default = { };
};
};
config = lib.mkIf (cfg.vhosts != { }) {
users.users = lib.mapAttrs'
(_: { user, root, ... }: lib.nameValuePair user.name {
isSystemUser = true;
group = user.name;
shell = "/bin/sh";
openssh.authorizedKeys.keys = map
(key: "command=\"${pkgs.rrsync}/bin/rrsync -wo ${root}\",no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding ${key}")
user.keys;
})
cfg.vhosts;
users.groups = lib.mapAttrs' (_: { user, ... }: lib.nameValuePair user.name { }) cfg.vhosts;
systemd.tmpfiles.rules = map
({ root, user, ... }: "d ${root} 0755 ${user.name} ${user.name} -")
(lib.attrValues cfg.vhosts);
services.nginx.virtualHosts = lib.attrsets.mergeAttrsList
(lib.mapAttrsToList
(primaryDomain: vhostCfg:
({
${primaryDomain} = {
enableACME = true;
forceSSL = true;
root = vhostCfg.root;
};
} // (lib.listToAttrs (map
(domain: lib.nameValuePair domain {
enableACME = true;
forceSSL = true;
globalRedirect = primaryDomain;
})
vhostCfg.redirects)))
)
cfg.vhosts);
};
}
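Review bot: The `users.users` set built with `lib.mapAttrs'` is keyed by `user.name`, so two vhosts that declare the same user name silently collapse into one account and one of them loses its `openssh.authorizedKeys.keys` (and its rrsync `-wo ${root}` target) without any evaluation error; `users.groups` collapses the same way. Because the `command="rrsync -wo …"` restriction binds exactly one root to an account, a uniqueness assertion over `cfg.vhosts` would surface that misconfiguration at build time instead of leaving one site un-uploadable. Separately, the submodule function `({ name, vhostCfg, ... }: …)` binds `vhostCfg`, which nothing in the option body reads, so `{ name, ... }` is sufficient, and none of the `lib.mkOption` calls carry a `description`, so the options render without help text.
```nix
config = lib.mkIf (cfg.vhosts != { }) {
  assertions = [
    {
      assertion =
        let names = lib.mapAttrsToList (_: v: v.user.name) cfg.vhosts;
        in builtins.length (lib.unique names) == builtins.length names;
      message = "sbruder.static-webserver: each vhost must use a distinct user.name";
    }
  ];
  # … unchanged: users.users, users.groups, systemd.tmpfiles.rules, services.nginx.virtualHosts …
};
```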