nixos-config/modules/static-webserver.nix

87 lines
2.6 KiB
Nix

{ config, lib, pkgs, ... }:
let
cfg = config.sbruder.static-webserver;
in
{
options.sbruder.static-webserver = {
root = lib.mkOption {
type = lib.types.str;
default = "/var/www";
};
vhosts = lib.mkOption {
type = lib.types.attrsOf (lib.types.submodule ({ name, vhostCfg, ... }: {
options = {
redirects = lib.mkOption {
type = lib.types.listOf lib.types.str;
default = [ "www.${name}" ];
};
root = lib.mkOption {
type = lib.types.str;
default = "${cfg.root}/${name}";
};
user = {
name = lib.mkOption {
type = lib.types.str;
};
keys = lib.mkOption {
type = lib.types.listOf lib.types.str;
default = config.sbruder.pubkeys.trustedKeys;
};
};
imprint = {
enable = lib.mkEnableOption "a location making the imprint available";
location = lib.mkOption {
type = lib.types.str;
default = "/imprint/";
};
};
};
}));
default = { };
};
};
config = lib.mkIf (cfg.vhosts != { }) {
users.users = lib.mapAttrs'
(_: { user, root, ... }: lib.nameValuePair user.name {
isSystemUser = true;
group = user.name;
shell = "/bin/sh";
openssh.authorizedKeys.keys = map
(key: "command=\"${pkgs.rrsync}/bin/rrsync -wo ${root}\",no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding ${key}")
user.keys;
})
cfg.vhosts;
users.groups = lib.mapAttrs' (_: { user, ... }: lib.nameValuePair user.name { }) cfg.vhosts;
systemd.tmpfiles.rules = map
({ root, user, ... }: "d ${root} 0755 ${user.name} ${user.name} -")
(lib.attrValues cfg.vhosts);
services.nginx.virtualHosts = lib.attrsets.mergeAttrsList
(lib.mapAttrsToList
(primaryDomain: vhostCfg:
({
${primaryDomain} = lib.mkMerge [
{
enableACME = true;
forceSSL = true;
root = vhostCfg.root;
}
(lib.mkIf vhostCfg.imprint.enable {
locations.${vhostCfg.imprint.location}.alias = "${pkgs.sbruder.imprint}/";
})
];
} // (lib.listToAttrs (map
(domain: lib.nameValuePair domain {
enableACME = true;
forceSSL = true;
globalRedirect = primaryDomain;
})
vhostCfg.redirects)))
)
cfg.vhosts);
};
}