nixos/hosts/architect/options.nix

{ config, lib, ... }:

with lib;

{
  options.architect = {
    firewall = {
      openTCP = mkOption {
        type = types.listOf types.int;
        default = [ ];
      };
      openUDP = mkOption {
        type = types.listOf types.int;
        default = [ ];
      };
    };

    networks = mkOption {
      type = types.attrsOf (types.submodule {
        options = {
          interface = mkOption {
            type = types.str;
            description = "The network interface name.";
          };

          net = mkOption {
            type = types.str;
            description = "The network address in CIDR format.";
          };

          devices = mkOption {
            type = types.attrsOf (types.submodule {
              options = {
                address = mkOption {
                  type = types.str;
                  description = "The IP address of the device.";
                };

                hostname = mkOption {
                  type = types.str;
                  description = "The hostname of the device.";
                };
              };
            });
            default = { };
            description = "An attribute set of devices with their configurations.";
          };
        };
      });
      default = { };
      description = "An attribute set of networks with their configurations.";
    };

    vhost = mkOption {
      type = types.attrsOf (types.submodule {
        options = {
          dnsInterfaces = mkOption {
            type = types.listOf types.str;
            default = [ ];
            description = "List of interfaces to add extra DNS hosts for this vhost.";
          };

          locations = mkOption {
            type = types.attrsOf (types.submodule {
              options = {
                extraConfig = mkOption {
                  type = types.str;
                  description = "Extra configuration for the location.";
                  default = "";
                };

                allowLan = mkOption {
                  type = types.bool;
                  default = false;
                };

                proxyWebsockets = mkOption {
                  type = types.bool;
                  default = false;
                };

                host = mkOption {
                  type = types.str;
                  description = "The host for the location.";
                  default = "127.0.0.1";
                };

                port = mkOption {
                  type = types.int;
                  description = "The port number for the location.";
                };

                allow = mkOption {
                  type = types.listOf types.str;
                  default = [ ];
                  description = "IP address or CIDR block to allow.";
                };

                path = mkOption {
                  type = types.str;
                  default = "";
                };

                allowWAN = mkOption {
                  type = types.bool;
                  default = false;
                  description = "If set to false, deny all WAN traffic.";
                };
              };
            });
            default = { };
            description = "An attribute set of location configurations.";
          };
        };
      });
      default = { };
      description = "An attribute set of domain configurations.";
    };
  };

  # TODO: move to nginx
  config = {
    services.nginx.virtualHosts = mapAttrs
      (domain: conf: {
        forceSSL = true;
        enableACME = true;
        locations = mapAttrs
          (path: location: {
            proxyPass = "http://${location.host}:${toString location.port}${location.path}";
            proxyWebsockets = location.proxyWebsockets;
            extraConfig = ''
              ${concatMapStringsSep "\n" (allowCIDR: "allow ${allowCIDR};") location.allow}
              ${optionalString location.allowLan ''allow ${config.architect.networks."lan".net};''}
              ${optionalString (!location.allowWAN) "deny all;"}
            '' + location.extraConfig;
          })
          conf.locations;
      })
      config.architect.vhost;
  };
}
architect: Refactored firewall settings. Added architect.firewall option 2023-02-14 23:19:52 +00:00			`{ config, lib, ... }:`

			`with lib;`

			`{`
architect: Added architect.networks option attribute set 2023-05-12 11:32:29 +01:00			`options.architect = {`
			`firewall = {`
			`openTCP = mkOption {`
			`type = types.listOf types.int;`
			`default = [ ];`
			`};`
			`openUDP = mkOption {`
			`type = types.listOf types.int;`
			`default = [ ];`
			`};`
architect: Refactored firewall settings. Added architect.firewall option 2023-02-14 23:19:52 +00:00			`};`
architect: Added architect.networks option attribute set 2023-05-12 11:32:29 +01:00
			`networks = mkOption {`
			`type = types.attrsOf (types.submodule {`
			`options = {`
			`interface = mkOption {`
			`type = types.str;`
			`description = "The network interface name.";`
			`};`

			`net = mkOption {`
			`type = types.str;`
			`description = "The network address in CIDR format.";`
			`};`

			`devices = mkOption {`
			`type = types.attrsOf (types.submodule {`
			`options = {`
			`address = mkOption {`
			`type = types.str;`
			`description = "The IP address of the device.";`
			`};`

			`hostname = mkOption {`
			`type = types.str;`
			`description = "The hostname of the device.";`
			`};`
			`};`
			`});`
			`default = { };`
			`description = "An attribute set of devices with their configurations.";`
			`};`
			`};`
			`});`
			`default = { };`
			`description = "An attribute set of networks with their configurations.";`
architect: Refactored firewall settings. Added architect.firewall option 2023-02-14 23:19:52 +00:00			`};`
options: added vhost attributes 2023-06-04 23:29:43 +01:00
			`vhost = mkOption {`
			`type = types.attrsOf (types.submodule {`
			`options = {`
			`dnsInterfaces = mkOption {`
			`type = types.listOf types.str;`
			`default = [ ];`
			`description = "List of interfaces to add extra DNS hosts for this vhost.";`
			`};`

			`locations = mkOption {`
			`type = types.attrsOf (types.submodule {`
			`options = {`
vhost: added attributes 2023-06-05 02:02:02 +01:00			`extraConfig = mkOption {`
			`type = types.str;`
			`description = "Extra configuration for the location.";`
			`default = "";`
			`};`

			`allowLan = mkOption {`
			`type = types.bool;`
			`default = false;`
			`};`

			`proxyWebsockets = mkOption {`
			`type = types.bool;`
			`default = false;`
			`};`

vhost: added host 2023-06-05 03:44:33 +01:00			`host = mkOption {`
			`type = types.str;`
			`description = "The host for the location.";`
			`default = "127.0.0.1";`
			`};`
architect: add allowWAN option, correctly blocking WAN traffic 2023-11-16 12:25:43 +00:00
options: added vhost attributes 2023-06-04 23:29:43 +01:00			`port = mkOption {`
			`type = types.int;`
			`description = "The port number for the location.";`
			`};`
architect: add allowWAN option, correctly blocking WAN traffic 2023-11-16 12:25:43 +00:00
options: added vhost attributes 2023-06-04 23:29:43 +01:00			`allow = mkOption {`
			`type = types.listOf types.str;`
			`default = [ ];`
			`description = "IP address or CIDR block to allow.";`
			`};`
architect: add allowWAN option, correctly blocking WAN traffic 2023-11-16 12:25:43 +00:00
options: added path to nginx server service 2023-06-26 20:00:40 +01:00			`path = mkOption {`
			`type = types.str;`
			`default = "";`
			`};`
options: added vhost attributes 2023-06-04 23:29:43 +01:00
architect: add allowWAN option, correctly blocking WAN traffic 2023-11-16 12:25:43 +00:00			`allowWAN = mkOption {`
			`type = types.bool;`
			`default = false;`
			`description = "If set to false, deny all WAN traffic.";`
			`};`
options: added vhost attributes 2023-06-04 23:29:43 +01:00			`};`
			`});`
			`default = { };`
			`description = "An attribute set of location configurations.";`
			`};`
			`};`
			`});`
			`default = { };`
			`description = "An attribute set of domain configurations.";`
			`};`
			`};`

options: cleanup, move dns into dns 2024-01-30 23:22:24 +00:00			`# TODO: move to nginx`
options: added vhost attributes 2023-06-04 23:29:43 +01:00			`config = {`
			`services.nginx.virtualHosts = mapAttrs`
			`(domain: conf: {`
			`forceSSL = true;`
			`enableACME = true;`
			`locations = mapAttrs`
			`(path: location: {`
options: added path to nginx server service 2023-06-26 20:00:40 +01:00			`proxyPass = "http://${location.host}:${toString location.port}${location.path}";`
vhost: added attributes 2023-06-05 02:02:02 +01:00			`proxyWebsockets = location.proxyWebsockets;`
options: added vhost attributes 2023-06-04 23:29:43 +01:00			`extraConfig = ''`
			`${concatMapStringsSep "\n" (allowCIDR: "allow ${allowCIDR};") location.allow}`
vhost: added attributes 2023-06-05 02:02:02 +01:00			`${optionalString location.allowLan ''allow ${config.architect.networks."lan".net};''}`
options: cleanup, move dns into dns 2024-01-30 23:22:24 +00:00			`${optionalString (!location.allowWAN) "deny all;"}`
vhost: added attributes 2023-06-05 02:02:02 +01:00			`'' + location.extraConfig;`
options: added vhost attributes 2023-06-04 23:29:43 +01:00			`})`
			`conf.locations;`
			`})`
			`config.architect.vhost;`
architect: Refactored firewall settings. Added architect.firewall option 2023-02-14 23:19:52 +00:00			`};`
			`}`