2023-02-14 23:19:52 +00:00
|
|
|
{ config, lib, ... }:
|
|
|
|
|
|
|
|
|
|
with lib;
|
|
|
|
|
|
2023-06-04 23:29:43 +01:00
|
|
|
let
|
|
|
|
|
utilities = import ./utilities.nix { inherit lib config; };
|
|
|
|
|
inherit (utilities) architectInterfaceAddress;
|
|
|
|
|
in
|
2023-02-14 23:19:52 +00:00
|
|
|
{
|
2023-05-12 11:32:29 +01:00
|
|
|
options.architect = {
|
|
|
|
|
firewall = {
|
|
|
|
|
openTCP = mkOption {
|
|
|
|
|
type = types.listOf types.int;
|
|
|
|
|
default = [ ];
|
|
|
|
|
};
|
|
|
|
|
openUDP = mkOption {
|
|
|
|
|
type = types.listOf types.int;
|
|
|
|
|
default = [ ];
|
|
|
|
|
};
|
|
|
|
|
openTCPVPN = mkOption {
|
|
|
|
|
type = types.listOf types.int;
|
|
|
|
|
default = [ ];
|
|
|
|
|
};
|
|
|
|
|
openUDPVPN = mkOption {
|
|
|
|
|
type = types.listOf types.int;
|
|
|
|
|
default = [ ];
|
|
|
|
|
};
|
2023-02-14 23:19:52 +00:00
|
|
|
};
|
2023-05-12 11:32:29 +01:00
|
|
|
|
|
|
|
|
networks = mkOption {
|
|
|
|
|
type = types.attrsOf (types.submodule {
|
|
|
|
|
options = {
|
|
|
|
|
interface = mkOption {
|
|
|
|
|
type = types.str;
|
|
|
|
|
description = "The network interface name.";
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
net = mkOption {
|
|
|
|
|
type = types.str;
|
|
|
|
|
description = "The network address in CIDR format.";
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
devices = mkOption {
|
|
|
|
|
type = types.attrsOf (types.submodule {
|
|
|
|
|
options = {
|
|
|
|
|
address = mkOption {
|
|
|
|
|
type = types.str;
|
|
|
|
|
description = "The IP address of the device.";
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
hostname = mkOption {
|
|
|
|
|
type = types.str;
|
|
|
|
|
description = "The hostname of the device.";
|
|
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
});
|
|
|
|
|
default = { };
|
|
|
|
|
description = "An attribute set of devices with their configurations.";
|
|
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
});
|
|
|
|
|
default = { };
|
|
|
|
|
description = "An attribute set of networks with their configurations.";
|
2023-02-14 23:19:52 +00:00
|
|
|
};
|
2023-06-04 23:29:43 +01:00
|
|
|
|
|
|
|
|
vhost = mkOption {
|
|
|
|
|
type = types.attrsOf (types.submodule {
|
|
|
|
|
options = {
|
|
|
|
|
dnsInterfaces = mkOption {
|
|
|
|
|
type = types.listOf types.str;
|
|
|
|
|
default = [ ];
|
|
|
|
|
description = "List of interfaces to add extra DNS hosts for this vhost.";
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
locations = mkOption {
|
|
|
|
|
type = types.attrsOf (types.submodule {
|
|
|
|
|
options = {
|
2023-06-05 02:02:02 +01:00
|
|
|
extraConfig = mkOption {
|
|
|
|
|
type = types.str;
|
|
|
|
|
description = "Extra configuration for the location.";
|
|
|
|
|
default = "";
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
allowLan = mkOption {
|
|
|
|
|
type = types.bool;
|
|
|
|
|
default = false;
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
proxyWebsockets = mkOption {
|
|
|
|
|
type = types.bool;
|
|
|
|
|
default = false;
|
|
|
|
|
};
|
|
|
|
|
|
2023-06-05 03:44:33 +01:00
|
|
|
host = mkOption {
|
|
|
|
|
type = types.str;
|
|
|
|
|
description = "The host for the location.";
|
|
|
|
|
default = "127.0.0.1";
|
|
|
|
|
};
|
2023-11-16 12:25:43 +00:00
|
|
|
|
2023-06-04 23:29:43 +01:00
|
|
|
port = mkOption {
|
|
|
|
|
type = types.int;
|
|
|
|
|
description = "The port number for the location.";
|
|
|
|
|
};
|
2023-11-16 12:25:43 +00:00
|
|
|
|
2023-06-04 23:29:43 +01:00
|
|
|
allow = mkOption {
|
|
|
|
|
type = types.listOf types.str;
|
|
|
|
|
default = [ ];
|
|
|
|
|
description = "IP address or CIDR block to allow.";
|
|
|
|
|
};
|
2023-11-16 12:25:43 +00:00
|
|
|
|
2023-06-26 20:00:40 +01:00
|
|
|
path = mkOption {
|
|
|
|
|
type = types.str;
|
|
|
|
|
default = "";
|
|
|
|
|
};
|
2023-06-04 23:29:43 +01:00
|
|
|
|
2023-11-16 12:25:43 +00:00
|
|
|
allowWAN = mkOption {
|
|
|
|
|
type = types.bool;
|
|
|
|
|
default = false;
|
|
|
|
|
description = "If set to false, deny all WAN traffic.";
|
|
|
|
|
};
|
|
|
|
|
|
2023-06-04 23:29:43 +01:00
|
|
|
deny = mkOption {
|
|
|
|
|
type = types.listOf types.str;
|
|
|
|
|
default = [ ];
|
|
|
|
|
description = "IP address or CIDR block to deny.";
|
|
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
});
|
|
|
|
|
default = { };
|
|
|
|
|
description = "An attribute set of location configurations.";
|
|
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
});
|
|
|
|
|
default = { };
|
|
|
|
|
description = "An attribute set of domain configurations.";
|
|
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
config = {
|
|
|
|
|
services.nginx.virtualHosts = mapAttrs
|
|
|
|
|
(domain: conf: {
|
|
|
|
|
forceSSL = true;
|
|
|
|
|
enableACME = true;
|
|
|
|
|
locations = mapAttrs
|
|
|
|
|
(path: location: {
|
2023-06-26 20:00:40 +01:00
|
|
|
proxyPass = "http://${location.host}:${toString location.port}${location.path}";
|
2023-06-05 02:02:02 +01:00
|
|
|
proxyWebsockets = location.proxyWebsockets;
|
2023-06-04 23:29:43 +01:00
|
|
|
extraConfig = ''
|
|
|
|
|
${concatMapStringsSep "\n" (allowCIDR: "allow ${allowCIDR};") location.allow}
|
2023-11-16 12:25:43 +00:00
|
|
|
${optionalString (!location.allowWAN) "deny all;"}
|
|
|
|
|
${concatMapStringsSep "\n" (denyCIDR: "deny ${denyCIDR};") location.deny}
|
2023-06-05 02:02:02 +01:00
|
|
|
${optionalString location.allowLan ''allow ${config.architect.networks."lan".net};''}
|
|
|
|
|
'' + location.extraConfig;
|
2023-06-04 23:29:43 +01:00
|
|
|
})
|
|
|
|
|
conf.locations;
|
|
|
|
|
})
|
|
|
|
|
config.architect.vhost;
|
|
|
|
|
|
|
|
|
|
networking.extraHosts = concatStringsSep "\n" (
|
|
|
|
|
mapAttrsToList
|
|
|
|
|
(domain: conf: concatMapStringsSep "\n"
|
|
|
|
|
(iface: "${architectInterfaceAddress iface} ${domain}")
|
|
|
|
|
conf.dnsInterfaces)
|
|
|
|
|
config.architect.vhost
|
|
|
|
|
);
|
2023-02-14 23:19:52 +00:00
|
|
|
};
|
|
|
|
|
}
|
