diff --git a/hosts/architect/options.nix b/hosts/architect/options.nix
index fd0b5ab..8f807b6 100644
--- a/hosts/architect/options.nix
+++ b/hosts/architect/options.nix
@@ -2,6 +2,10 @@ with lib;
+let
+ utilities = import ./utilities.nix { inherit lib config; };
+ inherit (utilities) architectInterfaceAddress;
+in
 {
 options.architect = {
 firewall = {
@@ -58,5 +62,70 @@ with lib;
 default = { };
 description = "An attribute set of networks with their configurations.";
 };
+
+ vhost = mkOption {
+ type = types.attrsOf (types.submodule {
+ options = {
+ dnsInterfaces = mkOption {
+ type = types.listOf types.str;
+ default = [ ];
+ description = "List of interfaces to add extra DNS hosts for this vhost.";
+ };
+
+ locations = mkOption {
+ type = types.attrsOf (types.submodule {
+ options = {
+ port = mkOption {
+ type = types.int;
+ description = "The port number for the location.";
+ };
+
+ allow = mkOption {
+ type = types.listOf types.str;
+ default = [ ];
+ description = "IP address or CIDR block to allow.";
+ };
+
+ deny = mkOption {
+ type = types.listOf types.str;
+ default = [ ];
+ description = "IP address or CIDR block to deny.";
+ };
+ };
+ });
+ default = { };
+ description = "An attribute set of location configurations.";
+ };
+ };
+ });
+ default = { };
+ description = "An attribute set of domain configurations.";
+ };
+ };
+
+ config = {
+ services.nginx.virtualHosts = mapAttrs
+ (domain: conf: {
+ forceSSL = true;
+ enableACME = true;
+ locations = mapAttrs
+ (path: location: {
+ proxyPass = "http://127.0.0.1:${toString location.port}";
+ extraConfig = ''
+ ${concatMapStringsSep "\n" (denyCIDR: "deny ${denyCIDR};") location.deny}
+ ${concatMapStringsSep "\n" (allowCIDR: "allow ${allowCIDR};") location.allow}
+ '';
+ })
+ conf.locations;
+ })
+ config.architect.vhost;
+
+ networking.extraHosts = concatStringsSep "\n" (
+ mapAttrsToList
+ (domain: conf: concatMapStringsSep "\n"
+ (iface: "${architectInterfaceAddress iface} ${domain}")
+ conf.dnsInterfaces)
+ config.architect.vhost
+ );
 };
 }
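Review bot: The `extraConfig` block in the `locations` mapping emits every `deny` directive before every `allow` directive, and nginx's access module stops at the first matching rule, so the usual allowlist shape `allow = [ "10.0.0.0/8" ]; deny = [ "all" ];` renders as `deny all;` followed by `allow 10.0.0.0/8;` and rejects the allowed range as well, while an `allow` list with an empty `deny` restricts nothing because unlisted addresses are admitted by default. Swapping the two interpolated lines so `${concatMapStringsSep "\n" (allowCIDR: "allow ${allowCIDR};") location.allow}` comes before `${concatMapStringsSep "\n" (denyCIDR: "deny ${denyCIDR};") location.deny}` keeps deny-only blocklists working and makes allowlists expressible, and the `allow`/`deny` descriptions should state that entries are emitted in that order, first match wins, and that `allow` without a trailing `deny = [ "all" ]` does not restrict access. Separately, `port` is declared as `types.int`, which accepts negative or out-of-range values that only fail when nginx reloads; `lib.types.port` rejects them at evaluation time. The `options.architect` attribute set and the module's argument list begin before this hunk, and what `architectInterfaceAddress` returns for an interface with no address is not visible here and should be checked, since `networking.extraHosts` is built directly from it.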