1 { config, lib, pkgs, ... }:
3 cfg = config.helpers.webservices;
6 options.helpers.webservices = lib.mkOption {
7 description = "Webservice helper";
9 type = with lib.types; attrsOf (submodule {
14 # fqdn = lib.mkOption {
18 # localOnly = lib.mkOption {
29 config = { # lib.attrsets.mapAttrs (fqdn: name: {
31 # helpers.webservices = (lib.mapAttrs (name: nameAttrs: lib.mkIf nameAttrs.fqdn {
34 # networking.hosts."127.0.0.1" = (lib.attrsets.mapAttrsToList (name: nameattrs: "${name}") cfg) ++ (lib.attrsets.mapAttrsToList (name: nameattrs: if nameattrs.fqdn then "${name}.${config.networking.fqdn}" else "" ) cfg);
35 # networking.hosts."127.0.0.1" = builtins.attrNames cfg ++ (lib.mapAttrsToList (name: nameattrs: lib.mkIf nameattrs.fqdn "${name}.${config.networking.fqdn}") cfg);
36 networking.hosts."127.0.0.1" = builtins.attrNames cfg;
37 # lifted from https://nixos.wiki/wiki/Nginx#Authentication_via_PAM
38 # also https://github.com/NixOS/nixpkgs/issues/117578
39 # Not yet tested which of these hardening options can be re-enabled individually; disabling all of them just so the nginx PAM module can read /etc/shadow is undesirable.
40 # Maybe copy /etc/shadow to /run/keys via colmena?
41 # security.pam.services.nginx.setEnvironment = false;
42 # systemd.services.nginx.serviceConfig = {
43 # SupplementaryGroups = [ "shadow" ];
44 # NoNewPrivileges = lib.mkForce false;
45 # PrivateDevices = lib.mkForce false;
46 # ProtectHostname = lib.mkForce false;
47 # ProtectKernelTunables = lib.mkForce false;
48 # ProtectKernelModules = lib.mkForce false;
49 # RestrictAddressFamilies = lib.mkForce [ ];
50 # LockPersonality = lib.mkForce false;
51 # MemoryDenyWriteExecute = lib.mkForce false;
52 # RestrictRealtime = lib.mkForce false;
53 # RestrictSUIDSGID = lib.mkForce false;
54 # SystemCallArchitectures = lib.mkForce "";
55 # ProtectClock = lib.mkForce false;
56 # ProtectKernelLogs = lib.mkForce false;
57 # RestrictNamespaces = lib.mkForce false;
58 # SystemCallFilter = lib.mkForce "";
62 # services.nginx.virtualHosts."nfo".locations."/subdomain"
64 enable = lib.mkDefault true;
65 additionalModules = [ pkgs.nginxModules.pam ];
66 virtualHosts = lib.attrsets.mapAttrs (fqdn: name: {
67 enableACME = config.security.acme.acceptTerms;
68 forceSSL = config.security.acme.acceptTerms;
70 proxyPass = "http://127.0.0.1:${toString name.port}";
71 # extraConfig = lib.mkIf name.localOnly ''
75 proxyWebsockets = true;
77 # extraConfig = lib.mkIf name.auth ''
78 # auth_pam "Password Required";
79 # auth_pam_service_name "nginx";