dotfiles/modules/services/nix-serve/default.nix

{
  options,
  config,
  lib,
  pkgs,
  format,
  ...
}:
with lib; let
  cfg = config.aa.services.nix-serve;
in {
  options.aa.services.nix-serve = with types; {
    enable = mkEnableOption "nix-serve";
    domain_name = mkOption {
      type = str;
      description = "The domain to use.";
    };
    subdomain_name = mkOption {
      type = str;
      description = "The subdomain to use.";
    };
    acmeCertName = mkOption {
      type = str;
      default = "";
      description = ''
        If set to a non-empty string, forces SSL with the supplied acme
        certificate.
      '';
    };
  };

  config = mkIf cfg.enable {
    nix.settings = {
      allowed-users = ["nix-serve"];
      trusted-users = ["nix-serve"];
    };

    environment.systemPackages = [pkgs.nix-serve];

    services = {
      nix-serve = {
        enable = true;
        # TODO: Document this or automate the inital creation.
        secretKeyFile = "/var/gospelCache";
      };

      nginx = {
        enable = true;
        virtualHosts."${cfg.subdomain_name}.${cfg.domain_name}" =
          {
            serverAliases = ["${cfg.subdomain_name}"];
            locations."/".extraConfig = ''
              proxy_pass http://localhost:${toString config.services.nix-serve.port};
              proxy_set_header Host $host;
              proxy_set_header X-Real-IP $remote_addr;
              proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            '';
          }
          // lib.optionalAttrs (cfg.acmeCertName != "") {
            forceSSL = true;
            useACMEHost = cfg.acmeCertName;
          };
      };
    };

    networking.firewall = {
      allowedTCPPorts = [80 443];
    };
  };
}
Added nix-serve config Could use some work, but it works for now. 2023-03-25 04:04:13 +00:00			`{`
			`options,`
			`config,`
			`lib,`
			`pkgs,`
			`format,`
			`...`
			`}:`
			`with lib; let`
			`cfg = config.aa.services.nix-serve;`
			`in {`
			`options.aa.services.nix-serve = with types; {`
			`enable = mkEnableOption "nix-serve";`
			`domain_name = mkOption {`
			`type = str;`
			`description = "The domain to use.";`
			`};`
			`subdomain_name = mkOption {`
			`type = str;`
			`description = "The subdomain to use.";`
			`};`
Refactored how SSL certs are configured for nginx Made a separate ACME module to handle requesting certs from multiple machines. Right now, the module only supports exactly one wildcard cert. It might make sense to have cache.kilonull.com use a cert specific to its subdomain rather than also requesting a wildcard cert (or maybe the nginx on its host shouldn't care about TLS and it should be node's responsibility). 2023-07-16 17:53:02 +00:00			`acmeCertName = mkOption {`
			`type = str;`
			`default = "";`
			`description = ''`
			`If set to a non-empty string, forces SSL with the supplied acme`
			`certificate.`
			`'';`
			`};`
Added nix-serve config Could use some work, but it works for now. 2023-03-25 04:04:13 +00:00			`};`

			`config = mkIf cfg.enable {`
Fixed issue with internal server error Seems like I should have added the nix-serve user to both allowed-users and trusted-users. 2023-06-15 03:30:26 +00:00			`nix.settings = {`
			`allowed-users = ["nix-serve"];`
			`trusted-users = ["nix-serve"];`
			`};`

			`environment.systemPackages = [pkgs.nix-serve];`
Configured remote deployments Also includes some misc fixes for bugs I ran into along the way. 2023-04-16 17:07:42 +00:00
Added nix-serve config Could use some work, but it works for now. 2023-03-25 04:04:13 +00:00			`services = {`
			`nix-serve = {`
			`enable = true;`
			`# TODO: Document this or automate the inital creation.`
			`secretKeyFile = "/var/gospelCache";`
			`};`

			`nginx = {`
			`enable = true;`
Refactored how SSL certs are configured for nginx Made a separate ACME module to handle requesting certs from multiple machines. Right now, the module only supports exactly one wildcard cert. It might make sense to have cache.kilonull.com use a cert specific to its subdomain rather than also requesting a wildcard cert (or maybe the nginx on its host shouldn't care about TLS and it should be node's responsibility). 2023-07-16 17:53:02 +00:00			`virtualHosts."${cfg.subdomain_name}.${cfg.domain_name}" =`
			`{`
Fixed build error 2023-03-25 16:19:01 +00:00			`serverAliases = ["${cfg.subdomain_name}"];`
Added nix-serve config Could use some work, but it works for now. 2023-03-25 04:04:13 +00:00			`locations."/".extraConfig = ''`
			`proxy_pass http://localhost:${toString config.services.nix-serve.port};`
			`proxy_set_header Host $host;`
			`proxy_set_header X-Real-IP $remote_addr;`
			`proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;`
			`'';`
Refactored how SSL certs are configured for nginx Made a separate ACME module to handle requesting certs from multiple machines. Right now, the module only supports exactly one wildcard cert. It might make sense to have cache.kilonull.com use a cert specific to its subdomain rather than also requesting a wildcard cert (or maybe the nginx on its host shouldn't care about TLS and it should be node's responsibility). 2023-07-16 17:53:02 +00:00			`}`
			`// lib.optionalAttrs (cfg.acmeCertName != "") {`
			`forceSSL = true;`
			`useACMEHost = cfg.acmeCertName;`
Added nix-serve config Could use some work, but it works for now. 2023-03-25 04:04:13 +00:00			`};`
			`};`
			`};`

			`networking.firewall = {`
Refactored how SSL certs are configured for nginx Made a separate ACME module to handle requesting certs from multiple machines. Right now, the module only supports exactly one wildcard cert. It might make sense to have cache.kilonull.com use a cert specific to its subdomain rather than also requesting a wildcard cert (or maybe the nginx on its host shouldn't care about TLS and it should be node's responsibility). 2023-07-16 17:53:02 +00:00			`allowedTCPPorts = [80 443];`
Added nix-serve config Could use some work, but it works for now. 2023-03-25 04:04:13 +00:00			`};`
			`};`
			`}`