blob: 3598777c53b1e133c3cfdd15c66503364cb322f6 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
|
{ config, lib, ... }:
with lib;
let
cfg = config.modules.expose;
in
{
options.modules.expose = {
enable = mkEnableOption "expose services to network";
routes = mkOption {
type = types.attrsOf (types.submodule {
options = {
to = mkOption {
type = types.str;
example = "https://localhost:3000";
description = "Destination address";
};
ts = mkOption {
type = types.bool;
default = true;
description = "Whether to enable nginx & blocky for Tailscale routing";
};
cf = mkOption {
type = types.bool;
default = true;
description = "Whether to enable Cloudflare Tunnel for public routing";
};
configureNginx = mkOption {
type = types.bool;
default = true;
description = "Whether to configure nginx virtualHosts for this route";
};
};
});
};
ssl = {
enable = mkEnableOption "SSL on all routes";
acmeHost = mkOption {
type = types.nullOr types.str;
default = null;
description = "ACMEHost for the certificate";
};
};
webmasterEmail = mkOption { type = types.str; description = "Email of the webmaster to be contacted for ACME events"; };
tailscaleIp = mkOption { type = types.str; description = "Tailscale IP of this node"; };
cloudflareUUID = mkOption { type = types.str; description = "UUID of the Cloudflare Tunnel"; };
secrets = {
acme-credentials = mkOption { type = types.path; description = "Path to the acme environment file"; };
cloudflare-credentials = mkOption { type = types.path; description = "Path to the cloudflare tunnel credentials"; };
};
};
config = mkIf cfg.enable {
assertions = [
{
assertion = cfg.ssl.enable -> cfg.ssl.acmeHost != null;
message = "ssl.acmeHost must be set when enabling SSL";
}
];
services.nginx.virtualHosts = mapAttrs
(_: v: {
locations."/".proxyPass = v.to;
} // optionalAttrs (cfg.ssl.enable) {
forceSSL = true;
useACMEHost = cfg.ssl.acmeHost;
})
(filterAttrs (_: v: v.configureNginx) cfg.routes);
# Discard non-localhost mappings, and replace destination with tailscale IP
# Map localhost routes to tailscaleIp
services.blocky.settings.customDNS.mapping = mapAttrs
(_: v:
if (hasInfix "localhost" v.to)
then cfg.tailscaleIp
else v.to)
(filterAttrs (_: v: v.ts) cfg.routes);
services.cloudflared.tunnels."${cfg.cloudflareUUID}" = {
credentialsFile = cfg.secrets.cloudflare-credentials;
ingress = mapAttrs
(_: v:
if v.configureNginx
then "https://localhost:443"
else v.to)
(filterAttrs (_: v: v.cf) cfg.routes);
} // optionalAttrs (cfg.ssl.enable) {
# TODO: This seems to have no effect. Remove?
originRequest.originServerName = "*.${cfg.ssl.acmeHost}";
# originRequest.caPool = config.security.acme.certs.${cfg.ssl.acmeHost}.directory;
};
};
}
|
