create nginx magic module

nixos/common/modules/default.nix

@@ -1,3 +1,3 @@
 { ... }: {
-  imports = [ ./meta.nix ./dns.nix ./flood.nix ./gnome ./unpackerr.nix ./vault.nix ];
+  imports = [ ./meta.nix ./nginx.nix ./dns.nix ./flood.nix ./gnome ./unpackerr.nix ./vault.nix ];
 }

nixos/common/modules/meta.nix

@@ -12,6 +12,7 @@ let
       };
       port = mkOption {
         type = types.int;
+        default = 80;
         example = 4242;
         description = ''
           The port under which the service runs on the host
@@ -21,6 +22,7 @@ let
   };
 in {
   options.meta = {
+
     exposes = mkOption {
       type = with types; attrsOf (submodule exposesOpts);
       description = ''
@@ -37,6 +39,5 @@ in {
   };
 
   config = {
-
   };
 }

nixos/common/modules/nginx.nix

@@ -0,0 +1,32 @@
+{ lib, hosts, config, ... }:
+with lib;
+let cfg = config.services.v.nginx;
+in  {
+  options.services.v.nginx.generateVirtualHosts =
+    mkEnableOption "generate vhosts";
+
+  config = let
+
+    proxy = url: {
+      enableACME = true;
+      forceSSL = true;
+      locations."/" = {
+        proxyPass = url;
+        proxyWebsockets = true;
+      };
+    };
+
+    hosts' =
+      filter (hasAttr "exposes") (attrValues hosts.${config.networking.domain});
+    exposes = { ip, exposes, ... }:
+      map ({ domain, port ? 80}: { inherit ip domain port; }) (attrValues exposes);
+    mkVhost = { ip, domain, port}: {
+      "${domain}" = proxy "http://${ip}:${toString port}";
+    };
+    vhosts = foldr (el: acc: acc // mkVhost el) { } (concatMap exposes hosts');
+  in mkIf cfg.generateVirtualHosts {
+
+    services.nginx.virtualHosts = vhosts;
+
+  };
+}

nixos/hosts/olympus/default.nix

@@ -36,6 +36,10 @@
     ip6 = "2001:41f0:9639:1:bfe7:3fd9:75de:cbee";
     mac = "9E:60:78:ED:81:B4";
     nix = false;
+    exposes.ha = {
+      domain = "ha.0x76.dev";
+      port = 8123;
+    };
   };
   "nginx" = {
     ip = "10.42.42.9";
@@ -46,10 +50,19 @@
   "kubernetes" = {
     ip = "10.42.42.10";
     mac = "6E:A5:25:99:FE:68";
+    exposes = {
+      www.domain = "0x76.dev";
+      internal.domain = "internal.xirion.net";
+      blog.domain = "blog.xirion.net";
+    };
   };
   "dex" = {
     ip = "10.42.42.11";
     mac = "AE:66:7B:FA:15:72";
+    exposes.dex = {
+      domain = "dex.0x76.dev";
+      port = 5556;
+    };
   };
   "WoolooTV" = {
     ip = "10.42.42.13";
@@ -59,6 +72,10 @@
   "outline" = {
     ip = "10.42.42.14";
     mac = "52:13:EB:FD:87:F0";
+    exposes.outline = {
+      domain = "outline.0x76.dev";
+      port = 3000;
+    };
   };
   "dns-1" = {
     profile = "dns";
@@ -75,6 +92,10 @@
   "minio" = {
     ip = "10.42.42.17";
     mac = "0A:06:5E:E7:9A:0C";
+    exposes.minio = {
+      domain = "o.0x76.dev";
+      port = 9000;
+    };
   };
   "mailserver" = {
     ip = "10.42.42.18";
@@ -83,6 +104,12 @@
   "victoriametrics" = {
     ip = "10.42.42.19";
     mac = "9E:91:61:35:84:1F";
+    exposes = {
+      grafana = {
+        domain = "grafana.0x76.dev";
+        port = 2342;
+      };
+    };
   };
   "unifi" = {
     ip = "10.42.42.20";
@@ -96,21 +123,27 @@
   "gitea" = {
     ip = "10.42.42.22";
     mac = "DE:5F:B0:83:6F:34";
+    exposes.git = {
+      domain = "git.0x76.dev";
+      port = 3000;
+    };
   };
   "hedgedoc" = {
     ip = "10.42.42.23";
     mac = "86:BC:0C:18:BC:9B";
-    exposes = {
-      md = {
-        domain = "md.0x76.dev";
-        port = 3000;
-      };
+    exposes.md = {
+      domain = "md.0x76.dev";
+      port = 3000;
     };
   };
   "zmeura" = {
     ip = "10.42.42.24";
     mac = "b8:27:eb:d5:e0:f5";
     nix = false;
+    exposes.andreea = {
+      domain = "andreea.redshifts.xyz";
+      port = 8008;
+    };
   };
   "wireguard" = {
     ip = "10.42.42.25";
@@ -121,6 +154,10 @@
     ip = "10.42.42.27";
     mac = "9E:8A:6C:39:27:DE";
     nix = false;
+    exposes.books = {
+      domain = "books.meowy.tech";
+      port = 8001;
+    };
   };
   "synapse" = {
     ip = "10.42.42.28";
@@ -140,10 +177,15 @@
   "ntfy" = {
     ip = "10.42.42.32";
     mac = "7A:17:9E:80:72:01";
+    exposes.ntfy.domain = "ntfy.0x76.dev";
   };
   "woodpecker" = {
     ip = "10.42.42.33";
     mac = "1E:24:DA:DB:4A:1A";
+    exposes.ci = {
+      domain = "ci.0x76.dev";
+      port = 8000;
+    };
   };
   "nuc" = {
     ip = "10.42.42.42";

nixos/hosts/olympus/dex/configuration.nix

@@ -7,6 +7,7 @@ let
   vs = config.vault-secrets.secrets;
   db_user = "dex";
   db_name = "dex";
+  inherit (config.meta.exposes.dex) port;
 in {
   imports = [ ];
 
@@ -18,7 +19,7 @@ in {
   # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
   system.stateVersion = "23.05"; # Did you read the comment?
 
-  networking.firewall.allowedTCPPorts = [ 5556 ];
+  networking.firewall.allowedTCPPorts = [ port ];
 
   services.postgresql = {
     enable = true;
@@ -47,7 +48,7 @@ in {
           database = db_name;
         };
       };
-      web.http = "0.0.0.0:5556";
+      web.http = "0.0.0.0:${toString port}";
 
       connectors = [{
         type = "gitea";

nixos/hosts/olympus/gitea/configuration.nix

@@ -3,7 +3,9 @@
 # and in the NixOS manual (accessible by running ‘nixos-help’).
 
 { lib, config, pkgs, ... }:
-let vs = config.vault-secrets.secrets;
+let
+  vs = config.vault-secrets.secrets;
+  inherit (config.meta.exposes.git) port;
 in {
   imports = [ ];
 
@@ -20,8 +22,7 @@ in {
 
   environment.noXlibs = lib.mkForce false;
 
-  networking.firewall.allowedTCPPorts =
-    [ config.services.gitea.settings.server.HTTP_PORT ];
+  networking.firewall.allowedTCPPorts = [ port ];
 
   services.openssh.startWhenNeeded = false;
 
@@ -77,6 +78,7 @@ in {
         SSH_PORT = 42;
         DOMAIN = "git.0x76.dev";
         ROOT_URL = "https://git.0x76.dev";
+        HTTP_PORT = port;
       };
       session = {
         "PROVIDER" = "db";

nixos/hosts/olympus/hedgedoc/configuration.nix

@@ -21,8 +21,7 @@ in {
 
   environment.noXlibs = lib.mkForce false;
 
-  networking.firewall.allowedTCPPorts =
-    [ config.services.hedgedoc.settings.port ];
+  networking.firewall.allowedTCPPorts = [ port ];
 
   vault-secrets.secrets.hedgedoc = { };
 

nixos/hosts/olympus/minio/configuration.nix

@@ -5,8 +5,8 @@
 { config, pkgs, ... }:
 let
   vs = config.vault-secrets.secrets;
-  listenPort = 9000;
-  consolePort = 9001;
+  listenPort = config.meta.exposes.minio.port;
+  consolePort = listenPort + 1;
 in {
   imports = [ ];
 

nixos/hosts/olympus/nginx/configuration.nix

@@ -1,16 +1,5 @@
-{ pkgs, config, hosts, lib, ... }:
+{ pkgs, ... }:
 let
-  inherit (builtins) filter hasAttr attrValues concatMap;
-
-  proxy = url: {
-    enableACME = true;
-    forceSSL = true;
-    locations."/" = {
-      proxyPass = url;
-      proxyWebsockets = true;
-    };
-  };
-  k8s_proxy = proxy "http://kubernetes.olympus:80/";
   clientConfig = {
     "m.homeserver" = {
       base_url = "https://chat.meowy.tech";
@@ -24,16 +13,6 @@ let
     add_header Access-Control-Allow-Origin *;
     return 200 '${builtins.toJSON data}';
   '';
-
-  hostsWithExposes =
-    filter (hasAttr "exposes") (attrValues hosts.${config.networking.domain});
-  exposes = { ip, exposes, ... }:
-    map ({ domain, port }: { inherit ip domain port; }) (attrValues exposes);
-  mkVhost = { ip, domain, port }: {
-    "${domain}" = proxy "http://${ip}:${toString port}";
-  };
-  vhosts = lib.foldr (el: acc: acc // mkVhost el) { }
-    (concatMap exposes hostsWithExposes);
 in {
   # This value determines the NixOS release from which the default
   # settings for stateful data, like file locations and database versions
@@ -45,6 +24,9 @@ in {
 
   networking.firewall.allowedTCPPorts = [ 80 443 ];
 
+  # Generates vhosts for all hosts that have an `exposes` section
+  services.v.nginx.generateVirtualHosts = true;
+
   services.nginx = {
     enable = true;
     statusPage = true;
@@ -57,16 +39,7 @@ in {
     package = pkgs.nginxMainline;
 
     # Templated
-    virtualHosts = vhosts // {
-      # 0x76.dev
-      "ha.0x76.dev" = proxy "http://home-assistant.olympus:8123/";
-      "git.0x76.dev" = proxy "http://gitea.olympus:3000";
-      "o.0x76.dev" = proxy "http://minio.olympus:9000";
-      "grafana.0x76.dev" = proxy "http://victoriametrics.olympus:2342";
-      "outline.0x76.dev" = proxy "http://outline.olympus:3000";
-      "ntfy.0x76.dev" = proxy "http://ntfy.olympus:80";
-      "ci.0x76.dev" = proxy "http://woodpecker.olympus:8000";
-      "dex.0x76.dev" = proxy "http://dex.olympus:5556";
+    virtualHosts = {
       "pass.0x76.dev" = {
         enableACME = true;
         forceSSL = true;
@@ -84,9 +57,6 @@ in {
         };
       };
 
-      # Redshifts
-      "andreea.redshifts.xyz" = proxy "http://zmeura.olympus:8008";
-
       # Meow
       "meowy.tech" = {
         enableACME = true;
@@ -150,12 +120,6 @@ in {
         forceSSL = true;
         root = pkgs.synapse-admin;
       };
-      "books.meowy.tech" = proxy "http://bookwyrm.olympus:8001";
-
-      # Kubernetes endpoints
-      "0x76.dev" = k8s_proxy;
-      "internal.xirion.net" = k8s_proxy;
-      "blog.xirion.net" = k8s_proxy;
     };
   };
 

nixos/hosts/olympus/outline/configuration.nix

@@ -3,7 +3,9 @@
 # and in the NixOS manual (accessible by running ‘nixos-help’).
 
 { config, ... }:
-let vs = config.vault-secrets.secrets;
+let
+  vs = config.vault-secrets.secrets;
+  inherit (config.meta.exposes.outline) port;
 in {
   imports = [ ];
 
@@ -16,16 +18,17 @@ in {
   system.stateVersion = "22.11"; # Did you read the comment?
 
   # Additional packages
-  networking.firewall.allowedTCPPorts = [ config.services.outline.port ];
+  networking.firewall.allowedTCPPorts = [ port ];
 
   vault-secrets.secrets.outline = {
     inherit (config.services.outline) user group;
   };
 
   services.outline = {
+    inherit port;
+
     enable = true;
     concurrency = 1;
-    port = 3000;
     redisUrl = "local";
     databaseUrl = "local";
     publicUrl = "https://outline.0x76.dev";

nixos/hosts/olympus/victoriametrics/configuration.nix

@@ -5,6 +5,7 @@
 { config, pkgs, ... }:
 let
   vmPort = 8428;
+  grafanaPort = config.meta.exposes.grafana.port;
   vs = config.vault-secrets.secrets;
 in {
   imports = [ ];
@@ -78,7 +79,7 @@ in {
         domain = "grafana.0x76.dev";
         root_url = "https://grafana.0x76.dev";
         http_addr = "0.0.0.0";
-        http_port = 2342;
+        http_port = grafanaPort;
       };
       security.admin_password = "$__file{${vs.grafana}/password}";
     };

nixos/hosts/olympus/woodpecker/configuration.nix

@@ -3,7 +3,9 @@
 # and in the NixOS manual (accessible by running ‘nixos-help’).
 
 { config, pkgs, ... }:
-let vs = config.vault-secrets.secrets;
+let
+  inherit (config.meta.exposes.ci) port;
+  vs = config.vault-secrets.secrets;
 in {
   imports = [ ];
 
@@ -18,7 +20,7 @@ in {
   # Additional packages
   environment.systemPackages = with pkgs; [ ];
 
-  networking.firewall.allowedTCPPorts = [ 8000 9000 ];
+  networking.firewall.allowedTCPPorts = [ port 9000 ];
 
   vault-secrets.secrets.woodpecker = {
     services = [ "woodpecker-server" "woodpecker-agent-docker" ];
@@ -46,7 +48,7 @@ in {
       WOODPECKER_GITEA_URL = "https://git.0x76.dev";
       WOODPECKER_ADMIN = "v";
       WOODPECKER_AUTHENTICATE_PUBLIC_REPOS = "true";
-      WOODPECKER_SERVER_ADDR = "10.42.42.33:8000";
+      WOODPECKER_SERVER_ADDR = "10.42.42.33:${toString port}";
     };
     environmentFile = "${vs.woodpecker}/environment";
   };