refactor

modules/default.nix

@@ -3,5 +3,6 @@
   imports = [
     ./vlans.nix
     ./firewall.nix
+    ./webserver.nix
   ];
 }

modules/firewall.nix

@@ -16,18 +16,25 @@ let
       { allowedUDPPorts = [ ]; allowedTCPPorts = [ ]; }
       enabledServices;
 
-  cfg = config.modules.firewall.rules;
+  cfg = config.modules.firewall;
 in
 {
-  options.modules.firewall.rules = lib.mkOption {
-    type = lib.types.attrsOf (lib.types.listOf (lib.types.enum (lib.attrNames services)));
-    default = { };
-  };
-
-  config = lib.mkIf (lib.length (lib.attrNames cfg) > 0) {
-    networking.firewall = {
-      enable = lib.mkDefault true;
-      interfaces = lib.mapAttrs (_: enabledServices: rulesForServices enabledServices) cfg;
+  options.modules.firewall = {
+    enable = lib.mkEnableOption "Enable the firewall";
+    interfaces = lib.mkOption {
+      type = lib.types.attrsOf (lib.types.listOf (lib.types.enum (lib.attrNames services)));
+      default = { };
+    };
+    allInterfaces = lib.mkOption {
+      type = lib.types.listOf (lib.types.enum (lib.attrNames services));
+      default = [ ];
     };
   };
+
+  config = lib.mkIf cfg.enable {
+    networking.firewall = {
+      enable = true;
+      interfaces = lib.mapAttrs (_: enabledServices: rulesForServices enabledServices) cfg.interfaces;
+    } // rulesForServices cfg.allInterfaces;
+  };
 }

modules/webserver.nix

@@ -0,0 +1,99 @@
+{ lib, config, ... }:
+let
+  cfg = config.modules.webserver;
+
+  nginxVhost = options: {
+    http2 = true;
+    forceSSL = true;
+    enableACME = true;
+    acmeRoot = null;
+  } // options;
+
+  nginxProxy = options: {
+    proxyWebsockets = true;
+  } // options;
+
+  types = {
+    location = lib.types.submodule {
+      options = {
+        proxy = lib.mkOption {
+          type = lib.types.nullOr lib.types.str;
+          default = null;
+        };
+        extraConfig = lib.mkOption {
+          type = lib.types.str;
+          default = "";
+        };
+      };
+    };
+
+    vhost = lib.types.submodule {
+      options = {
+        proxyBuffering = lib.mkOption {
+          type = lib.types.bool;
+          default = true;
+        };
+        locations = lib.mkOption {
+          type = lib.types.attrsOf types.location;
+        };
+      };
+    };
+  };
+in
+{
+  options.modules.webserver = {
+    enable = lib.mkEnableOption "Enable nginx";
+    acme = {
+      dnsChallenge = lib.mkEnableOption "Enable DNS challenge";
+      dnsProvider = lib.mkOption {
+        type = lib.types.str;
+        default = "hetzner";
+      };
+      environmentFile = lib.mkOption {
+        type = lib.types.str;
+        default = "/var/secrets/lego";
+      };
+    };
+    vHosts = lib.mkOption {
+      type = lib.types.attrsOf types.vhost;
+      default = { };
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    services.nginx = {
+      enable = lib.mkDefault true;
+      recommendedProxySettings = true;
+      recommendedTlsSettings = true;
+      recommendedBrotliSettings = true;
+      recommendedGzipSettings = true;
+      recommendedZstdSettings = true;
+      recommendedOptimisation = true;
+
+      virtualHosts = lib.mapAttrs
+        (_: { proxyBuffering, locations }: nginxVhost {
+          extraConfig = lib.mkIf (!proxyBuffering) ''
+            proxy_buffering off;
+          '';
+          locations = lib.mapAttrs
+            (_: { proxy, extraConfig }: lib.mergeAttrsList [
+              { inherit extraConfig; }
+              (if (lib.isString proxy) then (nginxProxy { proxyPass = proxy; }) else { })
+            ])
+            locations;
+        })
+        cfg.vHosts;
+    };
+
+    security.acme = {
+      acceptTerms = true;
+      defaults = {
+        email = "admin@j.repomaa.com";
+        dnsProvider = lib.mkIf cfg.acme.dnsChallenge cfg.acme.dnsProvider;
+        webroot = lib.mkIf (!cfg.acme.dnsChallenge) "/var/lib/acme/";
+      };
+    };
+
+    modules.firewall.allInterfaces = lib.mkDefault [ "web" ];
+  };
+}