From 0c2895de1b1296a34b6448a21c7b6bbda105f34e Mon Sep 17 00:00:00 2001
From: reidlab
Date: Sun, 4 Feb 2024 17:33:38 -0800
Subject: [PATCH] sitev2 prog and static sites mod
---
 hosts/server/webapps/default.nix | 7 +++
 modules/services/staticSites.nix | 88 ++++++++++++++++++++++++++++++++
 readme.md | 5 ++
 3 files changed, 100 insertions(+)
 create mode 100644 modules/services/staticSites.nix
diff --git a/hosts/server/webapps/default.nix b/hosts/server/webapps/default.nix
index c85749d..8a6e180 100755
--- a/hosts/server/webapps/default.nix
+++ b/hosts/server/webapps/default.nix
@@ -12,10 +12,17 @@ in {
 port = 3000;
 };
+ # you should probably keep this on
+ # configures acme, gzip, optimization, proxy, and ssl config
+ # opens ports and adds some Headers
 nginx-config = {
 enable = true;
 defaultLuaPackagePath = /var/www/reidlab.online/lua;
 };
+
+ staticSites = {
+ "v2.reidlab.online" = "/var/www/v2.reidlab.online";
+ };
 };
 };
diff --git a/modules/services/staticSites.nix b/modules/services/staticSites.nix
new file mode 100644
index 0000000..b6abee0
--- /dev/null
+++ b/modules/services/staticSites.nix
@@ -0,0 +1,88 @@
+{ pkgs, lib, config, options, ... }:
+
+with lib;
+let
+ sites = config.modules.services.staticSites;
+ staticSiteModule.options = {
+ dataDir = mkOption {
+ type = types.oneOf [ types.str types.path ];
+ default = null;
+ };
+
+ auth = mkOption {
+ type = types.attrsOf types.str;
+ description = "Basic authentication options. Defines a set of user = password pairs.";
+ example = literalExpr ''
+ {
+ user = "password";
+ anotherUser = "anotherPassword";
+ /* ... */
+ }
+ '';
+ default = {};
+ };
+
+ disableLogsForMisc = mkOption {
+ type = types.bool;
+ description = "Disables access logs for /favicon.ico and /robots.txt";
+ default = true;
+ };
+
+ denySensitivePaths = mkOption {
+ type = types.bool;
+ description = "Disables access to paths starting with a . (except well-known) to prevent leaking potentially sensitive data";
+ default = true;
+ };
+
+ forceSSL = mkOption {
+ type = types.bool;
+ description = "Redirects HTTP requests to HTTPS.";
+ default = true;
+ };
+ };
+in {
+ options.modules.services.staticSites = mkOption {
+ type = types.attrsOf (types.submodule staticSiteModule);
+ example = literalExpression ''
+ {
+ "goop.network".dataDir = /var/www/goop.network;
+ "reidlab.online".dataDir = /etc/secret/private/reidlab-online;
+ }
+ '';
+ default = {};
+ };
+
+ config = {
+ assertions = mapAttrsToList (domain: _@{dataDir, ...}:
+ { assertion = dataDir != null;
+ description = "${domain} must specify a dataDir.";
+ }) sites;
+
+ services.nginx.virtualHosts = mkMerge (mapAttrsToList (domain: site: {
+ ${domain} = {
+ locations = mkMerge [
+ { "/".basicAuth = site.auth; }
+
+ ( mkIf site.disableLogsForMisc {
+ "= /favicon.ico".extraConfig = ''
+ access_log off;
+ log_not_found off;
+ '';
+ "= /robots.txt".extraConfig = ''
+ access_log off;
+ log_not_found off;
+ '';
+ })
+
+ ( mkIf site.denySensitivePaths {
+ "${''~ /\.(?!well-known).*''}".extraConfig = ''deny all;'';
+ })
+ ];
+ forceSSL = site.forceSSL;
+ addSSL = !site.forceSSL;
+ enableACME = true;
+ root = site.dataDir;
+ };
+ }) sites);
+ };
+}
diff --git a/readme.md b/readme.md
index ee86baf..a8d3650 100755
--- a/readme.md
+++ b/readme.md
@@ -15,3 +15,8 @@ to build the system, run `sudo nixos-rebuild switch --flake ".#server"`
 please periodically run `nix flake update` to make sure we arent slacking on package versions
 before committing, please run `nix flake check` and make sure everything is ok
+
+## todo
+
+- php support in staticsites
+- no more luapackagepath. please stop.
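Review bot: The new `staticSites` entry assigns a plain string to `"v2.reidlab.online"`, but the module this patch adds declares `modules.services.staticSites` as `types.attrsOf (types.submodule staticSiteModule)`, whose per-site value is an attrset carrying a `dataDir` option, so the bare string would not be accepted as the `dataDir` definition it is meant to be; write `"v2.reidlab.online".dataDir = "/var/www/v2.reidlab.online";` instead. Whether this `staticSites` attribute is the one the module reads depends on the enclosing attrset, which begins outside the hunk (only `in {` is visible in the hunk header).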
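Review bot: Both `auth` and `dataDir` can put private data into the world-readable Nix store: `"/".basicAuth = site.auth` writes every user/password pair into the generated nginx configuration in the store (the description should say so and point real credentials at `basicAuthFile`), and because `dataDir` admits `types.path`, a bare path literal such as the `/etc/secret/private/reidlab-online` in the option's own example is, as far as I can tell, copied into the store when `root = site.dataDir` is interpolated into nginx.conf, so the description should state that a string is expected for any non-public directory. The `auth` example uses `literalExpr` while the outer option uses `literalExpression`; I don't believe `lib` exports the former, so evaluation would fail until it reads `example = literalExpression ''`. The assertion attrset uses `description`, but NixOS reads `message` from each assertion, so a failing check would error on the missing attribute rather than print the intended text; change it to `message = "${domain} must specify a dataDir.";`. Note also that `basicAuth` is set only on the `/` location, so the `= /favicon.ico`, `= /robots.txt` and regex locations are matched as sibling blocks and served without authentication; setting `basicAuth` on the virtualHost itself would cover them all.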