snowfield/modules/nginx/default.nix


systemArgs@{ lib, config, ... }:
with lib;
let
cfg = config.luj.nginx; # the `luj.nginx` options declared below
mergeSub =
  # Apply `f` to the system configuration contributed by every declared
  # virtualHost (its `systemConfig` hook, called with the module arguments)
  # and fold the results with mkMerge so the module system combines them.
  f:
  lib.mkMerge (
    lib.mapAttrsToList (_: vhost: f (vhost.systemConfig systemArgs)) config.services.nginx.virtualHosts
  );
recordsFromDomain =
  # Re-key the DNS records generated for `domain` by zone.  A record whose
  # prefix is itself one of the allowed domains is kept as-is; any other is
  # nested under `subdomains.<prefix>` of its zone.
  # `dns` is not bound in this file — assumes the extended `lib` (via
  # `with lib;`) provides it; confirm against the flake's lib overlay.
  domain:
  let
    records = dns.domainToRecords domain config.machine.meta (dns.isVPNDomain domain);
    toZoneEntry =
      recordName: recordValue:
      let
        zone = dns.domainToZone dns.allowedDomains recordName;
        prefix = dns.getDomainPrefix dns.allowedDomains recordName;
        keepFlat = builtins.elem prefix dns.allowedDomains;
      in
      lib.nameValuePair zone (if keepFlat then recordValue else { subdomains.${prefix} = recordValue; });
  in
  lib.mapAttrs' toZoneEntry records;
in
{
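options = {
  luj.nginx = {
    enable = lib.mkEnableOption "activate nginx service";
    # Contact address used for security.acme.defaults.email in the config section.
    email = lib.mkOption {
      type = lib.types.str;
      default = "julien@malka.sh";
    };
  };
  # Awesome NixOS crimes: extend every services.nginx.virtualHosts entry with
  # an internal `systemConfig` hook so a vhost can contribute system-level
  # configuration (ACME certificates, DNS zone records) that the config
  # section collects back through mergeSub.
  services.nginx.virtualHosts = lib.mkOption {
    type = lib.types.attrsOf (
      lib.types.submodule (
        { name, ... }:
        {
          options = {
            systemConfig = lib.mkOption {
              internal = true;
              type = lib.types.unspecified; # A function from module arguments to config.
            };
          };
          config = {
            # Hosts under the internal ".luj" suffix are reachable only from
            # the listed ranges.  These allow/deny directives restrict
            # `location /` only: any other `locations.*` a vhost declares does
            # not inherit them and needs its own restriction.
            locations."/".extraConfig = lib.mkIf (lib.hasSuffix "luj" name) ''
              allow 100.100.45.0/24;
              allow fd7a:115c:a1e0::/48;
              deny all;
            '';
            # Stapling is switched off for every host — presumably because the
            # internal CA issuing the ".luj" certificates has no OCSP
            # responder; TODO confirm.
            extraConfig = ''
              ssl_stapling off;
            '';
            systemConfig = _: {
              # ".luj" hosts obtain their certificate from the internal CA's
              # ACME directory rather than the public default.  The attribute
              # is only present when the suffix matches, so no inner mkIf on
              # the same condition is needed.
              security.acme.certs = lib.optionalAttrs (lib.hasSuffix "luj" name) {
                "${name}".server = "https://ca.luj/acme/acme/directory";
              };
              # Every real vhost (everything but the catch-all "default")
              # publishes DNS records for its name into the machine metadata.
              machine.meta.zones = lib.optionalAttrs (name != "default") (recordsFromDomain name);
            };
          };
        }
      )
    );
  };
};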
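config = lib.mkIf cfg.enable {
  # HTTP and HTTPS are the only ports this module exposes.
  networking.firewall.allowedTCPPorts = [
    80
    443
  ];
  # Declared explicitly here, presumably so the group exists for the
  # acme:nginx-owned age secrets below independently of the nginx module's
  # own user/group setup — confirm before removing.
  users.groups.nginx = {
    name = "nginx";
  };
  services.nginx = {
    enable = true;
    recommendedGzipSettings = true;
    recommendedOptimisation = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;
    commonHttpConfig = ''
      server_names_hash_bucket_size 128;
    '';
    # Catch-all server: a request whose Host/SNI matches no configured vhost
    # is served on a dedicated certificate and the connection is closed
    # without a response (444), so unknown names never reach a real vhost
    # and no real host's certificate is presented to them.
    virtualHosts.default = {
      default = true;
      addSSL = true;
      enableACME = false;
      sslCertificate = "/var/lib/acme/default/cert.pem";
      sslCertificateKey = "/var/lib/acme/default/key.pem";
      extraConfig = ''
        return 444;
      '';
    };
  };
  # Per-vhost ACME certificate settings contributed via each submodule's
  # `systemConfig` hook.
  security.acme.certs = mergeSub (c: c.security.acme.certs);
  # `email` is typed as str, so no string interpolation is needed.
  security.acme.defaults.email = cfg.email;
  security.acme.acceptTerms = true;
  # Certificate and key for the catch-all vhost, decrypted by agenix directly
  # to the path nginx reads (symlink = false).  Mode 0640 acme:nginx keeps the
  # key readable only by the acme user and the nginx group.
  age.secrets.nginx-cert = {
    file = ../../secrets/404-ssl-certificate-cert.age;
    path = "/var/lib/acme/default/cert.pem";
    owner = "acme";
    group = "nginx";
    mode = "0640";
    symlink = false;
  };
  age.secrets.nginx-key = {
    file = ../../secrets/404-ssl-certificate-key.age;
    path = "/var/lib/acme/default/key.pem";
    owner = "acme";
    group = "nginx";
    mode = "0640";
    symlink = false;
  };
  # The target directory for the secrets above, group-accessible to nginx only.
  systemd.tmpfiles.rules = [
    "d /var/lib/acme/default 0750 acme nginx - -"
  ];
  # Machine metadata (DNS zones) contributed by each vhost's `systemConfig`.
  machine = mergeSub (c: c.machine);
};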
}