2024-07-16 15:06:08 +03:00
|
|
|
{ cluster, config, lib, pkgs, ... }:
|
2024-07-04 02:57:36 +03:00
|
|
|
|
|
|
|
let
|
|
|
|
externalWays = lib.filterAttrs (_: cfg: !cfg.internal) cluster.config.ways;
|
2024-07-04 18:03:39 +03:00
|
|
|
|
2024-08-03 00:26:46 +03:00
|
|
|
internalWays = lib.filterAttrs (_: cfg: cfg.internal) cluster.config.ways;
|
|
|
|
|
2024-07-04 18:03:39 +03:00
|
|
|
consulServiceWays = lib.filterAttrs (_: cfg: cfg.useConsul) cluster.config.ways;
|
2024-07-04 02:57:36 +03:00
|
|
|
in
|
|
|
|
|
|
|
|
{
|
2024-07-04 18:03:39 +03:00
|
|
|
services.nginx = {
|
|
|
|
virtualHosts = lib.mapAttrs' (name: cfg: {
|
2024-07-04 19:12:52 +03:00
|
|
|
name = cfg.name;
|
2024-07-04 18:03:39 +03:00
|
|
|
value = { ... }: {
|
|
|
|
imports = [
|
|
|
|
cfg.extras
|
|
|
|
{
|
2024-08-03 00:26:46 +03:00
|
|
|
listenAddresses = lib.mkIf cfg.internal [ config.reflection.interfaces.vstub.addr ];
|
2024-07-04 18:03:39 +03:00
|
|
|
forceSSL = true;
|
2024-07-04 19:12:52 +03:00
|
|
|
enableACME = !cfg.internal && !cfg.wildcard;
|
|
|
|
useACMEHost = lib.mkMerge [
|
|
|
|
(lib.mkIf cfg.internal cfg.domainSuffixInternal)
|
|
|
|
(lib.mkIf cfg.wildcard "${name}.${cfg.domainSuffix}")
|
|
|
|
];
|
2024-07-04 18:03:39 +03:00
|
|
|
locations = lib.mkMerge [
|
|
|
|
{
|
|
|
|
"/".proxyPass = cfg.target;
|
|
|
|
"${cfg.healthCheckPath}".extraConfig = "access_log off;";
|
|
|
|
}
|
|
|
|
{
|
|
|
|
"/.well-known/ways/internal-health-check" = {
|
|
|
|
return = ''200 "INTERNAL_OK\n"'';
|
|
|
|
extraConfig = "access_log off;";
|
|
|
|
};
|
|
|
|
}
|
|
|
|
];
|
|
|
|
}
|
|
|
|
];
|
|
|
|
};
|
|
|
|
}) cluster.config.ways;
|
|
|
|
|
|
|
|
appendHttpConfig = lib.mkIf (consulServiceWays != {}) ''
|
|
|
|
include /run/consul-template/nginx-ways-*.conf;
|
|
|
|
'';
|
|
|
|
};
|
2024-07-04 02:57:36 +03:00
|
|
|
|
|
|
|
security.acme.certs = lib.mapAttrs' (name: cfg: {
|
2024-07-04 19:12:52 +03:00
|
|
|
name = "${name}.${cfg.domainSuffix}";
|
2024-07-04 02:57:36 +03:00
|
|
|
value = {
|
2024-07-04 19:12:52 +03:00
|
|
|
domain = lib.mkIf cfg.wildcard "*.${name}.${cfg.domainSuffix}";
|
2024-07-04 02:57:36 +03:00
|
|
|
dnsProvider = "exec";
|
|
|
|
webroot = lib.mkForce null;
|
2024-07-04 19:12:52 +03:00
|
|
|
group = "nginx";
|
2024-07-04 02:57:36 +03:00
|
|
|
};
|
|
|
|
}) externalWays;
|
|
|
|
|
2024-07-04 20:57:05 +03:00
|
|
|
systemd.services = lib.mapAttrs' (name: cfg: {
|
|
|
|
name = "acme-${name}.${cfg.domainSuffix}";
|
|
|
|
value.distributed.enable = true;
|
|
|
|
}) externalWays;
|
|
|
|
|
2024-07-04 18:03:39 +03:00
|
|
|
services.consul-template.instances.ways = lib.mkIf (consulServiceWays != {}) {
|
|
|
|
user = "nginx";
|
|
|
|
group = "nginx";
|
|
|
|
settings = {
|
2024-07-17 03:53:36 +03:00
|
|
|
consul.address = config.links.consulAgent.url;
|
2024-07-04 18:03:39 +03:00
|
|
|
template = [
|
|
|
|
{
|
|
|
|
source = let
|
|
|
|
upstreams = lib.mapAttrsToList (_: cfg: ''
|
|
|
|
upstream ${cfg.nginxUpstreamName} {
|
|
|
|
{{ range $i, $e := service "${cfg.consulService}~_agent" -}}
|
|
|
|
server {{ .Address }}:{{ .Port }}{{ if ne $i 0 }} backup{{ end }};
|
|
|
|
{{end}}
|
|
|
|
}
|
|
|
|
'') consulServiceWays;
|
2024-07-04 20:42:08 +03:00
|
|
|
in pkgs.writeText "ways-upstreams.ctmpl" (lib.concatStringsSep "\n" (lib.unique upstreams));
|
2024-07-04 18:03:39 +03:00
|
|
|
destination = "/run/consul-template/nginx-ways-upstreams.conf";
|
|
|
|
exec.command = [
|
|
|
|
"${config.services.nginx.package}/bin/nginx"
|
|
|
|
"-s" "reload"
|
|
|
|
"-g" "pid /run/nginx/nginx.pid;"
|
|
|
|
];
|
|
|
|
}
|
|
|
|
];
|
|
|
|
};
|
|
|
|
};
|
|
|
|
|
2024-08-03 00:26:46 +03:00
|
|
|
consul.services = {
|
|
|
|
ways-proxy = {
|
|
|
|
unit = "nginx";
|
|
|
|
mode = "external";
|
|
|
|
definition = {
|
|
|
|
name = "ways-proxy";
|
|
|
|
address = config.reflection.interfaces.primary.addrPublic;
|
|
|
|
port = 443;
|
|
|
|
checks = lib.singleton {
|
|
|
|
interval = "60s";
|
|
|
|
tcp = "127.0.0.1:80";
|
|
|
|
};
|
|
|
|
tags = lib.attrNames externalWays;
|
|
|
|
};
|
|
|
|
};
|
|
|
|
ways-proxy-internal = {
|
|
|
|
unit = "nginx";
|
|
|
|
mode = "external";
|
|
|
|
definition = {
|
|
|
|
name = "ways-proxy-internal";
|
|
|
|
address = config.reflection.interfaces.vstub.addr;
|
|
|
|
port = 443;
|
|
|
|
checks = lib.singleton {
|
|
|
|
interval = "60s";
|
|
|
|
tcp = "127.0.0.1:80";
|
|
|
|
};
|
|
|
|
tags = lib.attrNames internalWays;
|
2024-07-04 02:57:36 +03:00
|
|
|
};
|
|
|
|
};
|
|
|
|
};
|
|
|
|
}
|