cluster/services/ways: init

cluster/services/ways/default.nix

@@ -0,0 +1,16 @@
+{ config, lib, ... }:
+
+{
+  imports = [
+    ./options
+  ];
+
+  services.ways = {
+    nodes.host = config.services.websites.nodes.host;
+    nixos.host = ./host.nix;
+  };
+
+  dns.records = lib.mapAttrs (name: cfg: {
+    consulService = "${name}.ways-proxy";
+  }) (lib.filterAttrs (_: cfg: !cfg.internal) config.ways);
+}

cluster/services/ways/host.nix

@@ -0,0 +1,58 @@
+{ cluster, depot, lib, ... }:
+
+let
+  inherit (depot.lib.meta) domain;
+
+  externalWays = lib.filterAttrs (_: cfg: !cfg.internal) cluster.config.ways;
+in
+
+{
+  services.nginx.virtualHosts = lib.mapAttrs' (name: cfg: {
+    name = if cfg.internal then "${name}.internal.${domain}" else "${name}.${domain}";
+    value = { ... }: {
+      imports = [
+        cfg.extras
+        {
+          forceSSL = true;
+          enableACME = !cfg.internal;
+          useACMEHost = lib.mkIf cfg.internal "internal.${domain}";
+          locations = lib.mkMerge [
+            {
+              "/".proxyPass = cfg.target;
+              "${cfg.healthCheckPath}".extraConfig = "access_log off;";
+            }
+            {
+              "/.well-known/ways/internal-health-check" = {
+                return = ''200 "INTERNAL_OK\n"'';
+                extraConfig = "access_log off;";
+              };
+            }
+          ];
+        }
+      ];
+    };
+  }) cluster.config.ways;
+
+  security.acme.certs = lib.mapAttrs' (name: cfg: {
+    name = "${name}.${domain}";
+    value = {
+      dnsProvider = "exec";
+      webroot = lib.mkForce null;
+    };
+  }) externalWays;
+
+  consul.services.ways-proxy = {
+    unit = "nginx";
+    mode = "external";
+    definition = {
+      name = "ways-proxy";
+      address = depot.reflection.interfaces.primary.addrPublic;
+      port = 443;
+      checks = lib.singleton {
+        interval = "60s";
+        tcp = "127.0.0.1:80";
+      };
+      tags = lib.attrNames externalWays;
+    };
+  };
+}

cluster/services/ways/options/default.nix

@@ -0,0 +1,8 @@
+{ lib, ... }:
+
+{
+  options.ways = lib.mkOption {
+    type = lib.types.attrsOf (lib.types.submodule ./way.nix);
+    default = {};
+  };
+}

cluster/services/ways/options/way.nix

@@ -0,0 +1,34 @@
+{ lib, name, ... }:
+
+with lib;
+
+{
+  options = {
+    internal = mkOption {
+      description = "Whether to only make this Way available internally. Will use the internal subdomain.";
+      type = types.bool;
+      default = false;
+    };
+
+    name = mkOption {
+      description = "Subdomain name to use.";
+      type = types.str;
+      default = name;
+    };
+
+    target = mkOption {
+      type = types.str;
+    };
+
+    healthCheckPath = mkOption {
+      type = types.path;
+      default = "/.well-known/ways/internal-health-check";
+    };
+
+    extras = mkOption {
+      description = "Extra configuration to pass to the nginx virtual host submodule.";
+      type = types.deferredModule;
+      default = {};
+    };
+  };
+}