cluster/services/ways: support wildcards

This commit is contained in:
Max Headroom 2024-07-04 18:12:52 +02:00
parent a2cbfb9c25
commit ac047b189d
4 changed files with 61 additions and 14 deletions


@ -10,7 +10,7 @@
nixos.host = ./host.nix;
};
dns.records = lib.mapAttrs (name: cfg: {
consulService = "${name}.ways-proxy";
}) (lib.filterAttrs (_: cfg: !cfg.internal) config.ways);
dns.records = lib.mapAttrs'
(_: cfg: lib.nameValuePair cfg.dnsRecord.name ({ ... }: { imports = [ cfg.dnsRecord.value ]; }))
config.ways;
}
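Review bot: The `!cfg.internal` filter is dropped from `dns.records` (L14-L19), so internal ways now publish a record as well, and since `dnsRecord.name` defaults to the bare way name it is indistinguishable from an external way's record while still pointing at `<name>.ways-proxy`. If internal ways are meant to stay out of this zone, keep the old filter on the new expression: `(lib.filterAttrs (_: cfg: !cfg.internal) config.ways)` in place of `config.ways` on L19. If the zone is intentionally internal-reachable only, a one-line comment saying so above `dns.records` would stop the next reader from re-adding the filter; I cannot tell from this hunk which is the case. The enclosing module attrset starts before the hunk.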


@ -1,8 +1,6 @@
{ cluster, config, depot, lib, pkgs, ... }:
let
inherit (depot.lib.meta) domain;
externalWays = lib.filterAttrs (_: cfg: !cfg.internal) cluster.config.ways;
consulServiceWays = lib.filterAttrs (_: cfg: cfg.useConsul) cluster.config.ways;
@ -13,14 +11,17 @@ in
{
services.nginx = {
virtualHosts = lib.mapAttrs' (name: cfg: {
name = if cfg.internal then "${name}.internal.${domain}" else "${name}.${domain}";
name = cfg.name;
value = { ... }: {
imports = [
cfg.extras
{
forceSSL = true;
enableACME = !cfg.internal;
useACMEHost = lib.mkIf cfg.internal "internal.${domain}";
enableACME = !cfg.internal && !cfg.wildcard;
useACMEHost = lib.mkMerge [
(lib.mkIf cfg.internal cfg.domainSuffixInternal)
(lib.mkIf cfg.wildcard "${name}.${cfg.domainSuffix}")
];
locations = lib.mkMerge [
{
"/".proxyPass = cfg.target;
@ -44,10 +45,12 @@ in
};
security.acme.certs = lib.mapAttrs' (name: cfg: {
name = "${name}.${domain}";
name = "${name}.${cfg.domainSuffix}";
value = {
domain = lib.mkIf cfg.wildcard "*.${name}.${cfg.domainSuffix}";
dnsProvider = "exec";
webroot = lib.mkForce null;
group = "nginx";
};
}) externalWays;
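Review bot: `useACMEHost` (L44-L47) gets two definitions when a way sets both `internal = true` and `wildcard = true`: both `mkIf` conditions hold and the values `cfg.domainSuffixInternal` and `"${name}.${cfg.domainSuffix}"` differ, so as far as I can tell evaluation fails with a conflicting-definitions error instead of a clear message, and `security.acme.certs` (L53-L62) still maps only `externalWays`, so no wildcard certificate would be issued for such a way anyway. Make the unsupported combination explicit, e.g. `assertions = lib.mapAttrsToList (name: cfg: { assertion = !(cfg.internal && cfg.wildcard); message = "ways.${name}: internal wildcard ways are not supported"; }) cluster.config.ways;`, or give the wildcard branch precedence with `mkOverride`. Separately, L28 appears to be removed while `externalWays` is still referenced at L62; if that binding really was dropped rather than moved into lines this page does not show, the file no longer evaluates. The `services.nginx` attrset and the `let` block both extend outside the hunks shown.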


@ -1,8 +1,12 @@
{ lib, ... }:
{ lib, depot, ... }:
{
options.ways = lib.mkOption {
type = lib.types.attrsOf (lib.types.submodule ./way.nix);
type = lib.types.attrsOf (lib.types.submodule {
imports = [ ./way.nix ];
domainSuffixExternal = depot.lib.meta.domain;
domainSuffixInternal = "internal.${depot.lib.meta.domain}";
});
default = {};
};
}


@ -1,4 +1,4 @@
{ lib, name, options, ... }:
{ config, lib, name, options, ... }:
with lib;
@ -11,15 +11,39 @@ with lib;
};
name = mkOption {
description = "Subdomain name to use.";
description = "Domain name to use.";
type = types.str;
default = name;
default = let
basename = "${name}.${config.domainSuffix}";
in if config.wildcard then "~^(.+)\.${lib.escapeRegex basename}$" else basename;
};
dnsRecord = {
name = mkOption {
description = "DNS record name for this Way.";
type = types.str;
default = if config.wildcard then "^[^_].+\\.${lib.escapeRegex name}" else name;
};
value = mkOption {
description = "DNS record value for this Way.";
type = types.deferredModule;
default = {
consulService = "${name}.ways-proxy";
rewrite.type = lib.mkIf config.wildcard "regex";
};
};
};
target = mkOption {
type = types.str;
};
wildcard = mkOption {
type = types.bool;
default = false;
};
consulService = mkOption {
type = types.str;
};
@ -40,6 +64,22 @@ with lib;
internal = true;
};
domainSuffixInternal = mkOption {
type = types.str;
internal = true;
};
domainSuffixExternal = mkOption {
type = types.str;
internal = true;
};
domainSuffix = mkOption {
type = types.str;
internal = true;
default = if config.internal then config.domainSuffixInternal else config.domainSuffixExternal;
};
extras = mkOption {
description = "Extra configuration to pass to the nginx virtual host submodule.";
type = types.deferredModule;
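Review bot: `\.` on L96 is not an escape in a Nix double-quoted string (only `\n`, `\r`, `\t`, `\\`, `\$` and `\"` are; any other `\x` yields `x`), so the wildcard default for `name` expands to `~^(.+).foo\.example\.com$` and the bare `.` after the capture group matches any character — a host such as `xyfoo.example.com` satisfies the `server_name` regex, not just `sub.foo.example.com`. The `dnsRecord.name` default on L102 already writes `\\.`, which is what this line needs: `in if config.wildcard then "~^(.+)\\.${lib.escapeRegex basename}$" else basename;`. L102 also has no trailing `$`; whether the DNS rewrite layer anchors the pattern is not visible here, and if it does not, `^[^_].+\\.foo` also matches `bar.foobar`, so consider appending `$` there too. The `options` attrset these fields belong to begins before the first hunk and continues past the last one.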