{ cluster, config, lib, pkgs, ... }: let externalWays = lib.filterAttrs (_: cfg: !cfg.internal) cluster.config.ways; internalWays = lib.filterAttrs (_: cfg: cfg.internal) cluster.config.ways; consulServiceWays = lib.filterAttrs (_: cfg: cfg.useConsul) cluster.config.ways; in { services.nginx = { virtualHosts = lib.mapAttrs' (name: cfg: { name = cfg.name; value = { ... }: { imports = [ cfg.extras { listenAddresses = lib.mkIf cfg.internal [ config.reflection.interfaces.vstub.addr ]; forceSSL = true; enableACME = !cfg.internal && !cfg.wildcard; useACMEHost = lib.mkMerge [ (lib.mkIf cfg.internal cfg.domainSuffixInternal) (lib.mkIf cfg.wildcard "${name}.${cfg.domainSuffix}") ]; locations = lib.mkMerge [ { "/" = if cfg.grpc then { extraConfig = '' set $nix_proxy_grpc_target ${cfg.target}; grpc_pass $nix_proxy_grpc_target; ''; } else { proxyPass = cfg.target; }; "${cfg.healthCheckPath}".extraConfig = "access_log off;"; } { "/.well-known/ways/internal-health-check" = { return = ''200 "INTERNAL_OK\n"''; extraConfig = "access_log off;"; }; } ]; } ]; }; }) cluster.config.ways; appendHttpConfig = lib.mkIf (consulServiceWays != {}) '' include /run/consul-template/nginx-ways-*.conf; ''; }; security.acme.certs = lib.mapAttrs' (name: cfg: { name = "${name}.${cfg.domainSuffix}"; value = { domain = lib.mkIf cfg.wildcard "*.${name}.${cfg.domainSuffix}"; dnsProvider = "exec"; webroot = lib.mkForce null; group = "nginx"; }; }) externalWays; systemd.services = lib.mapAttrs' (name: cfg: { name = "acme-${name}.${cfg.domainSuffix}"; value.distributed.enable = true; }) externalWays; services.consul-template.instances.ways = lib.mkIf (consulServiceWays != {}) { user = "nginx"; group = "nginx"; settings = { consul.address = config.links.consulAgent.url; template = [ { source = let upstreams = lib.mapAttrsToList (_: cfg: '' {{ if ne (len (service "${cfg.consulService}~_agent")) 0 }} # ${cfg.consulService} upstream ${cfg.nginxUpstreamName} { {{ range $i, $e := service "${cfg.consulService}~_agent" -}} server {{ .Address }}:{{ .Port }}{{ if ne $i 0 }} backup{{ end }}; {{ end }} } {{ else }} # upstream ${cfg.nginxUpstreamName} (${cfg.consulService}): no servers available {{ end }} '') consulServiceWays; in pkgs.writeText "ways-upstreams.ctmpl" (lib.concatStringsSep "\n" (lib.unique upstreams)); destination = "/run/consul-template/nginx-ways-upstreams.conf"; exec.command = lib.singleton (pkgs.writeShellScript "ways-reload" '' if ${config.systemd.package}/bin/systemctl is-active nginx.service; then exec ${config.services.nginx.package}/bin/nginx -s reload -g 'pid /run/nginx/nginx.pid;' fi ''); } ]; }; }; consul.services = { ways-proxy = { unit = "nginx"; mode = "external"; definition = { name = "ways-proxy"; address = config.reflection.interfaces.primary.addrPublic; port = 443; checks = lib.singleton { interval = "60s"; tcp = "127.0.0.1:80"; }; tags = lib.attrNames externalWays; }; }; ways-proxy-internal = { unit = "nginx"; mode = "external"; definition = { name = "ways-proxy-internal"; address = config.reflection.interfaces.vstub.addr; port = 443; checks = lib.singleton { interval = "60s"; tcp = "127.0.0.1:80"; }; tags = lib.attrNames internalWays; }; }; }; }