depot/cluster/services/ways/host.nix

{ cluster, config, lib, pkgs, ... }:

let
  externalWays = lib.filterAttrs (_: cfg: !cfg.internal) cluster.config.ways;

  internalWays = lib.filterAttrs (_: cfg: cfg.internal) cluster.config.ways;

  consulServiceWays = lib.filterAttrs (_: cfg: cfg.useConsul) cluster.config.ways;
in

{
  services.nginx = {
    virtualHosts = lib.mapAttrs' (name: cfg: {
      name = cfg.name;
      value = { ... }: {
        imports = [
          cfg.extras
          {
            listenAddresses = lib.mkIf cfg.internal [ config.reflection.interfaces.vstub.addr ];
            forceSSL = true;
            enableACME = !cfg.internal && !cfg.wildcard;
            useACMEHost = lib.mkMerge [
              (lib.mkIf cfg.internal cfg.domainSuffixInternal)
              (lib.mkIf cfg.wildcard "${name}.${cfg.domainSuffix}")
            ];
            locations = lib.mkMerge [
              {
                "/".proxyPass = cfg.target;
                "${cfg.healthCheckPath}".extraConfig = "access_log off;";
              }
              {
                "/.well-known/ways/internal-health-check" = {
                  return = ''200 "INTERNAL_OK\n"'';
                  extraConfig = "access_log off;";
                };
              }
            ];
          }
        ];
      };
    }) cluster.config.ways;

    appendHttpConfig = lib.mkIf (consulServiceWays != {}) ''
      include /run/consul-template/nginx-ways-*.conf;
    '';
  };

  security.acme.certs = lib.mapAttrs' (name: cfg: {
    name = "${name}.${cfg.domainSuffix}";
    value = {
      domain = lib.mkIf cfg.wildcard "*.${name}.${cfg.domainSuffix}";
      dnsProvider = "exec";
      webroot = lib.mkForce null;
      group = "nginx";
    };
  }) externalWays;

  systemd.services = lib.mapAttrs' (name: cfg: {
    name = "acme-${name}.${cfg.domainSuffix}";
    value.distributed.enable = true;
  }) externalWays;

  services.consul-template.instances.ways = lib.mkIf (consulServiceWays != {}) {
    user = "nginx";
    group = "nginx";
    settings = {
      consul.address = config.links.consulAgent.url;
      template = [
        {
          source = let
            upstreams = lib.mapAttrsToList (_: cfg: ''
              {{ if ne (len (service "${cfg.consulService}~_agent")) 0 }}
              # ${cfg.consulService}
              upstream ${cfg.nginxUpstreamName} {
                {{ range $i, $e := service "${cfg.consulService}~_agent" -}}
                server {{ .Address }}:{{ .Port }}{{ if ne $i 0 }} backup{{ end }};
                {{ end }}
              }
              {{ else }}
              # upstream ${cfg.nginxUpstreamName} (${cfg.consulService}): no servers available
              {{ end }}
            '') consulServiceWays;
          in pkgs.writeText "ways-upstreams.ctmpl" (lib.concatStringsSep "\n" (lib.unique upstreams));
          destination = "/run/consul-template/nginx-ways-upstreams.conf";
          exec.command = [
            "${config.services.nginx.package}/bin/nginx"
            "-s" "reload"
            "-g" "pid /run/nginx/nginx.pid;"
          ];
        }
      ];
    };
  };

  consul.services = {
    ways-proxy = {
      unit = "nginx";
      mode = "external";
      definition = {
        name = "ways-proxy";
        address = config.reflection.interfaces.primary.addrPublic;
        port = 443;
        checks = lib.singleton {
          interval = "60s";
          tcp = "127.0.0.1:80";
        };
        tags = lib.attrNames externalWays;
      };
    };
    ways-proxy-internal = {
      unit = "nginx";
      mode = "external";
      definition = {
        name = "ways-proxy-internal";
        address = config.reflection.interfaces.vstub.addr;
        port = 443;
        checks = lib.singleton {
          interval = "60s";
          tcp = "127.0.0.1:80";
        };
        tags = lib.attrNames internalWays;
      };
    };
  };
}