NixOS/modules/factories/mkserver.nix

{ lib, config, ... }:
let
# Option set for one managed server service.  `name` keys the service under
# config.my.servers, `subdomain` is prefixed to the service's domain to form
# its public host, and `port` is the port the backend listens on.  Every
# default below is lazy and may refer back to the service's own final option
# values, so overriding one option lets the dependent ones follow.
mkOptions =
  name: subdomain: port:
  let
    # The service's own (final, merged) option values, so defaults can chain.
    self = config.my.servers.${name};
    strOpt =
      default:
      lib.mkOption {
        type = lib.types.str;
        inherit default;
      };
  in
  {
    enable = lib.mkEnableOption "this server service";
    enableCron = lib.mkEnableOption "enable cronjob";
    # Presumably read by the module that builds the nginx vhost; public
    # exposure of the service is opt-in.
    enableProxy = lib.mkEnableOption "enable reverse proxy";
    port = lib.mkOption {
      type = lib.types.int;
      default = port;
    };
    name = strOpt name;
    domain = strOpt config.my.domain;
    # Public host name, <subdomain>.<domain>.
    host = strOpt "${subdomain}.${self.domain}";
    # Machine the backend runs on; drives isLocal and ip.
    hostName = strOpt config.networking.hostName;
    # Public TLS URL of the service.
    url = strOpt "https://${self.host}";
    # Address the proxy reaches the backend at: the configured localhost
    # address when the backend lives on the main server, otherwise the host's
    # entry in config.my.ips (evaluation fails if that entry is missing).
    ip = strOpt (
      if self.isLocal then config.my.localhost else config.my.ips.${self.hostName}
    );
    # Plain-HTTP backend URL.  When ip is not a loopback address this hop
    # crosses the network unencrypted, so it relies on that network being
    # trusted.
    local = strOpt "http://${self.ip}:${toString port}";
    isLocal = lib.mkOption {
      type = lib.types.bool;
      default = self.hostName == config.my.mainServer;
    };
    # Let WebSocket upgrades pass through the proxy (see proxyReverse).
    enableSocket = lib.mkOption {
      type = lib.types.bool;
      default = false;
    };
    # CA certificate used to verify client certificates (ssl_client_certificate
    # in proxyReversePrivate).  A Nix path value is copied into the
    # world-readable Nix store when it is interpolated into a string, so this
    # must only ever reference a public CA bundle, never private key material.
    certPath = lib.mkOption {
      type = lib.types.nullOr lib.types.path;
      default = null;
    };
  };
# nginx virtualHost skeleton: plain HTTP is redirected to TLS (forceSSL), the
# certificate comes from ACME, HTTP/2 is enabled, and the caller's `locations`
# are attached unchanged.
proxy =
  locations:
  let
    tls = {
      forceSSL = true;
      enableACME = true;
    };
  in
  tls
  // {
    http2 = true;
    inherit locations;
  };
# Reverse-proxy vhost for a service: every request under "/" is passed to the
# backend over plain HTTP at cfg.ip:cfg.port.  That proxy -> backend hop is
# unencrypted, so a non-loopback cfg.ip relies on the network between the two
# hosts being trusted.  WebSocket upgrades are proxied only when
# cfg.enableSocket is set.
proxyReverse =
  cfg:
  let
    backend = "http://${cfg.ip}:${toString cfg.port}/";
    rootLocation = {
      proxyPass = backend;
      proxyWebsockets = cfg.enableSocket;
    };
  in
  proxy { "/" = rootLocation; };
# proxyReverse plus the headers a backend needs to reconstruct the original
# request (Upgrade/Connection for WebSockets, X-Forwarded-Host, HTTP/1.1 to
# the backend).  Host, X-Forwarded-For and X-Forwarded-Proto are only set when
# the backend runs on this very machine (cfg.hostName == networking.hostName).
# NOTE(review): for a remote backend nothing overwrites a client-supplied
# X-Forwarded-For, so such a backend should not base access decisions on it;
# and $proxy_add_x_forwarded_for appends rather than replaces, so the address
# nginx itself saw is the last entry.
proxyReverseFix =
  cfg:
  let
    onThisHost = cfg.hostName == config.networking.hostName;
    forwardHeaders = ''
      proxy_set_header Host $host;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;
    '';
    extra = ''
      ${lib.optionalString onThisHost forwardHeaders}
      proxy_set_header X-Forwarded-Host $host;
      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection $http_connection;
      proxy_redirect off;
      proxy_http_version 1.1;
    '';
  in
  proxyReverse cfg // { extraConfig = extra; };
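# Reverse-proxy vhost gated by mutual TLS: nginx requires a client certificate
# chaining to the CA at cfg.certPath before the request reaches the backend.
# certPath defaults to null; interpolating null into the nginx config used to
# fail with an opaque "cannot coerce null to a string", so the requirement is
# now stated explicitly up front.
# NOTE(review): nginx reports a missing or unverifiable client certificate via
# its internal 495/496 codes (rendered as 400 by default), not 403, so the
# `error_page 403` line presumably does not cover those cases — confirm what
# it is meant to catch.
proxyReversePrivate =
  cfg:
  assert lib.assertMsg (cfg.certPath != null)
    "proxyReversePrivate: certPath must point at the client CA certificate when ssl_verify_client is on";
  proxyReverse cfg
  // {
    extraConfig = ''
      ssl_verify_client on;
      ssl_client_certificate ${cfg.certPath};
      error_page 403 /403.html;
    '';
  };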
in
# Exported helpers.  mkServerOptions is presumably an alias kept so callers
# using the longer name keep working.
{
  mkOptions = mkOptions;
  mkServerOptions = mkOptions;
  proxy = proxy;
  proxyReverse = proxyReverse;
  proxyReverseFix = proxyReverseFix;
  proxyReversePrivate = proxyReversePrivate;
}