Diffstat (limited to 'modules/services/nginx')
-rw-r--r--modules/services/nginx/default.nix49
-rw-r--r--modules/services/nginx/sso/default.nix80
2 files changed, 129 insertions, 0 deletions
diff --git a/modules/services/nginx/default.nix b/modules/services/nginx/default.nix
new file mode 100644
index 0000000..e37e9b3
--- /dev/null
+++ b/modules/services/nginx/default.nix
@@ -0,0 +1,49 @@
+{ config, lib, pkgs, ... }:
+let cfg = config.my.services.nginx;
+in {
+ options.my.services.nginx = with lib; { enable = mkEnableOption "Nginx"; };
+ config = lib.mkIf cfg.enable {
+ services.nginx = {
+ enable = true;
+ statusPage = true; # For monitoring scraping.
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ recommendedTlsSettings = true;
+ recommendedProxySettings = true;
+ };
+
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
+
+ # Nginx needs to be able to read the certificates
+ users.users.nginx.extraGroups = [ "acme" ];
+
+ security.acme = {
+ email = "franck@fcuny.net";
+ acceptTerms = true;
+ };
+
+ services.prometheus = {
+ exporters.nginx = {
+ enable = true;
+ listenAddress = "127.0.0.1";
+ };
+ scrapeConfigs = [{
+ job_name = "nginx";
+ static_configs = [{
+ targets = [
+ "127.0.0.1:${
+ toString config.services.prometheus.exporters.nginx.port
+ }"
+ ];
+ labels = { instance = config.networking.hostName; };
+ }];
+ }];
+ };
+
+ services.grafana.provision.dashboards = [{
+ name = "NGINX";
+ options.path = pkgs.nur.repos.alarsyo.grafanaDashboards.nginx;
+ disableDeletion = true;
+ }];
+ };
+}
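Review bot: `users.users.nginx.extraGroups = [ "acme" ]` (the line under the certificate comment) grants nginx read access to every ACME certificate and private key in the ACME state directory, not only the ones it serves; if other ACME-consuming services share this host, scoping per certificate with `security.acme.certs.<name>.group = "nginx"` (or letting `enableACME` on each virtual host handle it) keeps each private key readable by one consumer only. The comment should state the breadth of the grant, e.g. `# host-wide grant: nginx can read every ACME cert/key; scope per-cert via security.acme.certs.<name>.group if other services also use ACME here`. The firewall line also opens 80 and 443 unconditionally, which is presumably intended for a public-facing proxy, but `mkEnableOption "Nginx"` says nothing about it; a one-line description on the option would spare the next reader a surprise.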
diff --git a/modules/services/nginx/sso/default.nix b/modules/services/nginx/sso/default.nix
new file mode 100644
index 0000000..27ed7d6
--- /dev/null
+++ b/modules/services/nginx/sso/default.nix
@@ -0,0 +1,80 @@
+# I must override the module to allow having runtime secrets
+{ config, lib, pkgs, utils, ... }:
+let
+ cfg = config.services.nginx.sso;
+ pkg = lib.getBin cfg.package;
+ confPath = "/var/lib/nginx-sso/config.json";
+in {
+ disabledModules = [ "services/security/nginx-sso.nix" ];
+ options.services.nginx.sso = with lib; {
+ enable = mkEnableOption "nginx-sso service";
+ package = mkOption {
+ type = types.package;
+ default = pkgs.nginx-sso;
+ defaultText = "pkgs.nginx-sso";
+ description = ''
+ The nginx-sso package that should be used.
+ '';
+ };
+ configuration = mkOption {
+ type = types.attrsOf types.unspecified;
+ default = { };
+ example = literalExample ''
+ {
+ listen = { addr = "127.0.0.1"; port = 8080; };
+ providers.token.tokens = {
+ myuser = "MyToken";
+ };
+ acl = {
+ rule_sets = [
+ {
+ rules = [ { field = "x-application"; equals = "MyApp"; } ];
+ allow = [ "myuser" ];
+ }
+ ];
+ };
+ }
+ '';
+ description = ''
+ nginx-sso configuration
+ (<link xlink:href="https://github.com/Luzifer/nginx-sso/wiki/Main-Configuration">documentation</link>)
+ as a Nix attribute set.
+ '';
+ };
+ };
+ config = lib.mkIf cfg.enable {
+ systemd.services.nginx-sso = {
+ description = "Nginx SSO Backend";
+ after = [ "network.target" ];
+ wantedBy = [ "multi-user.target" ];
+ serviceConfig = {
+ StateDirectory = "nginx-sso";
+ WorkingDirectory = "/var/lib/nginx-sso";
+ # The files to be merged might not have the correct permissions
+ ExecStartPre = "+${
+ pkgs.writeScript "merge-nginx-sso-config" ''
+ #!${pkgs.bash}/bin/bash
+ rm -f '${confPath}'
+ ${utils.genJqSecretsReplacementSnippet cfg.configuration confPath}
+ # Fix permissions
+ chown nginx-sso:nginx-sso ${confPath}
+ chmod 0600 ${confPath}
+ ''
+ }";
+ ExecStart = lib.mkForce ''
+ ${pkg}/bin/nginx-sso \
+ --config ${confPath} \
+ --frontend-dir ${pkg}/share/frontend
+ '';
+ Restart = "always";
+ User = "nginx-sso";
+ Group = "nginx-sso";
+ };
+ };
+ users.users.nginx-sso = {
+ isSystemUser = true;
+ group = "nginx-sso";
+ };
+ users.groups.nginx-sso = { };
+ };
+}
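Review bot: The merge script in `ExecStartPre` writes the secret-substituted config under the process's default umask and only runs `chmod 0600` afterwards, so between jq's write and the chmod the file may be world-readable (unless the generated snippet sets a umask itself, which I cannot see here); adding `umask 077` directly after the shebang closes that window. The script also has no `set -euo pipefail`, so if a secret file is missing or jq fails, the following `chown`/`chmod` still succeed and the unit starts nginx-sso against an empty or partial config instead of failing the prestart; `set -euo pipefail` on the line after the shebang makes that failure visible. Both are one-line additions at the top of the writeScript body. The `+` prefix that runs this step as root is needed for the chown, but it deserves a comment next to the existing permissions remark, e.g. `# "+" runs this step as root so it can read the secret inputs and chown the merged result`.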