feat(refactor): WIP refactor server modules

2025-10-12 21:07:30 +02:00
parent 57cb48a11c
commit d2bd385367
43 changed files with 1004 additions and 1414 deletions
--- a/modules/server/infra/www/default.nix
+++ b/modules/server/infra/www/default.nix
@@ -0,0 +1,135 @@
+{
+  lib,
+  config,
+  self,
+  ...
+}: let
+  inherit (lib) mkIf mkEnableOption mkOption types;
+  cfg = config.server.infra.www;
+in {
+  options.server.infra.www = {
+    enable = mkEnableOption {
+      description = "Enable personal website";
+    };
+    url = mkOption {
+      default = "";
+      type = types.str;
+      description = ''
+        Public domain name to be used to access the server services via Traefik reverse proxy
+      '';
+    };
+    port = lib.mkOption {
+      type = lib.types.int;
+      default = 8283;
+      description = "The port to host webservice on.";
+    };
+
+    cloudflared = {
+      credentialsFile = lib.mkOption {
+        type = lib.types.str;
+        example = lib.literalExpression ''
+          pkgs.writeText "cloudflare-credentials.json" '''
+          {"AccountTag":"secret"."TunnelSecret":"secret","TunnelID":"secret"}
+          '''
+        '';
+      };
+      tunnelId = lib.mkOption {
+        type = lib.types.str;
+        example = "00000000-0000-0000-0000-000000000000";
+      };
+    };
+  };
+
+  config = mkIf cfg.enable {
+    age.secrets = {
+      wwwCloudflared.file = "${self}/secrets/wwwCloudflared.age";
+    };
+
+    server.infra = {
+      fail2ban = {
+        jails = {
+          nginx-404 = {
+            serviceName = "nginx";
+            failRegex = ''^.*\[error\].*directory index of.* is forbidden.*client: <HOST>.*$'';
+            ignoreRegex = '''';
+            maxRetry = 5;
+          };
+        };
+      };
+    };
+
+    services = {
+      nginx = {
+        enable = true;
+        defaultListen = [
+          {
+            addr = "127.0.0.1";
+            port = 8283;
+          }
+        ];
+        virtualHosts."webfinger" = {
+          forceSSL = false;
+          serverName = cfg.url;
+          root = "/var/www/webfinger";
+
+          locations."= /.well-known/webfinger" = {
+            root = "/var/www/webfinger";
+            extraConfig = ''
+              default_type application/jrd+json;
+              try_files /.well-known/webfinger =404;
+            '';
+          };
+
+          locations."= /robots.txt" = {
+            root = "/var/www/webfinger";
+            extraConfig = ''
+              default_type text/plain;
+              try_files /robots.txt =404;
+            '';
+          };
+        };
+      };
+
+      cloudflared = {
+        enable = true;
+        tunnels.${cfg.cloudflared.tunnelId} = {
+          credentialsFile = cfg.cloudflared.credentialsFile;
+          default = "http_status:404";
+          ingress."${cfg.url}".service = "http://127.0.0.1:8283";
+        };
+      };
+    };
+
+    environment.etc = {
+      "webfinger/.well-known/webfinger".text = ''
+        {
+          "subject": "acct:adam@${cfg.url}",
+          "links": [
+            {
+              "rel": "http://openid.net/specs/connect/1.0/issuer",
+              "href": "https://auth.${cfg.url}/application/o/tailscale/"
+            }
+          ]
+        }
+      '';
+
+      "webfinger/robots.txt".text = ''
+        User-agent: *
+        Disallow: /
+      '';
+    };
+
+    services.traefik.dynamicConfigOptions.http = {
+      routers.webfinger = {
+        entryPoints = ["websecure"];
+        rule = "Host(`${cfg.url}`) && Path(`/.well-known/webfinger`)";
+        service = "webfinger";
+        tls.certResolver = "letsencrypt";
+      };
+
+      services.webfinger.loadBalancer.servers = [
+        {url = "http://127.0.0.1:8283";}
+      ];
+    };
+  };
+}