authorLinnnus <[email protected]>2024-02-20 18:16:42 +0100
committerLinnnus <[email protected]>2024-02-20 18:16:42 +0100
commitb63d45d4bb3d9a49ac196acb3bf19aab35cb6b97 (patch)
treec25952ac8a3f9e6cee508c184d9d2af4dddce9e7 /hosts
parent1f675d8a4f90ea5e043a281f5b2a748033ada082 (diff)
tmp: Remove options in host-specific services (ahmed)reorg
Diffstat (limited to 'hosts')
-rw-r--r--hosts/ahmed/cloudflare-proxy/default.nix35
-rw-r--r--hosts/ahmed/configuration.nix31
-rw-r--r--hosts/ahmed/duksebot/default.nix27
-rw-r--r--hosts/ahmed/forsvarsarper/default.nix11
-rw-r--r--hosts/ahmed/git.linus.onl/default.nix43
-rw-r--r--hosts/ahmed/hellohtml.linus.onl/default.nix23
-rw-r--r--hosts/ahmed/linus.onl/default.nix19
-rw-r--r--hosts/ahmed/nofitications.linus.onl/default.nix24
8 files changed, 56 insertions, 157 deletions
diff --git a/hosts/ahmed/cloudflare-proxy/default.nix b/hosts/ahmed/cloudflare-proxy/default.nix
index 657722d..07489db 100644
--- a/hosts/ahmed/cloudflare-proxy/default.nix
+++ b/hosts/ahmed/cloudflare-proxy/default.nix
@@ -1,15 +1,13 @@
# This module adds some extra configuration useful when running behid a Cloudflare Proxy.
-#
+# Mainly, it blocks all incomming conncections on relevant ports that aren't
+# coming from an official CloudFlare domain.
{
config,
lib,
pkgs,
+ metadata,
...
}: let
- inherit (lib.options) mkEnableOption mkOption;
- inherit (lib.modules) mkIf;
- inherit (lib.types) listOf nonEmptyStr port;
-
# TODO: What happens when these get out of date??? Huh??? You little pissbaby
fileToList = x: lib.strings.splitString "\n" (builtins.readFile x);
cfipv4 = fileToList (pkgs.fetchurl {
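Review bot: The new header comment promises that everything not coming from Cloudflare is blocked, but the range list the rules are built from (`cfipv4` here, and presumably its IPv6 twin below the hunk) is fetched with a pinned sha256, so it is frozen at the revision that last bumped the hash; the TODO on the line above is a real question, not a joke. If Cloudflare adds a range, traffic from it is dropped (fail-closed); if it retires one, that range stays allowed for whoever gets it next (fail-open). The comment should state the maintenance duty rather than the guarantee, e.g. `# NOTE: these lists are pinned by hash and do not track Cloudflare's published ranges; re-fetch and bump the hashes when they change, or the firewall drifts.` The let-binding continues past the end of the hunk.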
@@ -21,27 +19,10 @@
hash = "sha256-np054+g7rQDE3sr9U8Y/piAp89ldto3pN9K+KCNMoKk=";
});
- cfg = config.modules.cloudflare-proxy;
+ IPv4Whitelist = [];
+ IPv6Whitelist = [metadata.hosts.muhammed.ipAddress];
in {
- options.modules.cloudflare-proxy = {
- enable = mkEnableOption "Cloudflare proxy IP extraction for NGINX";
-
- firewall = {
- IPv4Whitelist = mkOption {
- description = "List of IPv4 addresses (or ranges) added to the whitelist.";
- type = listOf nonEmptyStr;
- default = [];
- };
-
- IPv6Whitelist = mkOption {
- description = "List of IPv6 addresses (or ranges) added to the whitelist.";
- type = listOf nonEmptyStr;
- default = [];
- };
- };
- };
-
- config = mkIf cfg.enable {
+ config = {
# Teach NGINX how to extract the proxied IP from proxied requests.
#
# See: https://nixos.wiki/wiki/Nginx#Using_realIP_when_behind_CloudFlare_or_other_CDN
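Review bot: `metadata.hosts.muhammed.ipAddress` is now placed in `IPv6Whitelist`, whereas the host configuration this replaces (configuration.nix, removed `firewall.IPv4Whitelist = [metadata.hosts.muhammed.ipAddress];`) had it in the IPv4 list, so the address silently moves from the iptables rule to the ip6tables rule. If the value is an IPv4 address, ip6tables will reject the rule and muhammed is no longer exempted from the Cloudflare-only filter; if it is an IPv6 address, the previous config was the broken one. Either way the commit should say which, and the obvious fix if it is IPv4 is to restore `IPv4Whitelist = [metadata.hosts.muhammed.ipAddress];` with `IPv6Whitelist = [];`. Dropping `mkIf cfg.enable` also makes the filter unconditional for any host that imports this directory, which is fine for a host-specific module but worth a one-line comment.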
@@ -76,8 +57,8 @@ in {
${allow-interface config.networking.firewall.trustedInterfaces}
# Allow local whitelisted IPs through
- ${allow-ip "iptables" cfg.firewall.IPv4Whitelist}
- ${allow-ip "ip6tables" cfg.firewall.IPv6Whitelist}
+ ${allow-ip "iptables" IPv4Whitelist}
+ ${allow-ip "ip6tables" IPv6Whitelist}
# Allow Cloudflare's IP ranges through.
${allow-ip "iptables" cfipv4}
diff --git a/hosts/ahmed/configuration.nix b/hosts/ahmed/configuration.nix
index 43a170c..27c35eb 100644
--- a/hosts/ahmed/configuration.nix
+++ b/hosts/ahmed/configuration.nix
@@ -3,7 +3,6 @@
{
config,
pkgs,
- metadata,
...
}: {
imports = [
@@ -57,31 +56,11 @@
};
services.cloudflare-dyndns.domains = ["minecraft.linus.onl"];
- # Set up dukse server. Det er satme hårdt at være overduksepåmindelsesansvarlig.
- services.duksebot.enable = true;
-
# Virtual hosts.
+ # Each module for a HTTP service will register a virtual host.
services.nginx.enable = true;
- modules."linus.onl" = {
- enable = true;
- useACME = true;
- };
- modules."notifications.linus.onl" = {
- enable = true;
- useACME = true;
- };
- modules."git.linus.onl" = {
- enable = true;
- useACME = true;
- };
- modules."hellohtml.linus.onl" = {
- enable = true;
- useACME = true;
- };
-
- services.forsvarsarper.enable = true;
- # Configure ACME for various HTTPS services.
+ # Configure ACME. This is used by various HTTP services through the NGINX virtual hosts.
security.acme = {
acceptTerms = true;
defaults.email = "linusvejlo+${config.networking.hostName}[email protected]";
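Review bot: With the per-service `enable` switches removed, the `imports` list at the top of this file (above the hunk) is now the only thing that decides which services run on this host, and the new comment on the virtual-hosts section does not say so. Suggest `# Each module imported above is unconditionally active on this host and registers its own NGINX virtual host; to drop a service, remove it from imports.` so that nobody looks for a missing `modules.*.enable` later. The enclosing attribute set continues past the hunk.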
@@ -104,12 +83,6 @@
# Listen for HTTP connections.
networking.firewall.allowedTCPPorts = [80 443];
- # We are running behind CF proxy.
- modules.cloudflare-proxy = {
- enable = true;
- firewall.IPv4Whitelist = [metadata.hosts.muhammed.ipAddress];
- };
-
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. It's perfectly fine and recommended to leave
diff --git a/hosts/ahmed/duksebot/default.nix b/hosts/ahmed/duksebot/default.nix
index 4c10cd8..f15b0ff 100644
--- a/hosts/ahmed/duksebot/default.nix
+++ b/hosts/ahmed/duksebot/default.nix
@@ -1,27 +1,16 @@
-# This module defines an on-demand minecraft server service which turns off the
-# server when it's not being used.
+# This module defines systemd unit which runs a script that sends Discrord
+# messages. I use it to notify my classmates about who's on cleaning duty. You
+# are probably not interested in this.
+
{
config,
- lib,
pkgs,
- modulesPath,
...
}: let
- inherit (lib) mkIf mkOption mkEnableOption types;
-
- cfg = config.services.duksebot;
+ # What script to run.
+ package = pkgs.duksebot;
in {
- options.services.duksebot = {
- enable = mkEnableOption "duksebot daily reminder";
-
- package = mkOption {
- description = "What package to use";
- default = pkgs.duksebot;
- type = types.package;
- };
- };
-
- config = mkIf cfg.enable {
+ config = {
# Create a user to run the server under.
users.users.duksebot = {
description = "Runs daily dukse reminder";
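Review bot: The rewritten header comment has a typo (`Discrord` → `Discord`), and the comment `# Create a user to run the server under.` is still the wording inherited from the minecraft module even though this unit is a one-shot script, not a server; `# Dedicated unprivileged user for the reminder script.` would match what the `users.users.duksebot` block actually does. The `package` binding could also carry why it exists now that it is no longer an option, e.g. `# Pinned here rather than exposed as an option; change it in this file.`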
@@ -53,7 +42,7 @@ in {
# Load the secret environment variables.
export $(grep -v '^#' ${config.age.secrets.duksebot-env.path} | xargs)
# Kick off.
- exec "${cfg.package}"/bin/duksebot
+ exec "${package}"/bin/duksebot
'';
};
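Review bot: The new `exec` line inherits its secrets from `export $(grep -v '^#' ${config.age.secrets.duksebot-env.path} | xargs)` two lines above, which word-splits and glob-expands every value in the secret file, so a token or message containing spaces, quotes, `*` or `#` is mangled rather than rejected. A safer way to load an env file into the same script is `set -a; . "${config.age.secrets.duksebot-env.path}"; set +a`, or move it out of the script entirely with `serviceConfig.EnvironmentFile = config.age.secrets.duksebot-env.path;`. Minor style: `"${package}"/bin/duksebot` quotes only the store path; `"${package}/bin/duksebot"` is the conventional form. The unit definition starts outside the hunk.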
diff --git a/hosts/ahmed/forsvarsarper/default.nix b/hosts/ahmed/forsvarsarper/default.nix
index 7052f04..c1c6163 100644
--- a/hosts/ahmed/forsvarsarper/default.nix
+++ b/hosts/ahmed/forsvarsarper/default.nix
@@ -2,17 +2,10 @@
# server when it's not being used.
{
config,
- lib,
pkgs,
...
-}: let
- inherit (lib) mkIf mkEnableOption;
-
- cfg = config.services.forsvarsarper;
-in {
- options.services.forsvarsarper.enable = mkEnableOption "daily scan for tests";
-
- config = mkIf cfg.enable {
+}:{
+ config = {
# Create a user to run the server under.
users.users.forsvarsarper = {
description = "Runs daily scan for tests";
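Review bot: The file header (its first line is outside the hunk, its second is the context line `# server when it's not being used.`) still describes the on-demand minecraft module, while the user it creates is described as `Runs daily scan for tests`, so the module's purpose is documented wrongly at the one place a reader looks first. Replace the header with a sentence about what the scan actually does, and change `# Create a user to run the server under.` to `# Dedicated unprivileged user for the daily scan.`. Minor style: `}:{` is the only module in this commit without a space before the attribute set; `}: {` matches the others.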
diff --git a/hosts/ahmed/git.linus.onl/default.nix b/hosts/ahmed/git.linus.onl/default.nix
index 88e4f6f..46c74e9 100644
--- a/hosts/ahmed/git.linus.onl/default.nix
+++ b/hosts/ahmed/git.linus.onl/default.nix
@@ -1,30 +1,18 @@
{
- lib,
config,
pkgs,
- options,
metadata,
...
}: let
- inherit (lib) mkEnableOption mkOption types mkIf;
-
git-shell = "${pkgs.gitMinimal}/bin/git-shell";
- cfg = config.modules."git.linus.onl";
-in {
- options.modules."git.linus.onl" = {
- enable = mkEnableOption "git.linus.onl static site";
-
- useACME = mkEnableOption "built-in HTTPS stuff";
+ # Enables HTTPS stuff.
+ useACME = true;
- location = mkOption {
- description = "Where repositories will be stored.";
- type = types.path;
- default = "/srv/git";
- };
- };
-
- config = mkIf cfg.enable {
+ # Where repositories will be stored.
+ location = "/srv/git";
+in {
+ config = {
# Create a user which
# See: https://git-scm.com/book/en/v2/Git-on-the-Server-Setting-Up-the-Server
users.users.git = {
@@ -33,7 +21,7 @@ in {
group = "git";
# FIXME: Is serving the home-directory of a user (indirectly through CGit) a bad idea?
- home = cfg.location;
+ home = location;
createHome = false;
# Restrict this user to Git-related activities.
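Review bot: The FIXME on `home = location;` deserves an answer now that `location` is fixed in this file: the git user's home and the cgit `scanPath` are the same directory, so anything tooling writes into that home (e.g. `~/.ssh/authorized_keys` if keys are not managed via `users.users.git.openssh.authorizedKeys`, or `~/.gitconfig`) lands inside the tree that the activation script makes 0755 and that cgit scans. cgit only lists directories that look like repositories, so dotfiles are not served as far as this hunk shows, but the question disappears if repositories live one level down, e.g. `scanPath = "${location}/repos";` with `home = location;` kept. Either way, replace the FIXME with a comment stating the decision.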
@@ -54,18 +42,19 @@ in {
environment.shells = [git-shell];
# Create repo directory. It must be readable to NGINX.
+ # NOTE: If location != "/srv/git" you may want to change this!
# See: https://git.zx2c4.com/cgit/about/faq#why-doesnt-cgit-findshow-my-repo
- system.activationScripts.create-cgit-scan-path = mkIf (cfg.location == options.modules."git.linus.onl".location.default) ''
- mkdir -p ${cfg.location}
- chown ${toString config.users.users.git.name} ${cfg.location}
- chgrp ${toString config.users.groups.git.name} ${cfg.location}
- chmod 755 ${cfg.location}
+ system.activationScripts.create-cgit-scan-path = ''
+ mkdir -p ${location}
+ chown ${toString config.users.users.git.name} ${location}
+ chgrp ${toString config.users.groups.git.name} ${location}
+ chmod 755 ${location}
'';
# Public git viewer.
services.cgit."git.linus.onl" = {
enable = true;
- scanPath = cfg.location;
+ scanPath = location;
settings = {
root-title = "Linus' public projects";
root-desc = "hello yes this is the git server";
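Review bot: The activation script now runs `chown`, `chgrp` and `chmod 755` on `location` unconditionally on every activation, where the old version only did so when `location` was the default path; the new NOTE ("you may want to change this") hints at the hazard without naming it, which is that pointing `location` at a pre-existing directory re-owns it to `git` and makes it world-readable as root. State it precisely: `# NOTE: re-owns and chmods ${location} on every activation; never point it at a directory with other contents.` The declarative NixOS idiom with the same effect is a single tmpfiles rule, `systemd.tmpfiles.rules = [ "d ${location} 0755 ${config.users.users.git.name} ${config.users.groups.git.name} -" ];`, which avoids a shell snippet for this. The cgit `settings` block continues past the hunk.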
@@ -88,8 +77,8 @@ in {
# The CGit service creates the virtual host, but it does not enable ACME.
services.nginx.virtualHosts."git.linus.onl" = {
- enableACME = cfg.useACME;
- forceSSL = cfg.useACME;
+ enableACME = useACME;
+ forceSSL = useACME;
};
};
}
diff --git a/hosts/ahmed/hellohtml.linus.onl/default.nix b/hosts/ahmed/hellohtml.linus.onl/default.nix
index feb56ba..2d09788 100644
--- a/hosts/ahmed/hellohtml.linus.onl/default.nix
+++ b/hosts/ahmed/hellohtml.linus.onl/default.nix
@@ -1,19 +1,10 @@
-{
- lib,
- config,
- ...
-}: let
- inherit (lib) mkEnableOption mkIf;
+# This module defines the HelloHTML web server. It extends the NGINX config
+# with a virtual server that proxies the local HelloHTML service.
- cfg = config.modules."hellohtml.linus.onl";
+{ ... }: let
+ useACME = true;
in {
- options.modules."hellohtml.linus.onl" = {
- enable = mkEnableOption "hellohtml.linus.onl site";
-
- useACME = mkEnableOption "built-in HTTPS stuff";
- };
-
- config = mkIf cfg.enable {
+ config = {
# Start service listening on socket /tmp/hellohtml.sock
services.hellohtml = {
enable = true;
@@ -24,8 +15,8 @@ in {
# Use NGINX as reverse proxy.
services.nginx.virtualHosts."hellohtml.linus.onl" = {
- enableACME = cfg.useACME;
- forceSSL = cfg.useACME;
+ enableACME = useACME;
+ forceSSL = useACME;
locations."/" = rec {
proxyPass = "http://localhost:8538";
# Disable settings that might mess with the text/event-stream response of the /listen/:id endpoint.
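Review bot: `proxyPass = "http://localhost:8538"` contradicts the comment on the service block in the previous hunk, `# Start service listening on socket /tmp/hellohtml.sock`; one of the two is stale. If the service really listens on a socket under /tmp, that is a world-writable directory where any local user can pre-create the path, and the socket belongs under /run as the notifications module already does; if it is TCP on 8538 as the proxy says, fix the comment to `# Start service listening on localhost:8538.` The `locations."/"` block continues past the hunk.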
diff --git a/hosts/ahmed/linus.onl/default.nix b/hosts/ahmed/linus.onl/default.nix
index 52703fe..c31eb73 100644
--- a/hosts/ahmed/linus.onl/default.nix
+++ b/hosts/ahmed/linus.onl/default.nix
@@ -1,22 +1,15 @@
{
pkgs,
lib,
- config,
...
}: let
- inherit (lib) mkEnableOption mkOption types mkIf optional;
-
+ # The domain to serve. Also kinda embedded in the name of the module??
domain = "linus.onl";
- cfg = config.modules."${domain}";
+ # Enable HTTPS stuff.
+ useACME = true;
in {
- options.modules."${domain}" = {
- enable = mkEnableOption "${domain} static site";
-
- useACME = mkEnableOption "built-in HTTPS stuff";
- };
-
- config = mkIf cfg.enable {
+ config = {
# Create a user to run the build script under.
users.users."${domain}-builder" = {
description = "builds ${domain}";
@@ -91,8 +84,8 @@ in {
services.nginx = {
virtualHosts."${domain}" = {
# NOTE: 'forceSSL' will cause an infite loop, if the cloudflare proxy does NOT connect over HTTPS.
- enableACME = cfg.useACME;
- forceSSL = cfg.useACME;
+ enableACME = useACME;
+ forceSSL = useACME;
root = "/var/www/${domain}";
};
};
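Review bot: The NOTE above `forceSSL` describes the symptom (a redirect loop) but not the requirement: the Cloudflare SSL/TLS mode for this zone has to be "Full" or "Full (strict)" so the proxy connects to the origin on 443; with "Flexible" every proxied request arrives as plain HTTP and the forced redirect loops. Since `enableACME` provisions a publicly trusted certificate, "Full (strict)" is achievable and is the only mode in which Cloudflare actually verifies the origin certificate, so the comment should say `# NOTE: requires the Cloudflare SSL/TLS mode "Full (strict)"; with "Flexible" the proxy speaks plain HTTP to the origin and forceSSL loops.` The same applies to the git, hellohtml and notifications virtual hosts in this commit, which set `forceSSL` without any note. The `services.nginx` block continues past the hunk.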
diff --git a/hosts/ahmed/nofitications.linus.onl/default.nix b/hosts/ahmed/nofitications.linus.onl/default.nix
index c050ef4..f3ab04f 100644
--- a/hosts/ahmed/nofitications.linus.onl/default.nix
+++ b/hosts/ahmed/nofitications.linus.onl/default.nix
@@ -1,19 +1,9 @@
-{
- lib,
- config,
- ...
-}: let
- inherit (lib) mkEnableOption mkIf;
-
- cfg = config.modules."notifications.linus.onl";
+{ ... }: let
+ # Enable HTTPS stuff.
+ useACME = true;
in {
- options.modules."notifications.linus.onl" = {
- enable = mkEnableOption "notifications.linus.onl static site";
-
- useACME = mkEnableOption "built-in HTTPS stuff";
- };
-
- config = mkIf cfg.enable {
+ config = {
+ # Start the proxied service.
services.push-notification-api = {
enable = true;
};
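Review bot: The directory this module lives in is `hosts/ahmed/nofitications.linus.onl` (see the file header) while everything inside configures `notifications.linus.onl`; now that the `options.modules."notifications.linus.onl"` name is gone, the directory is the module's only name, so the typo should be fixed in the same reorganisation. The one-line comment `# Start the proxied service.` could also say what is proxied, e.g. `# Start the push-notification API; NGINX below proxies it over its unix socket.` The module body continues past the hunk.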
@@ -23,8 +13,8 @@ in {
# Use NGINX as reverse proxy.
services.nginx.virtualHosts."notifications.linus.onl" = {
- enableACME = cfg.useACME;
- forceSSL = cfg.useACME;
+ enableACME = useACME;
+ forceSSL = useACME;
locations."/" = {
recommendedProxySettings = true;
proxyPass = "http://unix:/run/push-notification-api.sock";
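Review bot: `proxyPass` now unconditionally targets `/run/push-notification-api.sock`, and nothing in this file shows who may connect to that socket; NGINX runs as its own user, so either the service's unit must create the socket with a group NGINX belongs to, or `users.users.nginx.extraGroups` must include the service's group, otherwise the proxy returns 502 or the socket has to be left world-accessible. Presumably `services.push-notification-api` handles this — confirm, and add a comment here naming which side grants the access, e.g. `# Socket is group-accessible to nginx via the push-notification-api unit.` The `locations."/"` block continues past the hunk.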