authorSeth Flynn <[email protected]>2025-02-20 04:19:27 -0500
committerSeth Flynn <[email protected]>2025-02-20 04:19:27 -0500
commita8cb1f33b2c0ea49c434b5f251fe45938d050f6a (patch)
tree8d5f992762727b93228452278db64332b844c407
parent257d26ce3886ee8778565d8c214848d64a40ff0d (diff)
nixos: include nginx proxies in mixins
-rw-r--r--modules/nixos/mixins/default.nix1
-rw-r--r--modules/nixos/mixins/grafana.nix19
-rw-r--r--modules/nixos/mixins/miniflux.nix47
-rw-r--r--systems/atlas/default.nix25
-rw-r--r--systems/atlas/forgejo.nix7
-rw-r--r--systems/atlas/grafana.nix18
-rw-r--r--systems/atlas/kanidm.nix6
-rw-r--r--systems/atlas/miniflux.nix44
8 files changed, 86 insertions, 81 deletions
diff --git a/modules/nixos/mixins/default.nix b/modules/nixos/mixins/default.nix
index e9930bf..2bad18c 100644
--- a/modules/nixos/mixins/default.nix
+++ b/modules/nixos/mixins/default.nix
@@ -13,6 +13,7 @@
./journal-upload.nix
./kanidm.nix
./lanzaboote.nix
+ ./miniflux.nix
./nginx.nix
./niri.nix
./node-exporter.nix
diff --git a/modules/nixos/mixins/grafana.nix b/modules/nixos/mixins/grafana.nix
index 6d6a942..03f2c6a 100644
--- a/modules/nixos/mixins/grafana.nix
+++ b/modules/nixos/mixins/grafana.nix
@@ -5,6 +5,10 @@
...
}:
+let
+ grafanaCfg = config.services.grafana;
+in
+
{
config = lib.mkMerge [
{
@@ -21,12 +25,23 @@
domain = lib.mkDefault ("grafana." + config.networking.domain);
enable_gzip = true;
enforce_domain = true;
- root_url = "https://" + config.services.grafana.settings.server.domain + "/";
+ root_url = "https://" + grafanaCfg.settings.server.domain + "/";
};
};
};
}
+ (lib.mkIf grafanaCfg.enable {
+ services = {
+ nginx.virtualHosts.${grafanaCfg.settings.server.domain} = {
+ locations."/" = {
+ proxyPass = "http://${grafanaCfg.settings.server.http_addr}:${toString grafanaCfg.settings.server.http_port}";
+ proxyWebsockets = true;
+ };
+ };
+ };
+ })
+
(lib.mkIf config.services.kanidm.enableServer {
services.grafana = {
settings = {
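Review bot: The new `nginx.virtualHosts.${grafanaCfg.settings.server.domain}` entry sets no `forceSSL` or certificate option, although `root_url` in the same file is fixed to `https://` and `enforce_domain` is on. Presumably `./nginx.nix` applies TLS to every virtual host, as the deleted per-host file seems to have relied on; if so, a comment such as `# TLS (forceSSL/ACME) is applied to all virtualHosts by ./nginx.nix` would make that dependency visible. `proxyPass` also interpolates `http_addr`, which this hunk does not pin. A host that sets it to a wildcard address would expose Grafana's plain-HTTP port alongside the proxy, so a short comment or assertion that it is expected to stay on loopback would help. The enclosing `lib.mkMerge` list starts and ends outside the hunk.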
@@ -56,7 +71,7 @@
};
})
- (lib.mkIf (config.services.grafana.enable && config.services.kanidm.enableServer) {
+ (lib.mkIf (grafanaCfg.enable && config.services.kanidm.enableServer) {
age.secrets.grafanaKanidm = {
file = secretsDir + "/grafanaKanidmSecret.age";
owner = config.users.users.grafana.name;
diff --git a/modules/nixos/mixins/miniflux.nix b/modules/nixos/mixins/miniflux.nix
new file mode 100644
index 0000000..187ddc0
--- /dev/null
+++ b/modules/nixos/mixins/miniflux.nix
@@ -0,0 +1,47 @@
+{
+ config,
+ lib,
+ secretsDir,
+ ...
+}:
+
+{
+ config = lib.mkMerge [
+ {
+ services.miniflux = {
+ adminCredentialsFile = config.age.secrets.miniflux.path;
+ config = {
+ BASE_URL = "https://miniflux.${config.networking.domain}";
+ LISTEN_ADDR = "localhost:7000";
+ };
+ };
+ }
+
+ (lib.mkIf config.services.miniflux.enable {
+ age.secrets.miniflux.file = secretsDir + "/miniflux.age";
+
+ services = {
+ nginx.virtualHosts.${lib.removePrefix "https://" config.services.miniflux.config.BASE_URL} = {
+ locations."/" = {
+ proxyPass = "http://${config.services.miniflux.config.LISTEN_ADDR}";
+ };
+ };
+ };
+
+ /*
+ # Create the socket manually to ensure NGINX has permission for the socket's parent directory
+ # ...since for some reason Miniflux will not give it the same `0777` permission as the socket itself
+ systemd = {
+ services.miniflux = {
+ requires = [ "miniflux.socket" ];
+ };
+
+ sockets.miniflux = {
+ wantedBy = [ "sockets.target" ];
+ listenStreams = [ "/run/miniflux.sock" ];
+ };
+ };
+ */
+ })
+ ];
+}
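Review bot: The virtual host name is recovered with `lib.removePrefix "https://"` from `BASE_URL`, so a value with a trailing slash, a path component or an `http://` scheme would produce an invalid or unintended server name. Defining the name once and building both values from it is sturdier: `let domain = "miniflux.${config.networking.domain}"; in`, then `BASE_URL = "https://${domain}";` and `nginx.virtualHosts.${domain}`. Separately, `adminCredentialsFile` is set unconditionally in the first `mkMerge` element while `age.secrets.miniflux` is declared only under `lib.mkIf config.services.miniflux.enable`. This appears to work on hosts without Miniflux only because the value is never forced, so moving the assignment into the `mkIf` block would keep the secret and its consumer together. Unlike the Grafana mixin, `BASE_URL` and `LISTEN_ADDR` are set without `lib.mkDefault`, so a host cannot override them without `lib.mkForce`; a comment saying whether that is intended would help.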
diff --git a/systems/atlas/default.nix b/systems/atlas/default.nix
index 9c8cc7b..0e85853 100644
--- a/systems/atlas/default.nix
+++ b/systems/atlas/default.nix
@@ -3,10 +3,6 @@
imports = [
(modulesPath + "/profiles/minimal.nix")
./hardware-configuration.nix
- ./forgejo.nix
- ./grafana.nix
- ./kanidm.nix
- ./miniflux.nix
./moyai.nix
./nixpkgs-tracker-bot.nix
./victoria-metrics.nix
@@ -23,6 +19,10 @@
loader.efi.canTouchEfiVariables = true;
};
+ catppuccin = {
+ forgejo.enable = true;
+ };
+
networking = {
domain = "getchoo.com";
hostName = "atlas";
@@ -36,7 +36,24 @@
nixpkgs.hostPlatform = "aarch64-linux";
services = {
+ forgejo.enable = true;
+
+ grafana.enable = true;
+
hedgedoc.enable = true;
+
+ kanidm = {
+ enableClient = true;
+ enableServer = true;
+ };
+
+ miniflux = {
+ enable = true;
+ config = {
+ METRICS_COLLECTOR = 1;
+ };
+ };
+
nginx.enable = true;
};
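Review bot: `METRICS_COLLECTOR = 1` is enabled here while the mixin's virtual host proxies all of `/` to Miniflux, so requests for `/metrics` on the public hostname are forwarded to the backend as well. Miniflux restricts that endpoint by client network, and because nginx connects from loopback, whether the restriction holds depends on how the deployed version derives the client address behind a proxy; that is worth verifying. An explicit block in the virtual host removes the dependency, for example `locations."/metrics".return = "404";`, with the metrics scraper pointed at `localhost:7000` directly. The `services` attribute set starts outside the hunk.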
diff --git a/systems/atlas/forgejo.nix b/systems/atlas/forgejo.nix
deleted file mode 100644
index 1d86e91..0000000
--- a/systems/atlas/forgejo.nix
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- catppuccin.forgejo.enable = true;
-
- services = {
- forgejo.enable = true;
- };
-}
diff --git a/systems/atlas/grafana.nix b/systems/atlas/grafana.nix
deleted file mode 100644
index c6a84ab..0000000
--- a/systems/atlas/grafana.nix
+++ /dev/null
@@ -1,18 +0,0 @@
-{ config, ... }:
-
-{
- services = {
- grafana = {
- enable = true;
- };
-
- nginx.virtualHosts = {
- "grafana.getchoo.com" = {
- locations."/" = {
- proxyPass = "http://${config.services.grafana.settings.server.http_addr}:${toString config.services.grafana.settings.server.http_port}";
- proxyWebsockets = true;
- };
- };
- };
- };
-}
diff --git a/systems/atlas/kanidm.nix b/systems/atlas/kanidm.nix
deleted file mode 100644
index dc1e534..0000000
--- a/systems/atlas/kanidm.nix
+++ /dev/null
@@ -1,6 +0,0 @@
-{
- services.kanidm = {
- enableClient = true;
- enableServer = true;
- };
-}
diff --git a/systems/atlas/miniflux.nix b/systems/atlas/miniflux.nix
deleted file mode 100644
index 14c9fc5..0000000
--- a/systems/atlas/miniflux.nix
+++ /dev/null
@@ -1,44 +0,0 @@
-{
- config,
- secretsDir,
- ...
-}:
-
-{
- age.secrets.miniflux.file = secretsDir + "/miniflux.age";
-
- services = {
- miniflux = {
- enable = true;
- adminCredentialsFile = config.age.secrets.miniflux.path;
- config = {
- BASE_URL = "https://miniflux.${config.networking.domain}";
- LISTEN_ADDR = "localhost:7000";
- METRICS_COLLECTOR = 1;
- };
- };
-
- nginx.virtualHosts = {
- "miniflux.getchoo.com" = {
- locations."/" = {
- proxyPass = "http://${config.services.miniflux.config.LISTEN_ADDR}";
- };
- };
- };
- };
-
- /*
- # Create the socket manually to ensure NGINX has permission for the socket's parent directory
- # ...since for some reason Miniflux will not give it the same `0777` permission as the socket itself
- systemd = {
- services.miniflux = {
- requires = [ "miniflux.socket" ];
- };
-
- sockets.miniflux = {
- wantedBy = [ "sockets.target" ];
- listenStreams = [ "/run/miniflux.sock" ];
- };
- };
- */
-}