Diffstat (limited to 'modules/nixos/mixins')
-rw-r--r--modules/nixos/mixins/acme.nix52
-rw-r--r--modules/nixos/mixins/cloudflared.nix60
-rw-r--r--modules/nixos/mixins/default.nix9
-rw-r--r--modules/nixos/mixins/hercules.nix55
-rw-r--r--modules/nixos/mixins/nginx.nix22
-rw-r--r--modules/nixos/mixins/promtail.nix48
6 files changed, 246 insertions, 0 deletions
diff --git a/modules/nixos/mixins/acme.nix b/modules/nixos/mixins/acme.nix
new file mode 100644
index 0000000..3b49caf
--- /dev/null
+++ b/modules/nixos/mixins/acme.nix
@@ -0,0 +1,52 @@
+{
+ config,
+ lib,
+ secretsDir,
+ ...
+}:
+let
+ cfg = config.mixins.acme;
+in
+{
+ options.mixins.acme = {
+ enable = lib.mkEnableOption "ACME mixin";
+
+ manageSecrets = lib.mkEnableOption "automatic management of secrets" // {
+ default = config.traits.secrets.enable;
+ defaultText = lib.literalExpression "config.traits.secrets.enable";
+ };
+
+ useDns = lib.mkEnableOption "the use of Cloudflare to obtain certs" // {
+ default = true;
+ };
+ };
+
+ config = lib.mkIf cfg.enable (
+ lib.mkMerge [
+ {
+ security.acme = {
+ acceptTerms = true;
+ defaults = {
+ email = "[email protected]";
+ };
+ };
+ }
+
+ (lib.mkIf cfg.useDns {
+ security.acme.defaults = {
+ dnsProvider = "cloudflare";
+ };
+ })
+
+ (lib.mkIf cfg.manageSecrets {
+ age.secrets = {
+ cloudflareApiKey.file = secretsDir + "/cloudflareApiKey.age";
+ };
+
+ security.acme.defaults = {
+ credentialsFile = config.age.secrets.cloudflareApiKey.path;
+ };
+ })
+ ]
+ );
+}
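Review bot: The Cloudflare credential block (`lib.mkIf cfg.manageSecrets { age.secrets = { cloudflareApiKey.file = ... }` near the end of the hunk) is gated only on `manageSecrets`, while `dnsProvider = "cloudflare"` is gated on `useDns`, so the two flags can disagree: with `useDns = false` the Cloudflare key is still decrypted and passed as `credentialsFile`, and with `useDns = true; manageSecrets = false` ACME is pointed at the Cloudflare provider with no credentials and every issuance fails at run time instead of at evaluation. Gating the secret on both, `(lib.mkIf (cfg.useDns && cfg.manageSecrets) {`, fixes the first case; an assertion such as `{ assertion = cfg.useDns -> (cfg.manageSecrets || config.security.acme.defaults.credentialsFile != null); message = "mixins.acme: useDns requires a credentialsFile"; }` catches the second at build time. The secret name `cloudflareApiKey` suggests a global API key; if that is what the file holds, the option description is a good place to say that a scoped API token limited to DNS edits on the relevant zone is expected, since that file is all that stands between its holder and certificate issuance for the zone.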
diff --git a/modules/nixos/mixins/cloudflared.nix b/modules/nixos/mixins/cloudflared.nix
new file mode 100644
index 0000000..372103b
--- /dev/null
+++ b/modules/nixos/mixins/cloudflared.nix
@@ -0,0 +1,60 @@
+{
+ config,
+ lib,
+ secretsDir,
+ ...
+}:
+let
+ cfg = config.mixins.cloudflared;
+ inherit (config.services) nginx;
+in
+{
+ options.mixins.cloudflared = {
+ enable = lib.mkEnableOption "cloudflared mixin";
+ tunnelName = lib.mkOption {
+ description = ''
+ Name of the default tunnel being created
+ '';
+ type = lib.types.str;
+ default = "${config.networking.hostName}-nginx";
+ defaultText = lib.literalExpression "\${config.networking.hostName}-nginx";
+ example = "my-tunnel";
+ };
+
+ manageSecrets = lib.mkEnableOption "automatic management of secrets" // {
+ default = config.traits.secrets.enable;
+ defaultText = lib.literalExpression "config.traits.secrets.enable";
+ };
+ };
+
+ config = lib.mkIf cfg.enable (
+ lib.mkMerge [
+ {
+ services.cloudflared = {
+ enable = true;
+ tunnels.${cfg.tunnelName} = {
+ default = "http_status:404";
+
+ # map our virtualHosts from nginx to ingress rules
+ ingress = lib.mapAttrs (_: _: {
+ service = "http://localhost:${toString nginx.defaultHTTPListenPort}";
+ }) nginx.virtualHosts;
+ };
+ };
+ }
+
+ (lib.mkIf cfg.manageSecrets {
+ age.secrets.cloudflaredCreds = {
+ file = secretsDir + "/cloudflaredCreds.age";
+ mode = "400";
+ owner = "cloudflared";
+ group = "cloudflared";
+ };
+
+ services.cloudflared.tunnels.${cfg.tunnelName} = {
+ credentialsFile = config.age.secrets.cloudflaredCreds.path;
+ };
+ })
+ ]
+ );
+}
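Review bot: The `ingress = lib.mapAttrs ... nginx.virtualHosts` expression publishes every `services.nginx.virtualHosts` entry through the tunnel with no way to opt a host out, so a vhost added later for local or LAN use becomes reachable from the Cloudflare edge the moment it is declared. An `excludeHosts` list option (or a per-host opt-in) applied as `lib.filterAttrs (name: _: !(lib.elem name cfg.excludeHosts)) nginx.virtualHosts` keeps the default convenient while making exposure an explicit decision. Separately, every rule targets the plain-HTTP listen port; a vhost with `forceSSL = true` answers that port with a redirect to HTTPS, which the edge would tunnel straight back here, so the mixin should either document that tunnelled hosts must not set `forceSSL`/`onlySSL` or filter them out with `lib.filterAttrs (_: vh: !(vh.forceSSL || vh.onlySSL))`.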
diff --git a/modules/nixos/mixins/default.nix b/modules/nixos/mixins/default.nix
new file mode 100644
index 0000000..461cd34
--- /dev/null
+++ b/modules/nixos/mixins/default.nix
@@ -0,0 +1,9 @@
+{
+ imports = [
+ ./acme.nix
+ ./cloudflared.nix
+ ./hercules.nix
+ ./nginx.nix
+ ./promtail.nix
+ ];
+}
diff --git a/modules/nixos/mixins/hercules.nix b/modules/nixos/mixins/hercules.nix
new file mode 100644
index 0000000..de209a3
--- /dev/null
+++ b/modules/nixos/mixins/hercules.nix
@@ -0,0 +1,55 @@
+{
+ config,
+ lib,
+ unstable,
+ secretsDir,
+ ...
+}:
+let
+ cfg = config.mixins.hercules-ci;
+in
+{
+ options.mixins.hercules-ci = {
+ enable = lib.mkEnableOption "Hercules CI mixin";
+ manageSecrets = lib.mkEnableOption "automatic management of secrets" // {
+ default = config.traits.secrets.enable;
+ defaultText = lib.literalExpression "config.traits.secrets.enable";
+ };
+ };
+
+ config = lib.mkIf cfg.enable (
+ lib.mkMerge [
+ {
+ services.hercules-ci-agent = {
+ enable = true;
+ # we want newer features
+ package = unstable.hercules-ci-agent;
+ };
+ }
+
+ (
+ let
+ secretNames = [
+ "binaryCaches"
+ "clusterJoinToken"
+ "secretsJson"
+ ];
+ in
+ lib.mkIf cfg.manageSecrets {
+ age.secrets = lib.genAttrs secretNames (file: {
+ file = "${secretsDir}/${file}.age";
+ mode = "400";
+ owner = "hercules-ci-agent";
+ group = "hercules-ci-agent";
+ });
+
+ services.hercules-ci-agent = {
+ settings = lib.mapAttrs' (name: lib.nameValuePair (name + "Path")) (
+ lib.genAttrs secretNames (name: config.age.secrets.${name}.path)
+ );
+ };
+ }
+ )
+ ]
+ );
+}
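Review bot: The comment `# we want newer features` above `package = unstable.hercules-ci-agent;` does not say which feature requires the unstable package, so nobody can tell when the override can be dropped; a comment of the form `# unstable: needs <FEATURE-PLACEHOLDER>, absent from stable as of <NIXPKGS-RELEASE-PLACEHOLDER>; drop once stable carries it` makes the pin auditable. Combining an unstable package with the stable module also means the generated `settings` keys (`binaryCachesPath`, `clusterJoinTokenPath`, `secretsJsonPath`) are likely validated against the older module's schema, so a rename on the unstable side would surface only when the agent starts; worth a sentence recording that the combination was checked.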
diff --git a/modules/nixos/mixins/nginx.nix b/modules/nixos/mixins/nginx.nix
new file mode 100644
index 0000000..67d0c25
--- /dev/null
+++ b/modules/nixos/mixins/nginx.nix
@@ -0,0 +1,22 @@
+{ config, lib, ... }:
+let
+ cfg = config.mixins.nginx;
+in
+{
+ options.mixins.nginx = {
+ enable = lib.mkEnableOption "NGINX mixin";
+ };
+
+ config = lib.mkIf cfg.enable {
+ services.nginx = {
+ enable = true;
+
+ recommendedBrotliSettings = true;
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ recommendedProxySettings = true;
+ recommendedTlsSettings = true;
+ recommendedZstdSettings = true;
+ };
+ };
+}
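Review bot: The mixin enables nginx with the recommended settings but opens neither 80 nor 443 in `networking.firewall`, and nothing in the file says whether that is deliberate. If it is (vhosts reached only via the cloudflared tunnel on localhost, certificates obtained over DNS rather than an HTTP challenge), a comment such as `# firewall left closed on purpose: vhosts are reached through the cloudflared tunnel on localhost` stops a future reader from "fixing" it; if it is not, hosts that rely on an HTTP-01 challenge or direct access would need `networking.firewall.allowedTCPPorts = [ 80 443 ];` alongside this block.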
diff --git a/modules/nixos/mixins/promtail.nix b/modules/nixos/mixins/promtail.nix
new file mode 100644
index 0000000..022c271
--- /dev/null
+++ b/modules/nixos/mixins/promtail.nix
@@ -0,0 +1,48 @@
+{ config, lib, ... }:
+let
+ cfg = config.mixins.promtail;
+ inherit (lib) types;
+in
+{
+ options.mixins.promtail = {
+ enable = lib.mkEnableOption "Promtail mixin";
+
+ clients = lib.mkOption {
+ type = types.listOf types.attrs;
+ default = [ { } ];
+ defaultText = lib.literalExpression "[ { } ]";
+ description = "Clients for promtail";
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ services.promtail = {
+ enable = true;
+ configuration = {
+ inherit (cfg) clients;
+ server.disable = true;
+
+ scrape_configs = [
+ {
+ job_name = "journal";
+
+ journal = {
+ max_age = "12h";
+ labels = {
+ job = "systemd-journal";
+ host = "${config.networking.hostName}";
+ };
+ };
+
+ relabel_configs = [
+ {
+ source_labels = [ "__journal__systemd_unit" ];
+ target_label = "unit";
+ }
+ ];
+ }
+ ];
+ };
+ };
+ };
+}
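Review bot: The `clients` default `[ { } ]` yields a Promtail client entry with no `url`, which is not a working configuration, and `types.listOf types.attrs` gives no evaluation-time check that a caller supplied one. Defaulting to `[ ]` with `types.listOf (types.attrsOf types.anything)` and an assertion `{ assertion = cfg.clients != [ ]; message = "mixins.promtail: at least one client with a url is required"; }` moves the failure to `nixos-rebuild`, and the description should name the expected keys (`url`, plus `basic_auth`/`tls_config` when the Loki endpoint is remote). Since anything placed in `clients` is rendered into the world-readable Nix store, the description should also point at `basic_auth.password_file` (or the mixin's own agenix-managed file) rather than an inline password. Minor: `host = "${config.networking.hostName}"` can simply be `host = config.networking.hostName;`.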