feat: machines.meta.zones

default.nix

@@ -1,7 +1,8 @@
 let
   inputs = import ./deps;
 
-  lib = (import "${inputs.nixpkgs}/lib").extend (import ./lib inputs);
+  dnsLib = (import inputs.dns).lib;
+  lib = (import "${inputs.nixpkgs}/lib").extend (import ./lib inputs dnsLib);
 
   machines_plats = lib.lists.unique (
     lib.mapAttrsToList (_name: value: value.system) (

deps/sources.json

@@ -48,6 +48,21 @@
       "url": "https://github.com/nix-community/disko/archive/a08bfe06b39e94eec98dd089a2c1b18af01fef19.tar.gz",
       "hash": "0m9w7yld1sagyv6rn880qqggy1zm891yh2c50lsksdklbahbrcbg"
     },
+    "dns": {
+      "type": "GitRelease",
+      "repository": {
+        "type": "GitHub",
+        "owner": "nix-community",
+        "repo": "dns.nix"
+      },
+      "pre_releases": false,
+      "version_upper_bound": null,
+      "release_prefix": null,
+      "version": "v1.2.0",
+      "revision": "a3196708a56dee76186a9415c187473b94e6cbae",
+      "url": "https://api.github.com/repos/nix-community/dns.nix/tarball/v1.2.0",
+      "hash": "011b6ahj4qcf7jw009qgbf6k5dvjmgls88khwzgjr9kxlgbypb90"
+    },
     "git-hooks": {
       "type": "Git",
       "repository": {
@@ -208,4 +223,4 @@
     }
   },
   "version": 3
-}
+}

lib/dns.nix

@@ -0,0 +1,49 @@
+{
+  lib,
+  dnsLib,
+  ...
+}:
+let
+  SOA = {
+    nameServer = "ns";
+    adminEmail = "[email protected]";
+    serial = 0;
+  };
+  NS = [
+    "ns1"
+    "ns2"
+  ];
+
+  # Set some defaults for a zone
+  getSubmodulesCustom =
+    inputs@{ name, ... }:
+    lib.recursiveUpdate ((lib.head dnsLib.types.zone.getSubModules) ({ inherit name; } // inputs)) {
+      config = {
+        SOA = lib.mkDefault SOA;
+        NS = lib.mkDefault NS;
+        subdomains = {
+          ns1 = lib.mkDefault {
+            A = [ lib.snowfield.router.ips.public.ipv4 ];
+            AAAA = [ lib.snowfield.router.ips.public.ipv6 ];
+          };
+          ns2 = lib.mkDefault {
+            A = [ lib.snowfield.akhaten.ips.public.ipv4 ];
+            AAAA = [ lib.snowfield.akhaten.ips.public.ipv6 ];
+          };
+        };
+      };
+    };
+
+in
+with lib;
+{
+  options = {
+    machine.meta.zones = mkOption {
+      type = types.attrsOf (
+        recursiveUpdate dnsLib.types.zone { getSubModules = [ getSubmodulesCustom ]; }
+      );
+      default = { };
+    };
+  };
+
+}

modules/services/web-servers/nginx/default.nix

@@ -1,29 +1,26 @@
 { config, lib, ... }:
 
+with lib;
 let
   cfg = config.services.nginx;
+
+  mergeSub = f: mkMerge (map (sub: f (sub.systemConfig systemArgs)) (attrValues cfg.virtualHosts));
+
+  recordsFromDomain =
+    domain:
+    mapAttrs' (
+      n: v:
+      nameValuePair (dns.domainToZone dns.allowedDomains n) (
+        let
+          subdomain = dns.getDomainPrefix dns.allowedDomains n;
+        in
+        if elem subdomain dns.allowedDomains then v else { subdomains."${subdomain}" = v; }
+      )
+    ) (dns.domainToRecords domain config.machine.meta (dns.isVPNDomain domain));
 in
-with lib;
 
 {
   options.services.nginx = {
-    noDefault.enable = mkEnableOption ''Don't fallback to default page'';
-
-    publicDomains = mkOption {
-      default = [ "mondon.xyz" ];
-      type = types.listOf types.str;
-    };
-
-    vpnDomains = mkOption {
-      default = [ ".kms" ];
-      type = types.listOf types.str;
-    };
-
-    vpnAcmeServer = mkOption {
-      default = "https://ca.luj/acme/acme/directory";
-      type = types.str;
-    };
-
     localDomains = mkOption {
       default = [
         ".lan"
@@ -32,23 +29,36 @@ with lib;
       type = types.listOf types.str;
     };
 
+    noDefault.enable = mkEnableOption ''Don't fallback to default page'';
+
+    publicDomains = mkOption { type = types.listOf types.str; };
+
+    vpnAcmeServer = mkOption { type = types.str; };
+
+    vpnDomains = mkOption { type = types.listOf types.str; };
+
     virtualHosts = mkOption {
       type = types.attrsOf (
         types.submodule (
           {
             name,
             config,
-            publicDomains,
             ...
           }:
           {
-            options.port = mkOption {
-              type = types.port;
-              default = 0;
-            };
-            options.websockets = mkOption {
-              type = types.bool;
-              default = false;
+            options = {
+              port = mkOption {
+                type = types.port;
+                default = 0;
+              };
+              websockets = mkOption {
+                type = types.bool;
+                default = false;
+              };
+              systemConfig = mkOption {
+                internal = true;
+                type = types.unspecified; # A function from module arguments to config.
+              };
             };
 
             config = {
@@ -60,21 +70,28 @@ with lib;
                     p = config.port;
                   in
                   mkIf (p != 0) (mkDefault "http://127.0.0.1:${toString p}");
+
                 proxyWebsockets = mkDefault config.websockets;
+
+                # Firewall VPN domains
+                extraConfig = mkIf (hasSuffixIn cfg.vpnDomains name) ''
+                  allow 100.100.45.0/24;
+                  allow fd7a:115c:a1e0::/48;
+                  deny all;
+                '';
+              };
+
+              extraConfig = mkIf (hasSuffixIn cfg.vpnDomains name) ''
+                ssl_stapling off;
+              '';
+
+              systemConfig = _: {
+                machine.meta.zones = optionalAttrs (name != "default") (recordsFromDomain name);
+
+                security.acme.certs = optionalAttrs (hasSuffixIn cfg.vpnDomains name) {
+                  "${name}".server = mkIf (hasSuffixIn cfg.vpnDomains name) cfg.vpnAcmeServer;
+                };
               };
-              # Firewall VPN domains
-              extraConfig =
-                if (hasSuffixIn cfg.publicDomains name) then
-                  ''
-                    allow all;
-                  ''
-                else
-                  ''
-                    if ($bad_ip) {
-                      return 444;
-                    }
-                    ssl_stapling off;
-                  '';
             };
           }
         )
@@ -89,18 +106,7 @@ with lib;
       recommendedGzipSettings = mkDefault true;
       recommendedTlsSettings = mkDefault true;
 
-      # VPN IPs
       appendHttpConfig = ''
-        geo $bad_ip {
-          default 1;
-          127.0.0.1/32 0;
-          ::1/128 0;
-          192.168.0.0/16 0;
-          fc00::/7 0;
-          100.100.45.0/24 0;
-          fd7a:115c:a1e0::/48 0;
-        }
-
         proxy_headers_hash_max_size 512;
         proxy_headers_hash_bucket_size 128;
       '';
@@ -115,18 +121,14 @@ with lib;
         sslCertificate = "/var/lib/acme/default/cert.pem";
         sslCertificateKey = "/var/lib/acme/default/key.pem";
         extraConfig = ''
+          ssl_stapling off;
           return 444;
         '';
       };
     };
 
-    # Use VPN CA only on VPN domains
-    security.acme.certs = mapAttrs (
-      n: _:
-      mkIf (config.services.tailscale.enable && hasSuffixIn cfg.vpnDomains n && !hasPrefix "www." n) {
-        server = mkDefault cfg.vpnAcmeServer;
-      }
-    ) cfg.virtualHosts;
+    machine = mergeSub (c: c.machine);
+    security.acme.certs = mergeSub (c: c.security.acme.certs);
 
     # Open port 443 only if necessary
     networking.firewall.allowedTCPPorts = mkIf cfg.enable [