Rework HTTP services into a separate wrapper module for convenience

common/default.nix

@@ -0,0 +1,5 @@
+{
+  imports = [
+    ./http.nix
+  ];
+}

common/http.nix

@@ -0,0 +1,49 @@
+# Wrapper module to configure nginx and define virtual hosts in a higher level
+# fashion: enforce standards on TLS usage, simplify the common case of "just
+# proxy pass to a service running on this port", etc.
+
+{ config, lib, ... }:
+
+let
+  cfg = config.my.http;
+
+  selectVhostsByAttr = attr: lib.filterAttrs (n: v: v ? ${attr}) cfg.vhosts;
+  mapVhostsByAttr = attr: fn: lib.mapAttrs fn (selectVhostsByAttr attr);
+
+  redirectVhosts = mapVhostsByAttr "redirect" (n: vh: {
+    forceSSL = true;
+    enableACME = true;
+    locations."/".return = "302 ${vh.redirect}";
+  });
+
+  localProxyVhosts = mapVhostsByAttr "proxyLocalPort" (n: vh: {
+    forceSSL = true;
+    enableACME = true;
+    locations."/".proxyPass = "http://localhost:${toString vh.proxyLocalPort}";
+  });
+in {
+  options.my.http.vhosts = with lib; mkOption {
+    type = types.attrs;
+    default = {};
+  };
+
+  config = {
+    services.nginx = {
+      enable = true;
+
+      recommendedGzipSettings = true;
+      recommendedOptimisation = true;
+      recommendedProxySettings = true;
+      recommendedTlsSettings = true;
+
+      virtualHosts =
+        redirectVhosts //
+        localProxyVhosts;
+    };
+
+    security.acme.acceptTerms = true;
+    security.acme.defaults.email = "root@dolphin-emu.org";
+
+    networking.firewall.allowedTCPPorts = [ 80 443 ];
+  };
+}

default.nix

@@ -0,0 +1,12 @@
+# Passed to NixOS modules as "my".
+rec {
+  common = import ./common;
+  roles = import ./roles;
+
+  modules = {
+    imports = [
+      common
+      roles
+    ];
+  };
+}

machines/altair/default.nix

@@ -1,14 +1,15 @@
 { self, pkgs, agenix, nixpkgs, ... }:
 
-{
+let
+  my = import ../..;
+in {
   imports = [
     agenix.nixosModule
 
-    ../../roles
+    my.modules
 
     ./hypervisor.nix
     ./hardware.nix
-    ./nginx.nix
     ./postgres.nix
   ];
 
@@ -27,9 +28,12 @@
   networking.search = [ "dolphin-emu.org" ];
 
   my.roles = {
+    netplay-index.enable = true;
     redirector.enable = true;
   };
 
+  my.http.vhosts."altair.dolphin-emu.org".redirect = "https://github.com/dolphin-emu/sadm";
+
   system.stateVersion = "22.05";
   system.configurationRevision = pkgs.lib.mkIf (self ? rev) self.rev;
 }

machines/altair/nginx.nix

@@ -1,23 +0,0 @@
-{
-  services.nginx = {
-    enable = true;
-
-    recommendedGzipSettings = true;
-    recommendedOptimisation = true;
-    recommendedProxySettings = true;
-    recommendedTlsSettings = true;
-
-    virtualHosts = {
-      "altair.dolphin-emu.org" = {
-        forceSSL = true;
-        enableACME = true;
-        locations."/".return = "302 https://github.com/dolphin-emu/sadm";
-      };
-    };
-  };
-
-  security.acme.acceptTerms = true;
-  security.acme.defaults.email = "root@dolphin-emu.org";
-
-  networking.firewall.allowedTCPPorts = [ 80 443 ];
-}

roles/redirector/default.nix

@@ -26,11 +26,6 @@ in {
       };
     };
 
-    services.nginx.virtualHosts."dolp.in" = {
-      forceSSL = true;
-      enableACME = true;
-
-      locations."/".proxyPass = "http://localhost:${toString port}";
-    };
+    my.http.vhosts."dolp.in".proxyLocalPort = port;
   };
 }