diff --git a/module.nix b/module.nix
index f3fbc37..9ad9f35 100644
--- a/module.nix
+++ b/module.nix
@@ -4,9 +4,9 @@ let
 cfg = config.services.danilafe-blog;
 sslForDomain = domain: (cfg.ssl == true) || (cfg.ssl."${domain}" or false);
 anySsl = any (mapAttrsToList (domain: pkg: sslForDomain domain) cfg.domains);
- virtualHost = domain: package: mkMerge [
+ virtualHost = domain: package: {
- services.nginx.virtualHosts."${domain}" = mkMerge [
+ virtualHosts."${domain}" = mkMerge [
 { root = package; }
@@ -16,16 +16,17 @@ let
 acmeRoot = cfg.challengePath;
 })
 ];
- }
- (mkIf (sslForDomain domain) {
+ };
+ service = domain:
+ {
 # Workaround for new configuration setting all of /var to be readonly.
 # See https://github.com/NixOS/nixpkgs/issues/139310
- systemd.services."acme-${cfg.domain}".serviceConfig = {
+ "acme-${domain}".serviceConfig = {
 ReadWritePaths = [ cfg.challengePath ];
 };
- })
- ];
- virtualHosts = []; # mapAttrsToList virtualHost cfg.domains;
+ };
+ virtualHosts = mapAttrsToList virtualHost cfg.domains;
+ services = map service (filter sslForDomain (attrNames cfg.domains));
 in {
 options.services.danilafe-blog = {
@@ -45,16 +46,17 @@ in
 };
 };
- config = mkIf cfg.enable (mkMerge (virtualHosts ++ [
+ config.services.nginx = mkIf cfg.enable (mkMerge (virtualHosts ++ [
 {
 # Always enable nginx.
- services.nginx.enable = true;
- services.nginx.recommendedGzipSettings = true;
+ enable = true;
+ recommendedGzipSettings = true;
 }
- (mkIf anySsl {
- # If any domain uses SSL, enable ACME and accept terms.
- security.acme.email = "danila.fedorin@gmail.com";
- security.acme.acceptTerms = true;
- })
 ]));
+ config.systemd.services = mkIf cfg.enable (mkMerge services);
+ config.security.acme = mkIf (cfg.enable && anySsl) {
+ # If any domain uses SSL, enable ACME and accept terms.
+ security.acme.email = "danila.fedorin@gmail.com";
+ security.acme.acceptTerms = true;
+ }
 }
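Review bot: `virtualHost` now yields a fragment relative to `services.nginx` instead of a top-level module fragment, but nothing at the definition site says so; a reader only discovers it from the `config.services.nginx = …` assignment in the last hunk. Suggest a one-line comment above the binding, `# Fragment of services.nginx: the virtualHosts entry for `domain`, served from `package`.`, so the narrower scope of the returned attrset is visible where it is built. The body of `virtualHost` continues past the end of this hunk.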
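Review bot: The new `service` binding carries no comment explaining what it produces or why its key is spelled `"acme-${domain}"`, and the hunk silently fixes the old interpolation of a non-existent `cfg.domain`. The unit name presumably has to match the certificate name that the vhost's `enableACME` registers (by default the vhost name, so the domain); if it ever diverged, the override would define a stray `systemd.services` unit rather than relax the real ACME unit's sandbox, and the write grant on `cfg.challengePath` would go nowhere. Suggest `# systemd.services fragment for one SSL domain: lets the acme-<domain> unit write the challenge dir despite the read-only /var (see issue link below).` above `service = domain:`, and a short note on the `"acme-${domain}"` line recording the certificate-name assumption. The tail of `virtualHost` at the top of this hunk belongs to a definition that starts in the previous hunk.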
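Review bot: The new `config.security.acme` block keeps the `security.acme.` prefix on both bindings, so after the move they resolve to `config.security.acme.security.acme.email` and `…acceptTerms`, which the module system should reject as undefined options; the two lines should read `email = "danila.fedorin@gmail.com";` and `acceptTerms = true;`. The closing `}` of that block is also not followed by `;` before the module's final `}`, which is a parse error inside a Nix attribute set; the line should be `};`. The `enable = true;` / `recommendedGzipSettings = true;` rewrite under `config.services.nginx` is consistent with the narrowed `virtualHost` fragment in the first hunk, and `mkIf (cfg.enable && anySsl)` preserves the old nesting of `mkIf anySsl` inside `mkIf cfg.enable`.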