From 1a9475ad7fee50fd7a787c413e40661352c6a28f Mon Sep 17 00:00:00 2001
From: clerie
Date: Sat, 31 May 2025 13:00:43 +0200
Subject: [PATCH] profiles/common-webserver: Migrate webserver config to profile
---
 configuration/common/default.nix | 1 -
 configuration/common/web.nix | 54 ---------------------
 profiles/common-webserver/default.nix | 70 +++++++++++++++++++++++++++
 profiles/common/default.nix | 2 +
 profiles/default.nix | 1 +
 5 files changed, 73 insertions(+), 55 deletions(-)
 delete mode 100644 configuration/common/web.nix
 create mode 100644 profiles/common-webserver/default.nix
diff --git a/configuration/common/default.nix b/configuration/common/default.nix
index 3c07706..0c7b5c5 100644
--- a/configuration/common/default.nix
+++ b/configuration/common/default.nix
@@ -12,7 +12,6 @@
 ./ssh.nix
 ./systemd.nix
 ./user.nix
- ./web.nix
 ];
 services.fstrim.enable = true;
diff --git a/configuration/common/web.nix b/configuration/common/web.nix
deleted file mode 100644
index f98065f..0000000
--- a/configuration/common/web.nix
+++ /dev/null
@@ -1,54 +0,0 @@
-{ ... }:
-
-{
- services.nginx = {
- enableReload = true;
- recommendedGzipSettings = true;
- recommendedOptimisation = true;
- recommendedProxySettings = true;
- recommendedTlsSettings = true;
-
- commonHttpConfig = ''
- server_names_hash_bucket_size 64;
- charset utf-8;
- types {
- text/plain nix;
- }
- map $remote_addr $remote_addr_anon {
- ~(?P\d+\.\d+\.\d+)\. $ip.0;
- ~(?P[^:]*:[^:]*(:[^:]*)?): $ip::;
- default ::;
- }
- log_format combined_anon '$remote_addr_anon - $remote_user [$time_local] '
- '"$request" $status $body_bytes_sent '
- '"$http_referer" "$http_user_agent"';
- log_format vcombined_anon '$host: $remote_addr_anon - $remote_user [$time_local] '
- '"$request" $status $body_bytes_sent '
- '"$http_referer" "$http_user_agent"';
- access_log /var/log/nginx/access.log vcombined_anon;
- '';
-
- virtualHosts = {
- "default" = {
- default = true;
- rejectSSL = true;
- locations."/" = {
- return = ''200 "Some piece of infrastructure\n"'';
- extraConfig = ''
- types { } default_type "text/plain; charset=utf-8";
- '';
- };
- };
- };
- };
-
- services.logrotate.settings.nginx = {
- frequency = "daily";
- maxage = 14;
- };
-
- security.acme = {
- defaults.email = "letsencrypt@clerie.de";
- acceptTerms = true;
- };
-}
diff --git a/profiles/common-webserver/default.nix b/profiles/common-webserver/default.nix
new file mode 100644
index 0000000..f64ac8e
--- /dev/null
+++ b/profiles/common-webserver/default.nix
@@ -0,0 +1,70 @@
+{ config, lib, ... }:
+
+with lib;
+
+let
+
+ cfg = config.profiles.clerie.common-webserver;
+
+in {
+
+ options.profiles.clerie.common-webserver = {
+ enable = mkEnableOption "Webserver profile";
+ httpDefaultVirtualHost = (mkEnableOption "Default Virtual Host") // {
+ default = true;
+ };
+ };
+
+ config = mkIf cfg.enable {
+ services.nginx = {
+ enableReload = true;
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ recommendedProxySettings = true;
+ recommendedTlsSettings = true;
+
+ commonHttpConfig = ''
+ server_names_hash_bucket_size 64;
+ charset utf-8;
+ types {
+ text/plain nix;
+ }
+ map $remote_addr $remote_addr_anon {
+ ~(?P\d+\.\d+\.\d+)\. $ip.0;
+ ~(?P[^:]*:[^:]*(:[^:]*)?): $ip::;
+ default ::;
+ }
+ log_format combined_anon '$remote_addr_anon - $remote_user [$time_local] '
+ '"$request" $status $body_bytes_sent '
+ '"$http_referer" "$http_user_agent"';
+ log_format vcombined_anon '$host: $remote_addr_anon - $remote_user [$time_local] '
+ '"$request" $status $body_bytes_sent '
+ '"$http_referer" "$http_user_agent"';
+ access_log /var/log/nginx/access.log vcombined_anon;
+ '';
+
+ virtualHosts = mkIf cfg.httpDefaultVirtualHost {
+ "default" = {
+ default = true;
+ rejectSSL = true;
+ locations."/" = {
+ return = ''200 "Some piece of infrastructure\n"'';
+ extraConfig = ''
+ types { } default_type "text/plain; charset=utf-8";
+ '';
+ };
+ };
+ };
+ };
+
+ services.logrotate.settings.nginx = {
+ frequency = "daily";
+ maxage = 14;
+ };
+
+ security.acme = {
+ defaults.email = "letsencrypt@clerie.de";
+ acceptTerms = true;
+ };
+ };
+}
diff --git a/profiles/common/default.nix b/profiles/common/default.nix
index 186683c..f3ae5ba 100644
--- a/profiles/common/default.nix
+++ b/profiles/common/default.nix
@@ -14,5 +14,7 @@ with lib;
 profiles.clerie.common-networking.enable = mkDefault true;
+ profiles.clerie.common-webserver.enable = mkDefault true;
+
 };
 }
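Review bot: `httpDefaultVirtualHost` in profiles/common-webserver/default.nix is declared without saying what a host gives up when it is set to false. The `"default"` vhost it guards is the only place in this profile that sets `default = true` and `rejectSSL = true`, so with the option off nginx would treat whichever server block it loads first as the default, and requests with an unrecognised Host header or SNI would land on a real site unless the host defines its own catch-all. I would write the option as a plain `mkOption` with `type = types.bool; default = true;` and a description such as `description = "Catch-all vhost for unknown Host headers; also rejects TLS handshakes for unknown SNI. Hosts that disable this must define their own default server.";`. This is documentation only; the behaviour stays as in the hunk.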
diff --git a/profiles/default.nix b/profiles/default.nix
index 9052485..7d0aa97 100644
--- a/profiles/default.nix
+++ b/profiles/default.nix
@@ -6,6 +6,7 @@
 ./common
 ./common-dns
 ./common-networking
+ ./common-webserver
 ./cybercluster-vm
 ./dn42-router
 ./fem-net