revert server modules to pre-merge state

Server work (frigate, bitcoin/clightning, forgejo, nginx) was merged before ready. Reverts these to de56423 state. Work is preserved on branches: cameras, lightning, server, bitcoind.
2026-03-24 00:29:43 -04:00 · 2026-03-08 11:04:30 -04:00 · 2026-03-08 11:04:30 -04:00 · dab93c5ee0
commit dab93c5ee0
parent 0bcd891c7c
12 changed files with 107 additions and 388 deletions
--- a/src/system/modules/nginx/default.nix
+++ b/src/system/modules/nginx/default.nix
@ -4,100 +4,86 @@ with lib;
 let
  cfg = config.modules.system.nginx;
  module = config.modules.system;
-  forgejo = config.services.forgejo;

 in
 { options.modules.system.nginx = { enable = mkEnableOption "Nginx Reverse Proxy"; };
  config = mkIf cfg.enable {
    users = {
      users = {
-        "${config.services.nginx.user}" = {
+        "nginx" = {
          description = "Web server system user";
          isSystemUser = true;
-          group = mkForce "${config.services.nginx.group}";
-          extraGroups = [
-            "${config.security.acme.defaults.group}"
-          ];
+          group = mkForce "web";
        };
        "btc" = {
          extraGroups = mkIf module.bitcoin.enable [
-            "${config.services.nginx.group}"
+            "web"
          ];
        };
-        "${forgejo.user}" = {
+        "git" = {
          extraGroups = mkIf module.forgejo.enable [
-            "${config.services.nginx.group}"
+            "web"
          ];
        };
      };
      groups = {
-        "${config.services.nginx.group}" = {
+        "web" = {
          members = [
-            "${config.services.nginx.user}"
+            "nginx"
          ];
        };
      };
    };

-    security.acme = {
-      acceptTerms = true;
-      defaults = {
-        email = "${config.user.email}";
-        validMinDays = 90;
-        listenHTTP = ":80";
-      };
-      certs = {
-        "ramos.codes" = {
-          extraDomainNames = [
-            "git.ramos.codes"
-            "btc.ramos.codes"
-          ];
-        };
-      };
-    };
-
-    services.nginx = 
+    security.acme = 
    let
-      certPath = config.security.acme.certs."ramos.codes".directory;
-      sslCertificate = "${certPath}/fullchain.pem";
-      sslCertificateKey = "${certPath}/key.pem";
-
-      withSSL = hosts: mapAttrs (name: hostConfig: hostConfig // {
-        inherit sslCertificate sslCertificateKey;
-        forceSSL = true;
-      }) hosts;
+      acmeDir = "/var/lib/acme";
    in
    {
-      enable = true;
-      user = "nginx";
-      group = "web";
-      recommendedProxySettings = true;
-      recommendedTlsSettings = true;
+      acceptTerms = true;
+      certs = {
+        "ramos.codes" = {
+          #webroot = "${acmeDir}/acme-challenge";
+          directory = "${acmeDir}/ramos.codes";
+          email = config.user.email;
+          group = "web";
+          validMinDays = 90;
+          extraDomainNames = attrNames config.services.nginx.virtualHosts;
+          listenHTTP = ":80";
+        };
+      };
+    };

-      virtualHosts = withSSL {
+    services.nginx = {
+      enable = true;
+      virtualHosts = 
+      let
+        certPath = config.security.acme.certs."ramos.codes".directory;
+        sslCertificate = "${certPath}/fullchain.pem";
+        sslCertificateKey = "${certPath}/key.pem";
+
+        withSSL = hosts: mapAttrs (name: hostConfig: hostConfig // {
+          inherit sslCertificate sslCertificateKey;
+          forceSSL = true;
+        }) hosts;
+
+      in withSSL
+      {
        "git.ramos.codes" = mkIf module.forgejo.enable {
          locations = {
            "/" = {
-              proxyPass = "http://unix:${forgejo.settings.server.HTTP_ADDR}";
+              proxyPass = "http://unix:${config.services.forgejo.settings.server.HTTP_ADDR}";
            };
          };
        };
+        #"btc.ramos.codes" = mkIf module.bitcoin.electrum.enable {
+        #  locations = {
+        #   "/" = {
+        #     proxyPass = "";
+        #   };
+        #  };
+        #};
      };
-
-      streamConfig = ''
-        ${lib.optionalString module.bitcoin.electrum.enable ''
-          server {
-            listen 0.0.0.0:50002 ssl;
-            proxy_pass 127.0.0.1:50001;
-
-            ssl_certificate ${sslCertificate};
-            ssl_certificate_key ${sslCertificateKey};
-          }
-        ''}
-      '';
    };
-    networking.firewall.allowedTCPPorts = [
-      50002
-    ];
  };
 }