configure domain in a central file

machines/gerd/services/authelia.nix

@@ -1,6 +1,8 @@
 { config, ... }:
 
 let
+  svc_domain = "auth.${config.mine.settings.domain}";
+
   autheliaStateDir = "/var/lib/authelia-main";
 in {
   services.authelia.instances.main = {
@@ -16,7 +18,7 @@ in {
 
     settings = {
       access_control.default_policy = "one_factor";
-      session.domain = "fricloud.dk";
+      session.domain = config.mine.settings.domain;
 
       storage.local.path = "${autheliaStateDir}/authelia.sqlite3";
       notifier.filesystem.filename = "${autheliaStateDir}/authelia_notifier.txt";
@@ -33,19 +35,19 @@ in {
           timeout = "5s";
           start_tls = false;
 
-          base_dn = "dc=fricloud,dc=dk";
-          additional_users_dn = "ou=people";
+          base_dn = config.mine.settings.ldap.dc;
+          additional_users_dn = "ou=${config.mine.settings.ldap.ou.users}";
+          additional_groups_dn = "ou=${config.mine.settings.ldap.ou.groups}";
           users_filter = "(&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person))";
-          additional_groups_dn = "ou=groups";
           groups_filter = "(member={dn})";
 
 
-          display_name_attribute = "displayName";
-          username_attribute = "uid";
-          group_name_attribute = "cn";
-          mail_attribute = "mail";
+          display_name_attribute = config.mine.settings.ldap.attr.firstname;
+          username_attribute = config.mine.settings.ldap.attr.uid;
+          group_name_attribute = config.mine.settings.ldap.attr.groupname;
+          mail_attribute = config.mine.settings.ldap.attr.email;
 
-          user = "uid=bind_user,ou=people,dc=fricloud,dc=dk";
+          user = config.mine.settings.ldap.bind_dn;
         };
       };
     };
@@ -74,7 +76,7 @@ in {
   # }];
 
 
-  services.nginx.virtualHosts."auth.fricloud.dk" = {
+  services.nginx.virtualHosts."${svc_domain}" = {
     forceSSL = true;
     enableACME = true;
     locations."/".proxyPass = "http://localhost:${builtins.toString config.services.authelia.instances.main.settings.server.port}";

machines/gerd/services/forgejo.nix

@@ -1,6 +1,8 @@
 { config, lib, pkgs, ... }:
 
 let
+  svc_domain = "git.${config.mine.settings.domain}";
+
   scriptAddLDAPAuth = pkgs.writeShellScript "forgejo-add-update-ldap-auth.sh" ''
     #!/usr/bin/env sh
     FORGEJO_WORK_PATH="${config.services.forgejo.stateDir}"
@@ -54,8 +56,8 @@ in {
 
     settings = {
       server = {
-        DOMAIN = "git.fricloud.dk";
-        ROOT_URL = "https://git.fricloud.dk";
+        DOMAIN = svc_domain;
+        ROOT_URL = "https://${svc_domain}";
         HTTPPORT = 3000;
       };
 
@@ -78,7 +80,7 @@ in {
   # already issued for this exact set of domains in the last 168 hours: git.fricloud.dk, retry after 2024-08-10T01:34:44Z
   security.acme.certs."git.fricloud.dk".extraDomainNames = [ "git2.fricloud.dk" ];
 
-  services.nginx.virtualHosts."git.fricloud.dk" = {
+  services.nginx.virtualHosts."${svc_domain}" = {
     forceSSL = true;
     enableACME = true;
     extraConfig = ''

machines/gerd/services/fricloud-website.nix

@@ -1,13 +1,15 @@
 { config, pkgs, ... }:
 
-{
-  services.nginx.virtualHosts."fricloud.dk" = {
+let
+  svc_domain = config.mine.settings.domain;
+in {
+  services.nginx.virtualHosts."${svc_domain}" = {
     forceSSL = true;
     enableACME = true;
     root = pkgs.writeTextDir "index.html" ''
       <html>
         <head>
-          <title>Fricloud.dk</title>
+          <title>${svc_domain}</title>
         </head>
         <body>
           <marquee
@@ -21,7 +23,7 @@
   };
 
   # setup group for fricloud.dk cert + add nginx to group.
-  # group `fricloud-domain` is used for users that need access to the domain certificate, e.g. murmur
-  security.acme.certs."fricloud.dk".group = config.users.groups.fricloud-domain.name;
-  users.groups.fricloud-domain.members = [ config.users.users.nginx.name ];
+  # group `main-domain` is used for users that need access to the domain certificate, e.g. murmur
+  security.acme.certs."${svc_domain}".group = config.users.groups.main-domain.name;
+  users.groups.main-domain.members = [ config.users.users.nginx.name ];
 }

machines/gerd/services/hedgedoc.nix

@@ -1,7 +1,8 @@
 { config, ... }:
 
 let
-  domain = "hedgedoc.fricloud.dk";
+  svc_domain = "hedgedoc.${config.mine.settings.domain}";
+
   stateDir = config.mine.zfsMounts."rpool/safe/svcs/hedgedoc";
 in {
   services.hedgedoc = {
@@ -9,7 +10,7 @@ in {
     settings = {
       # only change default port, because 3000 is used by other service
       port = 6864;
-      domain = domain;
+      domain = svc_domain;
       protocolUseSSL = true;
       debug = true;
       uploadsPath = stateDir + "/uploads";
@@ -41,7 +42,7 @@ in {
   systemd.services.hedgedoc.serviceConfig.ReadWritePaths = [ stateDir ];
   systemd.services.hedgedoc.serviceConfig.EnvironmentFile = config.age.secrets.lldap-bind-user-pass-hedgedoc-env.path;
 
-  services.nginx.virtualHosts."${domain}" = {
+  services.nginx.virtualHosts."${svc_domain}" = {
     forceSSL = true;
     enableACME = true;
     locations."/".proxyPass = "http://localhost:${builtins.toString config.services.hedgedoc.settings.port}";

machines/gerd/services/lldap.nix

@@ -1,13 +1,15 @@
 { config, ... }:
 
-{
+let
+  svc_domain = "ldap.${config.mine.settings.domain}";
+in {
   services.lldap = {
     enable = true;
 
     settings = {
       verbose = true;
       ldap_user_email = "fricloudlldap.grief462@simplelogin.com";
-      ldap_base_dn = "dc=fricloud,dc=dk";
+      ldap_base_dn = config.mine.settings.ldap.dc;
     };
 
     environment = {
@@ -20,7 +22,7 @@
     };
   };
 
-  services.nginx.virtualHosts."ldap.fricloud.dk" = {
+  services.nginx.virtualHosts."${svc_domain}" = {
     forceSSL = true;
     enableACME = true;
     locations."/".proxyPass = "http://localhost:${builtins.toString config.services.lldap.settings.http_port}";
@@ -51,7 +53,7 @@
     port = 3890;
     url = "ldap://${host}:${builtins.toString port}";
 
-    dc = "dc=fricloud,dc=dk";
+    dc = "dc=${config.mine.settings.domain_sld},dc=${config.mine.settings.domain_tld}";
     bind_dn = "uid=${users.bind},ou=${ou.users},${dc}";
     search_base = "ou=${ou.users},${dc}";
     user_filter = "(memberof=cn=${groups.member},ou=${ou.groups},${dc})";
@@ -78,6 +80,7 @@
       lastname = "sn";
       email = "mail";
       avatar = "jpegPhoto";
+      groupname = "cn";
     };
 
     age_secret = config.age.secrets.lldap-bind-user-pass.path;

machines/gerd/services/murmur.nix

@@ -1,8 +1,10 @@
 { config, lib, ... }:
 
-{
+let
+  svc_domain = config.mine.settings.domain;
+in {
   services.murmur = let
-    certLocation = config.security.acme.certs."fricloud.dk".directory;
+    certLocation = config.security.acme.certs."${svc_domain}".directory;
   in {
     enable = true;
     openFirewall = true;
@@ -19,7 +21,7 @@
   systemd.services.murmur.preStart = lib.mkAfter ''${config.services.murmur.package}/bin/mumble-server -ini /run/murmur/murmurd.ini -readsupw < ${config.age.secrets.murmur-superpassword.path}'';
 
   # add murmur user to domain group to access cert
-  users.groups.fricloud-domain.members = [ config.users.groups.murmur.name ];
+  users.groups.main-domain.members = [ config.users.groups.murmur.name ];
 
   age.secrets = {
     murmur-env.owner = config.users.users.murmur.name;

machines/gerd/services/teeworlds.nix

@@ -1,8 +1,10 @@
+{ config, ... }:
+
 {
   services.teeworlds = {
       enable = true;
       openPorts = true;
 
-      motd = "Welcome to Fricloud.dk's Teeworld server!";
+      motd = "Welcome to ${config.mine.settings.domain}'s Teeworld server!";
   };
 }

shared/default.nix

@@ -1,3 +1,5 @@
+{ config, ... }:
+
 let
   sources = import ./sources/sources.nix;
 in {
@@ -10,4 +12,10 @@ in {
     ./platforms
     ./modules
   ];
+
+  # TODO(eyJhb): why is the commented line a infinite recurssion
+  mine.settings.domain_tld = "dk";
+  mine.settings.domain_sld = "fricloud";
+  # mine.settings.domain = "${config.mine.settings.domain_sld}.${config.mine.settings.domain_tld}";
+  mine.settings.domain = "fricloud.dk";
 }