From d425868d124106b066e778bfc38a116a2cc2b6cc Mon Sep 17 00:00:00 2001
From: Sridhar Ratnakumar
Date: Tue, 19 Nov 2024 17:18:33 -0500
Subject: [PATCH] cleanup
---
 configurations/nixos/gate/default.nix | 19 +-----------
 .../nixos/pureintent/containers.nix | 22 --------------
 configurations/nixos/pureintent/default.nix | 2 +-
 webapps/README.md | 9 ++++++
 webapps/default.nix | 8 +++++
 webapps/host.nix | 24 +++++++++++++++
 webapps/proxy.nix | 30 +++++++++++++++++++
 7 files changed, 73 insertions(+), 41 deletions(-)
 delete mode 100644 configurations/nixos/pureintent/containers.nix
 create mode 100644 webapps/README.md
 create mode 100644 webapps/default.nix
 create mode 100644 webapps/host.nix
 create mode 100644 webapps/proxy.nix
diff --git a/configurations/nixos/gate/default.nix b/configurations/nixos/gate/default.nix
index cf03e48..f393ccb 100644
--- a/configurations/nixos/gate/default.nix
+++ b/configurations/nixos/gate/default.nix
@@ -5,33 +5,16 @@ let
 inherit (inputs) self;
 in
 {
- # nixos-unified.sshTarget = "root@5.161.184.111";
 nixos-unified.sshTarget = "gate";
 imports = [ ./configuration.nix (self + /modules/nixos/shared/primary-as-admin.nix)
+ (self + /webapps/proxy.nix)
 ];
 nixpkgs.hostPlatform = "x86_64-linux";
- services.tailscale.enable = true;
 services.openssh.settings.PasswordAuthentication = false;
- services.nginx = {
- enable = true;
- recommendedProxySettings = true;
- recommendedTlsSettings = true;
- virtualHosts."actualism.app" = {
- # FIXME: Don't hardcode, instead of read from pureintent's containers.nix
- locations."/".proxyPass = "http://pureintent:3000";
- enableACME = true;
- addSSL = true;
- };
- };
- security.acme = {
- acceptTerms = true;
- defaults.email = "srid@srid.ca";
- };
- networking.firewall.allowedTCPPorts = [ 80 443 22 ];
 # Workaround the annoying `Failed to start Network Manager Wait Online` error on switch.
 # https://github.com/NixOS/nixpkgs/issues/180175
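Review bot: After this hunk the only trace in gate's own config that it terminates TLS for the webapps, enables Tailscale and opens ports 80/443/22 is the import `(self + /webapps/proxy.nix)`, which is easy to overlook when auditing what this host exposes. A trailing comment on the import line keeps that visible: `(self + /webapps/proxy.nix) # nginx + ACME + Tailscale; opens 80/443/22 for ./webapps`. The enclosing attribute set continues past the end of the hunk.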
diff --git a/configurations/nixos/pureintent/containers.nix b/configurations/nixos/pureintent/containers.nix
deleted file mode 100644
index 0180066..0000000
--- a/configurations/nixos/pureintent/containers.nix
+++ /dev/null
@@ -1,22 +0,0 @@
-# TODO(refactor): decompose
-{ flake, pkgs, ... }:
-
-let
- inherit (flake) inputs;
- actualism-app = inputs.actualism-app.packages.${pkgs.system}.default;
-in
-{
- containers.actualism-app = {
- autoStart = true;
- config = { lib, ... }: {
- systemd.services.actualism-app = {
- description = "actualism-app";
- wantedBy = [ "multi-user.target" ];
- serviceConfig = {
- ExecStart = "${lib.getExe actualism-app}";
- Restart = "always";
- };
- };
- };
- };
-}
diff --git a/configurations/nixos/pureintent/default.nix b/configurations/nixos/pureintent/default.nix
index c435f78..3c00857 100644
--- a/configurations/nixos/pureintent/default.nix
+++ b/configurations/nixos/pureintent/default.nix
@@ -11,7 +11,7 @@ in
 imports = [ self.nixosModules.default ./configuration.nix
- ./containers.nix
+ (self + /webapps/host.nix)
 ];
 services.openssh.enable = true;
diff --git a/webapps/README.md b/webapps/README.md
new file mode 100644
index 0000000..eb31c0c
--- /dev/null
+++ b/webapps/README.md
@@ -0,0 +1,9 @@
+# Hosting webapps on home-server
+
+Host them on `pureintent` (home-server)
+
+Run nginx on `gate` (Hetzner VPS).
+
+Put the two in a Tailscale network. Profit!
+
+WARNING: This is not cleanly designed yet, so don't use it as a reference.
diff --git a/webapps/default.nix b/webapps/default.nix
new file mode 100644
index 0000000..fafecd1
--- /dev/null
+++ b/webapps/default.nix
@@ -0,0 +1,8 @@
+{ flake, system, ... }:
+{
+ actualism-app = {
+ port = 3000; # TODO: Change this, and pass to daemon (renaming `package` to `exec` or something)
+ domain = "actualism.app";
+ package = flake.inputs.actualism-app.packages.${system}.default;
+ };
+}
diff --git a/webapps/host.nix b/webapps/host.nix
new file mode 100644
index 0000000..938c7af
--- /dev/null
+++ b/webapps/host.nix
@@ -0,0 +1,24 @@
+# Configuration for the host on which all webapps will run.
+{ flake, pkgs, lib, ... }:
+
+let
+ webapps = import ./. { inherit flake; system = pkgs.system; };
+in
+{
+ # Run each web app as a systemd service decided inside a container.
+ containers = lib.mapAttrs
+ (name: v: {
+ autoStart = true;
+ config = {
+ systemd.services.${name} = {
+ description = name;
+ wantedBy = [ "multi-user.target" ];
+ serviceConfig = {
+ ExecStart = "${lib.getExe v.package}";
+ Restart = "always";
+ };
+ };
+ };
+ })
+ webapps;
+}
diff --git a/webapps/proxy.nix b/webapps/proxy.nix
new file mode 100644
index 0000000..0d17a9b
--- /dev/null
+++ b/webapps/proxy.nix
@@ -0,0 +1,30 @@
+# Configuration for the VPS running nginx reverse proxy
+{ flake, pkgs, lib, webapps, ... }:
+
+let
+ host = "pureintent"; # See host.nix
+ webapps = import ./. { inherit flake; system = pkgs.system; };
+in
+{
+ services.tailscale.enable = true;
+
+ services.nginx = {
+ enable = true;
+ recommendedProxySettings = true;
+ recommendedTlsSettings = true;
+
+ virtualHosts = lib.mapAttrs'
+ (name: v: lib.nameValuePair v.domain {
+ locations."/".proxyPass = "http://${host}:${builtins.toString v.port}";
+ enableACME = true;
+ addSSL = true;
+ })
+ webapps;
+ };
+
+ security.acme = {
+ acceptTerms = true;
+ defaults.email = "srid@srid.ca";
+ };
+ networking.firewall.allowedTCPPorts = [ 80 443 22 ];
+}
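Review bot: The container config in host.nix sets no `privateNetwork`, so each app shares pureintent's network namespace and is reachable on whatever interfaces its daemon binds to — that is what lets gate reach `http://pureintent:<port>`, but it can also expose the app on the home LAN rather than only over the tailnet, unless pureintent's firewall (configuration.nix, not in this patch) already restricts it. Making that explicit here ties the exposure to the `port` declared in webapps/default.nix, e.g. `networking.firewall.interfaces.tailscale0.allowedTCPPorts = lib.mapAttrsToList (_: v: v.port) webapps;` next to the `containers` attribute. Related: `v.port` is never passed to the service in this hunk, so the proxy target only matches while the daemon's own default port happens to be 3000 (the TODO in default.nix acknowledges this). The header comment `decided inside a container` reads like a typo for `defined inside a container`.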
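Review bot: In proxy.nix the module pattern `{ flake, pkgs, lib, webapps, ... }:` requests a `webapps` argument that the `let` a few lines below immediately shadows, so it is dead code; nothing in this patch defines `_module.args.webapps`, and if the `let` were ever removed evaluation would presumably fail on the missing argument. Drop it: `{ flake, pkgs, lib, ... }:`. Separately, `addSSL = true` keeps every app served over plain HTTP next to HTTPS; `forceSSL = true;` redirects HTTP to HTTPS and is compatible with `enableACME`, which is the safer default for an internet-facing proxy. The same `addSSL` was in the old gate config, so this is carried over rather than introduced by the commit.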