peering-manager: restructure

felbinger · felbinger · commit 503144f6c3eb · 2025-07-27T04:07:09.000+02:00
diff --git a/modules/peering-manager.nix b/modules/peering-manager.nix
@@ -4,123 +4,156 @@
   pkgs,
   ...
 }:
+let
+  cfg = config.secshell.peering-manager;
+  inherit (lib)
+    mkIf
+    types
+    mkEnableOption
+    mkOption
+    mkMerge
+    ;
+in
 {
   options.secshell.peering-manager = {
-    enable = lib.mkEnableOption "peering-manager";
-    domain = lib.mkOption {
-      type = lib.types.str;
+    enable = mkEnableOption "peering-manager";
+    domain = mkOption {
+      type = types.str;
       default = "peering-manager.${toString config.networking.fqdn}";
       defaultText = "peering-manager.\${toString config.networking.fqdn}";
       description = ''
         The primary domain name for this service.
         Used for virtual host configuration, TLS certificates, and service URLs.
       '';
     };
-    internal_port = lib.mkOption {
-      type = lib.types.port;
+    internal_port = mkOption {
+      type = types.port;
       description = ''
         The local port the service listens on.
       '';
     };
     oidc = {
-      domain = lib.mkOption {
-        type = lib.types.str;
+      domain = mkOption {
+        type = types.str;
         default = "";
         description = ''
           The open id connect server used for authentication.
           Leave null to disable oidc authentication.
         '';
       };
-      realm = lib.mkOption {
-        type = lib.types.str;
+      realm = mkOption {
+        type = types.str;
         default = "main";
         description = ''
           The realm to use for the open id connect authentication.
         '';
       };
-      clientId = lib.mkOption {
-        type = lib.types.str;
-        default = config.secshell.peering-manager.domain;
+      clientId = mkOption {
+        type = types.str;
+        default = cfg.domain;
         defaultText = "config.secshell.peering-manager.domain";
         description = ''
           The client id for the open id connect authentication.
         '';
       };
     };
   };
-  config = lib.mkIf config.secshell.peering-manager.enable {
-    sops = {
-      secrets = {
-        "peering-manager/secretKey".owner = "peering-manager";
-      }
-      // (lib.optionalAttrs (config.secshell.peering-manager.oidc.domain != "") {
-        "peering-manager/oidcSecret".owner = "peering-manager";
-      });
+  config = mkIf cfg.enable (mkMerge [
+    # base
+    {
+      sops.secrets."peering-manager/secretKey".owner = "peering-manager";
 
-      templates."peering-manager/oidc-config".content = ''
-        # CLIENT_ID and SECRET are required to authenticate against the provider
-        OIDC_RP_CLIENT_ID = "${config.secshell.peering-manager.oidc.clientId}"
-        OIDC_RP_CLIENT_SECRET = "${config.sops.placeholder."peering-manager/oidcSecret"}"
+      services = {
+        postgresql = {
+          enable = true;
+          ensureDatabases = [ "peering-manager" ];
+        };
+      };
 
-        # The following two may be required depending on your provider,
-        # check the configuration endpoint for JWKS information
-        OIDC_RP_SIGN_ALGO = "RS256"
-        OIDC_OP_JWKS_ENDPOINT = "https://${config.secshell.peering-manager.oidc.domain}/realms/${config.secshell.peering-manager.oidc.realm}/protocol/openid-connect/certs"
+      services = {
+        peering-manager = {
+          enable = true;
+          secretKeyFile = config.sops.secrets."peering-manager/secretKey".path;
+          port = cfg.internal_port;
+          listenAddress = "127.0.0.1";
 
-        # Refer to the configuration endpoint of your provider
-        OIDC_OP_AUTHORIZATION_ENDPOINT = "https://${config.secshell.peering-manager.oidc.domain}/realms/${config.secshell.peering-manager.oidc.realm}/protocol/openid-connect/auth"
-        OIDC_OP_TOKEN_ENDPOINT = "https://${config.secshell.peering-manager.oidc.domain}/realms/${config.secshell.peering-manager.oidc.realm}/protocol/openid-connect/token"
-        OIDC_OP_USER_ENDPOINT = "https://${config.secshell.peering-manager.oidc.domain}/realms/${config.secshell.peering-manager.oidc.realm}/protocol/openid-connect/userinfo"
+          settings = {
+            LOGIN_REQUIRED = true;
+            TIME_ZONE = "Europe/Berlin";
+            ALLOWED_HOSTS = [ (toString cfg.domain) ];
+          };
+        };
+        nginx = {
+          enable = true;
+          virtualHosts."${toString cfg.domain}" = {
+            locations = {
+              "/".proxyPass = "http://127.0.0.1:${toString cfg.internal_port}";
+              "/static/".alias = "${pkgs.peering-manager}/opt/peering-manager/static/";
+            };
+            serverName = toString cfg.domain;
 
-        # Set these to the base path of your Peering Manager installation
-        LOGIN_REDIRECT_URL = "https://${config.secshell.peering-manager.domain}"
-        LOGOUT_REDIRECT_URL = "https://${config.secshell.peering-manager.domain}"
+            # use ACME DNS-01 challenge
+            useACMEHost = toString cfg.domain;
+            forceSSL = true;
+          };
+        };
+      };
+      security.acme.certs."${toString cfg.domain}" = { };
+    }
 
-        # If this is True, new users will be created if not yet existing.
-        OIDC_CREATE_USER = True
-      '';
-      templates."peering-manager/oidc-config".owner = "peering-manager";
-    };
+    # external database
+    {
+      # the nixpkgs module configures a local postgres instance, which we a simply not using
+      # disabling postgres in this postgres module might cause trouble with other modules that should use a local postgres instance
+      # TODO
+      #services.peering-manager.settings.DATABASE = {
+      #  NAME = "peering-manager";
+      #  USER = "peering-manager";
+      #  HOST = "/run/postgresql";
+      #};
+    }
 
-    services = {
-      postgresql = {
-        enable = true;
-        ensureDatabases = [ "peering-manager" ];
-      };
-    };
+    # oidc
+    # TODO requires adjustments for https://github.com/NixOS/nixpkgs/pull/382862
+    (mkIf (cfg.oidc.domain != "") {
+      sops = {
+        secrets = (
+          lib.optionalAttrs (cfg.oidc.domain != "") {
+            "peering-manager/oidcSecret".owner = "peering-manager";
+          }
+        );
+
+        templates."peering-manager/oidc-config" = {
+          content = ''
+            # CLIENT_ID and SECRET are required to authenticate against the provider
+            OIDC_RP_CLIENT_ID = "${cfg.oidc.clientId}"
+            OIDC_RP_CLIENT_SECRET = "${config.sops.placeholder."peering-manager/oidcSecret"}"
+
+            # The following two may be required depending on your provider,
+            # check the configuration endpoint for JWKS information
+            OIDC_RP_SIGN_ALGO = "RS256"
+            OIDC_OP_JWKS_ENDPOINT = "https://${cfg.oidc.domain}/realms/${cfg.oidc.realm}/protocol/openid-connect/certs"
+
+            # Refer to the configuration endpoint of your provider
+            OIDC_OP_AUTHORIZATION_ENDPOINT = "https://${cfg.oidc.domain}/realms/${cfg.oidc.realm}/protocol/openid-connect/auth"
+            OIDC_OP_TOKEN_ENDPOINT = "https://${cfg.oidc.domain}/realms/${cfg.oidc.realm}/protocol/openid-connect/token"
+            OIDC_OP_USER_ENDPOINT = "https://${cfg.oidc.domain}/realms/${cfg.oidc.realm}/protocol/openid-connect/userinfo"
 
-    services = {
-      peering-manager = {
-        enable = true;
-        secretKeyFile = config.sops.secrets."peering-manager/secretKey".path;
-        port = config.secshell.peering-manager.internal_port;
-        listenAddress = "127.0.0.1";
-        enableOidc = config.secshell.peering-manager.oidc.domain != "";
-        oidcConfigPath = lib.mkIf (
-          config.secshell.peering-manager.oidc.domain != ""
-        ) config.sops.templates."peering-manager/oidc-config".path;
+            # Set these to the base path of your Peering Manager installation
+            LOGIN_REDIRECT_URL = "https://${cfg.domain}"
+            LOGOUT_REDIRECT_URL = "https://${cfg.domain}"
 
-        settings = {
-          LOGIN_REQUIRED = true;
-          TIME_ZONE = "Europe/Berlin";
-          ALLOWED_HOSTS = [ (toString config.secshell.peering-manager.domain) ];
+            # If this is True, new users will be created if not yet existing.
+            OIDC_CREATE_USER = True
+          '';
+          owner = "peering-manager";
         };
       };
-      nginx = {
-        enable = true;
-        virtualHosts."${toString config.secshell.peering-manager.domain}" = {
-          locations = {
-            "/".proxyPass = "http://127.0.0.1:${toString config.secshell.peering-manager.internal_port}";
-            "/static/".alias = "${pkgs.peering-manager}/opt/peering-manager/static/";
-          };
-          serverName = toString config.secshell.peering-manager.domain;
 
-          # use ACME DNS-01 challenge
-          useACMEHost = toString config.secshell.peering-manager.domain;
-          forceSSL = true;
-        };
+      services.peering-manager = {
+        enableOidc = true;
+        oidcConfigPath = config.sops.templates."peering-manager/oidc-config".path;
       };
-    };
-    security.acme.certs."${toString config.secshell.peering-manager.domain}" = { };
-  };
+    })
+  ]);
 }
