Move Grav into options

modules/default.nix

@@ -21,6 +21,7 @@
     ./services/docker
     ./services/docker-mailserver
     ./services/gitea
+    ./grav
     ./services/logs-share
     ./services/log-to-ram
     ./services/pipewire

modules/grav/default.nix

@@ -1,29 +1,38 @@
-{ ... }:
+{ config, lib, ... }:
+let
+  cfg = config.services.az-grav;
+in
 {
-  services.az-docker.enable = true;
+  options = {
+    services.az-grav.enable = lib.mkEnableOption "Enable Grav.";
+  };
 
-  virtualisation.oci-containers = {
-    backend = "docker";
-    containers."grav" = {
-      # https://fleet.linuxserver.io/image?name=linuxserver/grav
-      image = "lscr.io/linuxserver/grav:1.7.41";
-      autoStart = true;
-      environment = {
-        TZ = "Europe/Zurich";
-        PUID = "100";
-        PGID = "101";
+  config = lib.mkIf cfg.enable {
+    services.az-docker.enable = true;
+
+    virtualisation.oci-containers = {
+      backend = "docker";
+      containers."grav" = {
+        # https://fleet.linuxserver.io/image?name=linuxserver/grav
+        image = "lscr.io/linuxserver/grav:1.7.41";
+        autoStart = true;
+        environment = {
+          TZ = "Europe/Zurich";
+          PUID = "100";
+          PGID = "101";
+        };
+        ports = [
+          "8080:80"
+        ];
+        volumes = [
+          "/etc/timezone:/etc/timezone:ro"
+          "/etc/localtime:/etc/localtime:ro"
+        ];
+        extraOptions = [
+          ''--mount=type=volume,source=grav,target=/config,volume-driver=local,volume-opt=type=nfs,volume-opt=device=:/server_data/grav,"volume-opt=o=addr=10.7.89.108,rw,nfsvers=4.0,nolock,hard,noatime"''
+          "--log-opt=tag='grav'"
+        ];
       };
-      ports = [
-        "8080:80"
-      ];
-      volumes = [
-        "/etc/timezone:/etc/timezone:ro"
-        "/etc/localtime:/etc/localtime:ro"
-      ];
-      extraOptions = [
-        ''--mount=type=volume,source=grav,target=/config,volume-driver=local,volume-opt=type=nfs,volume-opt=device=:/server_data/grav,"volume-opt=o=addr=10.7.89.108,rw,nfsvers=4.0,nolock,hard,noatime"''
-        "--log-opt=tag='grav'"
-      ];
     };
   };
 }

systems/proxy/default.nix

@@ -10,53 +10,55 @@
       time = "00:00";
     })
     "${inputs.self}/modules/nginx-acme-base"
-    "${inputs.self}/modules/grav"
     "${inputs.self}/modules/haproxy"
     "${inputs.self}/modules/heimdall"
   ];
 
-  services.nginx = {
-    commonHttpConfig = ''
-      # Add HSTS header with preloading to HTTPS requests.
-      # Adding this header to HTTP requests is discouraged
-      # Enable CSP for your services.
-      #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
+  services = {
+    az-grav.enable = true;
+    nginx = {
+      commonHttpConfig = ''
+        # Add HSTS header with preloading to HTTPS requests.
+        # Adding this header to HTTP requests is discouraged
+        # Enable CSP for your services.
+        #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
 
-      # Minimize information leaked to other domains
-      add_header 'Referrer-Policy' 'origin-when-cross-origin';
+        # Minimize information leaked to other domains
+        add_header 'Referrer-Policy' 'origin-when-cross-origin';
 
-      # Disable embedding as a frame
-      add_header X-Frame-Options DENY;
+        # Disable embedding as a frame
+        add_header X-Frame-Options DENY;
 
-      # Prevent injection of code in other mime types (XSS Attacks)
-      add_header X-Content-Type-Options nosniff;
+        # Prevent injection of code in other mime types (XSS Attacks)
+        add_header X-Content-Type-Options nosniff;
 
-      # Enable XSS protection of the browser.
-      # May be unnecessary when CSP is configured properly (see above)
-      add_header X-XSS-Protection "1; mode=block";
+        # Enable XSS protection of the browser.
+        # May be unnecessary when CSP is configured properly (see above)
+        add_header X-XSS-Protection "1; mode=block";
 
-      # This might create errors
-      proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
-    '';
-    recommendedProxySettings = true;
-    virtualHosts = {
-      "2li.ch" = {
-        serverAliases = [ "www.2li.ch" ];
-        enableACME = true;
-        forceSSL = true;
-        listen = [{ port = 4433; addr = "127.0.0.1"; ssl = true; }];
-        locations."/" = {
-          proxyPass = "http://127.0.0.1:8080";
-          proxyWebsockets = true; # needed if you need to use WebSocket
+        # This might create errors
+        proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
+      '';
+      recommendedProxySettings = true;
+      virtualHosts = {
+        "2li.ch" = {
+          serverAliases = [ "www.2li.ch" ];
+          enableACME = true;
+          forceSSL = true;
+          listen = [{ port = 4433; addr = "127.0.0.1"; ssl = true; }];
+          locations."/" = {
+            proxyPass = "http://127.0.0.1:8080";
+            proxyWebsockets = true; # needed if you need to use WebSocket
+          };
         };
-      };
-      "heimdall.2li.ch" = {
-        enableACME = true;
-        forceSSL = true;
-        listen = [{ port = 4433; addr = "127.0.0.1"; ssl = true; }];
-        locations."/" = {
-          proxyPass = "http://127.0.0.1:8081";
-          proxyWebsockets = true; # needed if you need to use WebSocket
+        "heimdall.2li.ch" = {
+          enableACME = true;
+          forceSSL = true;
+          listen = [{ port = 4433; addr = "127.0.0.1"; ssl = true; }];
+          locations."/" = {
+            proxyPass = "http://127.0.0.1:8081";
+            proxyWebsockets = true; # needed if you need to use WebSocket
+          };
         };
       };
     };