From 16378850018a497bdeef5974743f2dc2da8e8aa8 Mon Sep 17 00:00:00 2001 From: Wateir Date: Sun, 21 Dec 2025 20:37:17 +0100 Subject: [PATCH] feat : Add modular service to hostname --- configuration.nix | 9 +++---- default.nix | 55 ++++++++++++++++++++++++++++++++++++++++++ host.nix | 11 +++++++++ module/acme.nix | 8 +++--- module/hostname.nix | 11 --------- module/newt.nix | 2 +- module/nginx.nix | 36 +++++++++++++-------------- module/roundcube.nix | 8 +++--- module/searXNG.nix | 4 +-- module/tailscale.nix | 22 ++++++++--------- module/vaultWarden.nix | 12 +++------ 11 files changed, 112 insertions(+), 66 deletions(-) create mode 100644 default.nix create mode 100644 host.nix delete mode 100644 module/hostname.nix diff --git a/configuration.nix b/configuration.nix index 65b384c..5067f9d 100644 --- a/configuration.nix +++ b/configuration.nix @@ -7,9 +7,11 @@ [ ./hardware-configuration.nix ./package.nix - ./module/hostname.nix + ./host.nix + ./default.nix ./module/nginx.nix ./module/newt.nix + ./module/tailscale.nix ./module/searXNG.nix ./module/roundcube.nix @@ -59,9 +61,6 @@ variant = "azerty"; }; - - programs.zsh.enable = true; - users.users.manager = { isNormalUser = true; description = "manager"; @@ -108,7 +107,7 @@ }; programs = { - zsh.enable = true; + zsh.enable = true; # Mandatory for the user manager # Some programs need SUID wrappers, can be configured further or are # started in user sessions. diff --git a/default.nix b/default.nix new file mode 100644 index 0000000..b38e4b1 --- /dev/null +++ b/default.nix 
@@ -0,0 +1,55 @@ +{ config, lib, ... }: + +with lib; + +let + mkServiceOption = { desc, defaultEnabled ? false, extraOpts ? {} }: mkOption { + description = desc; + default = {}; + type = types.submodule { + options = { + enable = mkEnableOption desc // { default = defaultEnabled; }; + } // extraOpts; + }; + }; +in +{ + options = { + sACME = mkServiceOption { desc = "ACME DNS Challenge"; }; + + sROUNDCUBE = mkServiceOption { + desc = "Roundcube webapp"; + extraOpts = { + port = mkOption { type = types.port; default = 1984; }; + }; + }; + + sVAULTWARDEN = mkServiceOption { + desc = "Vaultwarden service"; + extraOpts = { + externalPort = mkOption { type = types.port; default = 8000; }; + internalPort = mkOption { type = types.port; default = 8222; }; + }; + }; + + sSEARXNG = mkServiceOption { + desc = "SearXNG meta-search engine"; + extraOpts = { + port = mkOption { type = types.port; default = 1692; }; + }; + }; + + sTAILSCALE = mkServiceOption { + desc = "Tailscale VPN"; + defaultEnabled = true; + }; + + sNEWT = mkServiceOption { desc = "Newt custom wireguard tunnel"; }; + + HostName = mkOption { + type = types.str; + default = "${config.networking.hostName}.ssh.wateir.fr"; + description = "Global hostname with domain for all services"; + }; + }; +} diff --git a/host.nix b/host.nix new file mode 100644 index 0000000..d72e76e --- /dev/null +++ b/host.nix @@ -0,0 +1,11 @@ +{ config, lib, ... }: + +{ + config = lib.mkIf (config.networking.hostName == "ThinkCentre-Server-004") { + sVAULTWARDEN.enable = true; + sROUNDCUBE.enable = true; + sSEARXNG.enable = true; + sACME.enable = true; + sNEWT.enable = true; + }; +} diff --git a/module/acme.nix b/module/acme.nix index 92fad9f..534dc95 100644 --- a/module/acme.nix +++ b/module/acme.nix 
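Review bot: The `sACME` option declares only `enable`, but `module/acme.nix` in this same patch reads `config.sACME.email` and `config.sACME.domain` in place of the former literals `admin+contact@wateir.fr` and `wateir.fr`; with `sACME.enable = true` (host.nix) evaluation should stop on a missing attribute. Declare both as sub-options via `extraOpts`, as the other services already do for their ports, so the gap is reported by the option system instead of as a raw attribute error. Leaving them without defaults looks right here: it forces each host to state its own contact address and certificate domain rather than inheriting another host's.
```nix
sACME = mkServiceOption {
  desc = "ACME DNS Challenge";
  extraOpts = {
    email = mkOption { type = types.str; description = "Contact e-mail registered with the ACME CA."; };
    domain = mkOption { type = types.str; description = "Domain the DNS-01 certificate is issued for."; };
  };
};
# … unchanged: sROUNDCUBE, sVAULTWARDEN, sSEARXNG, sTAILSCALE, sNEWT, HostName …
```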
@@ -1,11 +1,11 @@ - { config, ... }: +{ config, lib, ... }: - { +lib.mkIf config.sACME.enable { security.acme = { acceptTerms = true; - defaults.email = "admin+contact@wateir.fr"; + defaults.email = config.sACME.email; - certs."wateir.fr" = { + certs."${config.sACME.domain}" = { dnsProvider = "ovh"; environmentFile = "/etc/acme.env"; }; diff --git a/module/hostname.nix b/module/hostname.nix deleted file mode 100644 index a10585e..0000000 --- a/module/hostname.nix +++ /dev/null @@ -1,11 +0,0 @@ -{ config, lib, pkgs, ... }: - -with lib; - -{ - options.HostName = mkOption { - type = types.str; - default = "${config.networking.hostName}.ssh.wateir.fr"; - description = "Global hostname with domain for all services"; - }; -} diff --git a/module/newt.nix b/module/newt.nix index 22db625..36147d8 100644 --- a/module/newt.nix +++ b/module/newt.nix @@ -1,6 +1,6 @@ {config,lib, ... }: -{ +lib.mkIf config.sNEWT.enable{ services.newt = { enable = true; environmentFile = "/etc/newt.env"; diff --git a/module/nginx.nix b/module/nginx.nix index 23c91e4..6e3f5ba 100644 --- a/module/nginx.nix +++ b/module/nginx.nix @@ -1,17 +1,16 @@ { config, pkgs, lib, ... }: -lib.mkIf (config.networking.hostName == "ThinkCentre-Server-004") { +with lib; - services.nginx = { - enable = true; - virtualHosts = { +{ + services.nginx.enable = true; + + services.nginx.virtualHosts = mkMerge [ + (mkIf config.sVAULTWARDEN.enable { "${config.HostName}-vault" = { - listen = [ - { addr = "0.0.0.0"; port = 8000; } - ]; - + listen = [{ addr = "0.0.0.0"; port = config.sVAULTWARDEN.externalPort; }]; locations."/" = { - proxyPass = "http://127.0.0.1:8222"; + proxyPass = "http://127.0.0.1:${toString config.sVAULTWARDEN.internalPort}"; extraConfig = '' proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; 
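Review bot: `config.sACME.email` and `config.sACME.domain` now have to be supplied by something, and nothing in this patch sets them: host.nix enables `sACME` without assigning either, so even once the sub-options exist an option without a default and without a definition will abort evaluation. Add `sACME.email = "admin+contact@wateir.fr";` and `sACME.domain = "wateir.fr";` (the values the old lines hard-coded) next to `sACME.enable = true` in host.nix, or give the options defaults. Because `certs."${config.sACME.domain}"` names the certificate after the option, any later `useACMEHost` reference in a vhost should use the same option rather than a literal, otherwise the two silently diverge.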
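Review bot: `services.nginx.enable = true;` is now unconditional, whereas the old hunk gated the whole module on the server hostname; every host importing module/nginx.nix will run nginx with no virtual hosts unless `sVAULTWARDEN.enable` or `sROUNDCUBE.enable` is set. Tie it to the services it fronts, `services.nginx.enable = config.sVAULTWARDEN.enable || config.sROUNDCUBE.enable;`, so the listener only exists where a vhost does. Separately, the Vaultwarden vhost still listens on `0.0.0.0:externalPort` with a plain `proxyPass` and no `forceSSL`/`useACMEHost`, so unless TLS is terminated in front of it (the newt tunnel, perhaps) vault credentials cross the network in clear, and Vaultwarden's web vault needs a secure context anyway; a certificate from the ACME module this repository already provisions would be the natural fix. The `mkMerge` list opened here continues in the next hunk.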
@@ -20,21 +19,18 @@ lib.mkIf (config.networking.hostName == "ThinkCentre-Server-004") { ''; }; }; + }) + (mkIf config.sROUNDCUBE.enable { "${config.HostName}-roundcube" = { - listen = [ - { addr = "0.0.0.0"; port = 1984; } - ]; - + listen = [{ addr = "0.0.0.0"; port = config.sROUNDCUBE.port; }]; root = "${pkgs.roundcube}/public_html"; - locations."/" = { extraConfig = '' index index.php index.html; try_files $uri $uri/ /index.php?$args; ''; }; - locations."~ \\.php$" = { extraConfig = '' include ${pkgs.nginx}/conf/fastcgi_params; @@ -43,9 +39,11 @@ lib.mkIf (config.networking.hostName == "ThinkCentre-Server-004") { ''; }; }; - }; - }; + }) + ]; - - networking.firewall.allowedTCPPorts = [ 1984 8000 ]; + networking.firewall.allowedTCPPorts = concatLists [ + (if config.sVAULTWARDEN.enable then [ config.sVAULTWARDEN.externalPort ] else []) + (if config.sROUNDCUBE.enable then [ config.sROUNDCUBE.port ] else []) + ]; } diff --git a/module/roundcube.nix b/module/roundcube.nix index 99566db..1e953cb 100644 --- a/module/roundcube.nix +++ b/module/roundcube.nix @@ -1,16 +1,15 @@ -{ config,pkgs,lib, ... }: +{ config, pkgs, lib, ... }: -lib.mkIf (config.networking.hostName == "ThinkCentre-Server-004") { +lib.mkIf config.sROUNDCUBE.enable { services.roundcube = { enable = true; hostName = "${config.HostName}"; plugins = [ "multiple_accounts" ]; - configureNginx = false; extraConfig = '' - # PurelyMail is the entreprise who host my mail + # PurelyMail configuration $config['default_host'] = 'ssl://imap.purelymail.com'; $config['default_port'] = 993; $config['smtp_server'] = 'tls://smtp.purelymail.com'; @@ -22,5 +21,4 @@ lib.mkIf (config.networking.hostName == "ThinkCentre-Server-004") { systemd.services.nginx.serviceConfig.ProtectHome = false; users.groups.roundcube.members = [ "nginx" ]; - } diff --git a/module/searXNG.nix b/module/searXNG.nix index f88a4d5..42a9a35 100644 --- a/module/searXNG.nix +++ b/module/searXNG.nix 
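Review bot: The `concatLists` with two `if … then [ … ] else []` branches in `networking.firewall.allowedTCPPorts` is the hand-written form of `lib.optional`, already in scope through `with lib;`: `networking.firewall.allowedTCPPorts = optional config.sVAULTWARDEN.enable config.sVAULTWARDEN.externalPort ++ optional config.sROUNDCUBE.enable config.sROUNDCUBE.port;`. A one-line comment is worth adding too, since these are the plain-HTTP listeners of the two vhosts above and are opened on every interface: `# Plain-HTTP entry points for the vhosts above; keep in sync with their listen ports` tells the next reader why these ports are world-open.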
@@ -1,6 +1,6 @@ { config,lib,pkgs, ... }: -lib.mkIf (config.networking.hostName == "ThinkCentre-Server-004"){ +lib.mkIf config.sSEARXNG.enable { services.searx = { enable = true; redisCreateLocally = true; @@ -9,7 +9,7 @@ lib.mkIf (config.networking.hostName == "ThinkCentre-Server-004"){ environmentFile = "/etc/searx.env"; settings.server = { bind_address = "0.0.0.0"; - port = 1692; + port = config.sSEARXNG.port; }; settings.engines = lib.mapAttrsToList (name: value: { inherit name; } // value) { "wikidata".disabled = true; diff --git a/module/tailscale.nix b/module/tailscale.nix index 8a6ce09..b29a6d5 100644 --- a/module/tailscale.nix +++ b/module/tailscale.nix @@ -1,17 +1,17 @@ - {config,lib, ... }: +{ config, lib, pkgs, ... }: -{ +lib.mkIf config.sTAILSCALE.enable { services.tailscale = { - enable = true; - extraDaemonFlags = [ - "--no-logs-no-support" - ]; + enable = true; + extraDaemonFlags = [ + "--no-logs-no-support" + ]; - extraSetFlags = [ - "--ssh=false" - ]; - useRoutingFeatures = "server"; # or "client" / "both" - }; + extraSetFlags = [ + "--ssh=false" + ]; + useRoutingFeatures = "server"; + }; networking.firewall = { allowedTCPPorts = [ 443 ]; diff --git a/module/vaultWarden.nix b/module/vaultWarden.nix index c09c204..ef190ed 100644 --- a/module/vaultWarden.nix +++ b/module/vaultWarden.nix @@ -1,16 +1,12 @@ -{ config, pkgs, lib, ... }: +{ config, lib, ... }: -lib.mkIf (config.networking.hostName == "ThinkCentre-Server-004"){ +lib.mkIf config.sVAULTWARDEN.enable { services.vaultwarden = { enable = true; - - backupDir = "/var/local/vaultwarden/backup"; - - environmentFile = "/etc/vaultwarden.env"; - config = { + ROCKET_PORT = config.sVAULTWARDEN.internalPort; + ROCKET_ADDRESS = "127.0.0.1"; SIGNUPS_ALLOWED = true; - ROCKET_PORT = 8222; }; }; }
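Review bot: `pkgs` was added to the module's argument set but nothing in the hunk uses it; apart from the `mkIf config.sTAILSCALE.enable` wrapper the change is re-indentation, so the header can stay `{ config, lib, ... }:`. The reformat also dropped the comment on `useRoutingFeatures = "server"`; if I read the NixOS module right that setting turns on kernel IP forwarding for the whole host, so a short `# "server": this node may advertise routes / act as exit node (enables IP forwarding)` is worth keeping. The `networking.firewall` attrset that starts at the end of this hunk continues outside it.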
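Review bot: Dropping `environmentFile = "/etc/vaultwarden.env"` removes the only out-of-store source of settings this module had; if that file carried `ADMIN_TOKEN` or other secrets (not visible here) they are now silently unconfigured, and they must not be moved into `config`, which lands world-readable in the Nix store. `backupDir` went in the same hunk, which, if I read the NixOS module right, also disables its periodic SQLite backup. `SIGNUPS_ALLOWED = true` survives while the nginx vhost for this service is reachable on every interface, so anyone who can reach the port can register; set `SIGNUPS_ALLOWED = false;` once the intended accounts exist, or restrict registration with `SIGNUPS_DOMAINS_WHITELIST`. `ROCKET_ADDRESS = "127.0.0.1"` is a good addition: Vaultwarden is now only reachable through nginx.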