| author | Mel <einebeere@gmail.com> | 2024-12-26 17:24:04 +0100 |
|---|---|---|
| committer | Mel <einebeere@gmail.com> | 2024-12-26 17:31:29 +0100 |
| commit | ce64e6e1990b62451acb3822b7ab914e16b122b6 (patch) | |
| tree | 3793d855dc49b849e82c919a36d4c376bf00f36f | |
| parent | 98cdef36e124b0b5ae90021a92408bb7899660c2 (diff) | |
| download | network-ce64e6e1990b62451acb3822b7ab914e16b122b6.tar.zst network-ce64e6e1990b62451acb3822b7ab914e16b122b6.zip | |
Pull out web configuration from specific machine modules
Signed-off-by: Mel <einebeere@gmail.com>
| -rw-r--r-- | machines/corsac/default.nix | 2 | ||||
| -rw-r--r-- | machines/lapin/default.nix | 47 | ||||
| -rw-r--r-- | machines/renard/default.nix | 100 | ||||
| -rw-r--r-- | modules/www/default.nix (renamed from modules/www.nix) | 39 | ||||
| -rw-r--r-- | modules/www/tailnet.nix | 89 | ||||
| -rw-r--r-- | services/akkoma/default.nix | 14 | ||||
| -rw-r--r-- | services/cgit.nix | 17 | ||||
| -rw-r--r-- | services/irc/gamja.nix | 2 | ||||
| -rw-r--r-- | services/miniflux.nix | 2 | ||||
| -rw-r--r-- | services/monitoring/default.nix | 2 | ||||
| -rw-r--r-- | services/pds.nix | 35 | ||||
| -rw-r--r-- | services/shiori.nix | 4 |
12 files changed, 180 insertions, 173 deletions
diff --git a/machines/corsac/default.nix b/machines/corsac/default.nix
index f579884..66c898c 100644
--- a/machines/corsac/default.nix
+++ b/machines/corsac/default.nix
@@ -7,9 +7,9 @@
 ./hardware.nix
 ./devices.nix
+ ../../modules/www
 ../../modules/dns.nix
 ../../modules/ddns.nix
- ../../modules/www.nix
 ../../modules/nfs.nix
 ../../modules/jellyfin.nix
diff --git a/machines/lapin/default.nix b/machines/lapin/default.nix
index f08b644..4940df6 100644
--- a/machines/lapin/default.nix
+++ b/machines/lapin/default.nix
@@ -7,7 +7,7 @@
 ./hardware.nix
 ./devices.nix
- ../../modules/www.nix
+ ../../modules/www
 ../../services/conduwuit.nix
 ../../services/pds.nix
@@ -19,50 +19,5 @@
 services = [ "base" "akkoma" "pds" "conduwuit" ];
 };
- age.secrets.cloudflare-dns = {
- file = ../../secrets/cloudflare-dns.age;
- };
-
- security.acme.certs."pds.rnrd.eu" = {
- group = "nginx";
- domain = "*.pds.rnrd.eu";
- extraDomainNames = [ "pds.rnrd.eu" ];
- dnsProvider = "cloudflare";
- credentialFiles = {
- CLOUDFLARE_DNS_API_TOKEN_FILE = config.age.secrets.cloudflare-dns.path;
- };
- };
-
- services.nginx.virtualHosts = {
- "soc.rnrd.eu" = {
- forceSSL = true;
- enableACME = true;
-
- locations."/" = {
- proxyWebsockets = true;
- proxyPass = "http://127.0.0.1:1111";
- };
-
- extraConfig = ''
- access_log /var/log/nginx/akkoma.access.log json_combined;
- '';
- };
-
- "pds.rnrd.eu" = {
- serverAliases = [ "*.pds.rnrd.eu" ];
- forceSSL = true;
- useACMEHost = "pds.rnrd.eu";
-
- locations."/" = {
- proxyWebsockets = true;
- proxyPass = "http://127.0.0.1:16419";
- };
-
- extraConfig = ''
- access_log /var/log/nginx/pds.access.log json_combined;
- '';
- };
- };
-
 system.stateVersion = "23.05";
 }
diff --git a/machines/renard/default.nix b/machines/renard/default.nix
index d443886..e5fc21f 100644
--- a/machines/renard/default.nix
+++ b/machines/renard/default.nix
@@ -1,4 +1,4 @@
-{ me, machines, pkgs, lib, ... }:
+{ me, machines, ... }:
 {
 imports = [
@@ -7,7 +7,7 @@
 ./hardware.nix
 ./devices.nix
- ../../modules/www.nix
+ ../../modules/www
 ../../modules/git.nix
 ../../modules/syncthing.nix
@@ -29,72 +29,6 @@
 services = [ "base" "tailnet" "git" "mel" "shorest" ];
 };
- systemd.services."acme-${me.tailscale.domain}" =
- let
- oneWeekInSeconds = 7 * 24 * 60 * 60;
-
- tailscaleRenewScript = pkgs.writeShellScript "tailscale-cert-renew" ''
- set -euxo pipefail
-
- check_validity() {
- pem=$1
- ${pkgs.openssl}/bin/openssl x509 \
- -checkend ${toString oneWeekInSeconds} \
- -noout <$pem
- }
-
- try_renew() {
- ${pkgs.tailscale}/bin/tailscale cert \
- --cert-file certificates/fullchain.pem \
- --key-file certificates/key.pem \
- ${me.tailscale.domain}
- }
-
- cut_out_certificate_authority() {
- fullchain=$1
- buf=""
- while read LINE; do
- if [[ $LINE == *"BEGIN CERTIFICATE"* ]]; then
- buf=""
- fi
- buf="$buf$LINE"$'\n'
- done < $fullchain
- echo "$buf"
- }
-
- install_certificates() {
- touch out/renewed
- cp -vp 'certificates/fullchain.pem' out/fullchain.pem
- cp -vp 'certificates/key.pem' out/key.pem
- ln -sf fullchain.pem out/cert.pem
- cat out/key.pem out/fullchain.pem > out/full.pem
- cut_out_certificate_authority out/fullchain.pem > out/chain.pem
- chown 'acme:nginx' out/*
- chmod 640 out/*
- }
-
- if [[ ! -e 'out/fullchain.pem' ]] || ! check_validity out/fullchain.pem; then
- echo 1>&2 "attempting tailscale certificate renewal..."
- if ! try_renew; then
- echo 1>&2 "renewal failed :("
- exit 1
- fi
- install_certificates
- echo 1>&2 "successfully renewed certificate :)"
- else
- echo 1>&2 "renewal not yet necessary."
- fi
- '';
- in {
- after = [ "tailscaled.service" ];
- requires = [ "tailscaled.service" ];
- serviceConfig = {
- ExecStart = lib.mkForce "+${tailscaleRenewScript}";
- };
- };
-
- security.acme.preliminarySelfsigned = false;
-
 services.nginx.virtualHosts = {
 "rnrd.eu".locations = {
 # redirect to akkoma on lapin
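Review bot: `security.acme.preliminarySelfsigned = false;` is dropped here together with the tailscale renewal unit, but the new modules/www/tailnet.nix re-creates only the `acme-${me.tailscale.domain}` override and the vhost, so the option silently falls back to the NixOS default. As far as I recall, with the default the ACME module first installs a self-signed placeholder into the certificate directory; if that placeholder is valid for longer than the one-week `-checkend` window, `check_validity` in the custom script succeeds, `tailscale cert` is never run, and nginx keeps serving the untrusted placeholder on the tailnet vhost (the placeholder's lifetime is not visible here, so confirm it). Unless dropping it is intended, carry `security.acme.preliminarySelfsigned = false;` into tailnet.nix next to the systemd override, and mention either way in the commit message.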
@@ -127,19 +61,6 @@
 };
 };
- # tailnet internal vhost
- "renard" = {
- forceSSL = true;
- enableACME = true;
- serverName = me.tailscale.domain;
- listenAddresses = [ me.tailscale.ip ];
- # point to the default page, for now!
- locations."/" = { alias = "/var/www/html/"; };
- extraConfig = ''
- access_log /var/log/nginx/tailnet.access.log json_combined;
- '';
- };
-
 "sho.rest" = {
 enableACME = true;
 forceSSL = true;
@@ -159,23 +80,6 @@
 access_log /var/log/nginx/mel.access.log json_combined;
 '';
 };
-
- "git.rnrd.eu" = {
- enableACME = true;
- forceSSL = true;
- locations = {
- "/" = {
- proxyPass = "http://127.0.0.1:3792";
- };
-
- "/static/" = {
- alias = "/srv/cgit/static/";
- };
- };
- extraConfig = ''
- access_log /var/log/nginx/git.access.log json_combined;
- '';
- };
 };
 system.stateVersion = "24.05";
diff --git a/modules/www.nix b/modules/www/default.nix
index 7ce880b..f6bb4e4 100644
--- a/modules/www.nix
+++ b/modules/www/default.nix
@@ -1,12 +1,11 @@
 { me, ... }:
-let
- rnrdUrl =
- if me.is.renard
- then "rnrd.eu"
- else "${me.name}.rnrd.eu";
+let
+ rnrdUrl = if me.is.renard then "rnrd.eu" else "${me.name}.rnrd.eu";
 in
 {
+ imports = [ ./tailnet.nix ];
+
 security.acme = {
 acceptTerms = true;
 defaults.email = "einebeere@gmail.com";
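Review bot: `imports = [ ./tailnet.nix ];` makes the tailnet vhost and the `acme-${me.tailscale.domain}` unit override part of the shared www module, so corsac and lapin, which switch to `../../modules/www` in this same commit, now evaluate it too, while renard is the only machine listing `"tailnet"` in its services. If `me.tailscale.domain` and `me.tailscale.ip` are unset on those hosts the evaluation fails; if they are set, each host gains an ACME-enabled vhost bound to its tailscale address and a root-run renewal unit it did not have before. How `me` is built is not visible here, so this may be intended; otherwise gate the module on a host-specific condition (for example wrapping tailnet.nix's body in `lib.mkIf (me ? tailscale) { … }`, or importing it only from machines/renard) and note the intent in the commit message.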
@@ -23,26 +22,28 @@ in
 commonHttpConfig = ''
 log_format json_combined escape=json '{'
- '"time_local":"$time_local",'
- '"remote_addr":"$remote_addr",'
- '"remote_user":"$remote_user",'
- '"request":"$request",'
- '"status": "$status",'
- '"body_bytes_sent":"$body_bytes_sent",'
- '"request_length":"$request_length",'
- '"request_time":"$request_time",'
- '"http_referrer":"$http_referer",'
- '"http_user_agent":"$http_user_agent",'
- '"upstream_response_time":"$upstream_response_time",'
- '"upstream_addr":"$upstream_addr",'
- '"upstream_status":"$upstream_status"'
+ '"time_local":"$time_local",'
+ '"remote_addr":"$remote_addr",'
+ '"remote_user":"$remote_user",'
+ '"request":"$request",'
+ '"status": "$status",'
+ '"body_bytes_sent":"$body_bytes_sent",'
+ '"request_length":"$request_length",'
+ '"request_time":"$request_time",'
+ '"http_referrer":"$http_referer",'
+ '"http_user_agent":"$http_user_agent",'
+ '"upstream_response_time":"$upstream_response_time",'
+ '"upstream_addr":"$upstream_addr",'
+ '"upstream_status":"$upstream_status"'
 '}';
 access_log /var/log/nginx/access.log json_combined;
 error_log /var/log/nginx/error.log warn;
 '';
 virtualHosts = {
- default = { default = true; };
+ default = {
+ default = true;
+ };
 ${rnrdUrl} = {
 root = "/var/www/html";
 forceSSL = true;
diff --git a/modules/www/tailnet.nix b/modules/www/tailnet.nix
new file mode 100644
index 0000000..df70a55
--- /dev/null
+++ b/modules/www/tailnet.nix
@@ -0,0 +1,89 @@
+{
+ me,
+ lib,
+ pkgs,
+ ...
+}:
+
+let
+ oneWeekInSeconds = 7 * 24 * 60 * 60;
+
+ tailscaleRenewScript = pkgs.writeShellScript "tailscale-cert-renew" ''
+ set -euxo pipefail
+
+ check_validity() {
+ pem=$1
+ ${pkgs.openssl}/bin/openssl x509 \
+ -checkend ${toString oneWeekInSeconds} \
+ -noout <$pem
+ }
+
+ try_renew() {
+ ${pkgs.tailscale}/bin/tailscale cert \
+ --cert-file certificates/fullchain.pem \
+ --key-file certificates/key.pem \
+ ${me.tailscale.domain}
+ }
+
+ cut_out_certificate_authority() {
+ fullchain=$1
+ buf=""
+ while read LINE; do
+ if [[ $LINE == *"BEGIN CERTIFICATE"* ]]; then
+ buf=""
+ fi
+ buf="$buf$LINE"$'\n'
+ done < $fullchain
+ echo "$buf"
+ }
+
+ install_certificates() {
+ touch out/renewed
+ cp -vp 'certificates/fullchain.pem' out/fullchain.pem
+ cp -vp 'certificates/key.pem' out/key.pem
+ ln -sf fullchain.pem out/cert.pem
+ cat out/key.pem out/fullchain.pem > out/full.pem
+ cut_out_certificate_authority out/fullchain.pem > out/chain.pem
+ chown 'acme:nginx' out/*
+ chmod 640 out/*
+ }
+
+ if [[ ! -e 'out/fullchain.pem' ]] || ! check_validity out/fullchain.pem; then
+ echo 1>&2 "attempting tailscale certificate renewal..."
+ if ! try_renew; then
+ echo 1>&2 "renewal failed :("
+ exit 1
+ fi
+ install_certificates
+ echo 1>&2 "successfully renewed certificate :)"
+ else
+ echo 1>&2 "renewal not yet necessary."
+ fi
+ '';
+
+in
+{
+ # overwrite default acme behaviour with tailscale
+ systemd.services."acme-${me.tailscale.domain}" = {
+ after = [ "tailscaled.service" ];
+ requires = [ "tailscaled.service" ];
+ serviceConfig = {
+ ExecStart = lib.mkForce "+${tailscaleRenewScript}";
+ };
+ };
+
+ # tailnet internal vhost
+ services.nginx.virtualHosts.tailnet = {
+ forceSSL = true;
+ enableACME = true;
+ serverName = me.tailscale.domain;
+ listenAddresses = [ me.tailscale.ip ];
+ # point to the default page, for now!
+ locations."/" = {
+ alias = "/var/www/html/";
+ };
+ extraConfig = ''
+ access_log /var/log/nginx/tailnet.access.log json_combined;
+ '';
+ };
+}
diff --git a/services/akkoma/default.nix b/services/akkoma/default.nix
index 939e9be..101d805 100644
--- a/services/akkoma/default.nix
+++ b/services/akkoma/default.nix
@@ -108,4 +108,18 @@ in
 entrypoint = "/bin/fedifetcher-entry.sh";
 };
 };
+
+ services.nginx.virtualHosts."soc.rnrd.eu" = {
+ forceSSL = true;
+ enableACME = true;
+
+ locations."/" = {
+ proxyWebsockets = true;
+ proxyPass = "http://127.0.0.1:${toString akkomaLocalPort}";
+ };
+
+ extraConfig = ''
+ access_log /var/log/nginx/akkoma.access.log json_combined;
+ '';
+ };
 }
diff --git a/services/cgit.nix b/services/cgit.nix
index f8c2930..116a3de 100644
--- a/services/cgit.nix
+++ b/services/cgit.nix
@@ -51,4 +51,21 @@ in
 "-f" "/etc/lighttpd/cgit.conf"
 ];
 };
+
+ services.nginx.virtualHosts."git.rnrd.eu" = {
+ enableACME = true;
+ forceSSL = true;
+ locations = {
+ "/" = {
+ proxyPass = "http://127.0.0.1:3792";
+ };
+
+ "/static/" = {
+ alias = "/srv/cgit/static/";
+ };
+ };
+ extraConfig = ''
+ access_log /var/log/nginx/git.access.log json_combined;
+ '';
+ };
 }
diff --git a/services/irc/gamja.nix b/services/irc/gamja.nix
index 779b5b2..1c7c7f7 100644
--- a/services/irc/gamja.nix
+++ b/services/irc/gamja.nix
@@ -28,7 +28,7 @@ let
 in
 {
 # gamja is tailnet interal
- services.nginx.virtualHosts.renard.locations = {
+ services.nginx.virtualHosts.tailnet.locations = {
 "/gamja" = {
 return = "301 $scheme://$host$request_uri/";
 };
diff --git a/services/miniflux.nix b/services/miniflux.nix
index 9b4f972..c2f864b 100644
--- a/services/miniflux.nix
+++ b/services/miniflux.nix
@@ -51,7 +51,7 @@ in
 };
 };
- services.nginx.virtualHosts.renard.locations = {
+ services.nginx.virtualHosts.tailnet.locations = {
 "/miniflux" = {
 return = "301 $scheme://$host$request_uri/";
 };
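Review bot: `cut_out_certificate_authority` keeps only the last `BEGIN CERTIFICATE` block of `out/fullchain.pem`, because `buf` is reset on every marker, so `out/chain.pem` holds a single certificate even if the chain tailscale returns ever contains more than one intermediate; that is fine for a leaf-plus-one-intermediate chain but deserves a comment such as `# keeps only the final certificate of the chain`. The loop reads with a bare `read`, which strips backslashes and surrounding whitespace; use `while IFS= read -r LINE; do` so PEM lines are copied unchanged. Because the script runs under `set -x`, every iteration traces the growing `$buf` into the journal: public certificate data only, so noise rather than a leak, but it makes the renewal log hard to read. The `chown 'acme:nginx' out/*` and `chmod 640 out/*` on the copied key match the `group = "nginx"` convention the ACME module uses elsewhere in this commit, so that part looks consistent.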
diff --git a/services/monitoring/default.nix b/services/monitoring/default.nix
index ecbb9c4..09bda40 100644
--- a/services/monitoring/default.nix
+++ b/services/monitoring/default.nix
@@ -75,7 +75,7 @@ in
 };
 };
- services.nginx.virtualHosts.renard.locations = {
+ services.nginx.virtualHosts.tailnet.locations = {
 "/grafana" = {
 return = "301 $scheme://$host$request_uri/";
 };
diff --git a/services/pds.nix b/services/pds.nix
index 671dc6a..5f1c8e0 100644
--- a/services/pds.nix
+++ b/services/pds.nix
@@ -3,9 +3,10 @@ let
 inherit (pkgs) dockerTools glibc;
 inherit (auxiliaryPkgs) common;
- inherit (auxiliaryPkgs.bluesky) pds pdsadmin;
+ inherit (config.age) secrets;
+ pdsLocalPort = 16419;
 pdsDir = "/srv/pds";
@@ -25,8 +26,9 @@ let
 in
 {
- age.secrets.pds-secrets = {
- file = ../secrets/pds-secrets.age;
+ age.secrets = {
+ pds-secrets.file = ../secrets/pds-secrets.age;
+ cloudflare-dns.file = ../secrets/cloudflare-dns.age;
 };
 foundation.services.pds = {
@@ -55,9 +57,34 @@ in
 LOG_ENABLED = "true";
 };
- environmentFiles = [ config.age.secrets.pds-secrets.path ];
+ environmentFiles = [ secrets.pds-secrets.path ];
 workdir = "/pds";
 entrypoint = "${pds}/bin/pds";
 };
+
+ security.acme.certs."pds.rnrd.eu" = {
+ group = "nginx";
+ domain = "*.pds.rnrd.eu";
+ extraDomainNames = [ "pds.rnrd.eu" ];
+ dnsProvider = "cloudflare";
+ credentialFiles = {
+ CLOUDFLARE_DNS_API_TOKEN_FILE = secrets.cloudflare-dns.path;
+ };
+ };
+
+ services.nginx.virtualHosts."pds.rnrd.eu" = {
+ serverAliases = [ "*.pds.rnrd.eu" ];
+ forceSSL = true;
+ useACMEHost = "pds.rnrd.eu";
+
+ locations."/" = {
+ proxyWebsockets = true;
+ proxyPass = "http://127.0.0.1:16419";
+ };
+
+ extraConfig = ''
+ access_log /var/log/nginx/pds.access.log json_combined;
+ '';
+ };
 }
diff --git a/services/shiori.nix b/services/shiori.nix
index d57ebdc..cddefca 100644
--- a/services/shiori.nix
+++ b/services/shiori.nix
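Review bot: `proxyPass = "http://127.0.0.1:16419";` in the new `services.nginx.virtualHosts."pds.rnrd.eu"` block repeats the port that this file already binds as `pdsLocalPort = 16419;` in its let-block, so the two can drift apart the next time the port changes; the akkoma hunk in this same commit already uses the interpolated form. Change it to `proxyPass = "http://127.0.0.1:${toString pdsLocalPort}";`. Declaring `cloudflare-dns` here next to `pds-secrets` scopes the DNS API token to the one service that needs it, which is tighter than the machine-level declaration it replaces; the module attribute set these blocks sit in starts outside the hunk.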
@@ -1,4 +1,4 @@
-{ lib, pkgs, auxiliaryPkgs, ... }:
+{ pkgs, auxiliaryPkgs, ... }:
 let
 inherit (pkgs) dockerTools;
@@ -47,7 +47,7 @@ in
 cmd = [ "server" ];
 };
- services.nginx.virtualHosts.renard.locations = {
+ services.nginx.virtualHosts.tailnet.locations = {
 "/shiori" = {
 return = "301 $scheme://$host$request_uri/";
 };
|
