diff options
| author | Mel <mel@rnrd.eu> | 2025-04-16 12:49:53 +0200 |
|---|---|---|
| committer | Mel <mel@rnrd.eu> | 2025-04-16 12:49:53 +0200 |
| commit | 5e1a9f0179c0beb73b63140a3ee20c4acb04fcc4 (patch) | |
| tree | e2d3c83e761dc2bec056d81c268bc500ad148a6c /modules/www | |
| parent | 6c9f992808b6cf8b079f4c8cfa5625de1e624618 (diff) | |
| download | network-5e1a9f0179c0beb73b63140a3ee20c4acb04fcc4.tar.zst network-5e1a9f0179c0beb73b63140a3ee20c4acb04fcc4.zip | |
Move WWW configuration into foundation module, and make it configurable
Signed-off-by: Mel <mel@rnrd.eu>
Diffstat (limited to 'modules/www')
| -rw-r--r-- | modules/www/default.nix | 105 | ||||
| -rw-r--r-- | modules/www/tailnet.nix | 112 |
2 files changed, 0 insertions, 217 deletions
diff --git a/modules/www/default.nix b/modules/www/default.nix deleted file mode 100644 index ecc9b66..0000000 --- a/modules/www/default.nix +++ /dev/null @@ -1,105 +0,0 @@ -{ - me, - config, - pkgs, - lib, - util, - ... -}: - -let - inherit (lib) mergeAttrsList; - inherit (config.age) secrets; - - rnrdUrl = if me.is.renard then "rnrd.eu" else "${me.name}.rnrd.eu"; - - base-index = pkgs.substituteAll { - src = ../../assets/base.html; - env.me = util.titleCase me.name; - }; - - base = pkgs.linkFarm "www-base" { - "index.html" = base-index; - "favicon.png" = ../../assets/favicon.png; - }; - - certificate = domain: { - ${domain} = { - domain = "*.${domain}"; - extraDomainNames = [ domain ]; - - dnsProvider = "cloudflare"; - credentialFiles = { - CLOUDFLARE_DNS_API_TOKEN_FILE = secrets.cloudflare-dns.path; - }; - }; - }; -in -{ - imports = [ ./tailnet.nix ]; - - age.secrets = { - cloudflare-dns.file = ../../secrets/cloudflare-dns.age; - }; - - security.acme = { - acceptTerms = true; - # causes issues with tailscale certificates - preliminarySelfsigned = false; - defaults = { - email = "mel@rnrd.eu"; - # our certificates are really only used with Nginx - group = config.services.nginx.group; - reloadServices = [ "nginx.service" ]; - }; - - certs = mergeAttrsList [ - (certificate "rnrd.eu") - (certificate "rnrd.fyi") - ]; - }; - - services.nginx = { - enable = true; - recommendedGzipSettings = true; - recommendedOptimisation = true; - recommendedProxySettings = true; - recommendedTlsSettings = true; - - statusPage = true; - - commonHttpConfig = '' - log_format json_combined escape=json '{' - '"time_local":"$time_local",' - '"remote_addr":"$remote_addr",' - '"remote_user":"$remote_user",' - '"request":"$request",' - '"status": "$status",' - '"body_bytes_sent":"$body_bytes_sent",' - '"request_length":"$request_length",' - '"request_time":"$request_time",' - '"http_referrer":"$http_referer",' - '"http_user_agent":"$http_user_agent",' - '"upstream_response_time":"$upstream_response_time",' - '"upstream_addr":"$upstream_addr",' - '"upstream_status":"$upstream_status"' - '}'; - access_log /var/log/nginx/access.log json_combined; - error_log /var/log/nginx/error.log warn; - ''; - - virtualHosts = { - base = { - default = true; - serverName = rnrdUrl; - forceSSL = true; - useACMEHost = "rnrd.eu"; - - root = base; - extraConfig = '' - access_log /var/log/nginx/base.access.log json_combined; - ''; - }; - }; - }; -} diff --git a/modules/www/tailnet.nix b/modules/www/tailnet.nix deleted file mode 100644 index 56cfbf4..0000000 --- a/modules/www/tailnet.nix +++ /dev/null @@ -1,112 +0,0 @@ -# NOTE: the tailnet virtual host and it's certificate management -# has been mostly superseded by the `rnrd.fyi` domain, allowing -# for both vastly simpler certificate requesting and subdomains, -# which tailscale does not support for their magicdns product. -{ - me, - config, - lib, - pkgs, - ... -}: - -let - rnrdInternalUrl = if me.is.renard then "rnrd.fyi" else "${me.name}.rnrd.fyi"; - - oneWeekInSeconds = 7 * 24 * 60 * 60; - - tailscaleRenewScript = pkgs.writeShellScript "tailscale-cert-renew" '' - set -euxo pipefail - - check_validity() { - pem=$1 - ${pkgs.openssl}/bin/openssl x509 \ - -checkend ${toString oneWeekInSeconds} \ - -noout <$pem - } - - try_renew() { - ${pkgs.tailscale}/bin/tailscale cert \ - --cert-file certificates/fullchain.pem \ - --key-file certificates/key.pem \ - ${me.tailscale.domain} - } - - cut_out_certificate_authority() { - fullchain=$1 - buf="" - while read LINE; do - if [[ $LINE == *"BEGIN CERTIFICATE"* ]]; then - buf="" - fi - buf="$buf$LINE"$'\n' - done < $fullchain - echo "$buf" - } - - install_certificates() { - touch out/renewed - cp -vp 'certificates/fullchain.pem' out/fullchain.pem - cp -vp 'certificates/key.pem' out/key.pem - ln -sf fullchain.pem out/cert.pem - cat out/key.pem out/fullchain.pem > out/full.pem - cut_out_certificate_authority out/fullchain.pem > out/chain.pem - chown 'acme:nginx' out/* - chmod 640 out/* - } - - if [[ ! -e 'out/fullchain.pem' ]] || ! check_validity out/fullchain.pem; then - echo 1>&2 "attempting tailscale certificate renewal..." - if ! try_renew; then - echo 1>&2 "renewal failed :(" - exit 1 - fi - install_certificates - echo 1>&2 "successfully renewed certificate :)" - else - echo 1>&2 "renewal not yet necessary." - fi - ''; - -in -{ - # overwrite default acme behaviour with tailscale - systemd.services."acme-${me.tailscale.domain}" = { - after = [ "tailscaled.service" ]; - requires = [ "tailscaled.service" ]; - serviceConfig = { - ExecStart = lib.mkForce "+${tailscaleRenewScript}"; - }; - }; - - # tailnet internal vhost - services.nginx.virtualHosts = { - # mostly superceded - tailnet = { - forceSSL = true; - enableACME = true; - serverName = me.tailscale.domain; - listenAddresses = [ me.tailscale.ip ]; - # point to the default page, for now! - locations."/" = { - alias = "${config.services.nginx.virtualHosts.base.root}/"; - }; - extraConfig = '' - access_log /var/log/nginx/tailnet.access.log json_combined; - ''; - }; - - # default page for the `rnrd.fyi` internal domain - ${rnrdInternalUrl} = { - useACMEHost = "rnrd.fyi"; - forceSSL = true; - listenAddresses = [ me.tailscale.ip ]; - locations."/" = { - alias = "${config.services.nginx.virtualHosts.base.root}/"; - }; - extraConfig = '' - access_log /var/log/nginx/tailnet.access.log json_combined; - ''; - }; - }; -} |