authorMel <einebeere@gmail.com>2024-12-26 17:24:04 +0100
committerMel <einebeere@gmail.com>2024-12-26 17:31:29 +0100
commitce64e6e1990b62451acb3822b7ab914e16b122b6 (patch)
tree3793d855dc49b849e82c919a36d4c376bf00f36f /services/pds.nix
parent98cdef36e124b0b5ae90021a92408bb7899660c2 (diff)
downloadnetwork-ce64e6e1990b62451acb3822b7ab914e16b122b6.tar.zst
network-ce64e6e1990b62451acb3822b7ab914e16b122b6.zip
Pull out web configuration from specific machine modules
Signed-off-by: Mel <einebeere@gmail.com>
Diffstat (limited to 'services/pds.nix')
-rw-r--r--services/pds.nix35
1 files changed, 31 insertions, 4 deletions
diff --git a/services/pds.nix b/services/pds.nix
index 671dc6a..5f1c8e0 100644
--- a/services/pds.nix
+++ b/services/pds.nix
@@ -3,9 +3,10 @@
 let
   inherit (pkgs) dockerTools glibc;
   inherit (auxiliaryPkgs) common;
-
   inherit (auxiliaryPkgs.bluesky) pds pdsadmin;
 
+  inherit (config.age) secrets;
+
   pdsLocalPort = 16419;
   pdsDir = "/srv/pds";
 
@@ -25,8 +26,9 @@ let
 
 in
 {
-  age.secrets.pds-secrets = {
-    file = ../secrets/pds-secrets.age;
+  age.secrets = {
+    pds-secrets.file = ../secrets/pds-secrets.age;
+    cloudflare-dns.file = ../secrets/cloudflare-dns.age;
   };
 
   foundation.services.pds = {
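Review bot: The new `cloudflare-dns.file = ../secrets/cloudflare-dns.age;` line gives no indication of what the token inside is allowed to do, and it is consumed as `CLOUDFLARE_DNS_API_TOKEN_FILE` for the DNS-01 challenge in the last hunk. A token used only for that purpose needs no more than zone read and DNS edit on the single zone that holds pds.rnrd.eu, so a leaked secret should not be able to touch other zones or account settings. I would record that next to the declaration, e.g. `# Cloudflare API token for ACME DNS-01 only: Zone:Read + DNS:Edit, restricted to the zone serving pds.rnrd.eu`. The token's actual scope cannot be checked from this diff, so it is worth confirming in the Cloudflare dashboard.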
@@ -55,9 +57,34 @@ in
       LOG_ENABLED = "true";
     };
 
-    environmentFiles = [ config.age.secrets.pds-secrets.path ];
+    environmentFiles = [ secrets.pds-secrets.path ];
 
     workdir = "/pds";
     entrypoint = "${pds}/bin/pds";
   };
+
+  security.acme.certs."pds.rnrd.eu" = {
+    group = "nginx";
+    domain = "*.pds.rnrd.eu";
+    extraDomainNames = [ "pds.rnrd.eu" ];
+    dnsProvider = "cloudflare";
+    credentialFiles = {
+      CLOUDFLARE_DNS_API_TOKEN_FILE = secrets.cloudflare-dns.path;
+    };
+  };
+
+  services.nginx.virtualHosts."pds.rnrd.eu" = {
+    serverAliases = [ "*.pds.rnrd.eu" ];
+    forceSSL = true;
+    useACMEHost = "pds.rnrd.eu";
+
+    locations."/" = {
+      proxyWebsockets = true;
+      proxyPass = "http://127.0.0.1:16419";
+    };
+
+    extraConfig = ''
+      access_log /var/log/nginx/pds.access.log json_combined;
+    '';
+  };
 }
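Review bot: `proxyPass = "http://127.0.0.1:16419";` repeats the port literal even though `pdsLocalPort = 16419` is already bound in the `let` block shown in the first hunk. If the two drift, nginx would forward this public TLS vhost to whatever else is listening on the old port, so I suggest `proxyPass = "http://127.0.0.1:${toString pdsLocalPort}";`. Separately, the location sets only `proxyWebsockets = true;`, so unless `services.nginx.recommendedProxySettings` is enabled in a module not visible here, the PDS would see nginx's upstream Host value and a 127.0.0.1 client address. That would collapse any per-IP rate limiting or audit logging in the service and may affect hostname-based handling behind the `*.pds.rnrd.eu` alias, so it is worth confirming. The `json_combined` log format is also defined outside this diff, so nginx will reject the configuration if the shared module that declares it is not imported on the same host.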