Diffstat (limited to 'machines')
-rw-r--r--machines/corsac/default.nix2
-rw-r--r--machines/lapin/default.nix47
-rw-r--r--machines/renard/default.nix100
3 files changed, 4 insertions, 145 deletions
diff --git a/machines/corsac/default.nix b/machines/corsac/default.nix
index f579884..66c898c 100644
--- a/machines/corsac/default.nix
+++ b/machines/corsac/default.nix
@@ -7,9 +7,9 @@
     ./hardware.nix
     ./devices.nix
 
+    ../../modules/www
     ../../modules/dns.nix
     ../../modules/ddns.nix
-    ../../modules/www.nix
     ../../modules/nfs.nix
     ../../modules/jellyfin.nix
 
diff --git a/machines/lapin/default.nix b/machines/lapin/default.nix
index f08b644..4940df6 100644
--- a/machines/lapin/default.nix
+++ b/machines/lapin/default.nix
@@ -7,7 +7,7 @@
     ./hardware.nix
     ./devices.nix
 
-    ../../modules/www.nix
+    ../../modules/www
 
     ../../services/conduwuit.nix
     ../../services/pds.nix
@@ -19,50 +19,5 @@
     services = [ "base" "akkoma" "pds" "conduwuit" ];
   };
 
-  age.secrets.cloudflare-dns = {
-    file = ../../secrets/cloudflare-dns.age;
-  };
-
-  security.acme.certs."pds.rnrd.eu" = {
-    group = "nginx";
-    domain = "*.pds.rnrd.eu";
-    extraDomainNames = [ "pds.rnrd.eu" ];
-    dnsProvider = "cloudflare";
-    credentialFiles = {
-      CLOUDFLARE_DNS_API_TOKEN_FILE = config.age.secrets.cloudflare-dns.path;
-    };
-  };
-
-  services.nginx.virtualHosts = {
-    "soc.rnrd.eu" = {
-      forceSSL = true;
-      enableACME = true;
-
-      locations."/" = {
-        proxyWebsockets = true;
-        proxyPass = "http://127.0.0.1:1111";
-      };
-
-      extraConfig = ''
-        access_log /var/log/nginx/akkoma.access.log json_combined;
-      '';
-    };
-
-    "pds.rnrd.eu" = {
-      serverAliases = [ "*.pds.rnrd.eu" ];
-      forceSSL = true;
-      useACMEHost = "pds.rnrd.eu";
-
-      locations."/" = {
-        proxyWebsockets = true;
-        proxyPass = "http://127.0.0.1:16419";
-      };
-
-      extraConfig = ''
-        access_log /var/log/nginx/pds.access.log json_combined;
-      '';
-    };
-  };
-
   system.stateVersion = "23.05";
 }
diff --git a/machines/renard/default.nix b/machines/renard/default.nix
index d443886..e5fc21f 100644
--- a/machines/renard/default.nix
+++ b/machines/renard/default.nix
@@ -1,4 +1,4 @@
-{ me, machines, pkgs, lib, ... }:
+{ me, machines, ... }:
 
 {
   imports = [
@@ -7,7 +7,7 @@
     ./hardware.nix
     ./devices.nix
 
-    ../../modules/www.nix
+    ../../modules/www
     ../../modules/git.nix
     ../../modules/syncthing.nix
 
@@ -29,72 +29,6 @@
     services = [ "base" "tailnet" "git" "mel" "shorest" ];
   };
 
-  systemd.services."acme-${me.tailscale.domain}" =
-  let
-    oneWeekInSeconds = 7 * 24 * 60 * 60;
-
-    tailscaleRenewScript = pkgs.writeShellScript "tailscale-cert-renew" ''
-      set -euxo pipefail
-
-      check_validity() {
-        pem=$1
-        ${pkgs.openssl}/bin/openssl x509 \
-          -checkend ${toString oneWeekInSeconds} \
-          -noout <$pem
-      }
-
-      try_renew() {
-        ${pkgs.tailscale}/bin/tailscale cert \
-          --cert-file certificates/fullchain.pem \
-          --key-file certificates/key.pem \
-          ${me.tailscale.domain}
-      }
-
-      cut_out_certificate_authority() {
-        fullchain=$1
-        buf=""
-        while read LINE; do
-          if [[ $LINE == *"BEGIN CERTIFICATE"* ]]; then
-            buf=""
-          fi
-          buf="$buf$LINE"$'\n'
-        done < $fullchain
-        echo "$buf"
-      }
-
-      install_certificates() {
-        touch out/renewed
-        cp -vp 'certificates/fullchain.pem' out/fullchain.pem
-        cp -vp 'certificates/key.pem' out/key.pem
-        ln -sf fullchain.pem out/cert.pem
-        cat out/key.pem out/fullchain.pem > out/full.pem
-        cut_out_certificate_authority out/fullchain.pem > out/chain.pem
-        chown 'acme:nginx' out/*
-        chmod 640 out/*
-      }
-
-      if [[ ! -e 'out/fullchain.pem' ]] || ! check_validity out/fullchain.pem; then
-        echo 1>&2 "attempting tailscale certificate renewal..."
-        if ! try_renew; then
-          echo 1>&2 "renewal failed :("
-          exit 1
-        fi
-        install_certificates
-        echo 1>&2 "successfully renewed certificate :)"
-      else
-        echo 1>&2 "renewal not yet necessary."
-      fi
-    '';
-  in {
-    after = [ "tailscaled.service" ];
-    requires = [ "tailscaled.service" ];
-    serviceConfig = {
-      ExecStart = lib.mkForce "+${tailscaleRenewScript}";
-    };
-  };
-
-  security.acme.preliminarySelfsigned = false;
-
   services.nginx.virtualHosts = {
     "rnrd.eu".locations = {
       # redirect to akkoma on lapin
@@ -127,19 +61,6 @@
       };
     };
 
-    # tailnet internal vhost
-    "renard" = {
-      forceSSL = true;
-      enableACME = true;
-      serverName = me.tailscale.domain;
-      listenAddresses = [ me.tailscale.ip ];
-      # point to the default page, for now!
-      locations."/" = { alias = "/var/www/html/"; };
-      extraConfig = ''
-        access_log /var/log/nginx/tailnet.access.log json_combined;
-      '';
-    };
-
     "sho.rest" = {
       enableACME = true;
       forceSSL = true;
@@ -159,23 +80,6 @@
         access_log /var/log/nginx/mel.access.log json_combined;
       '';
     };
-
-    "git.rnrd.eu" = {
-      enableACME = true;
-      forceSSL = true;
-      locations = {
-        "/" = {
-          proxyPass = "http://127.0.0.1:3792";
-        };
-
-        "/static/" = {
-          alias = "/srv/cgit/static/";
-        };
-      };
-      extraConfig = ''
-        access_log /var/log/nginx/git.access.log json_combined;
-      '';
-    };
   };
 
   system.stateVersion = "24.05";