Diffstat (limited to 'modules/foundation/www/tailnet.nix')
| -rw-r--r-- | modules/foundation/www/tailnet.nix | 121 |
1 files changed, 121 insertions, 0 deletions
diff --git a/modules/foundation/www/tailnet.nix b/modules/foundation/www/tailnet.nix
new file mode 100644
index 0000000..ff2410c
--- /dev/null
+++ b/modules/foundation/www/tailnet.nix
@@ -0,0 +1,121 @@
+# NOTE: the tailnet virtual host and it's certificate management
+# has been mostly superseded by the `rnrd.fyi` domain, allowing
+# for both vastly simpler certificate requesting and subdomains,
+# which tailscale does not support for their magicdns product.
+{
+ me,
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+
+let
+ cfg = config.foundation.www;
+
+ rnrdInternalUrl = if me.is.renard then "rnrd.fyi" else "${me.name}.rnrd.fyi";
+
+ oneWeekInSeconds = 7 * 24 * 60 * 60;
+
+ tailscaleRenewScript = pkgs.writeShellScript "tailscale-cert-renew" ''
+ set -euxo pipefail
+
+ check_validity() {
+ pem=$1
+ ${pkgs.openssl}/bin/openssl x509 \
+ -checkend ${toString oneWeekInSeconds} \
+ -noout <$pem
+ }
+
+ try_renew() {
+ ${pkgs.tailscale}/bin/tailscale cert \
+ --cert-file certificates/fullchain.pem \
+ --key-file certificates/key.pem \
+ ${me.tailscale.domain}
+ }
+
+ cut_out_certificate_authority() {
+ fullchain=$1
+ buf=""
+ while read LINE; do
+ if [[ $LINE == *"BEGIN CERTIFICATE"* ]]; then
+ buf=""
+ fi
+ buf="$buf$LINE"$'\n'
+ done < $fullchain
+ echo "$buf"
+ }
+
+ install_certificates() {
+ touch out/renewed
+ cp -vp 'certificates/fullchain.pem' out/fullchain.pem
+ cp -vp 'certificates/key.pem' out/key.pem
+ ln -sf fullchain.pem out/cert.pem
+ cat out/key.pem out/fullchain.pem > out/full.pem
+ cut_out_certificate_authority out/fullchain.pem > out/chain.pem
+ chown 'acme:nginx' out/*
+ chmod 640 out/*
+ }
+
+ if [[ ! -e 'out/fullchain.pem' ]] || ! check_validity out/fullchain.pem; then
+ echo 1>&2 "attempting tailscale certificate renewal..."
+ if ! try_renew; then
+ echo 1>&2 "renewal failed :("
+ exit 1
+ fi
+ install_certificates
+ echo 1>&2 "successfully renewed certificate :)"
+ else
+ echo 1>&2 "renewal not yet necessary."
+ fi
+ '';
+
+in
+{
+ options.foundation.www = {
+ tailnet = lib.mkEnableOption "tailnet internal host";
+ };
+
+ config =
+ lib.mkIf (cfg.enable && cfg.tailnet) {
+ # overwrite default acme behaviour with tailscale
+ systemd.services."acme-${me.tailscale.domain}" = {
+ after = [ "tailscaled.service" ];
+ requires = [ "tailscaled.service" ];
+ serviceConfig = {
+ ExecStart = lib.mkForce "+${tailscaleRenewScript}";
+ };
+ };
+
+ # tailnet internal vhost
+ services.nginx.virtualHosts = {
+ # mostly superceded
+ tailnet = {
+ forceSSL = true;
+ enableACME = true;
+ serverName = me.tailscale.domain;
+ listenAddresses = [ me.tailscale.ip ];
+ # point to the default page, for now!
+ locations."/" = {
+ alias = "${cfg.defaultPage}/";
+ };
+ extraConfig = ''
+ access_log /var/log/nginx/tailnet.access.log json_combined;
+ '';
+ };
+
+ # default page for the `rnrd.fyi` internal domain
+ ${rnrdInternalUrl} = {
+ useACMEHost = "rnrd.fyi";
+ forceSSL = true;
+ listenAddresses = [ me.tailscale.ip ];
+ locations."/" = {
+ alias = "${cfg.defaultPage}/";
+ };
+ extraConfig = ''
+ access_log /var/log/nginx/tailnet.access.log json_combined;
+ '';
+ };
+ };
+ };
+} |
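Review bot: `ExecStart = lib.mkForce "+${tailscaleRenewScript}"` runs the renewal script with full root privileges (the `+` prefix), which presumably discards whatever user and sandboxing the default acme unit applies, and the comment above it only says the default behaviour is overwritten. The script appears to need root only for `chown 'acme:nginx' out/*` and for writing into `out/`, so that trade-off should be recorded next to the override, e.g. `# "+" runs the script as root (bypassing the acme unit's user/sandbox); needed for the chown to acme:nginx in install_certificates`. Separately, `cut_out_certificate_authority` keeps only the last PEM block it sees, so `out/chain.pem` is truncated to a single certificate if the chain ever contains more than one intermediate; its loop should also read lines unmodified, `while IFS= read -r LINE; do`, so that a `read` without `-r` cannot alter the data it copies.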
