Diffstat (limited to 'modules/www')
| -rw-r--r-- | modules/www/default.nix | 105 | ||||
| -rw-r--r-- | modules/www/tailnet.nix | 112 |
2 files changed, 0 insertions, 217 deletions
diff --git a/modules/www/default.nix b/modules/www/default.nix
deleted file mode 100644
index ecc9b66..0000000
--- a/modules/www/default.nix
+++ /dev/null
@@ -1,105 +0,0 @@
-{
- me,
- config,
- pkgs,
- lib,
- util,
- ...
-}:
-
-let
- inherit (lib) mergeAttrsList;
- inherit (config.age) secrets;
-
- rnrdUrl = if me.is.renard then "rnrd.eu" else "${me.name}.rnrd.eu";
-
- base-index = pkgs.substituteAll {
- src = ../../assets/base.html;
- env.me = util.titleCase me.name;
- };
-
- base = pkgs.linkFarm "www-base" {
- "index.html" = base-index;
- "favicon.png" = ../../assets/favicon.png;
- };
-
- certificate = domain: {
- ${domain} = {
- domain = "*.${domain}";
- extraDomainNames = [ domain ];
-
- dnsProvider = "cloudflare";
- credentialFiles = {
- CLOUDFLARE_DNS_API_TOKEN_FILE = secrets.cloudflare-dns.path;
- };
- };
- };
-in
-{
- imports = [ ./tailnet.nix ];
-
- age.secrets = {
- cloudflare-dns.file = ../../secrets/cloudflare-dns.age;
- };
-
- security.acme = {
- acceptTerms = true;
- # causes issues with tailscale certificates
- preliminarySelfsigned = false;
- defaults = {
- email = "mel@rnrd.eu";
- # our certificates are really only used with Nginx
- group = config.services.nginx.group;
- reloadServices = [ "nginx.service" ];
- };
-
- certs = mergeAttrsList [
- (certificate "rnrd.eu")
- (certificate "rnrd.fyi")
- ];
- };
-
- services.nginx = {
- enable = true;
- recommendedGzipSettings = true;
- recommendedOptimisation = true;
- recommendedProxySettings = true;
- recommendedTlsSettings = true;
-
- statusPage = true;
-
- commonHttpConfig = ''
- log_format json_combined escape=json '{'
- '"time_local":"$time_local",'
- '"remote_addr":"$remote_addr",'
- '"remote_user":"$remote_user",'
- '"request":"$request",'
- '"status": "$status",'
- '"body_bytes_sent":"$body_bytes_sent",'
- '"request_length":"$request_length",'
- '"request_time":"$request_time",'
- '"http_referrer":"$http_referer",'
- '"http_user_agent":"$http_user_agent",'
- '"upstream_response_time":"$upstream_response_time",'
- '"upstream_addr":"$upstream_addr",'
- '"upstream_status":"$upstream_status"'
- '}';
- access_log /var/log/nginx/access.log json_combined;
- error_log /var/log/nginx/error.log warn;
- '';
-
- virtualHosts = {
- base = {
- default = true;
- serverName = rnrdUrl;
- forceSSL = true;
- useACMEHost = "rnrd.eu";
-
- root = base;
- extraConfig = ''
- access_log /var/log/nginx/base.access.log json_combined;
- '';
- };
- };
- };
-}
diff --git a/modules/www/tailnet.nix b/modules/www/tailnet.nix
deleted file mode 100644
index 56cfbf4..0000000
--- a/modules/www/tailnet.nix
+++ /dev/null
@@ -1,112 +0,0 @@
-# NOTE: the tailnet virtual host and it's certificate management
-# has been mostly superseded by the `rnrd.fyi` domain, allowing
-# for both vastly simpler certificate requesting and subdomains,
-# which tailscale does not support for their magicdns product.
-{
- me,
- config,
- lib,
- pkgs,
- ...
-}:
-
-let
- rnrdInternalUrl = if me.is.renard then "rnrd.fyi" else "${me.name}.rnrd.fyi";
-
- oneWeekInSeconds = 7 * 24 * 60 * 60;
-
- tailscaleRenewScript = pkgs.writeShellScript "tailscale-cert-renew" ''
- set -euxo pipefail
-
- check_validity() {
- pem=$1
- ${pkgs.openssl}/bin/openssl x509 \
- -checkend ${toString oneWeekInSeconds} \
- -noout <$pem
- }
-
- try_renew() {
- ${pkgs.tailscale}/bin/tailscale cert \
- --cert-file certificates/fullchain.pem \
- --key-file certificates/key.pem \
- ${me.tailscale.domain}
- }
-
- cut_out_certificate_authority() {
- fullchain=$1
- buf=""
- while read LINE; do
- if [[ $LINE == *"BEGIN CERTIFICATE"* ]]; then
- buf=""
- fi
- buf="$buf$LINE"$'\n'
- done < $fullchain
- echo "$buf"
- }
-
- install_certificates() {
- touch out/renewed
- cp -vp 'certificates/fullchain.pem' out/fullchain.pem
- cp -vp 'certificates/key.pem' out/key.pem
- ln -sf fullchain.pem out/cert.pem
- cat out/key.pem out/fullchain.pem > out/full.pem
- cut_out_certificate_authority out/fullchain.pem > out/chain.pem
- chown 'acme:nginx' out/*
- chmod 640 out/*
- }
-
- if [[ ! -e 'out/fullchain.pem' ]] || ! check_validity out/fullchain.pem; then
- echo 1>&2 "attempting tailscale certificate renewal..."
- if ! try_renew; then
- echo 1>&2 "renewal failed :("
- exit 1
- fi
- install_certificates
- echo 1>&2 "successfully renewed certificate :)"
- else
- echo 1>&2 "renewal not yet necessary."
- fi
- '';
-
-in
-{
- # overwrite default acme behaviour with tailscale
- systemd.services."acme-${me.tailscale.domain}" = {
- after = [ "tailscaled.service" ];
- requires = [ "tailscaled.service" ];
- serviceConfig = {
- ExecStart = lib.mkForce "+${tailscaleRenewScript}";
- };
- };
-
- # tailnet internal vhost
- services.nginx.virtualHosts = {
- # mostly superceded
- tailnet = {
- forceSSL = true;
- enableACME = true;
- serverName = me.tailscale.domain;
- listenAddresses = [ me.tailscale.ip ];
- # point to the default page, for now!
- locations."/" = {
- alias = "${config.services.nginx.virtualHosts.base.root}/";
- };
- extraConfig = ''
- access_log /var/log/nginx/tailnet.access.log json_combined;
- '';
- };
-
- # default page for the `rnrd.fyi` internal domain
- ${rnrdInternalUrl} = {
- useACMEHost = "rnrd.fyi";
- forceSSL = true;
- listenAddresses = [ me.tailscale.ip ];
- locations."/" = {
- alias = "${config.services.nginx.virtualHosts.base.root}/";
- };
- extraConfig = ''
- access_log /var/log/nginx/tailnet.access.log json_combined;
- '';
- };
- };
-}
|
