2 files changed, 109 insertions, 19 deletions
diff --git a/modules/www.nix b/modules/www/default.nix
index 7ce880b..f6bb4e4 100644
--- a/modules/www.nix
+++ b/modules/www/default.nix
@@ -1,12 +1,11 @@
 { me, ... }:
 
-let 
-  rnrdUrl =
-    if me.is.renard
-      then "rnrd.eu"
-      else "${me.name}.rnrd.eu";
+let
+  rnrdUrl = if me.is.renard then "rnrd.eu" else "${me.name}.rnrd.eu";
 in
 {
+  imports = [ ./tailnet.nix ];
+
   security.acme = {
     acceptTerms = true;
     defaults.email = "einebeere@gmail.com";
@@ -23,26 +22,28 @@ in
 
     commonHttpConfig = ''
       log_format json_combined escape=json '{'
-	'"time_local":"$time_local",'
-	'"remote_addr":"$remote_addr",'
-	'"remote_user":"$remote_user",'
-	'"request":"$request",'
-	'"status": "$status",'
-	'"body_bytes_sent":"$body_bytes_sent",'
-	'"request_length":"$request_length",'
-	'"request_time":"$request_time",'
-	'"http_referrer":"$http_referer",'
-	'"http_user_agent":"$http_user_agent",'
-	'"upstream_response_time":"$upstream_response_time",'
-	'"upstream_addr":"$upstream_addr",'
-	'"upstream_status":"$upstream_status"'
+      	'"time_local":"$time_local",'
+      	'"remote_addr":"$remote_addr",'
+      	'"remote_user":"$remote_user",'
+      	'"request":"$request",'
+      	'"status": "$status",'
+      	'"body_bytes_sent":"$body_bytes_sent",'
+      	'"request_length":"$request_length",'
+      	'"request_time":"$request_time",'
+      	'"http_referrer":"$http_referer",'
+      	'"http_user_agent":"$http_user_agent",'
+      	'"upstream_response_time":"$upstream_response_time",'
+      	'"upstream_addr":"$upstream_addr",'
+      	'"upstream_status":"$upstream_status"'
       '}';
       access_log /var/log/nginx/access.log json_combined;
       error_log /var/log/nginx/error.log warn;
     '';
 
     virtualHosts = {
-      default = { default = true; };
+      default = {
+        default = true;
+      };
       ${rnrdUrl} = {
         root = "/var/www/html";
         forceSSL = true;
diff --git a/modules/www/tailnet.nix b/modules/www/tailnet.nix
new file mode 100644
index 0000000..df70a55
--- /dev/null
+++ b/modules/www/tailnet.nix
@@ -0,0 +1,89 @@
+{
+  me,
+  lib,
+  pkgs,
+  ...
+}:
+
+let
+  oneWeekInSeconds = 7 * 24 * 60 * 60;
+
+  tailscaleRenewScript = pkgs.writeShellScript "tailscale-cert-renew" ''
+    set -euxo pipefail
+
+    check_validity() {
+      pem=$1
+      ${pkgs.openssl}/bin/openssl x509 \
+    -checkend ${toString oneWeekInSeconds} \
+    -noout <$pem
+    }
+
+    try_renew() {
+      ${pkgs.tailscale}/bin/tailscale cert \
+    --cert-file certificates/fullchain.pem \
+    --key-file certificates/key.pem \
+    ${me.tailscale.domain}
+    }
+
+    cut_out_certificate_authority() {
+      fullchain=$1
+      buf=""
+      while read LINE; do
+    if [[ $LINE == *"BEGIN CERTIFICATE"* ]]; then
+      buf=""
+    fi
+    buf="$buf$LINE"$'\n'
+      done < $fullchain
+      echo "$buf"
+    }
+
+    install_certificates() {
+      touch out/renewed
+      cp -vp 'certificates/fullchain.pem' out/fullchain.pem
+      cp -vp 'certificates/key.pem' out/key.pem
+      ln -sf fullchain.pem out/cert.pem
+      cat out/key.pem out/fullchain.pem > out/full.pem
+      cut_out_certificate_authority out/fullchain.pem > out/chain.pem
+      chown 'acme:nginx' out/*
+      chmod 640 out/*
+    }
+
+    if [[ ! -e 'out/fullchain.pem' ]] || ! check_validity out/fullchain.pem; then
+      echo 1>&2 "attempting tailscale certificate renewal..."
+      if ! try_renew; then
+    echo 1>&2 "renewal failed :("
+    exit 1
+      fi
+      install_certificates
+      echo 1>&2 "successfully renewed certificate :)"
+    else
+      echo 1>&2 "renewal not yet necessary."
+    fi
+  '';
+
+in
+{
+  # overwrite default acme behaviour with tailscale
+  systemd.services."acme-${me.tailscale.domain}" = {
+    after = [ "tailscaled.service" ];
+    requires = [ "tailscaled.service" ];
+    serviceConfig = {
+      ExecStart = lib.mkForce "+${tailscaleRenewScript}";
+    };
+  };
+
+  # tailnet internal vhost
+  services.nginx.virtualHosts.tailnet = {
+    forceSSL = true;
+    enableACME = true;
+    serverName = me.tailscale.domain;
+    listenAddresses = [ me.tailscale.ip ];
+    # point to the default page, for now!
+    locations."/" = {
+      alias = "/var/www/html/";
+    };
+    extraConfig = ''
+      access_log /var/log/nginx/tailnet.access.log json_combined;
+    '';
+  };
+}