From ce64e6e1990b62451acb3822b7ab914e16b122b6 Mon Sep 17 00:00:00 2001 From: Mel Date: Thu, 26 Dec 2024 17:24:04 +0100 Subject: Pull out web configuration from specific machine modules Signed-off-by: Mel --- machines/renard/default.nix | 100 +------------------------------------------- 1 file changed, 2 insertions(+), 98 deletions(-) (limited to 'machines/renard') diff --git a/machines/renard/default.nix b/machines/renard/default.nix index d443886..e5fc21f 100644 --- a/machines/renard/default.nix +++ b/machines/renard/default.nix @@ -1,4 +1,4 @@ -{ me, machines, pkgs, lib, ... }: +{ me, machines, ... }: { imports = [ @@ -7,7 +7,7 @@ ./hardware.nix ./devices.nix - ../../modules/www.nix + ../../modules/www ../../modules/git.nix ../../modules/syncthing.nix 
@@ -29,72 +29,6 @@ services = [ "base" "tailnet" "git" "mel" "shorest" ]; }; - systemd.services."acme-${me.tailscale.domain}" = - let - oneWeekInSeconds = 7 * 24 * 60 * 60; - - tailscaleRenewScript = pkgs.writeShellScript "tailscale-cert-renew" '' - set -euxo pipefail - - check_validity() { - pem=$1 - ${pkgs.openssl}/bin/openssl x509 \ - -checkend ${toString oneWeekInSeconds} \ - -noout <$pem - } - - try_renew() { - ${pkgs.tailscale}/bin/tailscale cert \ - --cert-file certificates/fullchain.pem \ - --key-file certificates/key.pem \ - ${me.tailscale.domain} - } - - cut_out_certificate_authority() { - fullchain=$1 - buf="" - while read LINE; do - if [[ $LINE == *"BEGIN CERTIFICATE"* ]]; then - buf="" - fi - buf="$buf$LINE"$'\n' - done < $fullchain - echo "$buf" - } - - install_certificates() { - touch out/renewed - cp -vp 'certificates/fullchain.pem' out/fullchain.pem - cp -vp 'certificates/key.pem' out/key.pem - ln -sf fullchain.pem out/cert.pem - cat out/key.pem out/fullchain.pem > out/full.pem - cut_out_certificate_authority out/fullchain.pem > out/chain.pem - chown 'acme:nginx' out/* - chmod 640 out/* - } - - if [[ ! -e 'out/fullchain.pem' ]] || ! check_validity out/fullchain.pem; then - echo 1>&2 "attempting tailscale certificate renewal..." - if ! try_renew; then - echo 1>&2 "renewal failed :(" - exit 1 - fi - install_certificates - echo 1>&2 "successfully renewed certificate :)" - else - echo 1>&2 "renewal not yet necessary." - fi - ''; - in { - after = [ "tailscaled.service" ]; - requires = [ "tailscaled.service" ]; - serviceConfig = { - ExecStart = lib.mkForce "+${tailscaleRenewScript}"; - }; - }; - - security.acme.preliminarySelfsigned = false; - services.nginx.virtualHosts = { "rnrd.eu".locations = { # redirect to akkoma on lapin 
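Review bot: The removed `systemd.services."acme-${me.tailscale.domain}"` override and `security.acme.preliminarySelfsigned = false;` are keyed on renard's own `me.tailscale.domain`, so if they moved verbatim into the shared `../../modules/www` imported in the first hunk, every host that imports the module gets an acme unit for its own tailnet name whose `ExecStart` is force-replaced by the tailscale renew script. The module side is not in this view (the diffstat is limited to `machines/renard`), so this is inferred; it is worth confirming that the override is gated on the host actually having a tailnet vhost, e.g. wrapped in `lib.mkIf` on the relevant option, and that `preliminarySelfsigned = false` travels with it, since with the default nginx serves a placeholder self-signed certificate for that name until the unit first succeeds. The same concern applies to the two hunks on the following line, where `listenAddresses = [ me.tailscale.ip ]` for the tailnet vhost and `proxyPass = "http://127.0.0.1:3792"` / `alias = "/srv/cgit/static/"` for `git.rnrd.eu` are likewise machine-specific; a host without cgit on that port would still answer for `git.rnrd.eu` if the vhost is unconditional in the module.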
@@ -127,19 +61,6 @@ }; }; - # tailnet internal vhost - "renard" = { - forceSSL = true; - enableACME = true; - serverName = me.tailscale.domain; - listenAddresses = [ me.tailscale.ip ]; - # point to the default page, for now! - locations."/" = { alias = "/var/www/html/"; }; - extraConfig = '' - access_log /var/log/nginx/tailnet.access.log json_combined; - ''; - }; - "sho.rest" = { enableACME = true; forceSSL = true; @@ -159,23 +80,6 @@ access_log /var/log/nginx/mel.access.log json_combined; ''; }; - - "git.rnrd.eu" = { - enableACME = true; - forceSSL = true; - locations = { - "/" = { - proxyPass = "http://127.0.0.1:3792"; - }; - - "/static/" = { - alias = "/srv/cgit/static/"; - }; - }; - extraConfig = '' - access_log /var/log/nginx/git.access.log json_combined; - ''; - }; }; system.stateVersion = "24.05"; -- cgit 1.4.1