From ce64e6e1990b62451acb3822b7ab914e16b122b6 Mon Sep 17 00:00:00 2001
From: Mel
Date: Thu, 26 Dec 2024 17:24:04 +0100
Subject: Pull out web configuration from specific machine modules
Signed-off-by: Mel
---
modules/www.nix | 56 -------------------------------
modules/www/default.nix | 57 +++++++++++++++++++++++++++++++
modules/www/tailnet.nix | 89 +++++++++++++++++++++++++++++++++++++++++++++++++
3 files changed, 146 insertions(+), 56 deletions(-)
delete mode 100644 modules/www.nix
create mode 100644 modules/www/default.nix
create mode 100644 modules/www/tailnet.nix
(limited to 'modules')
diff --git a/modules/www.nix b/modules/www.nix
deleted file mode 100644
index 7ce880b..0000000
--- a/modules/www.nix
+++ /dev/null
@@ -1,56 +0,0 @@
-{ me, ... }:
-
-let
- rnrdUrl =
- if me.is.renard
- then "rnrd.eu"
- else "${me.name}.rnrd.eu";
-in
-{
- security.acme = {
- acceptTerms = true;
- defaults.email = "einebeere@gmail.com";
- };
-
- services.nginx = {
- enable = true;
- recommendedGzipSettings = true;
- recommendedOptimisation = true;
- recommendedProxySettings = true;
- recommendedTlsSettings = true;
-
- statusPage = true;
-
- commonHttpConfig = ''
- log_format json_combined escape=json '{'
- '"time_local":"$time_local",'
- '"remote_addr":"$remote_addr",'
- '"remote_user":"$remote_user",'
- '"request":"$request",'
- '"status": "$status",'
- '"body_bytes_sent":"$body_bytes_sent",'
- '"request_length":"$request_length",'
- '"request_time":"$request_time",'
- '"http_referrer":"$http_referer",'
- '"http_user_agent":"$http_user_agent",'
- '"upstream_response_time":"$upstream_response_time",'
- '"upstream_addr":"$upstream_addr",'
- '"upstream_status":"$upstream_status"'
- '}';
- access_log /var/log/nginx/access.log json_combined;
- error_log /var/log/nginx/error.log warn;
- '';
-
- virtualHosts = {
- default = { default = true; };
- ${rnrdUrl} = {
- root = "/var/www/html";
- forceSSL = true;
- enableACME = true;
- extraConfig = ''
- access_log /var/log/nginx/base.access.log json_combined;
- '';
- };
- };
- };
-}
diff --git a/modules/www/default.nix b/modules/www/default.nix
new file mode 100644
index 0000000..f6bb4e4
--- /dev/null
+++ b/modules/www/default.nix
@@ -0,0 +1,57 @@
+{ me, ... }:
+
+let
+ rnrdUrl = if me.is.renard then "rnrd.eu" else "${me.name}.rnrd.eu";
+in
+{
+ imports = [ ./tailnet.nix ];
+
+ security.acme = {
+ acceptTerms = true;
+ defaults.email = "einebeere@gmail.com";
+ };
+
+ services.nginx = {
+ enable = true;
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ recommendedProxySettings = true;
+ recommendedTlsSettings = true;
+
+ statusPage = true;
+
+ commonHttpConfig = ''
+ log_format json_combined escape=json '{'
+ '"time_local":"$time_local",'
+ '"remote_addr":"$remote_addr",'
+ '"remote_user":"$remote_user",'
+ '"request":"$request",'
+ '"status": "$status",'
+ '"body_bytes_sent":"$body_bytes_sent",'
+ '"request_length":"$request_length",'
+ '"request_time":"$request_time",'
+ '"http_referrer":"$http_referer",'
+ '"http_user_agent":"$http_user_agent",'
+ '"upstream_response_time":"$upstream_response_time",'
+ '"upstream_addr":"$upstream_addr",'
+ '"upstream_status":"$upstream_status"'
+ '}';
+ access_log /var/log/nginx/access.log json_combined;
+ error_log /var/log/nginx/error.log warn;
+ '';
+
+ virtualHosts = {
+ default = {
+ default = true;
+ };
+ ${rnrdUrl} = {
+ root = "/var/www/html";
+ forceSSL = true;
+ enableACME = true;
+ extraConfig = ''
+ access_log /var/log/nginx/base.access.log json_combined;
+ '';
+ };
+ };
+ };
+}
diff --git a/modules/www/tailnet.nix b/modules/www/tailnet.nix
new file mode 100644
index 0000000..df70a55
--- /dev/null
+++ b/modules/www/tailnet.nix
@@ -0,0 +1,89 @@
+{
+ me,
+ lib,
+ pkgs,
+ ...
+}:
+
+let
+ oneWeekInSeconds = 7 * 24 * 60 * 60;
+
+ tailscaleRenewScript = pkgs.writeShellScript "tailscale-cert-renew" ''
+ set -euxo pipefail
+
+ check_validity() {
+ pem=$1
+ ${pkgs.openssl}/bin/openssl x509 \
+ -checkend ${toString oneWeekInSeconds} \
+ -noout <$pem
+ }
+
+ try_renew() {
+ ${pkgs.tailscale}/bin/tailscale cert \
+ --cert-file certificates/fullchain.pem \
+ --key-file certificates/key.pem \
+ ${me.tailscale.domain}
+ }
+
+ cut_out_certificate_authority() {
+ fullchain=$1
+ buf=""
+ while read LINE; do
+ if [[ $LINE == *"BEGIN CERTIFICATE"* ]]; then
+ buf=""
+ fi
+ buf="$buf$LINE"$'\n'
+ done < $fullchain
+ echo "$buf"
+ }
+
+ install_certificates() {
+ touch out/renewed
+ cp -vp 'certificates/fullchain.pem' out/fullchain.pem
+ cp -vp 'certificates/key.pem' out/key.pem
+ ln -sf fullchain.pem out/cert.pem
+ cat out/key.pem out/fullchain.pem > out/full.pem
+ cut_out_certificate_authority out/fullchain.pem > out/chain.pem
+ chown 'acme:nginx' out/*
+ chmod 640 out/*
+ }
+
+ if [[ ! -e 'out/fullchain.pem' ]] || ! check_validity out/fullchain.pem; then
+ echo 1>&2 "attempting tailscale certificate renewal..."
+ if ! try_renew; then
+ echo 1>&2 "renewal failed :("
+ exit 1
+ fi
+ install_certificates
+ echo 1>&2 "successfully renewed certificate :)"
+ else
+ echo 1>&2 "renewal not yet necessary."
+ fi
+ '';
+
+in
+{
+ # overwrite default acme behaviour with tailscale
+ systemd.services."acme-${me.tailscale.domain}" = {
+ after = [ "tailscaled.service" ];
+ requires = [ "tailscaled.service" ];
+ serviceConfig = {
+ ExecStart = lib.mkForce "+${tailscaleRenewScript}";
+ };
+ };
+
+ # tailnet internal vhost
+ services.nginx.virtualHosts.tailnet = {
+ forceSSL = true;
+ enableACME = true;
+ serverName = me.tailscale.domain;
+ listenAddresses = [ me.tailscale.ip ];
+ # point to the default page, for now!
+ locations."/" = {
+ alias = "/var/www/html/";
+ };
+ extraConfig = ''
+ access_log /var/log/nginx/tailnet.access.log json_combined;
+ '';
+ };
+}
--
cgit 1.4.1
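Review bot: In `install_certificates`, `cat out/key.pem out/fullchain.pem > out/full.pem` and the `> out/chain.pem` redirect create those files under the inherited umask and only run `chmod 640 out/*` afterwards, so `full.pem`, which embeds the private key, can exist briefly with wider permissions — and because `ExecStart` carries the `+` prefix this happens as root rather than under the acme service's own user. Adding `umask 077` directly after `set -euxo pipefail` closes that window for every file the script writes, and the later `chown`/`chmod` still set the final mode. Separately, `cut_out_certificate_authority` resets `buf` at every `BEGIN CERTIFICATE`, so `chain.pem` ends up holding only the last certificate of the bundle; that is right for a leaf-plus-one-intermediate chain but silently drops intermediates in a longer one, so the function deserves a comment such as `# keeps only the final certificate of the bundle; assumes a two-certificate chain` or a loop that skips just the first block. The read loop should also be `while IFS= read -r LINE; do` so backslashes and leading whitespace are preserved verbatim. Note that with `set -x` the growing `buf` is traced into the journal on every iteration; that is public certificate data, so it is noise rather than a leak, but worth knowing when reading the unit's log.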