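{ me, machines, pkgs, lib, ... }:
{
  imports = [
    ../../modules/common.nix
    ./hardware.nix
    ./devices.nix
    ../../modules/www.nix
    ../../modules/git.nix
    ../../modules/syncthing.nix
    ../../services/cgit.nix
    ../../services/minecraft.nix
    ../../services/miniflux.nix
    ../../services/shiori.nix
    ../../services/irc
  ];

  # Monitoring server: one target per machine, addressed over its tailscale IP.
  foundation.monitoring = {
    server = {
      enable = true;
      hosts = map (m: { inherit (m) name; inherit (m.tailscale) ip; }) machines;
    };
    services = [ "base" "tailnet" "git" "mel" "shorest" ];
  };

  # Replace the ACME module's renewal command for the tailnet-only vhost with
  # `tailscale cert`, which obtains the certificate for this node's tailscale
  # domain through tailscaled instead of lego.
  systemd.services."acme-${me.tailscale.domain}" =
    let
      # Renew once the current certificate has less than a week left.
      oneWeekInSeconds = 7 * 24 * 60 * 60;
      tailscaleRenewScript = pkgs.writeShellScript "tailscale-cert-renew" ''
        set -euxo pipefail
        # The private key is copied and concatenated into new files below; with
        # the default umask those files would be world-readable from creation
        # until the chmod at the end of install_certificates. Create everything
        # owner-only instead; the final chown/chmod still sets the intended mode.
        umask 077

        # Succeeds iff the certificate in $1 is still valid one week from now.
        check_validity() {
          pem=$1
          ${pkgs.openssl}/bin/openssl x509 \
            -checkend ${toString oneWeekInSeconds} \
            -noout <"$pem"
        }

        # Ask tailscaled for a certificate and key for this node's domain.
        # Relative paths resolve against the unit's working directory.
        try_renew() {
          ${pkgs.tailscale}/bin/tailscale cert \
            --cert-file certificates/fullchain.pem \
            --key-file certificates/key.pem \
            ${me.tailscale.domain}
        }

        # Print only the last certificate of the chain in $1: the buffer is
        # reset at every BEGIN CERTIFICATE, so earlier entries (the leaf, and
        # any but the final intermediate) are discarded.
        cut_out_certificate_authority() {
          fullchain=$1
          buf=""
          while IFS= read -r LINE; do
            if [[ $LINE == *"BEGIN CERTIFICATE"* ]]; then
              buf=""
            fi
            buf="$buf$LINE"$'\n'
          done < "$fullchain"
          echo "$buf"
        }

        # Publish into out/ using the same file names the NixOS ACME module
        # produces, so nginx keeps reading its usual paths.
        install_certificates() {
          touch out/renewed
          cp -vp 'certificates/fullchain.pem' out/fullchain.pem
          cp -vp 'certificates/key.pem' out/key.pem
          ln -sf fullchain.pem out/cert.pem
          cat out/key.pem out/fullchain.pem > out/full.pem
          cut_out_certificate_authority out/fullchain.pem > out/chain.pem
          # Final mode: owned by acme, readable by the nginx group (key included).
          chown 'acme:nginx' out/*
          chmod 640 out/*
        }

        if [[ ! -e 'out/fullchain.pem' ]] || ! check_validity out/fullchain.pem; then
          echo 1>&2 "attempting tailscale certificate renewal..."
          if ! try_renew; then
            echo 1>&2 "renewal failed :("
            exit 1
          fi
          install_certificates
          echo 1>&2 "successfully renewed certificate :)"
        else
          echo 1>&2 "renewal not yet necessary."
        fi
      '';
    in
    {
      after = [ "tailscaled.service" ];
      requires = [ "tailscaled.service" ];
      serviceConfig = {
        # The leading '+' makes systemd run the script with full privileges,
        # ignoring the unit's User=/Group= (presumably needed for the tailscaled
        # socket and the chown above). mkForce drops the module's own ExecStart.
        ExecStart = lib.mkForce "+${tailscaleRenewScript}";
      };
    };

  # Do not generate throwaway self-signed certificates before the first ACME run.
  security.acme.preliminarySelfsigned = false;

  services.nginx.virtualHosts = {
    "rnrd.eu".locations = {
      # redirect to akkoma on lapin
      "/.well-known/webfinger" = {
        return = "301 https://soc.rnrd.eu$request_uri";
      };
      # delegate matrix to lapin
      "/.well-known/matrix/server" = {
        return = "200 '{ \"m.server\": \"matrix.rnrd.eu:443\" }'";
        extraConfig = ''
          default_type application/json;
        '';
      };
      "/.well-known/matrix/client" = {
        return = ''
          200 '{ "m.homeserver": { "base_url": "https://matrix.rnrd.eu/" }, "org.matrix.msc3575.proxy": { "url": "https://matrix.rnrd.eu/" } }'
        '';
        # Browser-based clients fetch this document cross-origin; the wildcard
        # CORS header is deliberate and the response carries no secrets.
        extraConfig = ''
          default_type application/json;
          add_header "Access-Control-Allow-Origin" *;
        '';
      };
    };

    # tailnet internal vhost: bound to the tailscale address only, so it is
    # not reachable on the public interfaces.
    "renard" = {
      forceSSL = true;
      enableACME = true;
      serverName = me.tailscale.domain;
      listenAddresses = [ me.tailscale.ip ];
      # point to the default page, for now!
      locations."/" = {
        alias = "/var/www/html/";
      };
      extraConfig = ''
        access_log /var/log/nginx/tailnet.access.log json_combined;
      '';
    };

    # Reverse proxy to a loopback-only backend.
    "sho.rest" = {
      enableACME = true;
      forceSSL = true;
      locations."/" = {
        proxyPass = "http://127.0.0.1:5000";
      };
      extraConfig = ''
        access_log /var/log/nginx/shorest.access.log json_combined;
      '';
    };

    # Static site.
    "mel.gg" = {
      enableACME = true;
      forceSSL = true;
      root = "/srv/mel";
      extraConfig = ''
        access_log /var/log/nginx/mel.access.log json_combined;
      '';
    };

    # cgit: dynamic pages proxied to a loopback backend, static assets served
    # directly from disk.
    "git.rnrd.eu" = {
      enableACME = true;
      forceSSL = true;
      locations = {
        "/" = {
          proxyPass = "http://127.0.0.1:3792";
        };
        "/static/" = {
          alias = "/srv/cgit/static/";
        };
      };
      extraConfig = ''
        access_log /var/log/nginx/git.access.log json_combined;
      '';
    };
  };

  system.stateVersion = "24.05";
}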