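{ pkgs, lib, ... }:
{
  imports = [
    ../../modules/common.nix
    ./hardware.nix
    ./devices.nix
    ../../modules/www.nix
    ../../modules/git.nix
    ../../services/cgit.nix
    ../../services/soju.nix
  ];

  # The "renard" vhost below is served with a Tailscale-issued certificate
  # rather than a regular ACME order, so the renewal step of the generated
  # acme-* unit is replaced by a script that asks tailscaled for the cert.
  systemd.services."acme-renard.serval-moth.ts.net" =
    let
      oneWeekInSeconds = 7 * 24 * 60 * 60;
      # Runs in the acme unit's working directory: `certificates/` receives the
      # files written by `tailscale cert`, `out/` is what nginx reads.
      # NOTE(review): the directory layout is assumed to come from the NixOS
      # acme module — confirm if that module changes.
      tailscaleRenewScript = pkgs.writeShellScript "tailscale-cert-renew" ''
        set -euxo pipefail
        # Keep every file created below private until the final chown/chmod.
        # Without this, out/full.pem (which embeds the private key) is created
        # with the default umask and stays world-readable until the chmod at
        # the end of install_certificates runs — or for good, if a step in
        # between fails and set -e aborts the script.
        umask 077

        # Succeeds iff the certificate in $1 is still valid one week from now.
        check_validity() {
          pem=$1
          ${pkgs.openssl}/bin/openssl x509 \
            -checkend ${toString oneWeekInSeconds} \
            -noout <"$pem"
        }

        # Asks tailscaled for a certificate for this node's tailnet name.
        try_renew() {
          ${pkgs.tailscale}/bin/tailscale cert \
            --cert-file certificates/fullchain.pem \
            --key-file certificates/key.pem \
            renard.serval-moth.ts.net
        }

        # Prints only the last PEM block of $1: the buffer is reset at every
        # "BEGIN CERTIFICATE" marker. For a leaf + one intermediate chain that
        # is exactly the intermediate; a longer chain would lose its earlier
        # intermediates. NOTE(review): confirm the issued chain has two blocks.
        cut_out_certificate_authority() {
          fullchain=$1
          buf=""
          # -r and IFS= keep backslashes and surrounding whitespace intact.
          while IFS= read -r LINE; do
            if [[ $LINE == *"BEGIN CERTIFICATE"* ]]; then
              buf=""
            fi
            buf="$buf$LINE"$'\n'
          done < "$fullchain"
          echo "$buf"
        }

        # Copies the freshly issued files into out/ in the layout the acme
        # module normally produces, then hands them to acme:nginx.
        install_certificates() {
          cp -vp 'certificates/fullchain.pem' out/fullchain.pem
          cp -vp 'certificates/key.pem' out/key.pem
          ln -sf fullchain.pem out/cert.pem
          cat out/key.pem out/fullchain.pem > out/full.pem
          cut_out_certificate_authority out/fullchain.pem > out/chain.pem
          # Written only once every file above is in place, so a failure
          # half-way through does not look like a completed renewal.
          touch out/renewed
          chown 'acme:nginx' out/*
          chmod 640 out/*
        }

        if [[ ! -e 'out/fullchain.pem' ]] || ! check_validity out/fullchain.pem; then
          echo 1>&2 "attempting tailscale certificate renewal..."
          if ! try_renew; then
            echo 1>&2 "renewal failed :("
            exit 1
          fi
          install_certificates
          echo 1>&2 "successfully renewed certificate :)"
        else
          echo 1>&2 "renewal not yet necessary."
        fi
      '';
    in {
      after = [ "tailscaled.service" ];
      requires = [ "tailscaled.service" ];
      serviceConfig = {
        # The "+" prefix runs the script with full privileges regardless of
        # the unit's User=, which the chown in install_certificates needs.
        ExecStart = lib.mkForce "+${tailscaleRenewScript}";
      };
    };

  # No placeholder self-signed certificates before the first real issuance.
  security.acme.preliminarySelfsigned = false;

  services.nginx.virtualHosts = {
    "rnrd.eu".locations = {
      # redirect to akkoma on lapin
      "/.well-known/webfinger" = {
        return = "301 https://soc.rnrd.eu$request_uri";
      };
      # delegate matrix to lapin
      "/.well-known/matrix/server" = {
        return = "200 '{ \"m.server\": \"matrix.rnrd.eu:443\" }'";
        extraConfig = ''
          default_type application/json;
        '';
      };
      "/.well-known/matrix/client" = {
        return = "200 '{ \"m.homeserver\": { \"base_url\": \"https://matrix.rnrd.eu\" } }'";
        # The wildcard CORS header lets browser-based clients on other origins
        # fetch this discovery document; it carries no secrets.
        extraConfig = ''
          default_type application/json;
          add_header "Access-Control-Allow-Origin" *;
        '';
      };
    };
    # tailnet internal vhost: only bound to the node's tailnet address, so it
    # is not reachable from the public interfaces.
    "renard" = {
      forceSSL = true;
      enableACME = true;
      serverName = "renard.serval-moth.ts.net";
      listenAddresses = [ "100.75.17.75" ];
      # point to the default page, for now!
      locations."/" = { alias = "/var/www/html/"; };
    };
    "sho.rest" = {
      enableACME = true;
      forceSSL = true;
      locations."/" = {
        proxyPass = "http://127.0.0.1:5000";
      };
    };
    "mel.gg" = {
      enableACME = true;
      forceSSL = true;
      root = "/srv/mel";
    };
    "git.rnrd.eu" = {
      enableACME = true;
      forceSSL = true;
      locations = {
        "/" = {
          proxyPass = "http://127.0.0.1:3792";
        };
        "/static/" = {
          alias = "/srv/cgit/static/";
        };
      };
    };
  };

  system.stateVersion = "24.05";
}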