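# NOTE: the tailnet virtual host and its certificate management
# has been mostly superseded by the `rnrd.fyi` domain, allowing
# for both vastly simpler certificate requesting and subdomains,
# which tailscale does not support for their magicdns product.
#
# When both `foundation.www.enable` and `foundation.www.tailnet` are set
# this module:
#   * declares an ACME certificate for the tailscale domain, but replaces
#     the renewal service's ExecStart with a script that asks tailscaled
#     for the certificate instead of running the stock ACME client;
#   * serves the default page on two nginx vhosts that listen on the
#     tailnet address only (the tailscale domain and this host's
#     `rnrd.fyi` name).
{
  me,
  config,
  lib,
  pkgs,
  ...
}:
let
  cfg = config.foundation.www;
  # the renard machine owns the apex; every other machine gets a subdomain.
  rnrdInternalUrl = if me.is.renard then "rnrd.fyi" else "${me.name}.rnrd.fyi";
  # renew once the certificate is within this many seconds of expiry.
  oneWeekInSeconds = 7 * 24 * 60 * 60;
  # Replacement for the acme renewal service's ExecStart. It relies on the
  # working directory that service provides: `certificates/` receives the
  # freshly issued material and `out/` is what nginx is pointed at. The
  # script is started with the `+` prefix (full privileges) because both
  # `tailscale cert` and the chown need more than the acme user has.
  tailscaleRenewScript = pkgs.writeShellScript "tailscale-cert-renew" ''
    set -euxo pipefail

    # succeeds while the certificate stays valid for longer than the renewal
    # window; `-checkend` fails once expiry falls inside that window.
    check_validity() {
      local pem="$1"
      ${pkgs.openssl}/bin/openssl x509 \
        -checkend ${toString oneWeekInSeconds} \
        -noout <"$pem"
    }

    # ask tailscaled for a fresh certificate and key for this node's name.
    try_renew() {
      ${pkgs.tailscale}/bin/tailscale cert \
        --cert-file certificates/fullchain.pem \
        --key-file certificates/key.pem \
        "${me.tailscale.domain}"
    }

    # print only the last certificate of a PEM bundle: the buffer is reset
    # at every BEGIN marker, so the leaf is dropped and the issuer remains.
    cut_out_certificate_authority() {
      local fullchain="$1"
      local buf="" line
      # `-r` keeps backslashes literal and an empty IFS keeps leading
      # whitespace, so lines are copied through unchanged.
      while IFS= read -r line; do
        if [[ $line == *"BEGIN CERTIFICATE"* ]]; then
          buf=""
        fi
        buf="$buf$line"$'\n'
      done <"$fullchain"
      # buf already ends in a newline; printf avoids echo's extra one.
      printf '%s' "$buf"
    }

    # lay out `out/` the way the stock acme renewal does (renewed marker,
    # fullchain/key/cert/full/chain), so the nginx side needs no changes.
    install_certificates() {
      touch out/renewed
      cp -vp 'certificates/fullchain.pem' out/fullchain.pem
      cp -vp 'certificates/key.pem' out/key.pem
      ln -sf fullchain.pem out/cert.pem
      cat out/key.pem out/fullchain.pem > out/full.pem
      cut_out_certificate_authority out/fullchain.pem > out/chain.pem
      # 0640 acme:nginx keeps the private key readable only by the acme
      # user and the nginx group.
      chown 'acme:nginx' out/*
      chmod 640 out/*
    }

    if [[ ! -e 'out/fullchain.pem' ]] || ! check_validity out/fullchain.pem; then
      echo 1>&2 "attempting tailscale certificate renewal..."
      if ! try_renew; then
        echo 1>&2 "renewal failed :("
        exit 1
      fi
      install_certificates
      echo 1>&2 "successfully renewed certificate :)"
    else
      echo 1>&2 "renewal not yet necessary."
    fi
  '';
in
{
  options.foundation.www = {
    tailnet = lib.mkEnableOption "tailnet internal host";
  };

  config = lib.mkIf (cfg.enable && cfg.tailnet) {
    security.acme.certs.${me.tailscale.domain} = {
      # since we replace the renew script, the dns provider is not important,
      # however, we can't have the configuration thinking that the acme
      # renewal service depends on nginx, so instead it's a "dns certificate".
      dnsProvider = "dummy";
      webroot = null;
    };

    # overwrite default acme behaviour with tailscale; the `+` runs the
    # script with full privileges regardless of the service's User/Group.
    systemd.services."acme-${me.tailscale.domain}" = {
      serviceConfig.ExecStart = lib.mkForce "+${tailscaleRenewScript}";
    };

    # tailnet internal vhosts; both only listen on the tailscale address.
    services.nginx.virtualHosts = {
      # mostly superseded
      tailnet = {
        forceSSL = true;
        enableACME = true;
        serverName = me.tailscale.domain;
        listenAddresses = [ me.tailscale.ip ];
        # point to the default page, for now!
        locations."/" = {
          alias = "${cfg.defaultPage}/";
        };
        extraConfig = ''
          access_log /var/log/nginx/tailnet.access.log json_combined;
        '';
      };

      # default page for the `rnrd.fyi` internal domain; the certificate
      # for "rnrd.fyi" is expected to be managed outside this module.
      ${rnrdInternalUrl} = {
        useACMEHost = "rnrd.fyi";
        forceSSL = true;
        listenAddresses = [ me.tailscale.ip ];
        locations."/" = {
          alias = "${cfg.defaultPage}/";
        };
        extraConfig = ''
          access_log /var/log/nginx/tailnet.access.log json_combined;
        '';
      };
    };

    foundation.tailnetServices = [
      "nginx"
      "acme-${me.tailscale.domain}"
    ];
  };
}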