diff --git a/cluster/services/acme-client/default.nix b/cluster/services/acme-client/default.nix
index ee832c3..5a0e0cd 100644
--- a/cluster/services/acme-client/default.nix
+++ b/cluster/services/acme-client/default.nix
@@ -1,6 +1,6 @@
 {
 services.acme-client = {
- nodes.client = [ "VEGAS" ];
+ nodes.client = [ "VEGAS" "prophet" ];
 nixos.client = ./client.nix;
 };
 }
diff --git a/cluster/services/dns/pdns-api-key.age b/cluster/services/dns/pdns-api-key.age
index 6385114..3e90f17 100644
Binary files a/cluster/services/dns/pdns-api-key.age and b/cluster/services/dns/pdns-api-key.age differ
diff --git a/cluster/services/websites/default.nix b/cluster/services/websites/default.nix
new file mode 100644
index 0000000..0299463
--- /dev/null
+++ b/cluster/services/websites/default.nix
@@ -0,0 +1,16 @@
+{ config, ... }:
+
+let
+ inherit (config.vars) hosts;
+
+in
+{
+ services.websites = {
+ nodes = {
+ host = [ "VEGAS" "prophet" ];
+ };
+ nixos = {
+ host = ./host.nix;
+ };
+ };
+}
diff --git a/cluster/services/websites/host.nix b/cluster/services/websites/host.nix
new file mode 100644
index 0000000..fd30e7b
--- /dev/null
+++ b/cluster/services/websites/host.nix
@@ -0,0 +1,23 @@
+{ config, inputs, lib, pkgs, tools, ... }:
+
+let
+ importWebsites = expr: import expr {
+ tools = tools.nginx;
+ packages = inputs.self.packages.${pkgs.system};
+ };
+
+ websites = tools.nginx.mappers.mapSubdomains (importWebsites ./websites.nix);
+
+ acmeUseDNS = name: conf: {
+ name = conf.useACMEHost or conf.serverName or name;
+ value = {
+ dnsProvider = "pdns";
+ webroot = null;
+ };
+ };
+
+ isACME = _: conf: conf ? enableACME && conf.enableACME;
+in {
+ services.nginx.virtualHosts = websites;
+ security.acme.certs = lib.mapAttrs' acmeUseDNS (lib.filterAttrs isACME websites);
+}
diff --git a/cluster/services/websites/websites.nix b/cluster/services/websites/websites.nix
new file mode 100644
index 0000000..3db0c3a
--- /dev/null
+++ b/cluster/services/websites/websites.nix
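Review bot: `inherit (config.vars) hosts;` in the `let` of websites/default.nix is never referenced — the node list is written as the literals `"VEGAS"` and `"prophet"` — so the binding and the `let … in` wrapper are dead code (Nix is lazy, so it costs nothing at evaluation, but it sends a reader looking for a use that does not exist). Either drop the `let` together with the now-unused `config` argument, or actually use it if `config.vars.hosts` is meant to be the single source of host names. The sibling role file in this same diff (`acme-client/default.nix`) spells out its node list without such a binding, so dropping it also keeps the two consistent.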
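Review bot: `acmeUseDNS` in host.nix emits each certificate with `dnsProvider = "pdns"` but no `credentialsFile`/`environmentFile`, so DNS-01 only works if `security.acme.defaults` supplies the PowerDNS credentials somewhere else (presumably the acme-client role's client.nix, which this diff does not show); a comment at the binding would save the next reader a search, e.g. `# provider only; API credentials come from security.acme.defaults (acme-client role)`. The fallback chain `conf.useACMEHost or conf.serverName or name` bottoms out in the bare attribute name (`www`, `whoami`), which is not a FQDN, so it is only correct if `mapSubdomains` has already set `serverName` on every vhost — worth stating as an assumption or guarding with an assertion. Because `isACME` only passes vhosts with `enableACME = true`, and the NixOS nginx module asserts that `enableACME` and `useACMEHost` are mutually exclusive, the `conf.useACMEHost or` leg looks unreachable and can go. Both `VEGAS` and `prophet` evaluate this file, so each node requests its own certificate for the same names through the same PowerDNS account; if their renewal timers overlap, concurrent add/cleanup of the same `_acme-challenge` TXT record may collide, which is worth a note or staggered timers.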
@@ -0,0 +1,17 @@ +{ packages, tools }: +with tools.vhosts; +let inherit (tools) domain; in +{ + # websites + www = static packages.landing.webroot // { default = true; }; + + # PSA sites + stop-using-nix-env = static packages.stop-using-nix-env.webroot; + + whoami.locations = { # no tls + "/".return = ''200 "$remote_addr\n"''; + "/online".return = ''200 "CONNECTED_GLOBAL\n"''; + }; + + top-level = redirect "https://www.${domain}$request_uri" // { serverName = domain; }; +} diff --git a/hosts/VEGAS/services/websites/websites.nix b/hosts/VEGAS/services/websites/websites.nix index 16c084a..e4eda3c 100644 --- a/hosts/VEGAS/services/websites/websites.nix +++ b/hosts/VEGAS/services/websites/websites.nix @@ -6,18 +6,7 @@ let inherit (tools) domain; in ktp = static "/srv/storage/www/soda/ktp"; legacy = static "/srv/storage/www/legacy"; soda = static "/srv/storage/www/soda"; # TODO: add back custom error pages, wttr.in cache - www = static packages.landing.webroot // { default = true; }; - - # PSA sites - stop-using-nix-env = static packages.stop-using-nix-env.webroot; # content delivery autoconfig = static "/srv/storage/www/autoconfig"; - - "whoami".locations = { # no tls - "/".return = ''200 "$remote_addr\n"''; - "/online".return = ''200 "CONNECTED_GLOBAL\n"''; - }; - - top-level = redirect "https://www.${domain}$request_uri" // { serverName = domain; }; } diff --git a/secrets.nix b/secrets.nix index 726c65c..268f16c 100644 --- a/secrets.nix +++ b/secrets.nix 
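Review bot: `whoami` carries the comment `# no tls`, but nothing in its attrset turns TLS or ACME off, so whether it really answers on plain HTTP from both nodes depends entirely on the defaults `tools.vhosts`/`mapSubdomains` apply to every vhost, which this diff does not show. If plain HTTP is intentional (a connectivity probe echoing `$remote_addr` needs no confidentiality), make it explicit in the definition rather than in a comment — e.g. `enableACME = false; forceSSL = false;` alongside `locations` (assuming the mapper merges rather than overrides those keys) — so a change to the mapper defaults cannot silently flip it and a reader sees the plaintext, unauthenticated echo is deliberate. If the mapper already forces TLS on everything, the comment is stale and should be removed instead.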
@@ -7,7 +7,7 @@ in with hosts;
 "cluster/services/dns/pdns-admin-oidc-secrets.age".publicKeys = max ++ map systemKeys [ VEGAS ];
 "cluster/services/dns/pdns-admin-salt.age".publicKeys = max ++ map systemKeys [ VEGAS ];
 "cluster/services/dns/pdns-admin-secret.age".publicKeys = max ++ map systemKeys [ VEGAS ];
- "cluster/services/dns/pdns-api-key.age".publicKeys = max ++ map systemKeys [ VEGAS ];
+ "cluster/services/dns/pdns-api-key.age".publicKeys = max ++ map systemKeys [ VEGAS prophet ];
 "cluster/services/dns/pdns-db-credentials.age".publicKeys = max ++ map systemKeys [ VEGAS prophet ];
 "cluster/services/patroni/passwords/replication.age".publicKeys = max ++ map systemKeys [ VEGAS prophet ];
 "cluster/services/patroni/passwords/rewind.age".publicKeys = max ++ map systemKeys [ VEGAS prophet ];
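Review bot: Handing `prophet` the PowerDNS API key widens the blast radius well beyond DNS-01, because PowerDNS Authoritative uses a single server-wide `api-key` with no per-zone or per-record scoping (assuming that is what `pdns-api-key.age` holds): a compromised `prophet` can then rewrite any record in any zone and mint certificates for any name, not just touch the `_acme-challenge` TXT records the ACME client needs. If `prophet` only needs the key for issuance, consider narrowing what it can do instead of sharing the full key — CNAME `_acme-challenge.<name>` into a separate, low-value zone whose own key is the one given to `prophet`, or put a small allow-listing proxy in front of the API that permits only TXT changes on those names. At minimum record the trade-off next to the entry, e.g. `# server-wide PDNS API key; prophet holds it only for ACME DNS-01 (websites/host.nix)`. The binary `.age` change may be a plain re-encryption for the new recipient rather than a rotation; if so, the same key material now lives on two hosts, which is the moment to decide who rotates it and how.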