From 175d3c8b13ee0fae67750c9a6b1109b06467d20b Mon Sep 17 00:00:00 2001
From: Max
Date: Tue, 9 Aug 2022 20:10:25 +0200
Subject: [PATCH] cluster/services/websites: init

---
 cluster/services/acme-client/default.nix | 2 +-
 cluster/services/dns/pdns-api-key.age | Bin 837 -> 915 bytes
 cluster/services/websites/default.nix | 16 ++++++++++++++
 cluster/services/websites/host.nix | 23 +++++++++++++++++++++
 cluster/services/websites/websites.nix | 17 +++++++++++++++
 hosts/VEGAS/services/websites/websites.nix | 11 ----------
 secrets.nix | 2 +-
 7 files changed, 58 insertions(+), 13 deletions(-)
 create mode 100644 cluster/services/websites/default.nix
 create mode 100644 cluster/services/websites/host.nix
 create mode 100644 cluster/services/websites/websites.nix

diff --git a/cluster/services/acme-client/default.nix b/cluster/services/acme-client/default.nix
index ee832c3..5a0e0cd 100644
--- a/cluster/services/acme-client/default.nix
+++ b/cluster/services/acme-client/default.nix
@@ -1,6 +1,6 @@
 {
 services.acme-client = {
- nodes.client = [ "VEGAS" ];
+ nodes.client = [ "VEGAS" "prophet" ];
 nixos.client = ./client.nix;
 };
 }
diff --git a/cluster/services/dns/pdns-api-key.age b/cluster/services/dns/pdns-api-key.age index 63851146126de6434a3940ebc41179afeac1bb71..3e90f17b204c0e8bfdcad29eaccb019bc373ddcb 100644 GIT binary patch delta 865 zcmZ9{`;XHE0KoBJvrvRTi33Sbp}bd^|5ugZr!6@ zPaGhiKu!*b8X@r)!^Izrs6mV-9*3DRCPtLVBj<(FkT6jL;_DZLsK5Fbd_UjMMvmMw zyQv>87NdsEvYmR85+^vp)G^kM(Uu0cV=*yGglSIcR!SWuDf@b89#JX;iUz81vAIO7jP;aqN&%{1O3z^vvM>0wztu8=Y8gb3Fy==>9uGKvT7~4PwrhiQw*faQ zay)62cnxITl3rmEz4?zm2soRc9>9_La2)AG^=^B&}p+N5K@|;#QM}0+pDIF znj-zn(Xn`}M9Lv)vfj!TDupb?cQlGccyq!_l>UE$%ITV``(>rdGl?vhONOkpR}6#7R4x?Bg&kYFIrmN*54NZ)La|L1uixV9+11 z8P~4yT26xlQ(aPxN(DR|aCudbUi)R$hkL)+>|fq}=klQO z+O0zWty4FcvA^+y&%dpd-h7Gg?tNu(dfV|m!govO2N!k@qE88@vL9UsR?aJHHar%a z=fyoUyO-?nw?EeBW;6FLU7NlyGPiJ?{H=WF?DfvYk>QPB*DaFzRdvPmG*Ev3=k$Sm z@7UMBpLzY+S(uaVwjTL%YJTV~4_^(AP5y;#jPy63wZ3`b+{*p$V1KBi0p;Wq4+ZwU zxYgVK)yFV5a&dTc*VxVT`=2@Z27KaH?83s@)$cJ^AR=_)aQ^gQ%bLjTGd#C&?t>xv z>6IN@*B=P2TK;7H<3ByTja>JAb)WO@rMoWCPu`yS;m8~|TOWO(@$xwNr%~Ln;{MBv c;ErRTkM5M$I**P^hgOeV9RM@CDD?FFKQ5I7T*PS$9-2W^igyRySuj zWJoqqZEIySZc|uu3UNYJH$pRQMpkZEZZ%R%LP9T3X-H{dGjBpKQE)MCZ7^9&b7N3( zIW#y?k?|LQc}ZnqLuzzJOmjhTV@Fw2Y-VLcdN^TodQ4eFQ#e{UWp874Zb>m?Wiw|A zL~&_KVR=$-bZ%-idTB;BN>@u&I74H3QBF5(Hgzy_NNPEFa5q|3RWol2Ej}PkEoX9N zVRL05d^IdqZXjcJW?EY$Y)K$MK22;OeL8*$S5`59Y;1B&QcX%hW-C-RO>T5_Z7_LA zHC9tcVM$1ML2xxjRabU*ZBt}wa$z_%FimG}Hc@v*Fg1EdNO(z9MG9tYW@alzXmDzA zT6kwsN)S2wPOs?!EUSt{D*f=y$ z%4zU%w{vpIepdwS0S|;9@+VF!W9cA{vWST;b*|%|z8mk-&xpx{llll<420S8$1$4z z{Pv3p{k1Y;wsI+FN3(D*WP!?E#rj;+{rs&DN?CAV6$wUzy3&VcI^gGi=)%@uv^efIGjoGppMt}5rEQdGm;l(Wve1liNfxBwplUHJag!?Zo;tUC Q9RI2?BhLghdE-8#h-IcT?f?J) diff --git a/cluster/services/websites/default.nix b/cluster/services/websites/default.nix new file mode 100644 index 0000000..0299463 --- /dev/null +++ b/cluster/services/websites/default.nix 
@@ -0,0 +1,16 @@
+{ config, ... }:
+
+let
+ inherit (config.vars) hosts;
+
+in
+{
+ services.websites = {
+ nodes = {
+ host = [ "VEGAS" "prophet" ];
+ };
+ nixos = {
+ host = ./host.nix;
+ };
+ };
+}
diff --git a/cluster/services/websites/host.nix b/cluster/services/websites/host.nix
new file mode 100644
index 0000000..fd30e7b
--- /dev/null
+++ b/cluster/services/websites/host.nix
@@ -0,0 +1,23 @@
+{ config, inputs, lib, pkgs, tools, ... }:
+
+let
+ importWebsites = expr: import expr {
+ tools = tools.nginx;
+ packages = inputs.self.packages.${pkgs.system};
+ };
+
+ websites = tools.nginx.mappers.mapSubdomains (importWebsites ./websites.nix);
+
+ acmeUseDNS = name: conf: {
+ name = conf.useACMEHost or conf.serverName or name;
+ value = {
+ dnsProvider = "pdns";
+ webroot = null;
+ };
+ };
+
+ isACME = _: conf: conf ? enableACME && conf.enableACME;
+in {
+ services.nginx.virtualHosts = websites;
+ security.acme.certs = lib.mapAttrs' acmeUseDNS (lib.filterAttrs isACME websites);
+}
diff --git a/cluster/services/websites/websites.nix b/cluster/services/websites/websites.nix
new file mode 100644
index 0000000..3db0c3a
--- /dev/null
+++ b/cluster/services/websites/websites.nix
@@ -0,0 +1,17 @@
+{ packages, tools }:
+with tools.vhosts;
+let inherit (tools) domain; in
+{
+ # websites
+ www = static packages.landing.webroot // { default = true; };
+
+ # PSA sites
+ stop-using-nix-env = static packages.stop-using-nix-env.webroot;
+
+ whoami.locations = { # no tls
+ "/".return = ''200 "$remote_addr\n"'';
+ "/online".return = ''200 "CONNECTED_GLOBAL\n"'';
+ };
+
+ top-level = redirect "https://www.${domain}$request_uri" // { serverName = domain; };
+}
diff --git a/hosts/VEGAS/services/websites/websites.nix b/hosts/VEGAS/services/websites/websites.nix
index 16c084a..e4eda3c 100644
--- a/hosts/VEGAS/services/websites/websites.nix
+++ b/hosts/VEGAS/services/websites/websites.nix
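Review bot: `inherit (config.vars) hosts;` in default.nix is never referenced — `nodes.host` is a literal list — so the whole `let … in` is dead weight and `config` is only taken as a module argument to feed it. Either collapse the module to `{ services.websites = { … }; }`, or if the binding is a placeholder for deriving the host list from `config.vars.hosts` later, say so with `# TODO: derive nodes.host from hosts instead of hard-coding`.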
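Review bot: `acmeUseDNS` in host.nix forces every ACME vhost onto `dnsProvider = "pdns"` with `webroot = null` without saying why, and it names no `credentialsFile`, so these certs only issue if the pdns credentials come from a default set outside this diff (presumably acme-client/client.nix). I'd document both on the `value` attrset: `# DNS-01 via the PowerDNS API: these vhosts are served from several nodes, so an HTTP-01 webroot would only validate on whichever node the CA reaches; credentials are supplied by the acme-client service` — the multi-node rationale is my inference from `nodes.host` in default.nix, please confirm. Separately, the `conf.useACMEHost or` fallback in the cert name looks unreachable after `filterAttrs isACME`, since (if I recall correctly) the nginx module asserts that `enableACME` and `useACMEHost` are mutually exclusive; `name = conf.serverName or name;` would state the intent more plainly.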
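Review bot: The `# no tls` comment on the `whoami` vhost records the what but not the why, and now that this file is deployed to every `host` node a later maintainer cannot tell whether plain HTTP is deliberate (an IP/connectivity probe that has to keep working before certificates or the clock are valid — my guess, not established here) or an omission; I'd expand it to `# plain HTTP on purpose: IP/connectivity probe, must not depend on certs — confirm`. Separately, `return 200 "..."` is served with nginx's `default_type`, so depending on what `tools.vhosts` sets the body may come back as `application/octet-stream`; if scripts or browsers read `/` and `/online`, adding `extraConfig = "default_type text/plain;";` to that vhost pins it. `mapSubdomains` and `tools.vhosts` are outside this diff, so I cannot see what defaults they already apply.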
@@ -6,18 +6,7 @@ let inherit (tools) domain; in
 ktp = static "/srv/storage/www/soda/ktp";
 legacy = static "/srv/storage/www/legacy";
 soda = static "/srv/storage/www/soda";
 # TODO: add back custom error pages, wttr.in cache
- www = static packages.landing.webroot // { default = true; };
-
- # PSA sites
- stop-using-nix-env = static packages.stop-using-nix-env.webroot;
 # content delivery
 autoconfig = static "/srv/storage/www/autoconfig";
-
- "whoami".locations = { # no tls
- "/".return = ''200 "$remote_addr\n"'';
- "/online".return = ''200 "CONNECTED_GLOBAL\n"'';
- };
-
- top-level = redirect "https://www.${domain}$request_uri" // { serverName = domain; };
 }
diff --git a/secrets.nix b/secrets.nix
index 726c65c..268f16c 100644
--- a/secrets.nix
+++ b/secrets.nix
@@ -7,7 +7,7 @@ in with hosts;
 "cluster/services/dns/pdns-admin-oidc-secrets.age".publicKeys = max ++ map systemKeys [ VEGAS ];
 "cluster/services/dns/pdns-admin-salt.age".publicKeys = max ++ map systemKeys [ VEGAS ];
 "cluster/services/dns/pdns-admin-secret.age".publicKeys = max ++ map systemKeys [ VEGAS ];
- "cluster/services/dns/pdns-api-key.age".publicKeys = max ++ map systemKeys [ VEGAS ];
+ "cluster/services/dns/pdns-api-key.age".publicKeys = max ++ map systemKeys [ VEGAS prophet ];
 "cluster/services/dns/pdns-db-credentials.age".publicKeys = max ++ map systemKeys [ VEGAS prophet ];
 "cluster/services/patroni/passwords/replication.age".publicKeys = max ++ map systemKeys [ VEGAS prophet ];
 "cluster/services/patroni/passwords/rewind.age".publicKeys = max ++ map systemKeys [ VEGAS prophet ];
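Review bot: Adding `prophet` to the recipients of `pdns-api-key.age` hands a second host a credential that, as far as the PowerDNS API goes, is a single global key with write access to every zone, so compromising the nginx/ACME host is now equivalent to taking over all DNS — this is presumably to let DNS-01 run on prophet (host.nix in this commit sets `dnsProvider = "pdns"`), but secrets.nix does not say so. I'd record the reason next to the line: `# shared with every acme-client node for DNS-01 challenges; this is a full-zone write key, keep the recipient list minimal`. If that blast radius matters, an RFC 2136/TSIG key restricted to the `_acme-challenge` names, or a delegated challenge zone, would let the web hosts validate without holding the global API key; that is an option to weigh, not something this change requires.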