cluster/services/websites: init

cluster/services/acme-client/default.nix

@@ -1,6 +1,6 @@
 {
   services.acme-client = {
-    nodes.client = [ "VEGAS" ];
+    nodes.client = [ "VEGAS" "prophet" ];
     nixos.client = ./client.nix;
   };
 }

cluster/services/websites/default.nix

@@ -0,0 +1,16 @@
+{ config, ... }:
+
+let
+  inherit (config.vars) hosts;
+
+in
+{
+  services.websites = {
+    nodes = {
+      host = [ "VEGAS" "prophet" ];
+    };
+    nixos = {
+      host = ./host.nix;
+    };
+  };
+}

cluster/services/websites/host.nix

@@ -0,0 +1,23 @@
+{ config, inputs, lib, pkgs, tools, ... }:
+
+let
+  importWebsites = expr: import expr {
+    tools = tools.nginx;
+    packages = inputs.self.packages.${pkgs.system};
+  };
+
+  websites = tools.nginx.mappers.mapSubdomains (importWebsites ./websites.nix);
+
+  acmeUseDNS = name: conf: {
+    name = conf.useACMEHost or conf.serverName or name;
+    value = {
+      dnsProvider = "pdns";
+      webroot = null;
+    };
+  };
+
+  isACME = _: conf: conf ? enableACME && conf.enableACME;
+in {
+  services.nginx.virtualHosts = websites;
+  security.acme.certs = lib.mapAttrs' acmeUseDNS (lib.filterAttrs isACME websites);
+}

cluster/services/websites/websites.nix

@@ -0,0 +1,17 @@
+{ packages, tools }:
+with tools.vhosts;
+let inherit (tools) domain; in
+{
+  # websites
+  www = static packages.landing.webroot // { default = true; };
+
+  # PSA sites
+  stop-using-nix-env = static packages.stop-using-nix-env.webroot;
+
+  whoami.locations = { # no tls
+    "/".return = ''200 "$remote_addr\n"'';
+    "/online".return = ''200 "CONNECTED_GLOBAL\n"'';
+  };
+
+  top-level = redirect "https://www.${domain}$request_uri" // { serverName = domain; };
+}

hosts/VEGAS/services/websites/websites.nix

@@ -6,18 +6,7 @@ let inherit (tools) domain; in
   ktp    = static "/srv/storage/www/soda/ktp";
   legacy = static "/srv/storage/www/legacy";
   soda   = static "/srv/storage/www/soda"; # TODO: add back custom error pages, wttr.in cache
-  www    = static packages.landing.webroot // { default = true; };
-
-  # PSA sites
-  stop-using-nix-env = static packages.stop-using-nix-env.webroot;
 
   # content delivery
   autoconfig = static "/srv/storage/www/autoconfig";
-
-  "whoami".locations = { # no tls
-    "/".return = ''200 "$remote_addr\n"'';
-    "/online".return = ''200 "CONNECTED_GLOBAL\n"'';
-  };
-
-  top-level = redirect "https://www.${domain}$request_uri" // { serverName = domain; };
 }

secrets.nix

@@ -7,7 +7,7 @@ in with hosts;
   "cluster/services/dns/pdns-admin-oidc-secrets.age".publicKeys = max ++ map systemKeys [ VEGAS ];
   "cluster/services/dns/pdns-admin-salt.age".publicKeys = max ++ map systemKeys [ VEGAS ];
   "cluster/services/dns/pdns-admin-secret.age".publicKeys = max ++ map systemKeys [ VEGAS ];
-  "cluster/services/dns/pdns-api-key.age".publicKeys = max ++ map systemKeys [ VEGAS ];
+  "cluster/services/dns/pdns-api-key.age".publicKeys = max ++ map systemKeys [ VEGAS prophet ];
   "cluster/services/dns/pdns-db-credentials.age".publicKeys = max ++ map systemKeys [ VEGAS prophet ];
   "cluster/services/patroni/passwords/replication.age".publicKeys = max ++ map systemKeys [ VEGAS prophet ];
   "cluster/services/patroni/passwords/rewind.age".publicKeys = max ++ map systemKeys [ VEGAS prophet ];