cluster/services/websites: init

2022-08-09 20:10:25 +02:00 · 2022-08-09 20:10:25 +02:00 · 175d3c8b13
commit 175d3c8b13
parent 3e1041ed85
7 changed files with 58 additions and 13 deletions
--- a/cluster/services/acme-client/default.nix
+++ b/cluster/services/acme-client/default.nix
@ -1,6 +1,6 @@
 {
  services.acme-client = {
-    nodes.client = [ "VEGAS" ];
+    nodes.client = [ "VEGAS" "prophet" ];
    nixos.client = ./client.nix;
  };
 }
--- a/cluster/services/dns/pdns-api-key.age
+++ b/cluster/services/dns/pdns-api-key.age
--- a/cluster/services/websites/default.nix
+++ b/cluster/services/websites/default.nix
@ -0,0 +1,16 @@
+{ config, ... }:
+
+let
+  inherit (config.vars) hosts;
+
+in
+{
+  services.websites = {
+    nodes = {
+      host = [ "VEGAS" "prophet" ];
+    };
+    nixos = {
+      host = ./host.nix;
+    };
+  };
+}
--- a/cluster/services/websites/host.nix
+++ b/cluster/services/websites/host.nix
@ -0,0 +1,23 @@
+{ config, inputs, lib, pkgs, tools, ... }:
+
+let
+  importWebsites = expr: import expr {
+    tools = tools.nginx;
+    packages = inputs.self.packages.${pkgs.system};
+  };
+
+  websites = tools.nginx.mappers.mapSubdomains (importWebsites ./websites.nix);
+
+  acmeUseDNS = name: conf: {
+    name = conf.useACMEHost or conf.serverName or name;
+    value = {
+      dnsProvider = "pdns";
+      webroot = null;
+    };
+  };
+
+  isACME = _: conf: conf ? enableACME && conf.enableACME;
+in {
+  services.nginx.virtualHosts = websites;
+  security.acme.certs = lib.mapAttrs' acmeUseDNS (lib.filterAttrs isACME websites);
+}
--- a/cluster/services/websites/websites.nix
+++ b/cluster/services/websites/websites.nix
@ -0,0 +1,17 @@
+{ packages, tools }:
+with tools.vhosts;
+let inherit (tools) domain; in
+{
+  # websites
+  www = static packages.landing.webroot // { default = true; };
+
+  # PSA sites
+  stop-using-nix-env = static packages.stop-using-nix-env.webroot;
+
+  whoami.locations = { # no tls
+    "/".return = ''200 "$remote_addr\n"'';
+    "/online".return = ''200 "CONNECTED_GLOBAL\n"'';
+  };
+
+  top-level = redirect "https://www.${domain}$request_uri" // { serverName = domain; };
+}
--- a/hosts/VEGAS/services/websites/websites.nix
+++ b/hosts/VEGAS/services/websites/websites.nix
@ -6,18 +6,7 @@ let inherit (tools) domain; in
  ktp    = static "/srv/storage/www/soda/ktp";
  legacy = static "/srv/storage/www/legacy";
  soda   = static "/srv/storage/www/soda"; # TODO: add back custom error pages, wttr.in cache
-  www    = static packages.landing.webroot // { default = true; };
-
-  # PSA sites
-  stop-using-nix-env = static packages.stop-using-nix-env.webroot;

  # content delivery
  autoconfig = static "/srv/storage/www/autoconfig";
-
-  "whoami".locations = { # no tls
-    "/".return = ''200 "$remote_addr\n"'';
-    "/online".return = ''200 "CONNECTED_GLOBAL\n"'';
-  };
-
-  top-level = redirect "https://www.${domain}$request_uri" // { serverName = domain; };
 }
--- a/secrets.nix
+++ b/secrets.nix
@ -7,7 +7,7 @@ in with hosts;
  "cluster/services/dns/pdns-admin-oidc-secrets.age".publicKeys = max ++ map systemKeys [ VEGAS ];
  "cluster/services/dns/pdns-admin-salt.age".publicKeys = max ++ map systemKeys [ VEGAS ];
  "cluster/services/dns/pdns-admin-secret.age".publicKeys = max ++ map systemKeys [ VEGAS ];
-  "cluster/services/dns/pdns-api-key.age".publicKeys = max ++ map systemKeys [ VEGAS ];
+  "cluster/services/dns/pdns-api-key.age".publicKeys = max ++ map systemKeys [ VEGAS prophet ];
  "cluster/services/dns/pdns-db-credentials.age".publicKeys = max ++ map systemKeys [ VEGAS prophet ];
  "cluster/services/patroni/passwords/replication.age".publicKeys = max ++ map systemKeys [ VEGAS prophet ];
  "cluster/services/patroni/passwords/rewind.age".publicKeys = max ++ map systemKeys [ VEGAS prophet ];