cluster/services/nginx: move acme config

cluster/services/acme-client: move acme config, wait for authoritative DNS to work
cluster/services/ways: don't render empty upstream blocks
2024-08-12 02:53:15 +02:00 · 2024-08-12 02:53:15 +02:00 · 2024-08-12 02:53:15 +02:00 · 2024-08-12 02:53:15 +02:00
4 changed files with 47 additions and 8 deletions
--- a/cluster/services/acme-client/client.nix
+++ b/cluster/services/acme-client/client.nix
@ -32,7 +32,10 @@ in
    owner = "acme";
  };
  security.acme.acceptTerms = true;
  security.acme.maxConcurrentRenewals = 0;
  security.acme.defaults = {
    email = depot.lib.meta.adminEmail;
    extraLegoFlags = lib.flatten [
      (map (x: [ "--dns.resolvers" x ]) authoritativeServers)
      "--dns-timeout" "30"
@ -42,4 +45,38 @@ in
      EXEC_ENV_FILE=${config.age.secrets.acmeDnsApiKey.path}
    '';
  };
  systemd.services = lib.mapAttrs' (name: value: {
    name = "acme-${name}";
    value = {
      distributed.enable = value.dnsProvider != null;
      preStart = let
        serverList = lib.pipe authoritativeServers [
          (map (x: "@${x}"))
          (map (lib.replaceStrings [":53"] [""]))
          lib.escapeShellArgs
        ];
        domainList = lib.pipe ([ value.domain ] ++ value.extraDomainNames) [
          (map (x: "${x}."))
          (map (lib.replaceStrings ["*"] ["x"]))
          lib.unique
          lib.escapeShellArgs
        ];
      in ''
        echo Testing availability of authoritative DNS servers
        for i in {1..60}; do
          ${pkgs.dig}/bin/dig +short ${serverList} ${domainList} >/dev/null && break
          echo Retry [$i/60]
          sleep 10
        done
        echo Available
      '';
      serviceConfig = {
        Restart = "on-failure";
        RestartMaxDelaySec = 30;
        RestartStesp = 5;
        RestartMode = "direct";
      };
    };
  }) config.security.acme.certs;
 }
--- a/cluster/services/nginx/nginx.nix
+++ b/cluster/services/nginx/nginx.nix
@ -1,10 +1,6 @@
-{ config, depot, ... }:
+{ config, ... }:
-let
+{
  inherit (depot.lib.meta) adminEmail;
 in {
  security.acme.defaults.email = adminEmail;
  security.acme.acceptTerms = true;
  services.nginx = {
    enable = true;
    recommendedProxySettings = true;
--- a/cluster/services/ways/host.nix
+++ b/cluster/services/ways/host.nix
@ -69,11 +69,16 @@ in
        {
          source = let
            upstreams = lib.mapAttrsToList (_: cfg: ''
              {{ if ne (len (service "${cfg.consulService}~_agent")) 0 }}
              # ${cfg.consulService}
              upstream ${cfg.nginxUpstreamName} {
                {{ range $i, $e := service "${cfg.consulService}~_agent" -}}
                server {{ .Address }}:{{ .Port }}{{ if ne $i 0 }} backup{{ end }};
-                {{end}}
+                {{ end }}
              }
              {{ else }}
              # upstream ${cfg.nginxUpstreamName} (${cfg.consulService}): no servers available
              {{ end }}
            '') consulServiceWays;
          in pkgs.writeText "ways-upstreams.ctmpl" (lib.concatStringsSep "\n" (lib.unique upstreams));
          destination = "/run/consul-template/nginx-ways-upstreams.conf";
--- a/lib/nginx.nix
+++ b/lib/nginx.nix
@ -36,7 +36,8 @@
        proxyGhost = scheme: target: basic // {
          locations."/".extraConfig = ''
-            proxy_pass ${scheme}://${target};
+            set $nix_proxy_ghost_target "${scheme}://${target}";
            proxy_pass $nix_proxy_ghost_target;
            proxy_set_header Host ${target};
            proxy_set_header Referer ${scheme}://${target};
            proxy_cookie_domain ${target} domain.invalid;
Author	SHA1	Message	Date
Max	df14a9a513	cluster/services/nginx: move acme config	2024-08-12 02:53:15 +02:00
Max	d59abfb678	cluster/services/acme-client: move acme config, wait for authoritative DNS to work	2024-08-12 02:53:15 +02:00
Max	a285c57d5b	cluster/services/ways: don't render empty upstream blocks	2024-08-12 02:53:15 +02:00
Max	415fd7f076	lib/nginx: use dynamic proxy targets in proxyGhost	2024-08-12 02:53:15 +02:00