Luj/snowfield
1
0
Fork 0
mirror of https://github.com/JulienMalka/snowfield.git synced 2025-03-23 20:30:52 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

feat(dns,nginx): add some weird magic

Browse source
This commit is contained in:
Julien Malka 2024-10-26 04:09:35 +02:00
parent ab03b23b45
commit 714a279fc2
Signed by: Luj
GPG key ID: 6FC74C847011FD83
8 changed files with 127 additions and 72 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
lib/default.nix
View file

@ -36,17 +36,11 @@ rec {
mkVPNSubdomain = name: port: {
luj.nginx.enable = true;
security.acme.certs."${name}.luj".server = "https://ca.luj/acme/acme/directory";
services.nginx.virtualHosts."${name}.luj" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://localhost:${toString port}";
extraConfig = ''
allow 100.100.45.0/24;
allow fd7a:115c:a1e0::/48;
deny all;
'';
};
};
};

10
lib/dns.nix
View file

@ -4,6 +4,16 @@ with lib;
rec {
allowedDomains = [
"luj.fr"
"julienmalka.me"
"malka.family"
"luj"
"malka.sh"
];
isVPNDomain = hasSuffix "luj";
hasSuffix' = flip strings.hasSuffix;
domainToZone = allowedDomains: domain: (findFirst (hasSuffix' domain) null allowedDomains);

34
modules/dns/default.nix
View file

@ -1,20 +1,9 @@
{
lib,
config,
dnsLib,
...
}:
let
cfg = config.machine.meta;
allowedDomains = [
"luj.fr"
"julienmalka.me"
"malka.family"
"luj"
"malka.sh"
];
isVPNDomain = domain: lib.dns.domainToZone [ "luj" ] domain != null;
SOA = {
nameServer = "ns";
adminEmail = "dns@malka.sh";
@ -57,27 +46,4 @@ with lib;
};
};
config =
let
# list of domains that are defined in the current configuration through virtualHosts
domains = dns.domainsFromConfiguration allowedDomains config;
# AttrSet domain -> { records }
recordsPerDomain = map (
domain:
mapAttrs' (
n: v:
nameValuePair (dns.domainToZone allowedDomains n) (
let
subdomain = dns.getDomainPrefix allowedDomains n;
in
if elem subdomain allowedDomains then v else { subdomains."${subdomain}" = v; }
)
) (dns.domainToRecords domain cfg (isVPNDomain domain))
) domains;
in
{
machine.meta.zones = mkMerge recordsPerDomain;
};
}

30
modules/homepage/default.nix
View file

@ -1,4 +1,9 @@
{ lib, inputs, config, ... }:
{
lib,
inputs,
config,
...
}:
with lib;
let
cfg = config.luj.homepage;
@ -8,21 +13,12 @@ in
enable = mkEnableOption "enable homepage";
};
config = mkIf cfg.enable
{
luj.nginx.enable = true;
services.nginx.virtualHosts."julienmalka.me" = {
enableACME = true;
forceSSL = true;
root = inputs.homepage;
};
services.nginx.virtualHosts."www.julienmalka.me" = {
enableACME = true;
forceSSL = true;
root = inputs.homepage;
};
config = mkIf cfg.enable {
luj.nginx.enable = true;
services.nginx.virtualHosts."julienmalka.me" = {
enableACME = true;
forceSSL = true;
root = inputs.homepage;
};
};
}

117
modules/nginx/default.nix
View file

@ -1,15 +1,74 @@
{ lib, config, ... }:
systemArgs@{ lib, config, ... }:
with lib;
let
cfg = config.luj.nginx;
mergeSub =
f:
lib.mkMerge (
map (sub: f (sub.systemConfig systemArgs)) (lib.attrValues config.services.nginx.virtualHosts)
);
recordsFromDomain =
domain:
mapAttrs' (
n: v:
nameValuePair (dns.domainToZone dns.allowedDomains n) (
let
subdomain = dns.getDomainPrefix dns.allowedDomains n;
in
if elem subdomain dns.allowedDomains then v else { subdomains."${subdomain}" = v; }
)
) (dns.domainToRecords domain config.machine.meta (dns.isVPNDomain domain));
in
{
options.luj.nginx = {
enable = mkEnableOption "activate nginx service";
email = mkOption {
type = types.str;
default = "julien@malka.sh";
options = {
luj.nginx = {
enable = mkEnableOption "activate nginx service";
email = mkOption {
type = types.str;
default = "julien@malka.sh";
};
};
# Awesome NixOS crimes
services.nginx.virtualHosts = lib.mkOption {
type = lib.types.attrsOf (
lib.types.submodule (
{
name,
...
}:
{
options = {
systemConfig = lib.mkOption {
internal = true;
type = types.unspecified; # A function from module arguments to config.
};
};
config = {
locations."/".extraConfig = lib.mkIf (lib.hasSuffix "luj" name) ''
allow 100.100.45.0/24;
allow fd7a:115c:a1e0::/48;
deny all;
'';
extraConfig = ''
ssl_stapling off;
'';
systemConfig = _: {
security.acme.certs = lib.optionalAttrs (hasSuffix "luj" name) {
"${name}".server = lib.mkIf (hasSuffix "luj" name) "https://ca.luj/acme/acme/directory";
};
machine.meta.zones = lib.optionalAttrs (name != "default") (recordsFromDomain name);
};
};
}
)
);
};
};
@ -19,8 +78,7 @@ in
80
443
];
security.acme.defaults.email = "${cfg.email}";
security.acme.acceptTerms = true;
users.groups.nginx = {
name = "nginx";
};
@ -35,16 +93,45 @@ in
commonHttpConfig = ''
server_names_hash_bucket_size 128;
'';
};
services.nginx.virtualHosts."404.julienmalka.me" = {
default = true;
locations."/" = {
root = "${./404}";
virtualHosts.default = {
default = true;
addSSL = true;
enableACME = false;
sslCertificate = "/var/lib/acme/default/cert.pem";
sslCertificateKey = "/var/lib/acme/default/key.pem";
extraConfig = ''
return 444;
'';
};
};
machine.meta.zones."julienmalka.me".subdomains."404" = lib.mkForce { };
security.acme.certs = mergeSub (c: c.security.acme.certs);
security.acme.defaults.email = "${cfg.email}";
security.acme.acceptTerms = true;
age.secrets.nginx-cert = {
file = ../../secrets/404-ssl-certificate-cert.age;
path = "/var/lib/acme/default/cert.pem";
owner = "acme";
group = "nginx";
mode = "0640";
symlink = false;
};
age.secrets.nginx-key = {
file = ../../secrets/404-ssl-certificate-key.age;
path = "/var/lib/acme/default/key.pem";
owner = "acme";
group = "nginx";
mode = "0640";
symlink = false;
};
systemd.tmpfiles.rules = [
"d /var/lib/acme/default 0750 acme nginx - -"
];
machine = mergeSub (c: c.machine);
};
}

BIN
secrets/404-ssl-certificate-cert.age Normal file
View file

Binary file not shown.

BIN
secrets/404-ssl-certificate-key.age Normal file
View file

Binary file not shown.

2
secrets/secrets.nix
View file

@ -94,4 +94,6 @@ in
gustave
tower
];
"404-ssl-certificate-cert.age".publicKeys = all;
"404-ssl-certificate-key.age".publicKeys = all;
}