-rw-r--r-- | modules/server/ftp/default.nix | 4 | ||||
-rw-r--r-- | modules/server/irc/znc/default.nix | 4 | ||||
-rw-r--r-- | modules/server/spectrum/acme/default.nix | 7 | ||||
-rw-r--r-- | modules/server/spectrum/default.nix | 2 | ||||
-rw-r--r-- | modules/server/spectrum/nginx/default.nix | 4 | ||||
-rw-r--r-- | modules/server/xmpp/default.nix | 2 | ||||
-rw-r--r-- | sys/atuin.nix | 349 |
7 files changed, 178 insertions, 194 deletions
diff --git a/modules/server/ftp/default.nix b/modules/server/ftp/default.nix
index 78f7c794ce1f..a0e32294aeb7 100644
--- a/modules/server/ftp/default.nix
+++ b/modules/server/ftp/default.nix
@@ -29,7 +29,7 @@ in
 config = {
 services.nginx.virtualHosts."ftp.qyliss.net" = {
 forceSSL = true;
- enableACME = true;
+ useACMEHost = "qyliss.net";
 root = pkgs.runCommandNoCC "ftp.qyliss.net" {} ''
 mkdir $out
@@ -43,5 +43,7 @@ in
 autoindex on;
 '';
 };
+
+ security.acme.certs."qyliss.net".extraDomainNames = [ "ftp.qyliss.net" ];
 };
 }
diff --git a/modules/server/irc/znc/default.nix b/modules/server/irc/znc/default.nix
index 056419ae492b..559b59e657c2 100644
--- a/modules/server/irc/znc/default.nix
+++ b/modules/server/irc/znc/default.nix
@@ -7,7 +7,7 @@
 services.nginx.virtualHosts."znc.${config.networking.domain}" = {
 forceSSL = true;
- enableACME = true;
+ useACMEHost = "qyliss.net";
 locations = {
 "/" = {
@@ -27,5 +27,7 @@
 }
 '';
+ security.acme.certs."qyliss.net".extraDomainNames = [ "znc.qyliss.net" ];
+
 networking.firewall.allowedTCPPorts = [ 6697 ];
 }
diff --git a/modules/server/spectrum/acme/default.nix b/modules/server/spectrum/acme/default.nix
new file mode 100644
index 000000000000..6a60f52d2456
--- /dev/null
+++ b/modules/server/spectrum/acme/default.nix
@@ -0,0 +1,7 @@
+{ ... }:
+
+{
+ security.acme.certs."spectrum-os.org" = {
+ webroot = "/var/lib/acme/acme-challenge";
+ };
+}
diff --git a/modules/server/spectrum/default.nix b/modules/server/spectrum/default.nix
index d8f096c2d820..c18355a4946a 100644
--- a/modules/server/spectrum/default.nix
+++ b/modules/server/spectrum/default.nix
@@ -1,5 +1,5 @@
 { ... }:
 {
- imports = [ ./cgit ./git-http-backend ./nginx ./public-inbox ];
+ imports = [ ./acme ./cgit ./git-http-backend ./nginx ./public-inbox ];
 }
diff --git a/modules/server/spectrum/nginx/default.nix b/modules/server/spectrum/nginx/default.nix
index f4fca7ca1676..5067595698c5 100644
--- a/modules/server/spectrum/nginx/default.nix
+++ b/modules/server/spectrum/nginx/default.nix
@@ -17,7 +17,7 @@ in
 serverName = head redirectDomains;
 serverAliases = tail redirectDomains;
 addSSL = true;
- enableACME = true;
+ useACMEHost = "spectrum-os.org";
 globalRedirect = "spectrum-os.org";
 };
@@ -26,6 +26,8 @@ in
 alias = ./robots.txt;
 };
+ security.acme.certs."spectrum-os.org".extraDomainNames = redirectDomains;
+
 # The Spectrum website lives in /home/spectrum/www
 systemd.services.nginx.serviceConfig.ProtectHome = false;
 }
diff --git a/modules/server/xmpp/default.nix b/modules/server/xmpp/default.nix
index f1540e0c569f..3771872741aa 100644
--- a/modules/server/xmpp/default.nix
+++ b/modules/server/xmpp/default.nix
@@ -23,5 +23,5 @@
 ssl.cert = "/var/lib/acme/qyliss.net/fullchain.pem";
 };
- users.users.prosody.extraGroups = [ "tls" ];
+ users.users.prosody.extraGroups = [ "acme" ];
 }
diff --git a/sys/atuin.nix b/sys/atuin.nix
index 587d70627228..d34b2958616e 100644
--- a/sys/atuin.nix
+++ b/sys/atuin.nix
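Review bot: The certificate name and SAN added here are hard-coded to qyliss.net while the vhost in the earlier hunk of this file is named `znc.${config.networking.domain}`, so on a host whose `networking.domain` is anything else nginx would serve znc.<domain> with a certificate that does not cover it, and the ACME order would never include that name. Derive all three from one value, e.g. `useACMEHost = config.networking.domain;` and `security.acme.certs.${config.networking.domain}.extraDomainNames = [ "znc.${config.networking.domain}" ];`, or hard-code the vhost name to match. The attribute set these lines live in starts before the hunk.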
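Review bot: This new module declares the spectrum-os.org certificate but says nothing about who may read it; the ../nginx vhosts that now set `useACMEHost = "spectrum-os.org"` depend on `users.groups.acme.members = [ "nginx" ]`, which this commit places in sys/atuin.nix rather than here, so importing modules/server/spectrum on another host would produce a certificate nginx cannot open (unless the nginx module grants that group membership for useACMEHost vhosts itself, which I cannot confirm from this diff). Adding `users.users.nginx.extraGroups = [ "acme" ];` beside the cert, or at least a comment such as `# readers of this cert must be in the acme group; see sys/atuin.nix`, would make the module self-contained.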
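Review bot: `extraDomainNames = redirectDomains` makes every alias a SAN on the spectrum-os.org certificate, but those names are then validated only through the redirect vhost of the earlier hunk, which answers everything with `globalRedirect = "spectrum-os.org"`; whether the `/.well-known/acme-challenge/` location still wins over that redirect depends on how the nginx module orders the two, so the first renewal after this change should be watched rather than assumed to work. `redirectDomains` is bound in a `let` above the hunk, so the full list is not visible here. A comment recording the coupling would help: `# Every redirect name must be a SAN on the spectrum-os.org cert, or useACMEHost above serves a mismatched certificate for it.`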
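Review bot: Prosody loads `/var/lib/acme/qyliss.net/fullchain.pem` straight from disk (the context line above), so the `acme` group only grants it read access; nothing in this commit reloads prosody when the certificate is renewed, and the `postRun = "systemctl reload nginx.service"` default that the removed sys/atuin.nix code attached to every cert only ever covered nginx. Consider `security.acme.certs."qyliss.net".postRun = "systemctl reload prosody.service";` next to this line (or `reloadServices = [ "prosody.service" ]` if the acme module in use has that option) so a renewed key pair is picked up before the old one expires. The group rename itself matches the `users.groups.acme.members` change in sys/atuin.nix.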
@@ -1,5 +1,125 @@
 { config, pkgs, lib, ... }:
+let
+ publicInboxCss = pkgs.runCommand "216light.css" {} ''
+ unpackFile ${pkgs.public-inbox.src}
+ cp */contrib/css/216light.css $out
+ '';
+
+ cgitCss = pkgs.runCommand "cgit-extra.css" {
+ licenseHeader = ''
+ /*
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License v2 as published
+ * by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * See <https://www.gnu.org/licenses/>.
+ */
+
+ '';
+
+ # Adapted from
+ # <https://git.causal.agency/src/plain/www/git.causal.agency/custom.css>,
+ # distributed as a Larger Work under a Secondary License,
+ # as permitted by the terms of the
+ # Mozilla Public License Version 2.0.
+ extraCss = ''
+ * { line-height: 1.25em; }
+
+ article {
+ font-family: sans-serif;
+ max-width: 70ch;
+ margin-left: auto;
+ margin-right: auto;
+ }
+
+ div#cgit {
+ margin: auto;
+ font-family: monospace;
+ -moz-tab-size: 4;
+ tab-size: 4;
+ display: table;
+ }
+
+ div#cgit table#header {
+ margin-left: auto;
+ margin-right: auto;
+ }
+ div#cgit table#header td.logo {
+ display: none;
+ }
+ div#cgit table#header td.main {
+ font-size: 1em;
+ font-weight: bold;
+ }
+ div#cgit table#header td.sub {
+ border-top: none;
+ }
+ div#cgit table.tabs {
+ margin-left: auto;
+ margin-right: auto;
+ border-bottom: none;
+ }
+ div#cgit div.content {
+ border-bottom: none;
+ min-width: 108ch;
+ }
+ div#cgit div.content div#summary {
+ display: table;
+ margin-left: auto;
+ margin-right: auto;
+ }
+ div#cgit div.notes {
+ border: none;
+ background: transparent;
+ padding: 0;
+ }
+ div#cgit table.list {
+ margin-left: auto;
+ margin-right: auto;
+ }
+ div#cgit table.list th a {
+ color: inherit;
+ }
+
div#cgit table.list tr:nth-child(even) {
+ background: inherit;
+ }
+ div#cgit table.list tr:hover {
+ background: inherit;
+ }
+ div#cgit table.list tr.nohover-highlight:hover:nth-child(even) {
+ background: inherit;
+ }
+ div#cgit table.list td:last-child {
+ width: 0;
+ }
+ div#cgit div.footer {
+ font-size: 1em;
+ margin-top: 0;
+ }
+
+ div#cgit table.blob td.linenumbers:nth-last-child(3) {
+ display: none;
+ }
+
+ div#cgit table.blob td.linenumbers a:target {
+ color: goldenrod;
+ text-decoration: underline;
+ outline: none;
+ }
+ '';
+ passAsFile = [ "licenseHeader" "extraCss" ];
+ } ''
+ cat $licenseHeaderPath ${pkgs.cgit}/cgit/cgit.css $extraCssPath > $out
+ '';
+
+in
+
 {
 imports = [
 ../modules/server
@@ -91,42 +211,12 @@
 };
 };
- security.acme.certs =
- with lib;
- let
- coalesce = maybe: default: if maybe == null then default else maybe;
-
- toAttrs = val: if isList val then genAttrs val (_: null) else val;
-
- vhostDomains = mapAttrsToList
- (name: { serverName, ... }: coalesce serverName name)
- config.services.nginx.virtualHosts;
-
- domains = {
- "qyliss.net" = {};
- "spectrum-os.org" = { extraDomains = [ "spectrum-os.com" "spectrumos.org" ]; };
- };
- in
- mapAttrs (
- domain:
- { postRun ? "systemctl reload nginx.service"
- , webroot ? "/var/lib/acme/acme-challenge"
- , group ? "tls"
- , extraDomains ? {}
- , ...
- } @ value:
-
- let
- extraDomainsFromVhosts =
- toAttrs (filter (hasSuffix ".${domain}") vhostDomains);
- in
- value // {
- inherit postRun webroot group;
- extraDomains = extraDomainsFromVhosts // (toAttrs extraDomains);
- }
- ) domains;
-
- users.groups.tls.members = [ "nginx" ];
+ security.acme.certs."qyliss.net" = {
+ webroot = "/var/lib/acme/acme-challenge";
+ extraDomainNames = [ "git.qyliss.net" ];
+ };
+
+ users.groups.acme.members = [ "nginx" ];
 users.users.qyliss.home = "/home/qyliss";
 services.cgit.instances.qyliss = {
 vhost = "git.qyliss.net";
@@ -158,159 +248,40 @@
 projectRoot = "/home/qyliss/git";
 };
- services.nginx.virtualHosts =
- let
- vhosts = {
- "spectrum-os.org".locations = {
- "/".root = "/home/spectrum/www";
-
- "= /git/cgit.css".alias = cgitCss.outPath;
-
- "= /lists/archives/public-inbox.css".alias = publicInboxCss.outPath;
-
- "/lists/archives".proxyPass = "http://unix:/run/public-inbox-httpd.sock:/lists/archives";
- "= /lists/archives".return = "301 /lists/archives/";
- };
-
- default = {
- serverName = null;
- default = true;
- enableACME = false;
- useACMEHost = "qyliss.net";
-
- locations."/".return = "https://alyssa.is/";
- locations."/dns-query".proxyPass = "http://[::1]:4448/";
- };
-
- "git.qyliss.net" = {
- locations = {
- "= /cgit.css".alias = cgitCss.outPath;
- };
- };
- };
-
- publicInboxCss = pkgs.runCommand "216light.css" {} ''
- unpackFile ${pkgs.public-inbox.src}
- cp */contrib/css/216light.css $out
- '';
-
- cgitCss = pkgs.runCommand "cgit-extra.css" {
- licenseHeader = ''
- /*
- * This program is free software: you can redistribute it and/or modify
- * it under the terms of the GNU General Public License v2 as published
- * by the Free Software Foundation.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * See <https://www.gnu.org/licenses/>.
- */
-
- '';
-
- # Adapted from
- # <https://git.causal.agency/src/plain/www/git.causal.agency/custom.css>,
- # distributed as a Larger Work under a Secondary License,
- # as permitted by the terms of the
- # Mozilla Public License Version 2.0.
- extraCss = ''
- * { line-height: 1.25em; }
-
- article {
- font-family: sans-serif;
- max-width: 70ch;
- margin-left: auto;
- margin-right: auto;
- }
-
- div#cgit {
- margin: auto;
- font-family: monospace;
- -moz-tab-size: 4;
- tab-size: 4;
- display: table;
- }
-
- div#cgit table#header {
- margin-left: auto;
- margin-right: auto;
- }
- div#cgit table#header td.logo {
- display: none;
- }
- div#cgit table#header td.main {
- font-size: 1em;
- font-weight: bold;
- }
- div#cgit table#header td.sub {
- border-top: none;
- }
- div#cgit table.tabs {
- margin-left: auto;
- margin-right: auto;
- border-bottom: none;
- }
- div#cgit div.content {
- border-bottom: none;
- min-width: 108ch;
- }
- div#cgit div.content div#summary {
- display: table;
- margin-left: auto;
- margin-right: auto;
- }
- div#cgit div.notes {
- border: none;
- background: transparent;
- padding: 0;
- }
- div#cgit table.list {
- margin-left: auto;
- margin-right: auto;
- }
- div#cgit table.list th a {
- color: inherit;
- }
- div#cgit table.list tr:nth-child(even) {
- background: inherit;
- }
- div#cgit table.list tr:hover {
- background: inherit;
- }
- div#cgit table.list tr.nohover-highlight:hover:nth-child(even) {
- background: inherit;
- }
- div#cgit table.list td:last-child {
- width: 0;
- }
- div#cgit div.footer {
- font-size: 1em;
- margin-top: 0;
- }
-
- div#cgit table.blob td.linenumbers:nth-last-child(3) {
- display: none;
- }
-
- div#cgit table.blob td.linenumbers a:target {
- color: goldenrod;
- text-decoration: underline;
- outline: none;
- }
- '';
- passAsFile = [ "licenseHeader" "extraCss" ];
- } ''
- cat $licenseHeaderPath ${pkgs.cgit}/cgit/cgit.css $extraCssPath > $out
- '';
- in
- lib.mapAttrs (
- _: { forceSSL ? true, enableACME ? true, ...
} @ args:
- args // { inherit forceSSL enableACME; }
- )
- vhosts;
+ services.nginx.virtualHosts."spectrum-os.org" = {
+ forceSSL = true;
+ useACMEHost = "spectrum-os.org";
+
+ locations = {
+ "/".root = "/home/spectrum/www";
+
+ "= /git/cgit.css".alias = cgitCss.outPath;
+
+ "= /lists/archives/public-inbox.css".alias = publicInboxCss.outPath;
+
+ "/lists/archives".proxyPass = "http://unix:/run/public-inbox-httpd.sock:/lists/archives";
+ "= /lists/archives".return = "301 /lists/archives/";
+ };
+ };
+
+ services.nginx.virtualHosts.default = {
+ serverName = null;
+ default = true;
+ forceSSL = true;
+ useACMEHost = "qyliss.net";
+
+ locations."/".return = "https://alyssa.is/";
+ locations."/dns-query".proxyPass = "http://[::1]:4448/";
+ };
+
+ services.nginx.virtualHosts."git.qyliss.net" = {
+ forceSSL = true;
+ useACMEHost = "qyliss.net";
+
+ locations = {
+ "= /cgit.css".alias = cgitCss.outPath;
+ };
+ };
 users.groups.spectrum.members = [ "qyliss" ];
 system.activationScripts.spectrum-home = lib.stringAfter [ "users" ] '' |
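Review bot: The removed `mapAttrs` derived the certificate's extra names from every nginx vhost whose name ended in `.qyliss.net` or `.spectrum-os.org`, so a vhost could not drift out of its certificate; the replacement relies on each module remembering to add itself to `extraDomainNames`, and a vhost that sets `useACMEHost = "qyliss.net"` without doing so evaluates fine and then serves a certificate that does not match its name. An assertion over `config.services.nginx.virtualHosts`, as sketched below, restores that guarantee at evaluation time; it checks the main name only, so `serverAliases` (used by the spectrum redirect vhost) would need the same treatment, and it assumes the cert submodule exposes `domain`, which defaults to the attribute name. The attribute set this hunk sits in starts and ends outside the hunk.
```nix
  # … unchanged: security.acme.certs."qyliss.net" = { … }; users.groups.acme.members …

  # Fail evaluation when a vhost points at a certificate that does not list its name;
  # the old mapAttrs over the vhosts gave this guarantee implicitly.
  assertions = lib.concatLists (lib.mapAttrsToList (name: vhost:
    let
      host = if vhost.serverName != null then vhost.serverName else name;
      cert = config.security.acme.certs.${vhost.useACMEHost};
    in lib.optional (vhost.useACMEHost != null && !vhost.default) {
      assertion = host == cert.domain || lib.elem host cert.extraDomainNames;
      message = "nginx vhost ${host} uses ACME certificate ${vhost.useACMEHost}, which does not cover it";
    }) config.services.nginx.virtualHosts);
```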
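Review bot: The catch-all vhost (`default = true`, `serverName = null`) proxies `/dns-query` to `[::1]:4448` with no comment on what listens there, and because it is the default server that endpoint answers under any name that resolves to this host, not only qyliss.net. Presumably a DNS-over-HTTPS resolver, but that is a guess; a one-line note such as `# DoH resolver on [::1]:4448; reachable under every Host name since this is the default vhost` would spare the next reader the same guess. The surrounding attribute set continues past the hunk.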