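# NixOS module for the clan.lol web host: ACME defaults, the `www` deploy
# user that receives site artifacts over SSH, and the nginx virtual hosts
# for clan.lol, docs.clan.lol and www.clan.lol.
{ config, lib, pkgs, self, ... }:

{
  # Contact address and terms-of-service acceptance for ACME certificates.
  security.acme.defaults.email = "admins@clan.lol";
  security.acme.acceptTerms = true;

  # www user to push website artifacts via ssh
  users.users.www = {
    # Every key authorized for root is also authorized for www, in addition to
    # the two deploy keys listed below.
    # NOTE(review): together with the bash login shell set below, each of
    # these keys (including the CI key) gets an unrestricted shell as www.
    # If the keys are only used for rsync deployments, consider prefixing the
    # deploy keys with authorized_keys options such as `restrict` and a forced
    # command (for example rsync's rrsync helper) so they can only write
    # below /var/www.
    openssh.authorizedKeys.keys =
      config.users.users.root.openssh.authorizedKeys.keys
      ++ [
        # ssh-homepage-key
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMxZ3Av30M6Sh6NU1mnCskB16bYtNP8vskc/+ud0AU1C ssh-homepage-key"
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBuYyfSuETSrwqCsWHeeClqjcsFlMEmiJN6Rr8/DwrU0 gitea-ci"
      ];
    isSystemUser = true;
    shell = "/run/current-system/sw/bin/bash";
    group = "www";
  };
  users.groups.www = { };

  # ensure /var/www can be accessed by nginx and www user
  # (directory owned by user www, group nginx, mode 0755: only www can write)
  systemd.tmpfiles.rules = [
    "d /var/www 0755 www nginx"
  ];

  services.nginx = {

    virtualHosts."clan.lol" = {
      forceSSL = true;
      enableACME = true;
      # to be deployed via rsync
      root = "/var/www/clan.lol";
      extraConfig = ''
        charset utf-8;
        source_charset utf-8;
      '';

      # CORS: the Origin request header is echoed back only after an exact
      # match against the allow-list below, and no
      # Access-Control-Allow-Credentials header is sent.
      # The `if ($cors = "true")` block used to appear twice with identical
      # content; one copy is kept, since the second added nothing.
      # NOTE(review): the three loopback origins are development origins that
      # are also accepted by this production host; drop them if they are no
      # longer needed.
      # NOTE(review): because the response depends on the Origin header,
      # shared caches should see `Vary: Origin`. Adding it needs care: an
      # add_header at location level is not inherited into an `if` block that
      # defines its own add_header directives, and it would also stop this
      # location from inheriting add_header directives set at outer levels.
      locations."/".extraConfig = ''
        set $cors "false";

        # Allow cross-origin requests from docs.clan.lol
        if ($http_origin = "https://docs.clan.lol") {
          set $cors "true";
        }

        # Allow cross-origin requests from localhost IPs with port 8000
        if ($http_origin = "http://localhost:8000") {
          set $cors "true";
        }

        if ($http_origin = "http://127.0.0.1:8000") {
          set $cors "true";
        }

        if ($http_origin = "http://[::1]:8000") {
          set $cors "true";
        }

        if ($cors = "true") {
          add_header 'Access-Control-Allow-Origin' "$http_origin" always;
          add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS' always;
          add_header 'Access-Control-Allow-Headers' 'Origin, X-Requested-With, Content-Type, Accept, Authorization' always;
        }
      '';

      # Permanent redirects of the former /docs and /blog trees to the docs
      # host.
      # NOTE(review): the captured path suffix `(.*)` is not used in either
      # target, so every URL below /docs or /blog lands on one fixed page;
      # confirm that deep links are not meant to be preserved.
      locations."^~ /docs".extraConfig = ''
        rewrite ^/docs(.*)$ https://docs.clan.lol permanent;
      '';
      locations."^~ /blog".extraConfig = ''
        rewrite ^/blog(.*)$ https://docs.clan.lol/blog permanent;
      '';
      # Temporary (307) redirect to a pad hosted on an external domain.
      locations."/thaigersprint".return = "307 https://pad.lassul.us/s/clan-thaigersprint";
    };

    virtualHosts."docs.clan.lol" = {
      forceSSL = true;
      enableACME = true;
      # to be deployed via rsync
      root = "/var/www/docs.clan.lol";
      extraConfig = ''
        charset utf-8;
        source_charset utf-8;
      '';

      # Make sure to expire the cache after 12 hours (43200 seconds)
      locations."/".extraConfig = ''
        add_header Cache-Control "public, max-age=43200";
      '';
    };

    # www.clan.lol only redirects to the canonical host name.
    virtualHosts."www.clan.lol" = {
      forceSSL = true;
      enableACME = true;
      globalRedirect = "clan.lol";
    };
  };
}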