Qubasa
3fe170102a
All checks were successful
buildbot/nix-build .#checks.x86_64-linux.package-clan-merge Build done.
buildbot/nix-build .#checks.x86_64-linux.devShell-clan-merge Build done.
buildbot/nix-build .#checks.x86_64-linux.clan-merge Build done.
buildbot/nix-build .#checks.x86_64-linux.devShell-default Build done.
buildbot/nix-build .#checks.x86_64-linux.package-action-flake-update Build done.
buildbot/nix-build .#checks.x86_64-linux.treefmt Build done.
buildbot/nix-build .#checks.x86_64-linux.package-action-ensure-tea-login Build done.
buildbot/nix-build .#checks.x86_64-linux.package-action-create-pr Build done.
buildbot/nix-build .#checks.x86_64-linux.package-gitea Build done.
buildbot/nix-build .#checks.x86_64-linux.package-action-flake-update-pr-clan Build done.
buildbot/nix-build .#checks.x86_64-linux.package-job-flake-update-clan-homepage Build done.
buildbot/nix-build .#checks.x86_64-linux.package-job-flake-update-clan-core Build done.
buildbot/nix-build .#checks.x86_64-linux.package-job-flake-update-clan-infra Build done.
buildbot/nix-build .#checks.x86_64-linux.package-renovate Build done.
buildbot/nix-build .#checks.x86_64-linux.nixos-web01 Build done.
buildbot/nix-eval Build done.
101 lines
3.0 KiB
Nix
101 lines
3.0 KiB
Nix
{ config, lib, pkgs, self, ... }:
|
|
|
|
{
|
|
security.acme.defaults.email = "admins@clan.lol";
|
|
security.acme.acceptTerms = true;
|
|
|
|
# www user to push website artifacts via ssh
|
|
users.users.www = {
|
|
openssh.authorizedKeys.keys =
|
|
config.users.users.root.openssh.authorizedKeys.keys
|
|
++ [
|
|
# ssh-homepage-key
|
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMxZ3Av30M6Sh6NU1mnCskB16bYtNP8vskc/+ud0AU1C ssh-homepage-key"
|
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBuYyfSuETSrwqCsWHeeClqjcsFlMEmiJN6Rr8/DwrU0 gitea-ci"
|
|
];
|
|
isSystemUser = true;
|
|
shell = "/run/current-system/sw/bin/bash";
|
|
group = "www";
|
|
};
|
|
users.groups.www = { };
|
|
|
|
# ensure /var/www can be accessed by nginx and www user
|
|
systemd.tmpfiles.rules = [
|
|
"d /var/www 0755 www nginx"
|
|
];
|
|
|
|
services.nginx = {
|
|
|
|
virtualHosts."clan.lol" = {
|
|
forceSSL = true;
|
|
enableACME = true;
|
|
# to be deployed via rsync
|
|
root = "/var/www/clan.lol";
|
|
extraConfig = ''
|
|
charset utf-8;
|
|
source_charset utf-8;
|
|
'';
|
|
|
|
locations."/".extraConfig = ''
|
|
set $cors "false";
|
|
|
|
# Allow cross-origin requests from docs.clan.lol
|
|
if ($http_origin = "https://docs.clan.lol") {
|
|
set $cors "true";
|
|
}
|
|
|
|
# Allow cross-origin requests from localhost IPs with port 8000
|
|
if ($http_origin = "http://localhost:8000") {
|
|
set $cors "true";
|
|
}
|
|
|
|
if ($http_origin = "http://127.0.0.1:8000") {
|
|
set $cors "true";
|
|
}
|
|
|
|
if ($http_origin = "http://[::1]:8000") {
|
|
set $cors "true";
|
|
}
|
|
|
|
if ($cors = "true") {
|
|
add_header 'Access-Control-Allow-Origin' "$http_origin" always;
|
|
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS' always;
|
|
add_header 'Access-Control-Allow-Headers' 'Origin, X-Requested-With, Content-Type, Accept, Authorization' always;
|
|
}
|
|
|
|
if ($cors = "true") {
|
|
add_header 'Access-Control-Allow-Origin' "$http_origin" always;
|
|
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS' always;
|
|
add_header 'Access-Control-Allow-Headers' 'Origin, X-Requested-With, Content-Type, Accept, Authorization' always;
|
|
}
|
|
'';
|
|
locations."^~ /docs".extraConfig = ''
|
|
rewrite ^/docs(.*)$ https://docs.clan.lol permanent;
|
|
'';
|
|
locations."/thaigersprint".return = "307 https://pad.lassul.us/s/clan-thaigersprint";
|
|
};
|
|
|
|
virtualHosts."docs.clan.lol" = {
|
|
forceSSL = true;
|
|
enableACME = true;
|
|
# to be deployed via rsync
|
|
root = "/var/www/docs.clan.lol";
|
|
extraConfig = ''
|
|
charset utf-8;
|
|
source_charset utf-8;
|
|
'';
|
|
|
|
# Make sure to expire the cache after 12 hour
|
|
locations."/".extraConfig = ''
|
|
add_header Cache-Control "public, max-age=43200";
|
|
'';
|
|
};
|
|
|
|
virtualHosts."www.clan.lol" = {
|
|
forceSSL = true;
|
|
enableACME = true;
|
|
globalRedirect = "clan.lol";
|
|
};
|
|
};
|
|
}
|