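{ lib, pkgs, config, baseDomain, ...}:

let
  # Matrix discovery documents served under /.well-known/matrix/.  Both point
  # at the homeserver on the matrix.<baseDomain> subdomain.
  matrixWellKnown = {
    client."m.homeserver".base_url = "https://matrix.${baseDomain}/";
    server."m.server" = "matrix.${baseDomain}:443";
  };

  # Render one attribute as a JSON file in the store, named after the attribute.
  toJSONFile = name: value: pkgs.writeText name (builtins.toJSON value);

  # Directory holding the "client" and "server" JSON files; aliased by nginx below.
  matrixWellKnownDir = pkgs.linkFarm "matrix-well-known" (builtins.mapAttrs toJSONFile matrixWellKnown);

  # A baseDomain starting with "dev" selects the dev deploy key and the purge timer.
  isDev = (builtins.substring 0 3 baseDomain) == "dev";

  # Document root; lives inside the deploy user's home so rrsync can be confined to it.
  webroot = "${config.users.users."web-deploy".home}/public";

  deployPubKey =
    if isDev then
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINRmpgMjXQCjA/YPNJvaNdKMjr0jnLtwKKbLCIisjeBw dev-deploykey@chaos.jetzt"
    else
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGfluahnK/YEaj97EN5SjOfUw6vHK13cxfCKIj6wafdB prod-deploykey@chaos.jetzt";

  # The deploy key may only run rrsync, confined to the webroot.  `restrict`
  # additionally disables pty allocation, agent/X11/port forwarding and
  # ~/.ssh/rc, none of which a forced command alone prevents.  rsync over ssh
  # needs none of them.
  restrictedPubkey = "restrict,command=\"${pkgs.rrsync}/bin/rrsync ${webroot}\" ${deployPubKey}";
in {
  services.nginx = {
    enable = true;
    enableReload = true;
    recommendedGzipSettings = true;
    recommendedOptimisation = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;

    # Map the client's Accept header to the image suffix it can take, so the
    # /images/ location below can try a .webp / .avif variant first.
    commonHttpConfig = ''
      map $http_accept $webp_suffix {
        default "";
        "~*webp" ".webp";
      }
      map $http_accept $avif_suffix {
        default "";
        "~*avif" ".avif";
      }
    '';

    virtualHosts.${baseDomain} = {
      default = true;
      enableACME = true;
      forceSSL = true;
      serverAliases = [ "www.${baseDomain}" ];
      root = webroot;

      locations = {
        # A ?version= is appended to the font files, so we can be quite liberal
        "/theme/fonts/open-sans/fonts/".extraConfig = ''
          expires 1M;
        '';

        "/".extraConfig = ''
          log_not_found off;
          error_page 404 /404.html;
        '';

        # Serve a pre-built .avif/.webp sibling of a png/jpeg when the client
        # accepts it, falling back to the original file.  Note that add_header
        # inside a location replaces, not extends, any server-level add_header.
        "~* ^(/images/.+)\\.(png|jpe?g)$".extraConfig = ''
          set $base $1;
          add_header Vary Accept;
          expires 7d;
          add_header Cache-Control "must-revalidate, s-maxage=86400";
          try_files $request_uri$avif_suffix $base$avif_suffix $request_uri$webp_suffix $base$webp_suffix $request_uri =404;
        '';

        # The linkFarm files have no extension, so set the type explicitly; the
        # client document is fetched cross-origin by web clients and needs CORS.
        "/.well-known/matrix/" = {
          alias = matrixWellKnownDir + "/";
          extraConfig = ''
            default_type application/json;
            add_header Access-Control-Allow-Origin *;
          '';
        };
      };
    };
  };

  # Unprivileged account the site is rsync'ed into; nginx reads it via the group.
  users.users."web-deploy" = {
    shell = "/bin/sh";
    createHome = true;
    isSystemUser = true;
    home = "/var/lib/website";
    # Allow group to read
    homeMode = "750";
    group = config.services.nginx.group;
    openssh.authorizedKeys.keys = [ restrictedPubkey ];
  };

  # Seed the webroot from the packaged site on first activation only; later
  # deploys arrive through rrsync and must not be overwritten.
  system.activationScripts.web-deploy-public = ''
    mkdir -m 0750 -p "${webroot}"
    # https://stackoverflow.com/a/17902999
    if [ -z "$(ls -A "${webroot}")" ]; then
      echo "${webroot} is empty"
      cp -a ${pkgs.chaos-jetzt-website-pelican}/* "${webroot}/"
      chmod -R ${config.users.users."web-deploy".homeMode} "${webroot}"
      chown -R web-deploy:${config.services.nginx.group} "${webroot}"
    fi
  '';

  # Delete dev website builds older than 28 days
  systemd.services."website-purge-old" = lib.mkIf isDev {
    path = with pkgs; [ fd ];
    # Only top-level directories directly under the webroot are candidates.
    script = ''
      fd --print0 --changed-before 28d --type d --max-depth 1 --min-depth 1 . ${webroot} --exec-batch rm -vr {} \;
    '';
    startAt = "weekly";
    serviceConfig.User = "web-deploy";
  };
}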