diff --git a/ops/nixos/bvm-radius/default.nix b/ops/nixos/bvm-radius/default.nix index fcc007a78a..e8de9a61b3 100644 --- a/ops/nixos/bvm-radius/default.nix +++ b/ops/nixos/bvm-radius/default.nix @@ -8,6 +8,7 @@ let in { imports = [ ../lib/bvm.nix + ../lib/as205479-web.nix ./radius.nix ]; @@ -28,6 +29,8 @@ in { defaultGateway6 = { address = "2a09:a441::1"; interface = "enp2s0"; }; firewall = { + allowedTCPPorts = [ 80 443 ]; + allowedUDPPorts = [ 443 ]; extraCommands = '' # Allow JANET inbound RADIUS traffic. # roaming0.ja.net @@ -52,12 +55,13 @@ in { acceptTerms = true; email = "letsencrypt@lukegb.com"; certs."as205479.net" = { + extraDomainNames = [ "www.as205479.net" ]; dnsProvider = "gcloud"; credentialsFile = secrets.gcpDNSCredentials; dnsPropagationCheck = false; - #postRun = '' - # systemctl restart freeradius - #''; + postRun = '' + systemctl restart freeradius + ''; }; }; diff --git a/ops/nixos/lib/as205479-web.nix b/ops/nixos/lib/as205479-web.nix new file mode 100644 index 0000000000..9ebd5bb339 --- /dev/null +++ b/ops/nixos/lib/as205479-web.nix @@ -0,0 +1,21 @@ +{ config, depot, lib, ... }: + +{ + security.acme = { + acceptTerms = true; + email = lib.mkDefault "letsencrypt@lukegb.com"; + certs."as205479.net" = { + dnsProvider = "gcloud"; + credentialsFile = depot.ops.secrets.gcpDNSCredentials; + dnsPropagationCheck = false; + }; + }; + services.nginx = { + enable = lib.mkDefault true; + virtualHosts."as205479.net" = { + useACMEHost = "as205479.net"; + forceSSL = true; + locations."/".root = depot.web.as205479 config.networking.hostName; + }; + }; +} diff --git a/ops/nixos/lib/coredns/zones/db.as205479.net b/ops/nixos/lib/coredns/zones/db.as205479.net index 6f98cf73d9..4cb246ef12 100644 --- a/ops/nixos/lib/coredns/zones/db.as205479.net +++ b/ops/nixos/lib/coredns/zones/db.as205479.net 
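Review bot: `allowedUDPPorts = [ 443 ];` in the firewall hunk opens a UDP port that nothing in this commit listens on — the nginx vhost added in ops/nixos/lib/as205479-web.nix only sets `useACMEHost`, `forceSSL` and a root location, with no HTTP/3/QUIC configuration. Unless a QUIC listener is enabled on the vhost, the rule should be dropped so the exposed surface matches what is actually served: `allowedTCPPorts = [ 80 443 ];` alone. If HTTP/3 is the intent, enable it on the vhost in the same change so the port and the listener land together. The `firewall` attribute set continues past the hunk.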
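Review bot: With `../lib/as205479-web.nix` now imported, `certs."as205479.net"` in this hunk restates `dnsProvider`, `credentialsFile` and `dnsPropagationCheck` that the shared module already defines; the module system accepts the duplicate only while the values are equal (the two `credentialsFile` expressions presumably resolve to the same path), so a later change in one place surfaces as a merge conflict at eval time. The host-specific block can shrink to what is genuinely local: `extraDomainNames = [ "www.as205479.net" ];` and the `postRun` hook. The now-active `postRun` deserves a one-line comment stating why a restart is needed, e.g. `# restart so freeradius picks up the renewed certificate`.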
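Review bot: `virtualHosts."as205479.net"` declares no `serverAliases`, yet this commit adds `www.as205479.net` both as a CNAME to bvm-radius and as an `extraDomainNames` entry on the certificate. Requests for the www name currently reach this vhost only because it is the sole server block on the host and nginx falls back to it for an unmatched Host header; adding a second vhost later would silently change what www serves. Matching it explicitly, `serverAliases = [ "www.as205479.net" ];` next to `useACMEHost`, keeps the certificate's name list and the vhost's name list aligned. Because this module is meant to be shared (`mkDefault` on `enable` and `email`), decide whether the www alias and the matching `extraDomainNames` belong here rather than only in bvm-radius.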
@@ -3,7 +3,7 @@ ; SPDX-License-Identifier: Apache-2.0 ; MNAME RNAME SERIAL REFRESH RETRY EXPIRE TTL -@ 600 IN SOA frantech-lux01.as205479.net. hostmaster.lukegb.com. 34 600 450 3600 300 +@ 600 IN SOA frantech-lux01.as205479.net. hostmaster.lukegb.com. 35 600 450 3600 300 ; NB: this are also glue records in Google Domains. $INCLUDE tmpl.ns @@ -14,6 +14,11 @@ $INCLUDE tmpl.ns @ 3600 IN MX 10 alt3.aspmx.l.google.com. @ 3600 IN MX 10 alt4.aspmx.l.google.com. +# bvm-radius serves HTTP(S) for root +@ 3600 IN A 92.118.28.9 +@ 3600 IN AAAA 2a09:a441::9 +www 3600 IN CNAME bvm-radius.as205479.net. + _acme-challenge 3600 IN NS ns-cloud-c1.googledomains.com. _acme-challenge 3600 IN NS ns-cloud-c2.googledomains.com. _acme-challenge 3600 IN NS ns-cloud-c3.googledomains.com. diff --git a/web/as205479/eduroam/index.html b/web/as205479/eduroam/index.html new file mode 100644 index 0000000000..c26f111a65 --- /dev/null +++ b/web/as205479/eduroam/index.html @@ -0,0 +1,19 @@ + + + + +eduroam @ AS205479 + + + +
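Review bot: The added line `# bvm-radius serves HTTP(S) for root` uses `#` as a comment marker, but the master-file format recognises only `;`, and the rest of this file uses `;` (the SPDX and `NB:` lines). A `#` line is read as a record whose owner is `#`, so the zone will most likely be rejected by the parser when it is next loaded, taking the new A/AAAA/CNAME records down with it. Change it to `; bvm-radius serves HTTP(S) for root`. The serial bump to 35 in the first hunk is correct for these additions.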

eduroam @ AS205479

+ +

AS205479 offers eduroam(UK) service to visiting members of institutions that are part of the eduroam confederation (aka "Visited" type service).

+

This service is offered as the eduroam SSID at AS205479 home locations. Devices should support the "WPA3 Enterprise" specification - legacy "WPA2"-only devices may experience difficulty connection to AS205479-hosted SSIDs.

+

Users of the service need to abide by the eduroam(UK) Policy. Violations of this policy will be reported to their home organisation.

+ +
+

You've reached {{NODENAME}}, serving from {{DEPOT_VERSION}}.

+
+ + diff --git a/web/as205479/eduroam/logo.png b/web/as205479/eduroam/logo.png new file mode 100644 index 0000000000..8729b7613b Binary files /dev/null and b/web/as205479/eduroam/logo.png differ diff --git a/web/as205479/index.html b/web/as205479/index.html new file mode 100644 index 0000000000..ccfb3f3bc4 --- /dev/null +++ b/web/as205479/index.html @@ -0,0 +1,16 @@ + + + + +AS205479 + + + +
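Review bot: The copy in this new page reads `legacy "WPA2"-only devices may experience difficulty connection to AS205479-hosted SSIDs`; "difficulty connection" should be "difficulty connecting". The markup of the file is not visible in this view, so only the text is reviewed here. The `{{NODENAME}}` and `{{DEPOT_VERSION}}` placeholders in the footer are replaced at build time by web/default.nix and must stay byte-identical to the strings passed to `--replace` there, which is worth an HTML comment next to them, e.g. `<!-- placeholders substituted by web/default.nix; keep in sync -->`.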

AS205479

+

...is a private autonomous system operated by Luke Granger-Brown.

+ +
+

You've reached {{NODENAME}}, serving from {{DEPOT_VERSION}}.

+
+ + diff --git a/web/as205479/style.css b/web/as205479/style.css new file mode 100644 index 0000000000..65dddebad4 --- /dev/null +++ b/web/as205479/style.css @@ -0,0 +1,41 @@ +@import url('https://fonts.googleapis.com/css2?family=Overpass+Mono:wght@300&display=swap'); + +* { box-sizing: border-box; } + +body { + background: #fafafa; + font-family: sans-serif; + padding: 20px 50px; +} + +.home { + text-align: center; +} + +h1 { + font-family: 'Overpass Mono', monospace; +} + +.home-title { + font-size: 8rem; +} + +.eduroam-logo-link { + float: right; + margin-left: 20px; +} + +.eduroam-logo { + width: 140px; + height: auto; +} + +.per-server { + position: absolute; + bottom: 0; + left: 0; + width: 100%; + font-size: small; + color: #606060; + text-align: center; +} diff --git a/web/default.nix b/web/default.nix index dd743029cb..43d01fd366 100644 --- a/web/default.nix +++ b/web/default.nix @@ -2,10 +2,23 @@ # # SPDX-License-Identifier: Apache-2.0 -{ pkgs, ... }@args: +{ depot, pkgs, ... }@args: { int = pkgs.copyPathToStore ./int; logged-out-int = pkgs.copyPathToStore ./logged-out-int; quotes = import ./quotes args; fup = import ./fup args; + as205479 = hostName: pkgs.runCommand "as205479-web" { + inherit hostName; + depotVersion = depot.version; + } '' + cp -Rv ${./as205479} $out + chmod -R +w $out + + find $out -name '*.html' | while read filename; do + substituteInPlace "$filename" \ + --replace "{{NODENAME}}" "$hostName" \ + --replace "{{DEPOT_VERSION}}" "$depotVersion" + done + ''; }
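Review bot: The `@import url('https://fonts.googleapis.com/...')` at the top of style.css makes every page view fetch CSS and font files from a third party at runtime, so visitors' IP addresses and User-Agent reach Google and the served font CSS sits outside this repository's control (an `@import` carries no integrity check). Since web/default.nix copies the whole `web/as205479` directory into the output, the Overpass Mono font file can be vendored next to style.css and referenced with a local `@font-face` rule, keeping the site self-contained. If fetching from Google Fonts is an accepted trade-off, record that decision on the line: `/* external dependency: Google Fonts; self-host if this becomes a concern */`.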
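Review bot: The `find $out -name '*.html' | while read filename` loop in the new `as205479` builder word-splits and strips backslashes from file names; the robust form is `find "$out" -name '*.html' -print0 | while IFS= read -r -d '' filename; do`. Separately, `substituteInPlace --replace` succeeds silently when a placeholder is absent, so a page that loses `{{NODENAME}}` or `{{DEPOT_VERSION}}` still builds; if the nixpkgs in use provides `--replace-fail`, it turns that into a build error. `hostName` and `depotVersion` are spliced into the HTML unescaped, which is acceptable only because both come from the NixOS configuration and the depot version rather than from anything request-derived — a one-line comment above the derivation, `# hostName/depotVersion are build-time config values, not user input`, would make that assumption explicit for future callers.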