diff --git a/ops/nixos/blade-tuvok/default.nix b/ops/nixos/blade-tuvok/default.nix
index 55121d0951..cb9f57beac 100644
--- a/ops/nixos/blade-tuvok/default.nix
+++ b/ops/nixos/blade-tuvok/default.nix
@@ -8,6 +8,7 @@ let
 in {
 imports = [
 ../lib/blade.nix
+ ../lib/fup.nix
 ];
 boot.loader.grub.device = "/dev/disk/by-id/usb-USB_SanDisk_3.2Gen1_0101cabb1ebdbdc0fd7b18edd207d43717c39c4a59d1b138b363e315841eca15743400000000000000000000443273100087260091558107b6a8e06e-0:0";
diff --git a/ops/nixos/lib/fup.nix b/ops/nixos/lib/fup.nix
new file mode 100644
index 0000000000..5f95231e5f
--- /dev/null
+++ b/ops/nixos/lib/fup.nix
@@ -0,0 +1,72 @@
+{ config, options, depot, lib, ... }:
+
+let
+ inherit (depot.ops) secrets;
+ sock = "/run/fup.sock";
+ pkg = depot.web.fup;
+in
+{
+ options = with lib; {
+ my.fup.listen = lib.mkOption {
+ type = with types; listOf str;
+ default = [ "127.0.0.1" "[::1]" ];
+ };
+ };
+
+ config = let
+ nginxListen = (map (addr: {
+ inherit addr;
+ port = 80;
+ ssl = false;
+ }) config.my.fup.listen) ++ (map (addr: {
+ inherit addr;
+ port = 443;
+ ssl = true;
+ }) config.my.fup.listen);
+ in {
+ security.acme = {
+ acceptTerms = true;
+ email = lib.mkDefault "letsencrypt@lukegb.com";
+ certs."p.lukegb.com" = {
+ group = config.services.nginx.group;
+ dnsProvider = "cloudflare";
+ credentialsFile = secrets.cloudflareCredentials;
+ };
+ };
+ services.nginx = {
+ enable = lib.mkDefault true;
+ virtualHosts."p.lukegb.com" = {
+ listen = nginxListen;
+ useACMEHost = "p.lukegb.com";
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://unix:${sock}";
+ };
+ };
+ };
+
+ systemd.sockets.fup = {
+ listenStreams = [ sock ];
+ wantedBy = [ "sockets.target" ];
+ socketConfig = {
+ SocketUser = config.services.nginx.user;
+ SocketGroup = config.services.nginx.group;
+ SocketMode = "0700";
+ };
+ };
+
+ systemd.services.fup = {
+ wantedBy = [ "multi-user.target" ];
+ requires = [ "network.target" ];
+ after = [ "network.target" "multi-user.target" ];
+
+ serviceConfig = {
+ Type = "simple";
+ Restart = "always";
+ EnvironmentFile = secrets.fup.environment;
+ ExecStart = "${pkg}/bin/fup serve --listen=systemd --root=https://p.lukegb.com/ --bucket-url=s3://public-lukegb-fup?endpoint=objdump.zxcvbnm.ninja&reg;ion=london";
+ DynamicUser = true;
+ };
+ };
+ };
+}
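Review bot: `after = [ "network.target" "multi-user.target" ]` combined with `wantedBy = [ "multi-user.target" ]` in systemd.services.fup orders the service after the very target that pulls it in; since targets implicitly add After= for the units they Want, this likely forms an ordering cycle that systemd resolves by dropping a job, so fup may not come up at boot — `after = [ "network.target" ];` (or relying on the socket unit alone for activation) avoids that. The ExecStart bucket URL reads `®ion=london`, which looks like `&region=london` after HTML-entity decoding of `&reg`; if the committed file really contains the ® character the region parameter is silently lost, so worth checking the file as committed. `SocketMode = "0700"` grants nothing to the configured `SocketGroup`, so either `"0660"` or dropping SocketGroup would make the intended access explicit; as written only the nginx user can connect, which matches the proxyPass use.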