website: initial ooknet website commit

2024-10-31 17:27:08 +11:00 · 2024-10-31 17:27:08 +11:00 · a9280b78cd
commit a9280b78cd
parent 97be7a19c6
55 changed files with 2424 additions and 2 deletions
--- a/modules/nixos/server/options.nix
+++ b/modules/nixos/server/options.nix
@ -14,7 +14,7 @@ in {
      description = "The server profile the host will use as a base";
    };
    services = mkOption {
-      type = listOf (enum []);
+      type = listOf (enum ["website"]);
      default = [];
      description = "List of services the server will host";
    };
--- a/modules/nixos/server/services/default.nix
+++ b/modules/nixos/server/services/default.nix
@ -1,2 +1,5 @@
 {
+  imports = [
+    ./website
+  ];
 }
--- a/modules/nixos/server/services/website/default.nix
+++ b/modules/nixos/server/services/website/default.nix
@ -0,0 +1,73 @@
+{
+  lib,
+  config,
+  self',
+  ...
+}: let
+  inherit (lib) mkIf elem;
+  inherit (config.ooknet.server) services;
+  inherit (self'.packages) website;
+in {
+  config = mkIf (elem "website" services) {
+    users.groups.www = {};
+
+    systemd.tmpfiles.rules = [
+      "d /var/www 0775 caddy www"
+      "d /var/www/ooknet.org 0775 caddy www"
+    ];
+
+    # cursed activation script
+    # need to find a better way
+
+    system.activationScripts.copyWebsite = {
+      text =
+        # sh
+        ''
+          # clean-up
+          rm -rf /var/www/ooknet.org/*
+
+          # ensure dir exists
+          mkdir -p /var/www/ooknet.org
+
+          # copy files from pkg
+          cp -r ${website}/* /var/www/ooknet.org/
+
+          # set permissions
+          chown -R caddy:www /var/www/ooknet.org
+          chmod -R 775 /var/www/ooknet.org
+        '';
+      deps = ["users" "groups"];
+    };
+
+    # using caddy because it makes my life easy
+    services.caddy = {
+      enable = true;
+      group = "www";
+
+      virtualHosts = {
+        "ooknet.org".extraConfig =
+          # sh
+          ''
+            encode zstd gzip
+
+            header {
+              Strict-Transport-Security "max-age=31536000;"
+              X-XSS-Protection "1; mode=block"
+              X-Frame-Options "DENY"
+              X-Content-Type-Options "nosniff"
+              -Server
+
+
+              Referrer-Policy: no-referrer
+            }
+
+            root * /var/www/ooknet.org/
+            file_server
+          '';
+        "www.ooknet.org".extraConfig = ''
+          redir https://ooknet.org{uri}
+        '';
+      };
+    };
+  };
+}