diff --git a/applications/skynet_users.nix b/applications/skynet_users.nix new file mode 100644 index 0000000..8fa1058 --- /dev/null +++ b/applications/skynet_users.nix @@ -0,0 +1,72 @@ +{ config, pkgs, lib, inputs, ... }: + with lib; + let + cfg = config.services.skynet_users; + in { + + imports = [ + ./acme.nix + ./dns.nix + ./nginx.nix + ]; + + options.services.skynet_users = { + host = { + ip = mkOption { + type = types.str; + }; + name = mkOption { + type = types.str; + }; + }; + }; + + config = { + # ssh access + + # allow more than admins access + services.skynet_ldap_client = { + groups = [ + "skynet-admins-linux" + "skynet-users-linux" + ]; + }; + + + # Website config + skynet_acme.domains = [ + "users.skynet.ie" + "*.users.skynet.ie" + ]; + + skynet_dns.records = [ + {record ="users"; r_type="CNAME"; value=cfg.host.name;} + {record="*.users"; r_type="CNAME"; value=cfg.host.name;} + ]; + + networking.firewall.allowedTCPPorts = [80 443]; + + # normally services cannot read home dirs + systemd.services.nginx.serviceConfig.ProtectHome="read-only"; + + services.nginx.virtualHosts = { + # main site + "*.users.skynet.ie" = { + forceSSL = true; + useACMEHost = "skynet"; + serverName = "~^(?.+)\.users\.skynet\.ie"; + + # username.users.skynet.ie/ + # user goes: + # chmod 711 ~ + # chmod -R 755 ~/public_html + + locations."/" = { + alias = "/home/$user/public_html/"; + index = "index.html"; + extraConfig = "autoindex on;"; + }; + }; + }; + }; +} \ No newline at end of file diff --git a/machines/skynet.nix b/machines/skynet.nix index c81cc7f..e497217 100644 --- a/machines/skynet.nix +++ b/machines/skynet.nix @@ -20,7 +20,7 @@ let in { imports = [ - #../applications/skynet.ie.nix + ../applications/skynet_users.nix ]; deployment = { @@ -31,7 +31,6 @@ in { tags = [ "active-core" ]; }; - # it has two network devices so two skynet_dns.records = [ {record=name; r_type="A"; value=ip_pub; server=true;} {record=ip_pub; r_type="PTR"; value=hostname;} 
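Review bot: The `serverName` regex in the new `"*.users.skynet.ie"` vhost is written in a Nix double-quoted string, where `\.` is not a recognised escape — Nix drops the backslash, so nginx receives `~^(?<user>.+).users.skynet.ie` with an unescaped, unanchored `.` (the capture group is also rendered here as `(?.+)`, presumably `(?<user>.+)` lost in rendering — worth confirming against the actual file). Since `$user` is spliced straight into `alias = "/home/$user/public_html/"`, the capture should be restricted to a username character set and anchored rather than `.+`; nginx's own Host validation rejects path separators and consecutive dots as far as I recall, but tightening it here costs nothing, e.g. `serverName = "~^(?<user>[a-z0-9_-]+)\\.users\\.skynet\\.ie$";`. Note also that `extraConfig = "autoindex on;"` lists every file under any user's `public_html`, which combined with `ProtectHome="read-only"` (nginx can read all of `/home`, subject to the `chmod 711 ~` in the comment) is presumably intended — a comment saying so next to `autoindex` would make that explicit.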
@@ -42,21 +41,12 @@ in { name = name; }; - # allow more than admins access - services.skynet_ldap_client = { - groups = [ - "skynet-admins-linux" - "skynet-users-linux" - ]; - }; - proxmoxLXC.manageNetwork = true; networking = { hostName = name; # needed to use the dmz first defaultGateway = lib.mkForce "193.1.96.161"; - interfaces = { # need it for dns validation for letsencrypt eth0.ipv4 = { @@ -75,7 +65,6 @@ in { ]; }; - # primary ip for logging in eth1.ipv4.addresses = [ { @@ -86,11 +75,10 @@ in { }; }; -# services.skynet = { -# host = { -# # website is still hosted on the internal IP -# ip = ip_priv; -# name = name; -# }; -# }; + services.skynet_users = { + host = { + ip = ip_pub; + name = name; + }; + }; } \ No newline at end of file
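Review bot: `ip = ip_pub;` in the new `services.skynet_users.host` block sets an option that the module added in this commit never reads — `applications/skynet_users.nix` declares `host.ip` but only references `cfg.host.name` (for the two CNAME records). The commented-out block being replaced said the website was still hosted on the internal IP (`ip_priv`), so the switch to `ip_pub` is silent as far as the module is concerned. Either drop `host.ip` from the module or make the module consume it, and if the internal-IP caveat still holds, keep a one-line comment here, e.g. `# module currently only uses host.name; ip is unused`.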