infra/modules/nginx-website/default.nix

86 lines
2.5 KiB
Nix

{ lib, ... }: {
systemd.tmpfiles.rules = [
"d '/srv/www/pub.solar' 0750 hakkonaut hakkonaut - -"
];
services.nginx.virtualHosts = {
"www.pub.solar" = {
enableACME = true;
addSSL = true;
extraConfig = ''
error_log /dev/null;
access_log /dev/null;
'';
locations."/" = {
extraConfig = ''
return 301 https://pub.solar$request_uri;
'';
};
};
"pub.solar" = {
default = true;
enableACME = true;
forceSSL = true;
extraConfig = ''
error_log /dev/null;
access_log /dev/null;
'';
locations = {
# serve base domain pub.solar for mastodon.pub.solar
# https://masto.host/mastodon-usernames-different-from-the-domain-used-for-installation/
"/.well-known/host-meta" = {
extraConfig = ''
return 301 https://mastodon.pub.solar$request_uri;
'';
};
# Tailscale OIDC webfinger requirement plus Mastodon webfinger redirect
"/.well-known/webfinger" = {
# Redirect requests that match /.well-known/webfinger?resource=* to Mastodon
extraConfig = ''
if ($arg_resource) {
return 301 https://mastodon.pub.solar$request_uri;
}
add_header Content-Type text/plain;
return 200 '{\n "subject": "acct:admins@pub.solar",\n "links": [\n {\n "rel": "http://openid.net/specs/connect/1.0/issuer",\n "href": "https://auth.pub.solar/realms/pub.solar"\n }\n ]\n}';
'';
};
# Responsible disclosure information https://securitytxt.org/
"/.well-known/security.txt" = let
securityTXT = lib.lists.foldr (a: b: a + "\n" + b) "" [
"Contact: mailto:admins@pub.solar"
"Expires: 2025-01-04T23:00:00.000Z"
"Encryption: https://keys.openpgp.org/vks/v1/by-fingerprint/8A8987ADE3736C8CA2EB315A9B809EBBDD62BAE3"
"Preferred-Languages: en,de"
"Canonical: https://pub.solar/.well-known/security.txt"
];
in {
extraConfig = ''
add_header Content-Type text/plain;
return 200 '${securityTXT}';
'';
};
"/satzung" = {
extraConfig = ''
return 302 https://cloud.pub.solar/s/iaKqiW25QJpHPYs;
'';
};
"/" = {
root = "/srv/www/pub.solar";
index = "index.html";
tryFiles = "$uri $uri/ =404";
};
};
};
};
}