sys/web/sites: add host site

author: Alejandro Soto <alejandro@34project.org> 2025-04-17 16:18:20 -0600
committer: Alejandro Soto <alejandro@34project.org> 2025-04-19 11:10:00 -0600
commit: 92554d8615a5fe3b45073a62eb5341f4598463d5 (patch)
tree: 9b4ac40931680d43c78a7e36902d32566c78fe9f /sys/web/sites/host.nix
parent: 94082eb5943f483dda4c1c71e50e57ee665bcddf (diff)
1 files changed, 79 insertions, 0 deletions
diff --git a/sys/web/sites/host.nix b/sys/web/sites/host.nix
new file mode 100644
index 0000000..62abe1a
--- /dev/null
+++ b/sys/web/sites/host.nix
@@ -0,0 +1,79 @@
+{ config, lib, ... }:
+with lib; let
+  cfg = config.local.web.sites.host;
+
+  inherit (config.local) domains users;
+  inherit (config.local.net) hostname;
+
+  hostDomain = domains.${hostDomainName};
+  hostDomainName = "host-${hostname}";
+
+  userCerts = flatten (flatten (mapAttrsToList
+    (name: user: map
+      (cert: {
+        fprint = config.local.pki.byPath.${cert}.fingerprint.sha1-lower;
+        inherit name;
+      })
+      user.mail.certs)
+    users));
+in
+{
+  options.local.web.sites.host = {
+    enable = mkEnableOption "host site, restricted to per-user client certs";
+  };
+
+  config = mkIf cfg.enable {
+    local.web = {
+      enable = mkDefault true;
+      ownedCerts = [ hostDomainName ];
+    };
+
+    services = {
+      nginx = {
+        appendHttpConfig = ''
+          map $ssl_client_fingerprint $host_user_from_fprint {
+            default "";
+            ${concatMapStringsSep "\n  " (pair: "\"${escapeRegex pair.fprint}\" \"${pair.name}\";") userCerts}
+          }
+        '';
+
+        virtualHosts = {
+          ${hostDomain.main} = {
+            forceSSL = true;
+            useACMEHost = hostDomain.main;
+
+            extraConfig = ''
+              ssl_verify_depth 2;
+              ssl_verify_client optional;
+              ssl_client_certificate ${config.local.pki.ca.mail.fullchain};
+
+              #if ($ssl_client_verify != "SUCCESS") {
+                #return 403;
+              #}
+            '';
+
+            locations = {
+              "/".return = 403;
+            } // concatMapAttrs
+              (name: user:
+                let
+                  userLocation = config: {
+                    extraConfig = ''
+                      if ($host_user_from_fprint != "${name}") {
+                        return 403;
+                      }
+                    '' + config;
+                  };
+                in
+                mapAttrs (_: userLocation) {
+                  "/${name}" = ''
+                    return 404;
+                  '';
+                })
+              (filterAttrs (_: user: user.mail.certs != [ ]) users);
+          };
+        };
+      };
+    };
+  };
+}
author	Alejandro Soto <alejandro@34project.org>	2025-04-17 16:18:20 -0600
committer	Alejandro Soto <alejandro@34project.org>	2025-04-19 11:10:00 -0600
commit	92554d8615a5fe3b45073a62eb5341f4598463d5 (patch)
tree	9b4ac40931680d43c78a7e36902d32566c78fe9f /sys/web/sites/host.nix
parent	94082eb5943f483dda4c1c71e50e57ee665bcddf (diff)