| author | Alejandro Soto <alejandro@34project.org> | 2024-07-20 18:01:02 -0600 |
|---|---|---|
| committer | Alejandro Soto <alejandro@34project.org> | 2024-07-20 18:04:28 -0600 |
| commit | c88f8c51c90c1e48c75047849a42ae0ed6c4aa15 (patch) | |
| tree | 5eccacfe94e63fd40e6747fb4b53f6b09fd38159 /sys/web/sites | |
| parent | 181200e62d929df7e632e581547a01c71eeefc2a (diff) | |
web/sites: add home portal
Diffstat (limited to 'sys/web/sites')
| -rw-r--r-- | sys/web/sites/default.nix | 1 | ||||
| -rw-r--r-- | sys/web/sites/home.nix | 40 |
2 files changed, 41 insertions, 0 deletions
diff --git a/sys/web/sites/default.nix b/sys/web/sites/default.nix
index b453d24..a131aaf 100644
--- a/sys/web/sites/default.nix
+++ b/sys/web/sites/default.nix
@@ -1,5 +1,6 @@
 {
 imports = [
+ ./home.nix
 ./portal.nix
 ];
 }
diff --git a/sys/web/sites/home.nix b/sys/web/sites/home.nix
new file mode 100644
index 0000000..74f698c
--- /dev/null
+++ b/sys/web/sites/home.nix
@@ -0,0 +1,40 @@
+{ config, lib, ... }:
+with lib; let
+ cfg = config.local.web.sites.home;
+ inherit (config.local) domains;
+in
+{
+ options.local.web.sites.home = {
+ enable = mkEnableOption "home site";
+
+ proxyUrl = mkOption {
+ type = types.str;
+ };
+ };
+
+ config = mkIf cfg.enable {
+ local.web = {
+ enable = mkDefault true;
+ ownedCerts = [ "home" ];
+ };
+
+ services.nginx.virtualHosts.${domains.home.main} = {
+ forceSSL = true;
+ useACMEHost = domains.home.main;
+
+ extraConfig = ''
+ ssl_verify_depth 2;
+ ssl_verify_client on;
+ ssl_client_certificate ${config.local.pki.ca.home.fullchain};
+
+ if ($ssl_client_verify != "SUCCESS") {
+ return 403;
+ }
+ '';
+
+ locations."/".extraConfig = ''
+ proxy_pass ${cfg.proxyUrl};
+ '';
+ };
+ };
+} |
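Review bot: The vhost `extraConfig` in `home.nix` trusts every certificate that chains to `config.local.pki.ca.home.fullchain` and configures no revocation list, so a client certificate from a lost or retired device stays accepted until it expires or the CA is replaced. If the home CA can publish a CRL, add `ssl_crl <path-to-home-ca-crl>;` (placeholder path, not taken from this repository) next to `ssl_client_certificate`. With `ssl_verify_client on;` nginx should already refuse a request without a verified certificate before the `if ($ssl_client_verify != "SUCCESS")` test runs, so that block is a backstop rather than the enforcing check and deserves a comment saying so, e.g. `# backstop: stays closed if ssl_verify_client is ever relaxed to optional`. The certificate check also only covers traffic that goes through this vhost; presumably the service behind `cfg.proxyUrl` listens on loopback or a unix socket, and that expectation is worth stating in a `description` on the `proxyUrl` option, which currently has none.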
