diff --git a/machines/renge/configuration.nix b/machines/renge/configuration.nix
index 5d8d65e..9f4c4fa 100644
--- a/machines/renge/configuration.nix
+++ b/machines/renge/configuration.nix
@@ -33,6 +33,9 @@
 };
 wireguard.home.enable = true;
 infovhost.enable = true;
+ wkd = {
+ enable = true;
+ };
 };
 networking.hostName = "renge";
diff --git a/modules/default.nix b/modules/default.nix
index fc198a8..342d74f 100644
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -67,6 +67,7 @@
 ./udev.nix
 ./unfree.nix
 ./wireguard
+ ./wkd
 ];
 config = lib.mkMerge [
diff --git a/modules/wkd/default.nix b/modules/wkd/default.nix
new file mode 100644
index 0000000..4c7bb86
--- /dev/null
+++ b/modules/wkd/default.nix
@@ -0,0 +1,49 @@
+# SPDX-FileCopyrightText: 2024 Simon Bruder
+ #
+ # SPDX-License-Identifier: AGPL-3.0-or-later
+
+ { config, lib, ... }:
+let
+ cfg = config.sbruder.wkd;
+
+ toFqdn = domain: "openpgpkey.${domain}";
+in
+{
+ options.sbruder.wkd = {
+ enable = lib.mkEnableOption "Web Key Directory";
+ domain = lib.mkOption {
+ type = lib.types.str;
+ description = "The main domain to listen on. The actual fqdn will be openpgpkey..";
+ default = "sbruder.de";
+ };
+ domains = lib.mkOption {
+ type = lib.types.listOf lib.types.str;
+ description = "Additional domains to serve.";
+ default = [ ];
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ sbruder.static-webserver.vhosts."${toFqdn cfg.domain}" = {
+ redirects = map toFqdn cfg.domains;
+ user.name = "wkd";
+ };
+
+ services.nginx.virtualHosts."${toFqdn cfg.domain}" = {
+ locations."^~ /.well-known/openpgpkey" =
+ let
+ # workaround for nginx dropping parent headers
+ # see https://github.com/yandex/gixy/blob/master/docs/en/plugins/addheaderredefinition.md
+ parentHeaders = lib.concatStringsSep "\n" (lib.filter
+ (lib.hasPrefix "add_header ")
+ (lib.splitString "\n" config.services.nginx.commonHttpConfig));
+ in
+ {
+ extraConfig = ''
+ ${parentHeaders}
+ add_header Access-Control-Allow-Origin * always;
+ '';
+ };
+ };
+ };
+}
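Review bot: The `parentHeaders` filter in modules/wkd/default.nix copies every `commonHttpConfig` line that starts with `add_header ` verbatim, so if that shared config already sets `Access-Control-Allow-Origin` the location would emit two CORS headers (which browsers reject as an invalid CORS response), and an `add_header` line that happens to be indented would be silently dropped; a predicate such as `(l: builtins.match "[[:space:]]*add_header .*" l != null && !lib.hasInfix "Access-Control-Allow-Origin" l)` in place of `(lib.hasPrefix "add_header ")` covers both cases. The inline `add_header Access-Control-Allow-Origin * always;` deserves a why-comment, e.g. `# WKD lookups may come from browser-based clients, so the (public) key material is served with an open CORS policy; "always" keeps the header on error responses too`, because a wildcard origin looks alarming without that context. The `domain` option description reads `openpgpkey..`, which looks like a lost placeholder for the domain name; worth confirming it renders as intended in the option docs. Whether the `redirects` for `cfg.domains` satisfy the advanced WKD lookup method depends on the client following redirects, which presumably was tested but is not stated in the module.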