central: add personal website

hosts/thegeneralist-central/archive/archivebox.nix

@@ -20,14 +20,14 @@
       };
     };
 
-    pywb = {
-      image = "docker.io/webrecorder/pywb";
-      ports = [ "127.0.0.1:8001:8001" ];
-      volumes = [
-        "/mnt/usb/services/browsertrix/webrecorder/:/"
-        "/mnt/usb/services/browsertrix/webrecorder/webarchive:/webarchive"
-      ];
-    };
+    # pywb = {
+    #   image = "docker.io/webrecorder/pywb";
+    #   ports = [ "127.0.0.1:8001:8001" ];
+    #   volumes = [
+    #     "/mnt/usb/services/browsertrix/webrecorder/:/"
+    #     "/mnt/usb/services/browsertrix/webrecorder/webarchive:/webarchive"
+    #   ];
+    # };
   };
 
   environment.systemPackages = [ pkgs.docker ];

hosts/thegeneralist-central/credentials_personal.age

@@ -0,0 +1,5 @@
+<EFBFBD>
+<EFBFBD>
+<EFBFBD>
+<EFBFBD>
+<EFBFBD>

hosts/thegeneralist-central/site.nix

@@ -1,31 +1,38 @@
-{ config, pkgs, ... }: let
+{ config, pkgs, ... }:
+let
   domain = "thegeneralist01.com";
+	family_domain = builtins.getEnv "FAMILY_DOMAIN";
 
   ssl = {
-    quic        = true;
+    quic = true;
     useACMEHost = domain;
   };
-in {
-  imports = [ ./acme ./dns.nix ./jellyfin ];
+in
+{
+  imports = [
+    ./acme
+    ./dns.nix
+    ./jellyfin
+  ];
 
   # Nginx
   services.nginx = {
-    enable                        = true;
-    package                       = pkgs.nginxQuic;
-    enableQuicBPF                 = true;
+    enable = true;
+    package = pkgs.nginxQuic;
+    enableQuicBPF = true;
 
-    experimentalZstdSettings      = true;
-    recommendedUwsgiSettings      = true;
-    recommendedTlsSettings        = true;
-    recommendedProxySettings      = true;
-    recommendedOptimisation       = true;
-    recommendedGzipSettings       = true;
-    recommendedBrotliSettings     = true;
+    experimentalZstdSettings = true;
+    recommendedUwsgiSettings = true;
+    recommendedTlsSettings = true;
+    recommendedProxySettings = true;
+    recommendedOptimisation = true;
+    recommendedGzipSettings = true;
+    recommendedBrotliSettings = true;
 
-    statusPage                    = true;
-    validateConfigFile            = true;
+    statusPage = true;
+    validateConfigFile = true;
 
-    virtualHosts."${domain}"      = ssl // {
+    virtualHosts."${domain}" = ssl // {
       root = "/var/www/${domain}";
       locations."/".tryFiles = "$uri $uri.html $uri/ $uri/index.html =404";
 
@@ -43,13 +50,35 @@ in {
       '';
     };
 
-    virtualHosts."www.${domain}"  = ssl // {
+    virtualHosts."www.${domain}" = ssl // {
       locations."/".return = "306 https://${domain}$request_uri";
     };
 
-    virtualHosts._ = ssl // {
-      locations."/".return = "307 https://${domain}/404";
+    virtualHosts."${family_domain}" = {
+      root = "/var/www/${family_domain}";
+      locations."/".tryFiles = "$uri $uri.html $uri/ $uri/index.html =404";
+
+      extraConfig = ''
+        if ($http_x_forwarded_proto = "http") {
+          return 301 https://${family_domain}$request_uri;
+        }
+
+        location ~* \.(html|css|js|jpg|jpeg|png|gif|svg|ico|woff2?)$ {
+          expires 1d;
+          add_header Cache-Control "public";
+        }
+
+        error_page 404 /404.html;
+      '';
     };
+
+    virtualHosts."www.${family_domain}" = {
+      locations."/".return = "306 https://${family_domain}$request_uri";
+    };
+
+    # virtualHosts._ = ssl // {
+    #   locations."/".return = "307 https://${domain}/404";
+    # };
   };
 
   # Cloudflare
@@ -57,21 +86,34 @@ in {
 
   age.secrets.cftcert.file = ./cert.pem.age;
   age.secrets.cftcredentials.file = ./credentials.age;
+  age.secrets.cftcredentials_personal.file = ./credentials_personal.age;
 
   services.cloudflared = {
     enable = true;
     certificateFile = config.age.secrets.cftcert.path;
 
-    tunnels."site" = {
-      ingress = {
-        "thegeneralist01.com" = "http://localhost:80";
-        "www.thegeneralist01.com" = "http://localhost:80";
-        "cache.thegeneralist01.com" = "http://localhost:80";
-      };
-      default = "http_status:404";
+    tunnels = {
+      "site" = {
+        ingress = {
+          "thegeneralist01.com" = "http://localhost:80";
+          "www.thegeneralist01.com" = "http://localhost:80";
+          "cache.thegeneralist01.com" = "http://localhost:80";
+        };
+        default = "http_status:404";
 
-      credentialsFile = config.age.secrets.cftcredentials.path;
-      certificateFile = config.age.secrets.cftcert.path;
+        credentialsFile = config.age.secrets.cftcredentials.path;
+        certificateFile = config.age.secrets.cftcert.path;
+      };
+      "personal" = {
+        ingress = {
+          "${family_domain}" = "http://localhost:80";
+          "www.${family_domain}" = "http://localhost:80";
+        };
+        default = "http_status:404";
+
+        credentialsFile = config.age.secrets.cftcredentials_personal.path;
+        certificateFile = config.age.secrets.cftcert.path;
+      };
     };
   };
 }

secrets.nix

@@ -7,6 +7,7 @@ in {
   "hosts/thegeneralist-central/acme/acmeEnvironment.age".publicKeys = [ thegeneralist ];
   "hosts/thegeneralist-central/cert.pem.age".publicKeys = [ thegeneralist ];
   "hosts/thegeneralist-central/credentials.age".publicKeys = [ thegeneralist ];
+  "hosts/thegeneralist-central/credentials_personal.age".publicKeys = [ thegeneralist ];
   "hosts/thegeneralist-central/cache/key.age".publicKeys = [ thegeneralist ];
   "hosts/thegeneralist-central/password.age".publicKeys = [ thegeneralist ];