services: web: Add c8h4.io deployment

Signed-off-by: Christoph Heiss <christoph@c8h4.io>

machines/fort.nix

@@ -18,6 +18,7 @@ in {
     ../secrets/morph/acme.nix
     ../secrets/morph/wireguard
     ../services/nginx.nix
+    ../services/web/c8h4-io.nix
     ../system/virtual-machine.nix
   ];
 

services/web/c8h4-io.nix

@@ -0,0 +1,28 @@
+{
+  imports = [ ../../system/deploy-target.nix ];
+
+  system.activationScripts.var-www = ''
+    mkdir -p /var/www/c8h4.io
+    chown -R deploy:deploy /var/www
+    chmod -R u=rwX,go=rX /var/www
+  '';
+
+  services.nginx.virtualHosts."c8h4.io" = {
+    forceSSL = true;
+    enableACME = true;
+    default = true;
+    root = "/var/www/c8h4.io";
+  };
+
+  services.nginx.virtualHosts."christoph-heiss.me" = {
+    forceSSL = true;
+    enableACME = true;
+    globalRedirect = "c8h4.io";
+  };
+
+  services.nginx.virtualHosts."christoph-heiss.at" = {
+    forceSSL = true;
+    enableACME = true;
+    globalRedirect = "c8h4.io";
+  };
+}

system/deploy-target.nix

@@ -0,0 +1,18 @@
+{ lib, pkgs, ... }:
+
+{
+  users.groups.deploy.gid = 2000;
+  users.users.deploy = {
+    isNormalUser = true;
+    uid = 2000;
+    createHome = false;
+    group = "deploy";
+    shell = pkgs.deploy-sink;
+    home = "/var/empty";
+    openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDBf2khUKpvOYvMEUbh+ETNh9J3p51VSjUFIRERH7zQz deploy@c8h4.io"
+    ];
+  };
+
+  services.openssh.settings.AllowUsers = lib.mkForce "christoph deploy";
+}