From 98c3c807c42bc0ae842775d23bdeb1ffbb431de1 Mon Sep 17 00:00:00 2001 From: stuebinm Date: Tue, 27 Apr 2021 10:10:17 +0200 Subject: [PATCH 1/5] shortcut domains for services as per Zauberberg's idea in mattermost last night [1], this adds an extra domain, which just exists to make links to the various services shorter, using a nix to keep the whole thing easily changable. In particular, the "shortdomain" binding should be set to some domain we actually own before anyone deploys this (I've set it to "i4f.de" as a dummy value for now). Potential caveats: - this uses ACME to get a certificate for each of the redirect domains, which may run into rate limits if we have too many of them. - there's nothing on the shortdomain itself. I suggest we could either use it as a general linkshortener, or generate a list of available domain shortcuts into html from nix [1] https://mattermost.infra4future.de/hacc/pl/xks5naezcbn8myh79bq3dehmso --- hosts/parsons/configuration.nix | 1 + services/shortdomains.nix | 19 +++++++++++++++++++ 2 files changed, 20 insertions(+) create mode 100644 services/shortdomains.nix diff --git a/hosts/parsons/configuration.nix b/hosts/parsons/configuration.nix index fb75f26..0051054 100644 --- a/hosts/parsons/configuration.nix +++ b/hosts/parsons/configuration.nix @@ -22,6 +22,7 @@ ../../services/unifi.nix ../../services/lantifa.nix ../../services/vaultwarden.nix + ../../services/shortdomains.nix ./lxc.nix ]; diff --git a/services/shortdomains.nix b/services/shortdomains.nix new file mode 100644 index 0000000..2f24d8c --- /dev/null +++ b/services/shortdomains.nix 
@@ -0,0 +1,19 @@
+{ config, lib, pkgs, ... }:
+
+let
+ shortdomain = "i4f.de";
+ short = abbrv: target: {
+ name = "${abbrv}.${shortdomain}";
+ value = {
+ forceSSL = true;
+ enableACME = true;
+ locations."/".return = "301 https://${target}$request_uri";
+ };
+ };
+in
+{
+ services.nginx.virtualHosts = lib.listToAttrs [
+ (short "d" "discuss.infra4future.de")
+ (short "m" "mattermost.infra4future.de")
+ ];
+}
From 03ce987c907cd02df24687574e71e87f490db470 Mon Sep 17 00:00:00 2001
From: stuebinm
Date: Mon, 3 May 2021 11:50:37 +0200
Subject: [PATCH 2/5] shortcutdomains: 301 redirect -> 302 redirect
To prevent interference from indefinite caching of 301 redirects, this now uses 302 redirects instead.
---
 services/shortdomains.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/services/shortdomains.nix b/services/shortdomains.nix
index 2f24d8c..e45045b 100644
--- a/services/shortdomains.nix
+++ b/services/shortdomains.nix
@@ -7,7 +7,7 @@ let
 value = {
 forceSSL = true;
 enableACME = true;
- locations."/".return = "301 https://${target}$request_uri";
+ locations."/".return = "302 https://${target}$request_uri";
 };
 };
 in
From e07d23e2ee0c44aba117f3ccf5f5fc9f23085b87 Mon Sep 17 00:00:00 2001
From: stuebinm
Date: Mon, 3 May 2021 11:51:39 +0200
Subject: [PATCH 3/5] shortcutdomains: more shortcuts
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
tbh, I'm not entirely sure about these — if we have single-letter domains only, we'll run into trouble pretty quickly (e.g. with mattermost/mumble). I've kept it limited to only *.infra4future.de, where that is less of a problem (for now).
---
 services/shortdomains.nix | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/services/shortdomains.nix b/services/shortdomains.nix
index e45045b..6c53b95 100644
--- a/services/shortdomains.nix
+++ b/services/shortdomains.nix
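Review bot: `shortdomain = "i4f.de";` in the new services/shortdomains.nix is a placeholder for a domain the project does not control (the commit message calls it a dummy value), and nothing in the file keeps it from being deployed as is. With `enableACME = true` on every generated virtual host, certificate issuance would fail for names that do not resolve to this machine, and any short link handed out under that name would be answered by whoever actually holds the domain. I would put a comment on the binding, `# placeholder: replace with a domain we own before deploying`, or hold back the `../../services/shortdomains.nix` import in hosts/parsons/configuration.nix until the domain is settled.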
@@ -15,5 +15,8 @@ in
 services.nginx.virtualHosts = lib.listToAttrs [
 (short "d" "discuss.infra4future.de")
 (short "m" "mattermost.infra4future.de")
+ (short "c" "cloud.infra4future.de")
+ (short "s" "survey.infra4future.de")
+ (short "g" "gitlab.infra4future.de")
 ];
 }
From 9eed435ea3b5ba964f19da24e20297aa2ce2fccd Mon Sep 17 00:00:00 2001
From: stuebinm
Date: Mon, 3 May 2021 12:08:25 +0200
Subject: [PATCH 4/5] shortcutdomains: generate an index page
misusing nix as an html templating language, yay! We could (and maybe should) also use something more reasonable instead, e.g. jekyll or hakyll, but for a simple listing nix turns out to be quite enough. The page doesn't look all too well for now; I haven't set any css, or even added some
-tags for basic styling. --- services/shortdomains.nix | 40 ++++++++++++++++++++++++++++++++++----- 1 file changed, 35 insertions(+), 5 deletions(-) diff --git a/services/shortdomains.nix b/services/shortdomains.nix index 6c53b95..a1e75f8 100644 --- a/services/shortdomains.nix +++ b/services/shortdomains.nix @@ -2,21 +2,51 @@ let shortdomain = "i4f.de"; - short = abbrv: target: { - name = "${abbrv}.${shortdomain}"; + short = name: target: { + inherit name target; + }; + toVirtualHosts = {name, target, ...}: { + name = "${name}.${shortdomain}"; value = { forceSSL = true; enableACME = true; locations."/".return = "302 https://${target}$request_uri"; }; }; -in -{ - services.nginx.virtualHosts = lib.listToAttrs [ + redirects = [ (short "d" "discuss.infra4future.de") (short "m" "mattermost.infra4future.de") (short "c" "cloud.infra4future.de") (short "s" "survey.infra4future.de") (short "g" "gitlab.infra4future.de") ]; +in +{ + services.nginx.virtualHosts = + lib.listToAttrs (map toVirtualHosts redirects) + // { + ${shortdomain} = { + enableACME = true; + forceSSL = true; + root = pkgs.writeText "index.html" '' + + + Infra4future shortlinks + + +

Shortlinks for infra4future.de

+ ${lib.strings.concatStrings + (map ({name, target,...}: + '' +

+ ${name}.${shortdomain} → ${target} +

+ '') + redirects) + } + + + ''; + }; + }; } From 5e7c46a4e96150bf22b674d671362ada79a2247d Mon Sep 17 00:00:00 2001 From: stuebinm Date: Thu, 7 Oct 2021 18:04:25 +0200 Subject: [PATCH 5/5] wildcard dns with ACME MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit this is just me procrastinating … (not tested, not deployed – we don't actually own i4f.de) --- services/shortdomains.nix | 30 +++++++++++++++++++----------- 1 file changed, 19 insertions(+), 11 deletions(-) diff --git a/services/shortdomains.nix b/services/shortdomains.nix index a1e75f8..36f7d08 100644 --- a/services/shortdomains.nix +++ b/services/shortdomains.nix @@ -2,17 +2,6 @@ let shortdomain = "i4f.de"; - short = name: target: { - inherit name target; - }; - toVirtualHosts = {name, target, ...}: { - name = "${name}.${shortdomain}"; - value = { - forceSSL = true; - enableACME = true; - locations."/".return = "302 https://${target}$request_uri"; - }; - }; redirects = [ (short "d" "discuss.infra4future.de") (short "m" "mattermost.infra4future.de") @@ -20,8 +9,27 @@ let (short "s" "survey.infra4future.de") (short "g" "gitlab.infra4future.de") ]; + + + short = name: target: { + inherit name target; + }; + toVirtualHosts = {name, target, ...}: { + name = "${name}.${shortdomain}"; + value = { + forceSSL = true; + useACMEHost = "*.i4f.de"; + locations."/".return = "302 https://${target}$request_uri"; + }; + }; in { + security.acme.certs."wildcard.i4f.de" = { + domain = "*.i4f.de"; + dnsProvider = "cloudflare"; + credentialsFile = "/persist/var/shortdomains/dns-secrents.env"; + }; + services.nginx.virtualHosts = lib.listToAttrs (map toVirtualHosts redirects) // {
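Review bot: `root = pkgs.writeText "index.html" ''…''` on the `${shortdomain}` virtual host (patch 4/5) gives nginx a store path that is a single file, while `root` expects a directory to resolve request paths against, so the index page would most likely not be served. `pkgs.writeTextDir "index.html" ''…''` builds a directory containing the file and fits the option. The template also interpolates `${name}`, `${shortdomain}` and `${target}` into markup without escaping; that is fine while `redirects` stays a hand-written list in this file, and a short comment saying so would stop someone from later feeding it less trusted data. The markup between the interpolations is not fully visible in this rendering of the hunk.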
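Review bot: `useACMEHost = "*.i4f.de";` in `toVirtualHosts` (patch 5/5) does not match the certificate declared a few lines below as `security.acme.certs."wildcard.i4f.de"`; the option takes the attribute name of the certificate, so it should read `useACMEHost = "wildcard.${shortdomain}";`, with the cert name and `domain` built from `shortdomain` too rather than repeating the literal. `credentialsFile` points at a DNS API credential that can rewrite the zone, so the file should be readable by root only and the token limited to DNS edits on this one zone; the file name `dns-secrents.env` also looks like a typo for `dns-secrets.env`. nginx will additionally need read access to the issued key, for example `users.users.nginx.extraGroups = [ "acme" ];`, which this hunk does not show. The attribute set opened by `// {` at the end of the hunk continues outside it.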