Add mdBook infra runbook served by Caddy on control
Docs live in docs/ (DNS, ZeroTier mesh, monitoring), built at Nix-build time and served as static files over the ZeroTier mesh on control:8080. Commit-to-edit: change the markdown and redeploy to publish.
@@ -0,0 +1,40 @@
|
||||
# Infra runbook (mdBook), built at Nix-build time from ./docs and served by Caddy.
|
||||
# Reachable only over the ZeroTier mesh (firewall rule below); the public side is
|
||||
# already closed by the Hetzner cloud firewall. Imported by control only.
|
||||
{
|
||||
config,
|
||||
lib,
|
||||
pkgs,
|
||||
...
|
||||
}:
|
||||
let
|
||||
mesh = import ./mesh-hosts.nix { inherit config lib; };
|
||||
port = 8080;
|
||||
|
||||
site = pkgs.stdenvNoCC.mkDerivation {
|
||||
name = "cnx-infra-docs";
|
||||
src = ../docs;
|
||||
nativeBuildInputs = [ pkgs.mdbook ];
|
||||
# mdbook writes a state dir under $HOME; the build sandbox has none.
|
||||
buildPhase = ''
|
||||
export HOME=$TMPDIR
|
||||
mdbook build -d $out
|
||||
'';
|
||||
dontInstall = true;
|
||||
};
|
||||
in
|
||||
{
|
||||
# ":port" makes Caddy serve plain HTTP (no automatic TLS) on all interfaces;
|
||||
# the mesh-scoped firewall rule below is what constrains reachability.
|
||||
services.caddy = {
|
||||
enable = true;
|
||||
virtualHosts.":${toString port}".extraConfig = ''
|
||||
root * ${site}
|
||||
file_server
|
||||
'';
|
||||
};
|
||||
|
||||
networking.firewall.extraInputRules = ''
|
||||
ip6 saddr ${mesh.subnet} tcp dport ${toString port} accept
|
||||
'';
|
||||
}
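Review bot: Caddy is configured to listen on `:8080` on every interface, so the only thing keeping the runbook (DNS layout, monitoring details) off the public side is the single nftables rule plus the external cloud firewall; the listener itself is one firewall misconfiguration away from exposure. If mesh-hosts.nix exports this host's own ZeroTier address, adding `bind <mesh address>` inside the `virtualHosts.":${toString port}"` block (before `root * ${site}`) restricts the socket to the mesh and turns the firewall rule into defense in depth rather than the sole control. Note also that `networking.firewall.extraInputRules` only takes effect with the nftables backend, and the rule matches `ip6 saddr` only, so IPv4 mesh peers, if ZeroTier assigns any, are dropped; a comment such as `# requires the nftables firewall backend; mesh is IPv6-only` next to the rule, or a matching `ip saddr` rule if the mesh has a v4 subnet, would make that explicit.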
|
||||