[terakoda.com] Moves www2 to the main site.

system/hosts/mcp/containers/public-homepage.nix

@@ -7,7 +7,10 @@ let
     blazestar
     ;
   mkStaticSite =
-    host:
+    {
+      host,
+      dir ? "public",
+    }:
     let
       cleanHost = lib.strings.stringAsChars (c: if c == "." then "-" else c) host;
     in
@@ -16,7 +19,7 @@ let
         image = "nginx:alpine";
         autoStart = true;
         volumes = [
-          "/tank/web/${host}/public:/usr/share/nginx/html:ro"
+          "/tank/web/${host}/${dir}:/usr/share/nginx/html:ro"
         ];
         labels = {
           "traefik.enable" = "true";
@@ -33,27 +36,10 @@ let
 in
 {
   virtualisation.oci-containers.containers =
-    mkStaticSite terakoda
-    // mkStaticSite havenisms
-    // mkStaticSite blazestar
-    // (
-      let
-        host = "www2.terakoda.com";
-        cleanHost = lib.strings.stringAsChars (c: if c == "." then "-" else c) host;
-      in
-      {
-        "${cleanHost}-static" = {
-          image = "nginx:alpine";
-          autoStart = true;
-          volumes = [
-            "/tank/web/www2.terakoda.com/dist:/usr/share/nginx/html:ro"
-          ];
-          labels = {
-            "traefik.enable" = "true";
-            "traefik.http.routers.${cleanHost}.rule" = "Host(`${host}`)";
-            "traefik.http.services.${cleanHost}.loadbalancer.server.port" = "80";
-          };
-        };
-      }
-    );
+    mkStaticSite {
+      host = terakoda;
+      dir = "dist";
+    }
+    // mkStaticSite { host = havenisms; }
+    // mkStaticSite { host = blazestar; };
 }

system/hosts/mcp/static-site-hooks.nix

@@ -38,9 +38,6 @@ let
     };
 in
 {
-  # [ ] Make sure the hook can operate on that directory
-  # [ ] Run the build command
-
   sops.secrets = {
     "deploy-key/terakoda.com" = {
       restartUnits = [ "webhook.service" ];
@@ -54,22 +51,40 @@ in
     port = 9000;
     openFirewall = true;
     hooks = {
-      "deploy-www2-terakoda-com" = {
-        id = "deploy-www2-terakoda-com";
+      "deploy-terakoda-com" = {
+        id = "deploy-terakoda-com";
         http-methods = [ "POST" ];
-        command-working-directory = "/tank/web/www2.terakoda.com";
-        include-command-output-in-response = true;
+        command-working-directory = "/tank/web/terakoda.com";
         include-command-output-in-response-on-error = true;
         execute-command = "${testHook}/bin/deploy-astro-app";
+        trigger-rule-mismatch-http-response-code = 400;
         trigger-rule = {
-          match = {
-            type = "payload-mac-sha256";
-            secret = "test123";
-            parameter = {
-              source = "header";
-              name = "X-Hub-Signature-256";
-            };
-          };
+          or = [
+            # There were some issues getting the payload signature validation to work.
+            # Switching to only accepting requests from internal IPs.
+            # {
+            #   match = {
+            #     type = "payload-hmac-sha1";
+            #     secret = "mysecret";
+            #     parameter = {
+            #       source = "header";
+            #       name = "X-Hub-Signature";
+            #     };
+            #   };
+            # }
+            {
+              match = {
+                type = "ip-whitelist";
+                ip-range = "192.168.0.0/16";
+              };
+            }
+            {
+              match = {
+                type = "ip-whitelist";
+                ip-range = "10.88.0.0/16";
+              };
+            }
+          ];
         };
       };
     };