URL normalization

Pandoks · Dec 4, 2024 · 449c153 · 449c153
1 parent 598bfcf
commit 449c153
Show file tree

Hide file tree

Showing 3 changed files with 66 additions and 35 deletions.
diff --git a/config/deploy.yml b/config/deploy.yml
@@ -1,41 +1,32 @@
 # Name of your application. Used to uniquely configure containers.
 service: homelab-template
 
-# Name of the container image.
 image: pandoks/homelab-template-web
 
-# Deploy to these servers.
 servers:
   web:
     - 5.78.129.11
 
-# TODO: add read-only flag to docker containers
 # NOTE: you need to add "service" label for images that you don't want to build
 # Enable SSL auto certification via Let's Encrypt (and allow for multiple apps on one server).
 # If using something like Cloudflare, it is recommended to set encryption mode
 # in Cloudflare's SSL/TLS setting to "Full" to enable end-to-end encryption.
+# Set ssl: false if you're using Cloudflare
 proxy:
-  ssl: true
+  ssl: false
   hosts:
     - ziji.dev
-    - www.ziji.dev
-  # kamal-proxy connects to your container over port 80, use `app_port` to specify a different port.
   app_port: 3000
 
-# Credentials for your image host.
 registry:
-  # Specify the registry server, if you're not using Docker Hub
   server: ghcr.io
   username: Pandoks
 
-  # Always use an access token rather than real password (pulled from .kamal/secrets).
   password:
     - KAMAL_REGISTRY_PASSWORD
-# Configure builder setup.
+
 builder:
   arch: amd64
-# Inject ENV variables into containers (secrets come from .kamal/secrets).
-#
 # env:
 #   clear:
 #     DB_HOST: 192.168.0.2
@@ -48,7 +39,6 @@ builder:
 # aliases:
 #   shell: app exec --interactive --reuse "bash"
 
-# Use a different ssh user than root
 ssh:
   user: pandoks
   port: 61189

diff --git a/infra/dns.ts b/infra/dns.ts
@@ -2,29 +2,70 @@ import { generateRandomString } from "./utils";
 import { vps } from "./vps";
 
 const hash = generateRandomString(10);
-const base = "ziji.dev";
+const baseDomain = "ziji.dev";
 
 export const domain =
   {
-    production: base,
-    staging: `staging-${hash}.${base}`,
+    production: baseDomain,
+    staging: `${hash}.${baseDomain}`,
   }[$app.stage] || "localhost";
 
-export const zone = cloudflare.getZoneOutput({ name: base });
-
-// NOTE: Once you start going multi servers, make sure this is pointing to the load balancer
-const dnsVPSRecord = new cloudflare.Record("VPSConnection", {
-  zoneId: zone.id,
-  name: base,
-  type: "A",
-  value: vps.ipv4Address,
-  proxied: true, // if proxied is true, you don't really need to set TTL cause cloudflare takes care of it
-});
-
-const wwwDnsRecord = new cloudflare.Record("wwwDnsRecord", {
-  zoneId: zone.id,
-  name: `www.${base}`,
-  type: "A", // could be CNAME too but cloudflare flattens the records on their end so it don't matter
-  value: vps.ipv4Address,
-  proxied: true,
-});
+// NOTE: Authentication error (10000) is probably an API token permissions problem
+if (!$dev) {
+  var zone = cloudflare.getZoneOutput({ name: baseDomain });
+
+  const directRecordTypes = ["A", "AAAA"];
+  for (const recordType of directRecordTypes) {
+    const ipAddress = recordType === "A" ? vps.ipv4Address : vps.ipv6Address;
+    // NOTE: Once you start going multi servers, make sure this is pointing to the load balancer
+    new cloudflare.Record(`VPSConnection${recordType}`, {
+      zoneId: zone.id,
+      name: baseDomain,
+      type: recordType,
+      value: ipAddress,
+      proxied: true, // make sure this is true so that Cloudflare can run their middleware
+    });
+
+    new cloudflare.Record(`APIConnection${recordType}`, {
+      zoneId: zone.id,
+      name: `api.${baseDomain}`,
+      type: recordType,
+      value: ipAddress, // change this when moving api to another machine
+      proxied: true,
+    });
+  }
+
+  new cloudflare.Record("CatchAll", {
+    zoneId: zone.id,
+    name: `*.${baseDomain}`,
+    type: "CNAME",
+    value: baseDomain,
+    proxied: true,
+  });
+
+  new cloudflare.Ruleset("RedirectToRoot", {
+    name: "Redirect subdomains to root",
+    kind: "custom",
+    zoneId: zone.id,
+    phase: "http_request_dynamic_redirect", // https://developers.cloudflare.com/ruleset-engine/reference/phases-list/
+    rules: [
+      {
+        expression: `(http.request.full_uri wildcard "https://*.${baseDomain}*")`,
+        actionParameters: {
+          fromValue: {
+            preserveQueryString: true,
+            statusCode: 301,
+            targetUrl: {
+              expression: `wildcard_replace(http.request.full_uri, "https://*.${baseDomain}*", "https://${baseDomain}\$\{2\}")`,
+            },
+          },
+        },
+        action: "redirect",
+        enabled: true,
+        description: "Redirects subdomains to root domain",
+      },
+    ],
+  });
+}
+
+export { zone };
diff --git a/infra/vps.ts b/infra/vps.ts
@@ -227,7 +227,7 @@ runcmd:
     },
     { ignoreChanges: ["userData"] }, // don't want to restart server if eg. ssh key changes (keeps prod up)
   );
-  vps.ipv4Address.apply((ip) => console.log(`IP: ${ip}, Port: ${sshPort}`));
+  vps.ipv4Address.apply((ip) => console.log(`ssh pandoks@${ip} -p ${sshPort}`));
 
   const vpsInfo = new sst.Linkable("Vps", {
     properties: { ipv4: vps.ipv4Address },