From 754ea55ab89cdeffaac7b4b66ca792558fed9237 Mon Sep 17 00:00:00 2001
From: makefu <github@syntax-fehler.de>
Date: Mon, 19 Oct 2015 21:50:08 +0200
Subject: krebs 3 retiolum-bootstrap: init module

---
 krebs/3modules/retiolum-bootstrap.nix | 60 +++++++++++++++++++++++++++++++++++
 1 file changed, 60 insertions(+)
 create mode 100644 krebs/3modules/retiolum-bootstrap.nix

(limited to 'krebs/3modules/retiolum-bootstrap.nix')

diff --git a/krebs/3modules/retiolum-bootstrap.nix b/krebs/3modules/retiolum-bootstrap.nix
new file mode 100644
index 000000000..5cce4c2af
--- /dev/null
+++ b/krebs/3modules/retiolum-bootstrap.nix
@@ -0,0 +1,60 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+let
+  cfg = config.krebs.retiolum-bootstrap;
+
+  out = {
+    options.krebs.retiolum-bootstrap = api;
+    config = mkIf cfg.enable imp ;
+  };
+
+  api = {
+    enable = mkEnableOption "retiolum boot strap for tinc.krebsco.de";
+    hostname = mkOption {
+        type = types.str;
+        description = "hostname which serves tinc boot";
+        default = "tinc.krebsco.de" ;
+    };
+    ssl_certificate_key = mkOption {
+        type = types.str;
+        description = "Certificate key to use for ssl";
+        default = "/root/secrets/tinc.krebsco.de.key";
+    };
+    ssl_certificate = mkOption {
+        type = types.str;
+        description = "Certificate file to use for ssl";
+        default = "/root/secrets/tinc.krebsco.de.crt" ;
+    };
+    # in use:
+    #  <secrets/tinc.krebsco.de.crt>
+    #  <secrets/tinc.krebsco.de.key>
+  };
+
+  imp = {
+    # TODO: assert krebs nginx
+
+    krebs.nginx.servers = {
+      retiolum-boot-redir = {
+        server-names = singleton cfg.hostname;
+        extraConfig = ''
+          return 301 https://$server_name$request_uri;
+        '';
+        locations = [];
+      };
+      retiolum-boot-ssl = {
+        server-names = singleton cfg.hostname;
+        listen = "443 ssl";
+        extraConfig = ''
+          ssl_certificate ${cfg.ssl_certificate};
+          ssl_certificate_key ${cfg.ssl_certificate_key};
+          root ${pkgs.retiolum-bootstrap};
+          try_files $uri $uri/retiolum.sh;
+        '';
+        locations = [];
+      };
+    };
+  };
+
+in
+out
-- 
cgit v1.2.3


From 8d3ebfc096c10e9d498ca0bed934ad9e35e6c022 Mon Sep 17 00:00:00 2001
From: makefu <github@syntax-fehler.de>
Date: Mon, 19 Oct 2015 21:57:05 +0200
Subject: krebs 3 retiolum-bootstrap: fix assert todo

---
 krebs/3modules/retiolum-bootstrap.nix | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

(limited to 'krebs/3modules/retiolum-bootstrap.nix')

diff --git a/krebs/3modules/retiolum-bootstrap.nix b/krebs/3modules/retiolum-bootstrap.nix
index 5cce4c2af..eed11642f 100644
--- a/krebs/3modules/retiolum-bootstrap.nix
+++ b/krebs/3modules/retiolum-bootstrap.nix
@@ -32,9 +32,7 @@ let
   };
 
   imp = {
-    # TODO: assert krebs nginx
-
-    krebs.nginx.servers = {
+    krebs.nginx.servers = assert config.krebs.nginx.enable; {
       retiolum-boot-redir = {
         server-names = singleton cfg.hostname;
         extraConfig = ''
-- 
cgit v1.2.3


From 0bc015bf3c2b8f70952793cc117cd9b976ebc96e Mon Sep 17 00:00:00 2001
From: makefu <github@syntax-fehler.de>
Date: Tue, 20 Oct 2015 19:59:59 +0200
Subject: krebs 3 retiolum-bootstra: use nginx listen list

consolidate nginx servers into 1, provide a means to override the listen
addresses.
---
 krebs/3modules/retiolum-bootstrap.nix | 22 ++++++++++++++--------
 1 file changed, 14 insertions(+), 8 deletions(-)

(limited to 'krebs/3modules/retiolum-bootstrap.nix')

diff --git a/krebs/3modules/retiolum-bootstrap.nix b/krebs/3modules/retiolum-bootstrap.nix
index eed11642f..65bb51193 100644
--- a/krebs/3modules/retiolum-bootstrap.nix
+++ b/krebs/3modules/retiolum-bootstrap.nix
@@ -16,6 +16,14 @@ let
         description = "hostname which serves tinc boot";
         default = "tinc.krebsco.de" ;
     };
+    listen = mkOption {
+        type = with types; listOf str;
+        description = ''Addresses to listen on (nginx-syntax).
+        ssl will be configured, http will be redirected to ssl.
+        Make sure to have at least 1 ssl port configured.
+        '';
+        default = [ "80" "443 ssl" ] ;
+    };
     ssl_certificate_key = mkOption {
         type = types.str;
         description = "Certificate key to use for ssl";
@@ -33,19 +41,17 @@ let
 
   imp = {
     krebs.nginx.servers = assert config.krebs.nginx.enable; {
-      retiolum-boot-redir = {
-        server-names = singleton cfg.hostname;
-        extraConfig = ''
-          return 301 https://$server_name$request_uri;
-        '';
-        locations = [];
-      };
       retiolum-boot-ssl = {
         server-names = singleton cfg.hostname;
-        listen = "443 ssl";
+        listen = cfg.listen;
         extraConfig = ''
           ssl_certificate ${cfg.ssl_certificate};
           ssl_certificate_key ${cfg.ssl_certificate_key};
+
+          if ($scheme = http){
+            return 301 https://$server_name$request_uri;
+          }
+
           root ${pkgs.retiolum-bootstrap};
           try_files $uri $uri/retiolum.sh;
         '';
-- 
cgit v1.2.3

[cgit] Unable to lock slot /tmp/cgit/b7000000.lock: No such file or directory (2)