2015-10-21 18:49:20 +02:00
|
|
|
{ config, lib, pkgs, ... }:
|
|
|
|
|
|
|
|
# 1systems should configure itself:
|
|
|
|
# krebs.bepasty.servers.internal.nginx.listen = [ "80" ]
|
|
|
|
# krebs.bepasty.servers.external.nginx.listen = [ "80" "443 ssl" ]
|
|
|
|
# 80 is redirected to 443 ssl
|
|
|
|
|
|
|
|
# secrets used:
|
|
|
|
# wildcard.krebsco.de.crt
|
|
|
|
# wildcard.krebsco.de.key
|
|
|
|
# bepasty-secret.nix <- contains single string
|
|
|
|
|
2016-10-20 20:54:38 +02:00
|
|
|
with import <stockholm/lib>;
|
2015-10-29 10:55:54 +01:00
|
|
|
let
|
|
|
|
sec = toString <secrets>;
|
|
|
|
# secKey is nothing worth protecting on a local machine
|
|
|
|
secKey = import <secrets/bepasty-secret.nix>;
|
2016-07-18 15:34:46 +02:00
|
|
|
acmepath = "/var/lib/acme/";
|
|
|
|
acmechall = acmepath + "/challenges/";
|
|
|
|
ext-dom = "paste.krebsco.de" ;
|
2015-10-29 10:55:54 +01:00
|
|
|
in {
|
2015-10-21 18:49:20 +02:00
|
|
|
|
|
|
|
krebs.nginx.enable = mkDefault true;
|
|
|
|
krebs.bepasty = {
|
|
|
|
enable = true;
|
|
|
|
serveNginx= true;
|
|
|
|
|
|
|
|
servers = {
|
|
|
|
internal = {
|
|
|
|
nginx = {
|
2016-07-18 15:34:46 +02:00
|
|
|
server-names = [ "paste.retiolum" "paste.r" "paste.${config.krebs.build.host.name}" ];
|
2015-10-21 18:49:20 +02:00
|
|
|
};
|
|
|
|
defaultPermissions = "admin,list,create,read,delete";
|
2015-10-29 10:55:54 +01:00
|
|
|
secretKey = secKey;
|
2015-10-21 18:49:20 +02:00
|
|
|
};
|
|
|
|
|
|
|
|
external = {
|
|
|
|
nginx = {
|
2016-07-18 15:34:46 +02:00
|
|
|
server-names = [ ext-dom ];
|
|
|
|
ssl = {
|
|
|
|
enable = true;
|
|
|
|
certificate = "${acmepath}/${ext-dom}/fullchain.pem";
|
|
|
|
certificate_key = "${acmepath}/${ext-dom}/key.pem";
|
|
|
|
# these certs will be needed if acme has not yet created certificates:
|
|
|
|
#certificate = "${sec}/wildcard.krebsco.de.crt";
|
|
|
|
#certificate_key = "${sec}/wildcard.krebsco.de.key";
|
|
|
|
ciphers = "RC4:HIGH:!aNULL:!MD5" ;
|
2016-07-21 16:19:07 +02:00
|
|
|
force_encryption = true;
|
2016-07-18 15:34:46 +02:00
|
|
|
};
|
|
|
|
locations = singleton ( nameValuePair "/.well-known/acme-challenge" ''
|
|
|
|
root ${acmechall}/${ext-dom}/;
|
|
|
|
'');
|
2015-10-21 18:49:20 +02:00
|
|
|
extraConfig = ''
|
|
|
|
ssl_session_cache shared:SSL:1m;
|
|
|
|
ssl_session_timeout 10m;
|
|
|
|
ssl_verify_client off;
|
|
|
|
proxy_ssl_session_reuse off;
|
2016-07-21 16:19:07 +02:00
|
|
|
'';
|
2015-10-21 18:49:20 +02:00
|
|
|
};
|
|
|
|
defaultPermissions = "read";
|
2015-10-29 10:55:54 +01:00
|
|
|
secretKey = secKey;
|
2015-10-21 18:49:20 +02:00
|
|
|
};
|
|
|
|
};
|
|
|
|
};
|
2016-07-18 15:34:46 +02:00
|
|
|
security.acme.certs."${ext-dom}" = {
|
|
|
|
email = "acme@syntax-fehler.de";
|
|
|
|
webroot = "${acmechall}/${ext-dom}/";
|
|
|
|
group = "nginx";
|
|
|
|
allowKeysForGroup = true;
|
|
|
|
postRun = "systemctl reload nginx.service";
|
|
|
|
extraDomains."${ext-dom}" = null ;
|
|
|
|
};
|
2015-10-21 18:49:20 +02:00
|
|
|
}
|