nixos-config/2configs/bepasty-dual.nix

59 lines
1.5 KiB
Nix
Raw Normal View History

{ config, lib, pkgs, ... }:
# 1systems should configure itself:
# krebs.bepasty.servers.internal.nginx.listen = [ "80" ]
# krebs.bepasty.servers.external.nginx.listen = [ "80" "443 ssl" ]
# 80 is redirected to 443 ssl
# secrets used:
# wildcard.krebsco.de.crt
# wildcard.krebsco.de.key
# bepasty-secret.nix <- contains single string
2016-10-20 20:54:38 +02:00
with import <stockholm/lib>;
2015-10-29 10:55:54 +01:00
let
sec = toString <secrets>;
# secKey is nothing worth protecting on a local machine
secKey = import <secrets/bepasty-secret.nix>;
acmepath = "/var/lib/acme/";
acmechall = acmepath + "/challenges/";
ext-dom = "paste.krebsco.de" ;
2015-10-29 10:55:54 +01:00
in {
2016-12-24 23:38:01 +01:00
services.nginx.enable = mkDefault true;
krebs.bepasty = {
enable = true;
serveNginx= true;
servers = {
internal = {
2016-12-24 23:38:01 +01:00
domain = "paste.r";
nginx = {
2016-12-24 23:38:01 +01:00
serverAliases = [ "paste.retiolum" "paste.${config.krebs.build.host.name}" ];
};
defaultPermissions = "admin,list,create,read,delete";
2015-10-29 10:55:54 +01:00
secretKey = secKey;
};
external = {
2016-12-24 23:38:01 +01:00
domain = ext-dom;
nginx = {
2016-12-24 23:38:01 +01:00
enableSSL = true;
forceSSL = true;
enableACME = true;
};
defaultPermissions = "read";
2015-10-29 10:55:54 +01:00
secretKey = secKey;
};
};
};
security.acme.certs."${ext-dom}" = {
email = "acme@syntax-fehler.de";
webroot = "${acmechall}/${ext-dom}/";
group = "nginx";
allowKeysForGroup = true;
postRun = "systemctl reload nginx.service";
extraDomains."${ext-dom}" = null ;
};
}