2015-10-21 18:49:20 +02:00
|
|
|
{ config, lib, pkgs, ... }:
|
|
|
|
|
|
|
|
# 1systems should configure itself:
|
|
|
|
# krebs.bepasty.servers.internal.nginx.listen = [ "80" ]
|
|
|
|
# krebs.bepasty.servers.external.nginx.listen = [ "80" "443 ssl" ]
|
|
|
|
# 80 is redirected to 443 ssl
|
|
|
|
|
|
|
|
# secrets used:
|
|
|
|
# wildcard.krebsco.de.crt
|
|
|
|
# wildcard.krebsco.de.key
|
|
|
|
# bepasty-secret.nix <- contains single string
|
|
|
|
|
|
|
|
with lib;
|
2015-10-29 10:55:54 +01:00
|
|
|
let
|
|
|
|
sec = toString <secrets>;
|
|
|
|
# secKey is nothing worth protecting on a local machine
|
|
|
|
secKey = import <secrets/bepasty-secret.nix>;
|
|
|
|
in {
|
2015-10-21 18:49:20 +02:00
|
|
|
|
|
|
|
krebs.nginx.enable = mkDefault true;
|
|
|
|
krebs.bepasty = {
|
|
|
|
enable = true;
|
|
|
|
serveNginx= true;
|
|
|
|
|
|
|
|
servers = {
|
|
|
|
internal = {
|
|
|
|
nginx = {
|
|
|
|
server-names = [ "paste.retiolum" "paste.${config.krebs.build.host.name}" ];
|
|
|
|
};
|
|
|
|
defaultPermissions = "admin,list,create,read,delete";
|
2015-10-29 10:55:54 +01:00
|
|
|
secretKey = secKey;
|
2015-10-21 18:49:20 +02:00
|
|
|
};
|
|
|
|
|
|
|
|
external = {
|
|
|
|
nginx = {
|
|
|
|
server-names = [ "paste.krebsco.de" ];
|
|
|
|
extraConfig = ''
|
|
|
|
ssl_session_cache shared:SSL:1m;
|
|
|
|
ssl_session_timeout 10m;
|
2015-10-29 10:55:54 +01:00
|
|
|
ssl_certificate ${sec}/wildcard.krebsco.de.crt;
|
|
|
|
ssl_certificate_key ${sec}/wildcard.krebsco.de.key;
|
2015-10-21 18:49:20 +02:00
|
|
|
ssl_verify_client off;
|
|
|
|
proxy_ssl_session_reuse off;
|
|
|
|
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
|
|
|
|
ssl_ciphers RC4:HIGH:!aNULL:!MD5;
|
|
|
|
ssl_prefer_server_ciphers on;
|
|
|
|
if ($scheme = http){
|
|
|
|
return 301 https://$server_name$request_uri;
|
|
|
|
}'';
|
|
|
|
};
|
|
|
|
defaultPermissions = "read";
|
2015-10-29 10:55:54 +01:00
|
|
|
secretKey = secKey;
|
2015-10-21 18:49:20 +02:00
|
|
|
};
|
|
|
|
};
|
|
|
|
};
|
|
|
|
}
|