From 6097e792d09d7caab54f7e9af3141de1c899ca36 Mon Sep 17 00:00:00 2001
From: makefu <github@syntax-fehler.de>
Date: Sat, 24 Dec 2016 23:38:01 +0100
Subject: [PATCH] m 2 *: krebs.nginx -> services.nginx

---
 2configs/bepasty-dual.nix                    |  29 +---
 2configs/deployment/mycube.connector.one.nix |  15 +-
 2configs/elchos/search.nix                   | 141 +++----------------
 2configs/nginx/euer.blog.nix                 |  29 ++--
 2configs/nginx/euer.test.nix                 |  14 +-
 2configs/nginx/euer.wiki.nix                 |  84 ++++-------
 2configs/nginx/icecult.nix                   |  20 ++-
 2configs/nginx/public_html.nix               |  17 ++-
 2configs/nginx/update.connector.one.nix      |  30 ++--
 9 files changed, 108 insertions(+), 271 deletions(-)

diff --git a/2configs/bepasty-dual.nix b/2configs/bepasty-dual.nix
index a6be048..a4c6777 100644
--- a/2configs/bepasty-dual.nix
+++ b/2configs/bepasty-dual.nix
@@ -20,42 +20,27 @@ let
   ext-dom = "paste.krebsco.de" ;
 in {
 
-  krebs.nginx.enable = mkDefault true;
+  services.nginx.enable = mkDefault true;
   krebs.bepasty = {
     enable = true;
     serveNginx= true;
 
     servers = {
       internal = {
+        domain  = "paste.r";
         nginx = {
-          server-names = [ "paste.retiolum" "paste.r" "paste.${config.krebs.build.host.name}" ];
+          serverAliases = [ "paste.retiolum" "paste.${config.krebs.build.host.name}" ];
         };
         defaultPermissions = "admin,list,create,read,delete";
         secretKey = secKey;
       };
 
       external = {
+        domain = ext-dom;
         nginx = {
-          server-names = [ ext-dom ];
-          ssl = {
-            enable = true;
-            certificate = "${acmepath}/${ext-dom}/fullchain.pem";
-            certificate_key = "${acmepath}/${ext-dom}/key.pem";
-            # these certs will be needed if acme has not yet created certificates:
-            #certificate =   "${sec}/wildcard.krebsco.de.crt";
-            #certificate_key = "${sec}/wildcard.krebsco.de.key";
-            ciphers = "RC4:HIGH:!aNULL:!MD5" ;
-            force_encryption = true;
-          };
-          locations = singleton ( nameValuePair  "/.well-known/acme-challenge" ''
-            root ${acmechall}/${ext-dom}/;
-          '');
-          extraConfig = ''
-          ssl_session_cache    shared:SSL:1m;
-          ssl_session_timeout  10m;
-          ssl_verify_client off;
-          proxy_ssl_session_reuse off;
-          '';
+          enableSSL = true;
+          forceSSL = true;
+          enableACME = true;
         };
         defaultPermissions = "read";
         secretKey = secKey;
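Review bot: `enableSSL = true;` and `forceSSL = true;` are set together on the external vhost (L66–L67), while search.nix (L183–L184) relies on `forceSSL` alone; the same pairing appears in euer.blog.nix (L335–L337) and euer.wiki.nix (L428–L430). As far as I recall the module treats a vhost as SSL when either flag is set, so `enableSSL` is redundant here, and later NixOS releases reject the two flags in combination, so settling on one form across the nine files now avoids a future evaluation failure. I would drop the `enableSSL = true;` lines and keep `forceSSL = true; enableACME = true;` everywhere.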
diff --git a/2configs/deployment/mycube.connector.one.nix b/2configs/deployment/mycube.connector.one.nix
index 091b7f2..379176f 100644
--- a/2configs/deployment/mycube.connector.one.nix
+++ b/2configs/deployment/mycube.connector.one.nix
@@ -27,23 +27,18 @@ in {
     };
   };
 
-  krebs.nginx = {
+  services.nginx = {
     enable = mkDefault true;
-    servers = {
-      mybox-connector-one = {
-        listen = [ "${external-ip}:80" ];
-        server-names = [
-          "mycube.connector.one"
-          "mybox.connector.one"
-        ];
-        locations = singleton (nameValuePair "/" ''
+    virtualHosts."mybox.connector.one" = {
+        locations = {
+          "/".extraConfig = ''
           uwsgi_pass unix://${wsgi-sock};
           uwsgi_param         UWSGI_CHDIR     ${pkgs.mycube-flask}/${pkgs.python.sitePackages};
           uwsgi_param         UWSGI_MODULE    mycube.websrv;
           uwsgi_param         UWSGI_CALLABLE  app;
 
           include ${pkgs.nginx}/conf/uwsgi_params;
-        '');
+        '';
       };
     };
   };
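Review bot: The removed `server-names` listed both `mycube.connector.one` and `mybox.connector.one`, but the new `virtualHosts."mybox.connector.one"` carries no `serverAliases`, so requests for the `mycube` name now fall through to whatever default server block nginx picks; add `serverAliases = [ "mycube.connector.one" ];` unless dropping the name is intended. The explicit `listen = [ "${external-ip}:80" ]` binding is gone as well, which with the module defaults means the vhost answers on every address rather than only the external one; if the module version in use exposes a per-vhost `listen`, pin it back, otherwise record the wider exposure in a comment. update.connector.one.nix (L554–L591) has the same two gaps, there losing `firmware.connector.one`. The `let` that defines `external-ip` is outside this hunk, so whether it is still referenced cannot be seen here.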
diff --git a/2configs/elchos/search.nix b/2configs/elchos/search.nix
index 5adaa0c..5777be3 100644
--- a/2configs/elchos/search.nix
+++ b/2configs/elchos/search.nix
@@ -1,11 +1,12 @@
 { config, lib, pkgs, ... }:
 
-# graphite-web on port 8080
-# carbon cache on port 2003 (tcp/udp)
+# search also generates ddclient entries for all other logs
+
 with import <stockholm/lib>;
 let
   #primary-itf = "eth0";
-  primary-itf = "wlp2s0";
+  #primary-itf = "wlp2s0";
+  primary-itf = config.makefu.server.primary-itf;
   elch-sock = "${config.services.uwsgi.runDir}/uwsgi-elch.sock";
   ddclientUser = "ddclient";
   sec = toString <secrets>;
@@ -14,15 +15,7 @@ let
   cfg = "${stateDir}/cfg";
   ddclientPIDFile = "${stateDir}/ddclient.pid";
 
-  acmepath = "/var/lib/acme/";
-  acmechall = acmepath + "/challenges/";
   # TODO: correct cert generation requires a `real` internet ip address
-  stats-dom = "stats.nsupdate.info";
-  search-dom = "search.nsupdate.info";
-  search_ssl_cert = "${acmepath}/${search-dom}/fullchain.pem";
-  search_ssl_key = "${acmepath}/${search-dom}/key.pem";
-  stats_ssl_cert = "${acmepath}/${stats-dom}/fullchain.pem";
-  stats_ssl_key = "${acmepath}/${stats-dom}/key.pem";
 
   gen-cfg = dict: ''
     ssl=yes
@@ -64,75 +57,22 @@ in {
     };
   };
 
-  security.acme.certs = {
-    "${stats-dom}" = {
-      email = "acme@syntax-fehler.de";
-      webroot = "${acmechall}/${stats-dom}/";
-      group = "nginx";
-      allowKeysForGroup = true;
-      postRun = "systemctl reload nginx.service";
-      extraDomains = {
-        "${stats-dom}" = null ;
-      };
-    };
-    "${search-dom}" = {
-      email = "acme@syntax-fehler.de";
-      webroot = "${acmechall}/${search-dom}/";
-      group = "nginx";
-      allowKeysForGroup = true;
-      postRun = "systemctl reload nginx.service";
-      extraDomains = {
-        "${stats-dom}" = null ;
-      };
-    };
-  };
-
-  krebs.nginx = {
+  services.nginx = {
     enable = mkDefault true;
-    servers = {
-      elch-stats = {
-        server-names = [ stats-dom ];
-        # listen = [ "80" "443 ssl" ];
-        ssl = {
-            enable = true;
-            certificate =   stats_ssl_cert;
-            certificate_key = stats_ssl_key;
-            force_encryption = true;
-        };
+    virtualHosts = {
+      "search.nsupdate.info" = {
+        enableACME = true;
+        forceSSL = true;
+        locations = {
+          "/".extraConfig = ''
+            uwsgi_pass unix://${elch-sock};
+            uwsgi_param         UWSGI_CHDIR     ${pkgs.elchhub}/${pkgs.python3.sitePackages};
+            uwsgi_param         UWSGI_MODULE    elchhub.wsgi;
+            uwsgi_param         UWSGI_CALLABLE  app;
 
-        locations = [
-            (nameValuePair "/" ''
-              proxy_set_header   Host $host;
-              proxy_set_header   X-Real-IP          $remote_addr;
-              proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
-              proxy_pass http://localhost:3000/;
-            '')
-            (nameValuePair  "/.well-known/acme-challenge" ''
-             root ${acmechall}/${search-dom}/;
-            '')
-        ];
-      };
-      elchhub = {
-        server-names = [ "search.nsupdate.info" ];
-        # listen = [ "80" "443 ssl" ];
-        ssl = {
-            enable = true;
-            certificate =   search_ssl_cert;
-            certificate_key = search_ssl_key;
-            force_encryption = true;
+            include ${pkgs.nginx}/conf/uwsgi_params;
+          '';
         };
-        locations = [ (nameValuePair "/" ''
-          uwsgi_pass unix://${elch-sock};
-          uwsgi_param         UWSGI_CHDIR     ${pkgs.elchhub}/${pkgs.python3.sitePackages};
-          uwsgi_param         UWSGI_MODULE    elchhub.wsgi;
-          uwsgi_param         UWSGI_CALLABLE  app;
-
-          include ${pkgs.nginx}/conf/uwsgi_params;
-        '')
-        (nameValuePair  "/.well-known/acme-challenge" ''
-          root ${acmechall}/${search-dom}/;
-        '')
-        ];
       };
     };
   };
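Review bot: The removed `security.acme.certs` blocks set `email = "acme@syntax-fehler.de"`, and the replacement `enableACME = true;` (L183) carries no contact address; unless an ACME email is configured elsewhere in this host's configuration, certificate requests now go out without a contact for expiry or revocation notices. Setting `security.acme.certs."search.nsupdate.info".email` (or the module's global ACME email option, if the version in use has one) next to this vhost would preserve it. The `stats.nsupdate.info` vhost and its certificate are removed together with the grafana/graphite services further down, so the remaining certificate also no longer lists the stats domain in `extraDomains`, which looks intentional. The `# TODO: correct cert generation ...` comment kept at L131 in the previous hunk refers to the removed hand-rolled ACME setup and could be dropped or reworded.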
@@ -147,7 +87,7 @@ in {
         ExecStart = "${pkgs.elchhub}/bin/elch-manager";
       };
     };
-    register-elchos-nsupdate = {
+    ddclient-nsupdate-elchos = {
       wantedBy = [ "multi-user.target" ];
       after = [ "ip-up.target" ];
       serviceConfig = {
@@ -163,49 +103,8 @@ in {
     };
   };
 
-  services.grafana = {
-    enable = true;
-    addr = "127.0.0.1";
-    users.allowSignUp = false;
-    users.allowOrgCreate = false;
-    users.autoAssignOrg = false;
-    auth.anonymous.enable = true;
-    security = import <secrets/grafana_security.nix>; # { AdminUser = ""; adminPassword = ""}
-  };
-
-  services.graphite = {
-    api = {
-      enable = true;
-      listenAddress = "127.0.0.1";
-      port = 8080;
-    };
-    carbon = {
-      enableCache = true;
-      # save disk usage by restricting to 1 bulk update per second
-      config = ''
-        [cache]
-        MAX_CACHE_SIZE = inf
-        MAX_UPDATES_PER_SECOND = 1
-        MAX_CREATES_PER_MINUTE = 500
-        '';
-      storageSchemas = ''
-        [carbon]
-        pattern = ^carbon\.
-        retentions = 60:90d
-
-        [elchos]
-        patterhn = ^elchos\.
-        retentions = 10s:30d,60s:3y
-
-        [default]
-        pattern = .*
-        retentions = 30s:30d,300s:1y
-        '';
-    };
-  };
-
   networking.firewall = {
-    allowedTCPPorts = [ 2003 80 443 ];
-    allowedUDPPorts = [ 2003 ];
+    allowedTCPPorts = [ 80 443 ];
+    allowedUDPPorts = [ ];
   };
 }
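Review bot: `allowedUDPPorts = [ ];` (L288) is now an explicit empty list rather than being removed; the option already defaults to empty, so the line suggests a deliberate configuration where there is none. Dropping it and leaving only `allowedTCPPorts = [ 80 443 ];` reads cleaner and matches the removal of the carbon ports it used to hold.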
diff --git a/2configs/nginx/euer.blog.nix b/2configs/nginx/euer.blog.nix
index b2a965d..3fb6293 100644
--- a/2configs/nginx/euer.blog.nix
+++ b/2configs/nginx/euer.blog.nix
@@ -3,13 +3,9 @@
 with import <stockholm/lib>;
 let
   sec = toString <secrets>;
-  ssl_cert = "${sec}/wildcard.krebsco.de.crt";
-  ssl_key  = "${sec}/wildcard.krebsco.de.key";
   hostname = config.krebs.build.host.name;
   user = config.services.nginx.user;
   group = config.services.nginx.group;
-  external-ip = config.krebs.build.host.nets.internet.ip4.addr;
-  internal-ip = config.krebs.build.host.nets.retiolum.ip4.addr;
   base-dir = "/var/www/blog.euer";
 in {
   # Prepare Blog directory
@@ -32,24 +28,15 @@ in {
     };
   };
 
-  krebs.nginx = {
+  services.nginx = {
     enable = mkDefault true;
-    servers = {
-      euer-blog = {
-        listen = [ "${external-ip}:80" "${external-ip}:443 ssl"
-                   "${internal-ip}:80" "${internal-ip}:443 ssl" ];
-        server-names = [ "euer.krebsco.de" "blog.euer.krebsco.de" "blog.${hostname}" ];
-        extraConfig = ''
-          gzip on;
-          gzip_buffers 4 32k;
-          gzip_types  text/plain application/x-javascript text/css;
-          ssl_certificate ${ssl_cert};
-          ssl_certificate_key ${ssl_key};
-          default_type text/plain;
-        '';
-        locations = singleton (nameValuePair "/" ''
-          root ${base-dir};
-        '');
+    virtualHosts = {
+      "euer.krebsco.de" = {
+        #serverAliases = [ "blog.euer.krebsco.de" "blog.${hostname}" ];
+        enableSSL = true;
+        enableACME = true;
+        forceSSL = true;
+        root = base-dir;
       };
     };
   };
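Review bot: The `serverAliases` line is commented out (L334), so `blog.euer.krebsco.de` and `blog.${hostname}`, which the removed `server-names` served, are no longer answered by this vhost; presumably that is because `enableACME` requests a certificate covering every alias and `blog.${hostname}` is not publicly resolvable, but then the public name could stay as `serverAliases = [ "blog.euer.krebsco.de" ];` and the reason should be stated in the comment. The removed `extraConfig` (gzip settings and `default_type text/plain;`) is not carried over either, unlike euer.wiki.nix (L432–L434) which keeps it; if the drop is deliberate a one-line comment would help. After this change `hostname` is referenced only in the commented-out line, so the `let` binding at L301 is likely unused; the same may apply to `sec` unless something outside the hunk uses it.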
diff --git a/2configs/nginx/euer.test.nix b/2configs/nginx/euer.test.nix
index bff652d..40c3761 100644
--- a/2configs/nginx/euer.test.nix
+++ b/2configs/nginx/euer.test.nix
@@ -8,18 +8,16 @@ let
   external-ip = config.krebs.build.host.nets.internet.ip4.addr;
   internal-ip = config.krebs.build.host.nets.retiolum.ip4.addr;
 in {
-  krebs.nginx = {
+  services.nginx = {
     enable = mkDefault true;
-    servers = {
-      euer-share = {
-        listen = [ ];
-        server-names = [ "share.euer.krebsco.de" ];
-        locations = singleton (nameValuePair "/" ''
+    virtualHosts."share.euer.krebsco.de" = {
+      locations."/" =  {
+        proxyPass = "http://localhost:8000/";
+        extraConfig = ''
           proxy_set_header   Host $host;
           proxy_set_header   X-Real-IP          $remote_addr;
           proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
-          proxy_pass http://localhost:8000/;
-        '');
+        '';
       };
     };
   };
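Review bot: `external-ip` and `internal-ip` (L347–L348) appear to have lost their only consumer when the old `listen` line was removed; nothing in the new vhost refers to them, so the two `let` bindings can go unless something outside this hunk uses them. `locations."/" =  {` (L359) has a doubled space before the brace.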
diff --git a/2configs/nginx/euer.wiki.nix b/2configs/nginx/euer.wiki.nix
index 9d0b748..fefdd6d 100644
--- a/2configs/nginx/euer.wiki.nix
+++ b/2configs/nginx/euer.wiki.nix
@@ -4,13 +4,6 @@ with import <stockholm/lib>;
 let
   sec = toString <secrets>;
   ext-dom = "wiki.euer.krebsco.de";
-  acmepath = "/var/lib/acme/";
-  acmechall = acmepath + "/challenges/";
-
-  #ssl_cert = "${sec}/wildcard.krebsco.de.crt";
-  #ssl_key  = "${sec}/wildcard.krebsco.de.key";
-  ssl_cert = "${acmepath}/${ext-dom}/fullchain.pem";
-  ssl_key = "${acmepath}/${ext-dom}/key.pem";
 
   user = config.services.nginx.user;
   group = config.services.nginx.group;
@@ -25,8 +18,7 @@ let
   #  user1 = pass1
   #  userN = passN
   tw-pass-file = "${sec}/tw-pass.ini";
-  external-ip = config.krebs.build.host.nets.internet.ip4.addr;
-  internal-ip = config.krebs.build.host.nets.retiolum.ip4.addr;
+
 in {
   services.phpfpm = {
     # phpfpm does not have an enable option
@@ -79,24 +71,18 @@ in {
     };
   };
 
-  krebs.nginx = {
+  services.nginx = {
     enable = mkDefault true;
-    servers = {
-      euer-wiki = {
-        listen = [ "${external-ip}:80" "${external-ip}:443 ssl"
-                   "${internal-ip}:80" "${internal-ip}:443 ssl" ];
-        server-names = [
-          ext-dom
-          "wiki.makefu.retiolum"
-          "wiki.makefu"
-        ];
-        ssl = {
-          enable = true;
-          # these certs will be needed if acme has not yet created certificates:
-          certificate =   ssl_cert;
-          certificate_key = ssl_key;
-          force_encryption = true;
-        };
+    virtualHosts = {
+      "${ext-dom}" = {
+        #serverAliases = [
+        #  "wiki.makefu.retiolum"
+        #  "wiki.makefu"
+        #];
+        enableSSL = true;
+        forceSSL = true;
+        enableACME = true;
+        # recommendedGzipSettings = true;
         extraConfig = ''
           gzip on;
           gzip_buffers 4 32k;
@@ -104,34 +90,26 @@ in {
           default_type text/plain;
 
         '';
-        locations = [
-          (nameValuePair "/" ''
-            root ${wiki-dir};
-            expires -1;
-            autoindex on;
-          '')
-          (nameValuePair "/store.php" ''
-            root ${tw-upload};
-            client_max_body_size 200M;
-            fastcgi_split_path_info ^(.+\.php)(/.+)$;
-            fastcgi_pass unix:${fpm-socket};
-            include ${pkgs.nginx}/conf/fastcgi_params;
-            include ${pkgs.nginx}/conf/fastcgi.conf;
-          '')
-          (nameValuePair  "/.well-known/acme-challenge" ''
-            root ${acmechall}/${ext-dom}/;
-          '')
-
-        ];
+        locations = {
+          "/" = {
+            root = wiki-dir;
+            extraConfig = ''
+              expires -1;
+              autoindex on;
+            '';
+          };
+          "/store.php" = {
+            root = tw-upload;
+            extraConfig = ''
+              client_max_body_size 200M;
+              fastcgi_split_path_info ^(.+\.php)(/.+)$;
+              fastcgi_pass unix:${fpm-socket};
+              include ${pkgs.nginx}/conf/fastcgi_params;
+              include ${pkgs.nginx}/conf/fastcgi.conf;
+            '';
+          };
+        };
       };
     };
   };
-  security.acme.certs."${ext-dom}" = {
-    email = "acme@syntax-fehler.de";
-    webroot = "${acmechall}/${ext-dom}/";
-    group = "nginx";
-    allowKeysForGroup = true;
-    postRun = "systemctl reload nginx.service";
-    extraDomains."${ext-dom}" = null ;
-  };
 }
diff --git a/2configs/nginx/icecult.nix b/2configs/nginx/icecult.nix
index ce4f62e..e817e55 100644
--- a/2configs/nginx/icecult.nix
+++ b/2configs/nginx/icecult.nix
@@ -10,19 +10,17 @@ let
     sha256 = "0l8q7kw3w1kpvmy8hza9vr5liiycivbljkmwpacaifbay5y98z58";
   };
 in{
-  krebs.nginx = {
+  services.nginx = {
     enable = true;
-    servers.default = {
-        extraConfig = ''
-          root ${icecult}/app;
+    virtualHosts.default = {
+      root = "${icecult}/app";
+      locations = {
+        "/rpc".proxyPass = "http://10.42.22.163:3121";
+        "/rpc".extraConfig = ''
+          rewrite /rpc/(.*) /$1 break;
+          proxy_http_version 1.1;
         '';
-        locations = [
-          (nameValuePair "/rpc" ''
-        rewrite /rpc/(.*) /$1 break;
-        proxy_http_version 1.1;
-        proxy_pass http://10.42.22.163:3121;
-          '')
-      ];
+      };
     };
   };
 }
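Review bot: `virtualHosts.default` here carries no `default = true;`, whereas public_html.nix (L539–L540) sets it on the vhost of the same name; the attribute name becomes the `server_name`, so standalone this block is only named `default` and becomes the catch-all merely by being nginx's first server block. If the two files are meant to be imported together the attrsets merge and the flag comes from public_html.nix, but adding `default = true;` here makes the file self-contained. The `"/rpc".proxyPass` and `"/rpc".extraConfig` lines (L506–L507) could be written as one `"/rpc" = { proxyPass = "http://10.42.22.163:3121"; extraConfig = ''...''; };` attrset, matching the form used in the other files of this patch.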
diff --git a/2configs/nginx/public_html.nix b/2configs/nginx/public_html.nix
index 9545e98..676d1f1 100644
--- a/2configs/nginx/public_html.nix
+++ b/2configs/nginx/public_html.nix
@@ -3,13 +3,16 @@
 with import <stockholm/lib>;
 
 {
-  krebs.nginx = {
+  services.nginx = {
     enable = true;
-    servers.default.locations = [
-      (nameValuePair "~ ^/~(.+?)(/.*)?\$" ''
-        alias /home/$1/public_html$2;
-        autoindex on;
-      '')
-    ];
+    virtualHosts.default = {
+      default = true;
+      locations = {
+        "~ ^/~(.+?)(/.*)?\$".extraConfig = ''
+          alias /home/$1/public_html$2;
+          autoindex on;
+        '';
+      };
+    };
   };
 }
diff --git a/2configs/nginx/update.connector.one.nix b/2configs/nginx/update.connector.one.nix
index 593f231..44345dc 100644
--- a/2configs/nginx/update.connector.one.nix
+++ b/2configs/nginx/update.connector.one.nix
@@ -1,25 +1,19 @@
 { config, lib, pkgs, ... }:
 
 with import <stockholm/lib>;
-let
-  hostname = config.krebs.build.host.name;
-  external-ip = config.krebs.build.host.nets.internet.ip4.addr;
-in {
-  krebs.nginx = {
+{
+  services.nginx = {
     enable = mkDefault true;
-    servers = {
-      update-connector-one = {
-        listen = [ "${external-ip}:80" ];
-        server-names = [
-          "update.connector.one"
-          "firmware.connector.one"
-        ];
-        locations = singleton (nameValuePair "/" ''
-          autoindex on;
-          root /var/www/update.connector.one;
-          sendfile on;
-          gzip on;
-        '');
+    virtualHosts."update.connector.one" = {
+      locations = {
+        "/" = {
+          root =  "/var/www/update.connector.one";
+          extraConfig = ''
+            autoindex on;
+            sendfile on;
+            gzip on;
+          '';
+        };
       };
     };
   };