makefu/stockholm
1
0
Fork 0
Code Issues Pull requests Actions1 Packages Projects Releases Wiki Activity

l: krebs.nginx -> services.nginx

Browse source
This commit is contained in:
lassulus 2016-12-26 14:18:08 +01:00
parent 0f34276090
commit b9e3b93105
10 changed files with 161 additions and 237 deletions

14
lass/1systems/mors.nix
View file

@ -66,20 +66,18 @@ with import <stockholm/lib>;
};
}
{
krebs.nginx = {
services.nginx = {
enable = true;
servers.default = {
server-names = [
virtualHosts.default = {
serverAliases = [
"localhost"
"${config.krebs.build.host.name}"
"${config.krebs.build.host.name}.r"
"${config.krebs.build.host.name}.retiolum"
];
locations = [
(nameValuePair "~ ^/~(.+?)(/.*)?\$" ''
alias /home/$1/public_html$2;
'')
];
locations."~ ^/~(.+?)(/.*)?\$".extraConfig = ''
alias /home/$1/public_html$2;
'';
};
};
}

23
lass/1systems/prism.nix
View file

@ -179,11 +179,9 @@ in {
imports = [
../2configs/realwallpaper.nix
];
krebs.nginx.servers."lassul.us".locations = [
(lib.nameValuePair "/wallpaper.png" ''
alias /tmp/wallpaper.png;
'')
];
services.nginx.virtualHosts."lassul.us".locations."/wallpaper.png".extraConfig = ''
alias /tmp/wallpaper.png;
'';
}
{
environment.systemPackages = with pkgs; [
@ -203,16 +201,13 @@ in {
};
}
{
krebs.nginx = {
services.nginx = {
enable = true;
servers.public = {
listen = [ "8088" ];
server-names = [ "default" ];
locations = [
(nameValuePair "~ ^/~(.+?)(/.*)?\$" ''
alias /home/$1/public_html$2;
'')
];
virtualHosts.public = {
port = 8088;
locations."~ ^/~(.+?)(/.*)?\$".extraConfig = ''
alias /home/$1/public_html$2;
'';
};
};
krebs.iptables.tables.filter.INPUT.rules = [

10
lass/2configs/binary-cache/server.nix
View file

@ -17,13 +17,13 @@
owner.name = "nix-serve";
source-path = toString <secrets> + "/nix-serve.key";
};
krebs.nginx = {
services.nginx = {
enable = true;
servers.nix-serve = {
server-names = [ "cache.prism.r" ];
locations = lib.singleton (lib.nameValuePair "/" ''
virtualHosts.nix-serve = {
serverAliases = [ "cache.prism.r" ];
locations."/".extraConfig = ''
proxy_pass http://localhost:${toString config.services.nix-serve.port};
'');
'';
};
};
}

16
lass/2configs/go.nix
View file

@ -8,16 +8,14 @@ with import <stockholm/lib>;
krebs.go = {
enable = true;
};
krebs.nginx = {
services.nginx = {
enable = true;
servers.go = {
locations = [
(nameValuePair "/" ''
proxy_set_header Host go;
proxy_pass http://localhost:1337;
'')
];
server-names = [
virtualHosts.go = {
locations."/".extraConfig = ''
proxy_set_header Host go;
proxy_pass http://localhost:1337;
'';
serverAliases = [
"go"
"go.retiolum"
];

12
lass/2configs/radio.nix
View file

@ -156,7 +156,7 @@ in {
})
];
};
krebs.nginx.servers."lassul.us".locations = let
services.nginx.virtualHosts."lassul.us".locations."/the_playlist".extraConfig = let
html = pkgs.writeText "index.html" ''
<!DOCTYPE html>
<html lang="en">
@ -175,10 +175,8 @@ in {
</body>
</html>
'';
in [
(nameValuePair "/the_playlist" ''
default_type "text/html";
alias ${html};
'')
];
in ''
default_type "text/html";
alias ${html};
'';
}

12
lass/2configs/realwallpaper.nix
View file

@ -9,15 +9,13 @@ let
in {
krebs.realwallpaper.enable = true;
krebs.nginx.servers.wallpaper = {
server-names = [
services.nginx.virtualHosts.wallpaper = {
serverAliases = [
hostname
];
locations = [
(nameValuePair "/wallpaper.png" ''
root /tmp/;
'')
];
locations."/wallpaper.png".extraConfig = ''
root /tmp/;
'';
};
krebs.iptables = {

12
lass/2configs/websites/domsen.nix
View file

@ -35,10 +35,10 @@ in {
(servePage [ "makeup.apanowicz.de" "www.makeup.apanowicz.de" ])
(ssl [ "pixelpocket.de" ])
(servePage [ "pixelpocket.de" "www.pixelpocket.de" ])
(servePage [ "pixelpocket.de" ])
(ssl [ "o.ubikmedia.de" ])
(serveOwncloud [ "o.ubikmedia.de" "www.o.ubikmedia.de" ])
(serveOwncloud [ "o.ubikmedia.de" ])
(ssl [
"ubikmedia.de"
@ -92,11 +92,9 @@ in {
])
];
krebs.nginx.servers."ubikmedia.de".locations = [
(lib.nameValuePair "/piwik" ''
try_files $uri $uri/ /index.php?$args;
'')
];
services.nginx.virtualHosts."ubikmedia.de".locations."/piwika".extraConfig = ''
try_files $uri $uri/ /index.php?$args;
'';
lass.mysqlBackup.config.all.databases = [
"ubikmedia_de"

12
lass/2configs/websites/fritz.nix
View file

@ -62,18 +62,6 @@ in {
"ttf_kleinaspach_de"
];
#password protect some dirs
krebs.nginx.servers."biostase.de".locations = [
(nameValuePair "/old_biostase.de" ''
auth_basic "Administrator Login";
auth_basic_user_file /srv/http/biostase.de/old_biostase.de/.htpasswd;
'')
(nameValuePair "/mysqldumper" ''
auth_basic "Administrator Login";
auth_basic_user_file /srv/http/biostase.de/mysqldumper/.htpasswd;
'')
];
users.users.root.openssh.authorizedKeys.keys = [
config.krebs.users.fritz.pubkey
];

92
lass/2configs/websites/lassulus.nix
View file

@ -69,59 +69,53 @@ in {
"nginx"
];
krebs.nginx.servers."lassul.us" = {
server-names = [ "lassul.us" ];
locations = [
(nameValuePair "/" ''
root /srv/http/lassul.us;
'')
(nameValuePair "/.well-known/acme-challenge" ''
root /var/lib/acme/challenges/lassul.us/;
'')
(nameValuePair "= /retiolum-hosts.tar.bz2" ''
alias ${config.krebs.tinc.retiolum.hostsArchive};
'')
(nameValuePair "/tinc" ''
alias ${config.krebs.tinc_graphs.workingDir}/external;
'')
(let
script = pkgs.writeBash "test" ''
echo "hello world"
'';
#script = pkgs.execve "ddate-wrapper" {
# filename = "${pkgs.ddate}/bin/ddate";
# argv = [];
#};
in nameValuePair "= /ddate" ''
gzip off;
fastcgi_pass unix:/var/run/lass-stuff.socket;
include ${pkgs.nginx}/conf/fastcgi_params;
fastcgi_param DOCUMENT_ROOT /var/empty;
fastcgi_param SCRIPT_FILENAME ${script};
fastcgi_param SCRIPT_NAME ${script};
'')
];
ssl = {
enable = true;
certificate = "/var/lib/acme/lassul.us/fullchain.pem";
certificate_key = "/var/lib/acme/lassul.us/key.pem";
};
services.nginx.virtualHosts."lassul.us" = {
serverAliases = [ "lassul.us" ];
locations."/".extraConfig = ''
root /srv/http/lassul.us;
'';
locations."/.well-known/acme-challenge".extraConfig = ''
root /var/lib/acme/challenges/lassul.us/;
'';
locations."= /retiolum-hosts.tar.bz2".extraConfig = ''
alias ${config.krebs.tinc.retiolum.hostsArchive};
'';
locations."/tinc".extraConfig = ''
alias ${config.krebs.tinc_graphs.workingDir}/external;
'';
locations."= /ddate".extraConfig = let
script = pkgs.writeBash "test" ''
echo "hello world"
'';
#script = pkgs.execve "ddate-wrapper" {
# filename = "${pkgs.ddate}/bin/ddate";
# argv = [];
#};
in ''
gzip off;
fastcgi_pass unix:/var/run/lass-stuff.socket;
include ${pkgs.nginx}/conf/fastcgi_params;
fastcgi_param DOCUMENT_ROOT /var/empty;
fastcgi_param SCRIPT_FILENAME ${script};
fastcgi_param SCRIPT_NAME ${script};
'';
enableSSL = true;
extraConfig = "listen 80;";
sslCertificate = "/var/lib/acme/lassul.us/fullchain.pem";
sslCertificateKey = "/var/lib/acme/lassul.us/key.pem";
};
krebs.nginx.servers.cgit = {
server-names = [
services.nginx.virtualHosts.cgit = {
serverAliases = [
"cgit.lassul.us"
];
locations = [
(nameValuePair "/.well-known/acme-challenge" ''
root /var/lib/acme/challenges/cgit.lassul.us/;
'')
];
ssl = {
enable = true;
certificate = "/var/lib/acme/cgit.lassul.us/fullchain.pem";
certificate_key = "/var/lib/acme/cgit.lassul.us/key.pem";
};
locations."/.well-known/acme-challenge".extraConfig = ''
root /var/lib/acme/acme-challenges;
'';
enableSSL = true;
sslCertificate = "/var/lib/acme/cgit.lassul.us/fullchain.pem";
sslCertificateKey = "/var/lib/acme/cgit.lassul.us/key.pem";
};
users.users.blog = {

195
lass/2configs/websites/util.nix
View file

@ -4,66 +4,24 @@ with lib;
rec {
manageCerts = domains:
ssl = domains :
let
domain = head domains;
in {
#security.acme = {
# certs."${domain}" = {
# email = "lassulus@gmail.com";
# webroot = "/var/lib/acme/challenges/${domain}";
# plugins = [
# "account_key.json"
# "key.pem"
# "fullchain.pem"
# ];
# group = "nginx";
# allowKeysForGroup = true;
# extraDomains = genAttrs domains (_: null);
# };
#};
krebs.nginx.servers."${domain}" = {
ssl.acmeEnable = true;
server-names = domains;
#locations = [
# (nameValuePair "/.well-known/acme-challenge" ''
# root /var/lib/acme/challenges/${domain}/;
# '')
#];
};
};
ssl = domains:
{
imports = [
( manageCerts domains )
#( activateACME (head domains) )
];
};
activateACME = domain:
{
krebs.nginx.servers.${domain} = {
ssl = {
enable = true;
certificate = "/var/lib/acme/${domain}/fullchain.pem";
certificate_key = "/var/lib/acme/${domain}/key.pem";
};
};
};
servePage = domains:
let
domain = head domains;
in {
krebs.nginx.servers.${domain} = {
server-names = domains;
locations = [
(nameValuePair "/" ''
root /srv/http/${domain};
'')
];
services.nginx.virtualHosts.${domain} = {
enableACME = true;
enableSSL = true;
extraConfig = "listen 80;";
serverAliases = domains;
locations."/".extraConfig = ''
root /srv/http/${domain};
'';
};
};
@ -71,9 +29,13 @@ rec {
let
domain = head domains;
in {
krebs.nginx.servers."${domain}" = {
server-names = domains;
services.nginx.virtualHosts."${domain}" = {
enableACME = true;
enableSSL = true;
serverAliases = domains;
extraConfig = ''
listen 80;
# Add headers to serve security related headers
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
add_header X-Content-Type-Options nosniff;
@ -109,56 +71,53 @@ rec {
rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;
'';
locations = [
(nameValuePair "/robots.txt" ''
allow all;
log_not_found off;
access_log off;
'')
(nameValuePair "~ ^/(build|tests|config|lib|3rdparty|templates|data)/" ''
deny all;
'')
locations."/robots.txt".extraConfig = ''
allow all;
log_not_found off;
access_log off;
'';
locations."~ ^/(build|tests|config|lib|3rdparty|templates|data)/".extraConfig = ''
deny all;
'';
(nameValuePair "~ ^/(?:autotest|occ|issue|indie|db_|console)" ''
deny all;
'')
locations."~ ^/(?:autotest|occ|issue|indie|db_|console)".extraConfig = ''
deny all;
'';
(nameValuePair "/" ''
rewrite ^/remote/(.*) /remote.php last;
rewrite ^(/core/doc/[^\/]+/)$ $1/index.html;
try_files $uri $uri/ =404;
'')
locations."/".extraConfig = ''
rewrite ^/remote/(.*) /remote.php last;
rewrite ^(/core/doc/[^\/]+/)$ $1/index.html;
try_files $uri $uri/ =404;
'';
(nameValuePair "~ \.php(?:$|/)" ''
fastcgi_split_path_info ^(.+\.php)(/.+)$;
include ${pkgs.nginx}/conf/fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_param HTTPS on;
fastcgi_param modHeadersAvailable true; #Avoid sending the security headers twice
fastcgi_pass unix:/srv/http/${domain}/phpfpm.pool;
fastcgi_intercept_errors on;
'')
locations."~ \.php(?:$|/)".extraConfig = ''
fastcgi_split_path_info ^(.+\.php)(/.+)$;
include ${pkgs.nginx}/conf/fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_param HTTPS on;
fastcgi_param modHeadersAvailable true; #Avoid sending the security headers twice
fastcgi_pass unix:/srv/http/${domain}/phpfpm.pool;
fastcgi_intercept_errors on;
'';
# Adding the cache control header for js and css files
# Make sure it is BELOW the location ~ \.php(?:$|/) { block
(nameValuePair "~* \.(?:css|js)$" ''
add_header Cache-Control "public, max-age=7200";
# Add headers to serve security related headers
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
add_header X-Content-Type-Options nosniff;
add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none;
# Optional: Don't log access to assets
access_log off;
'')
# Optional: Don't log access to other assets
(nameValuePair "~* \.(?:jpg|jpeg|gif|bmp|ico|png|swf)$" ''
access_log off;
'')
];
# Adding the cache control header for js and css files
# Make sure it is BELOW the location ~ \.php(?:$|/) { block
locations."~* \.(?:css|js)$".extraConfig = ''
add_header Cache-Control "public, max-age=7200";
# Add headers to serve security related headers
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
add_header X-Content-Type-Options nosniff;
add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none;
# Optional: Don't log access to assets
access_log off;
'';
# Optional: Don't log access to other assets
locations."~* \.(?:jpg|jpeg|gif|bmp|ico|png|swf)$".extraConfig = ''
access_log off;
'';
};
services.phpfpm.poolConfigs."${domain}" = ''
listen = /srv/http/${domain}/phpfpm.pool
@ -183,9 +142,12 @@ rec {
domain = head domains;
in {
krebs.nginx.servers."${domain}" = {
server-names = domains;
services.nginx.virtualHosts."${domain}" = {
enableACME = true;
enableSSL = true;
serverAliases = domains;
extraConfig = ''
listen 80;
root /srv/http/${domain}/;
index index.php;
access_log /tmp/nginx_acc.log;
@ -194,24 +156,19 @@ rec {
error_page 500 502 503 504 /50x.html;
client_max_body_size 100m;
'';
locations = [
(nameValuePair "/" ''
try_files $uri $uri/ /index.php?$args;
'')
(nameValuePair "~ \.php$" ''
fastcgi_pass unix:/srv/http/${domain}/phpfpm.pool;
include ${pkgs.nginx}/conf/fastcgi.conf;
'')
#(nameValuePair "~ /\\." ''
# deny all;
#'')
#Directives to send expires headers and turn off 404 error logging.
(nameValuePair "~* ^.+\.(xml|ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|css|rss|atom|js|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$" ''
access_log off;
log_not_found off;
expires max;
'')
];
locations."/".extraConfig = ''
try_files $uri $uri/ /index.php?$args;
'';
locations."~ \.php$".extraConfig = ''
fastcgi_pass unix:/srv/http/${domain}/phpfpm.pool;
include ${pkgs.nginx}/conf/fastcgi.conf;
'';
#Directives to send expires headers and turn off 404 error logging.
locations."~* ^.+\.(xml|ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|css|rss|atom|js|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$".extraConfig = ''
access_log off;
log_not_found off;
expires max;
'';
};
services.phpfpm.poolConfigs."${domain}" = ''
listen = /srv/http/${domain}/phpfpm.pool