authortv <tv@krebsco.de>2016-12-23 00:26:59 +0100
committertv <tv@krebsco.de>2016-12-23 00:26:59 +0100
commit224f28061d10d9cc5ef94414d17d5fe89706dd90 (patch)
tree91fe98e1ca9217a4c7bc6f23f13032753a1e0736
parentc69d8b169f6a4bfc35a7d6906ebc062e76197528 (diff)
[WIP] upstream-nginxni/upstream-nginx
-rw-r--r--default.nix230
1 files changed, 226 insertions, 4 deletions
diff --git a/default.nix b/default.nix
index b582d8e..4febfd0 100644
--- a/default.nix
+++ b/default.nix
@@ -1,11 +1,229 @@
-{ config, lib, pkgs, ... }:
-
+{ config, pkgs, ... }:
+with import <stockholm/lib>;
{
imports = [
- <stockholm/krebs/5pkgs>
+ <stockholm/krebs>
+ # TODO TLS
+ <stockholm/tv/2configs/exim-smarthost.nix>
+ <stockholm/tv/2configs/backup.nix>
+ <stockholm/tv/2configs/git.nix>
+ <stockholm/tv/2configs/retiolum.nix>
+ <stockholm/tv/2configs/urlwatch.nix>
<stockholm/tv/3modules/iptables.nix>
+ <stockholm/tv/3modules/ejabberd>
+ <stockholm/tv/3modules/charybdis>
<stockholm/tv/5pkgs>
./base.nix
+ {
+ krebs.exim-smarthost.dkim = mkForce (singleton rec {
+ domain = "viljetic.de";
+ private_key = {
+ path = "/run/krebs.secret/${domain}.dkim_private_key";
+ owner.name = "exim";
+ source-path = "${config.ni-key-path}/${domain}.dkim.priv";
+ };
+ });
+ krebs.tinc.retiolum = {
+ privkey = {
+ path = "${config.krebs.tinc.retiolum.user.home}/tinc.rsa_key.priv";
+ owner = config.krebs.tinc.retiolum.user;
+ source-path = "${config.ni-key-path}/retiolum.rsa_key.priv";
+ };
+ };
+ }
+ {
+ services.nginx.enable = true;
+
+ services.nginx.appendHttpConfig = ''
+ server {
+ listen 80 default_server;
+ server_name _;
+ return 404;
+ }
+ server {
+ listen 443 default_server;
+ server_name _;
+ return 404;
+ }
+ '';
+
+
+ services.nginx.virtualHosts.cgit.serverAliases = [
+ "cgit.krebsco.de"
+ "cgit.ni.krebsco.de"
+ "cgit.ni.viljetic.de"
+ "cgit.viljetic.de"
+ ];
+ }
+ # [upstream-nginx] {
+ # [upstream-nginx] krebs.nginx.servers.cgit.server-names = [
+ # [upstream-nginx] "cgit.krebsco.de"
+ # [upstream-nginx] "cgit.ni.krebsco.de"
+ # [upstream-nginx] "cgit.ni.viljetic.de"
+ # [upstream-nginx] "cgit.viljetic.de"
+ # [upstream-nginx] ];
+ # [upstream-nginx] }
+ {
+ services.nginx.virtualHosts."viljetic.de" = {
+ enableACME = true;
+ forceSSL = true;
+ sslCertificate = "/var/lib/acme/viljetic.de/fullchain.pem";
+ sslCertificateKey = "/var/lib/acme/viljetic.de/key.pem";
+ root = pkgs.viljetic-pages;
+ };
+ # [upstream-nginx] #krebs.nginx.servers.ni-retiolum = {
+ # [upstream-nginx] # server-names = singleton "ni.r";
+ # [upstream-nginx] # locations = [
+ # [upstream-nginx] # (nameValuePair "= /retiolum-hosts.tar.bz2" ''
+ # [upstream-nginx] # root ${config.krebs.tinc.retiolum.hostsArchive};
+ # [upstream-nginx] # '')
+ # [upstream-nginx] # ];
+ # [upstream-nginx] #};
+ # [upstream-nginx] # TODO make public_html also available to ni, ni.retiolum (AKA default)
+ # [upstream-nginx] krebs.nginx.servers."https://viljetic.de" = {
+ # [upstream-nginx] server-names = singleton "viljetic.de";
+ # [upstream-nginx] listen = mkForce []; # disable default
+ # [upstream-nginx] ssl = {
+ # [upstream-nginx] enable = true;
+ # [upstream-nginx] certificate = "/var/lib/acme/viljetic.de/fullchain.pem";
+ # [upstream-nginx] certificate_key = "/var/lib/acme/viljetic.de/key.pem";
+ # [upstream-nginx] };
+ # [upstream-nginx] locations = [
+ # [upstream-nginx] (nameValuePair "/" ''
+ # [upstream-nginx] root ${pkgs.viljetic-pages};
+ # [upstream-nginx] '')
+ # [upstream-nginx] (nameValuePair "~ ^/~(.+?)(/.*)?\$" ''
+ # [upstream-nginx] alias /home/$1/public_html$2;
+ # [upstream-nginx] '')
+ # [upstream-nginx] ];
+ # [upstream-nginx] };
+ # [upstream-nginx] krebs.nginx.servers."http://viljetic.de" = {
+ # [upstream-nginx] server-names = singleton "viljetic.de";
+ # [upstream-nginx] locations = [
+ # [upstream-nginx] (nameValuePair "/.well-known/acme-challenge/" ''
+ # [upstream-nginx] root /var/lib/acme/viljetic.de/;
+ # [upstream-nginx] '')
+ # [upstream-nginx] (nameValuePair "/" ''
+ # [upstream-nginx] return 301 https://viljetic.de$request_uri;
+ # [upstream-nginx] '')
+ # [upstream-nginx] ];
+ # [upstream-nginx] };
+ security.acme = {
+ certs."viljetic.de" = {
+ email = "tomislav@viljetic.de";
+ #webroot = "/var/lib/acme/viljetic.de";
+ plugins = [
+ "account_key.json"
+ "key.pem"
+ "fullchain.pem"
+ ];
+ user = "nginx";
+ postRun = /* sh */ ''
+ ${pkgs.systemd}/bin/systemctl reload nginx
+ '';
+ };
+ };
+ }
+ {
+ krebs.github-hosts-sync = {
+ enable = true;
+ ssh-identity-file =
+ "${config.ni-key-path}/github-hosts-sync.ssh.id_ed25519";
+ };
+ tv.iptables.input-internet-accept-tcp =
+ singleton config.krebs.github-hosts-sync.port;
+ }
+ {
+ tv.charybdis = {
+ enable = true;
+ ssl_cert = ./certs/charybdis.crt.pem;
+ ssl_dh_params = {
+ path = "${config.tv.charybdis.user.home}/charybdis.dh.pem";
+ owner = config.tv.charybdis.user;
+ source-path = "${config.ni-key-path}/charybdis.dh.pem";
+ };
+ ssl_private_key = {
+ path = "${config.tv.charybdis.user.home}/charybdis.key.pem";
+ owner = config.tv.charybdis.user;
+ source-path = "${config.ni-key-path}/charybdis.key.pem";
+ };
+ };
+ tv.iptables.input-retiolum-accept-tcp = [
+ config.tv.charybdis.port
+ config.tv.charybdis.sslport
+ ];
+ }
+ {
+ services.nginx.virtualHosts."jabber.viljetic.de" = {
+ enableACME = true;
+ forceSSL = true;
+ sslCertificate = "/var/lib/acme/jabber.viljetic.de/fullchain.pem";
+ sslCertificateKey = "/var/lib/acme/jabber.viljetic.de/key.pem";
+ };
+ #[upstream-nginx] # TODO we define krebs.nginx.servers."https://jabber.viljetic.de" only
+ #[upstream-nginx] # because krebs.nginx.servers."https://viljetic.de" will serve
+ #[upstream-nginx] # jabber.viljetic.de otherwise.
+ #[upstream-nginx] krebs.nginx.servers."https://jabber.viljetic.de" = {
+ #[upstream-nginx] server-names = singleton "jabber.viljetic.de";
+ #[upstream-nginx] listen = mkForce []; # disable default
+ #[upstream-nginx] ssl = {
+ #[upstream-nginx] enable = true;
+ #[upstream-nginx] certificate = "/var/lib/acme/jabber.viljetic.de/fullchain.pem";
+ #[upstream-nginx] certificate_key = "/var/lib/acme/jabber.viljetic.de/key.pem";
+ #[upstream-nginx] };
+ #[upstream-nginx] };
+ #[upstream-nginx] krebs.nginx.servers."http://jabber.viljetic.de" = {
+ #[upstream-nginx] server-names = singleton "jabber.viljetic.de";
+ #[upstream-nginx] locations = [
+ #[upstream-nginx] (nameValuePair "/.well-known/acme-challenge/" ''
+ #[upstream-nginx] root /var/lib/acme/jabber.viljetic.de/;
+ #[upstream-nginx] '')
+ #[upstream-nginx] (nameValuePair "/" ''
+ #[upstream-nginx] return 301 http://jabber.viljetic.de$request_uri;
+ #[upstream-nginx] '')
+ #[upstream-nginx] ];
+ #[upstream-nginx] };
+ # TODO do we need to restart ejabberd when certfile changes?
+ # TODO restart ejabberd when /etc/hosts changes?
+ tv.ejabberd = {
+ enable = true;
+ hosts = [ "jabber.viljetic.de" ];
+ certfile = {
+ path = "${config.tv.ejabberd.user.home}/ejabberd.pem";
+ owner = config.tv.ejabberd.user;
+ source-path = "/var/lib/acme/jabber.viljetic.de/key+fullchain.pem";
+ };
+ };
+ tv.iptables.input-internet-accept-tcp = [
+ "xmpp-client"
+ "xmpp-server"
+ ];
+ security.acme = {
+ certs."jabber.viljetic.de" = {
+ email = "tomislav@viljetic.de";
+ #webroot = "/var/lib/acme/jabber.viljetic.de";
+ plugins = [
+ "account_key.json"
+ "key.pem"
+ "fullchain.pem"
+ ];
+ user = "nginx";
+ postRun = /* sh */ ''
+ (
+ set -efu
+ # XXX add missing newline
+ ${pkgs.coreutils}/bin/cat \
+ /var/lib/acme/jabber.viljetic.de/key.pem \
+ /var/lib/acme/jabber.viljetic.de/fullchain.pem \
+ > /var/lib/acme/jabber.viljetic.de/key+fullchain.pem
+ # TODO restarting secret will restart ejabberd (and others :/)
+ # TODO reload
+ ${pkgs.systemd}/bin/systemctl restart secret
+ )
+ '';
+ };
+ };
+ }
];
boot.loader.grub.devices = [ config.ni-disk ];
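Review bot: The postRun hook for the jabber.viljetic.de certificate writes the private key into a new file via shell redirection (`cat key.pem fullchain.pem > key+fullchain.pem`), so the mode of key+fullchain.pem is whatever the ambient umask of the postRun process yields; unless the acme service runs with a restrictive umask, that file (and the private key in it) is likely created world-readable alongside the cert files that the `user = "nginx"` setting already makes nginx-owned. I would add `umask 077` right after `set -efu` in that subshell, or replace the redirection with an explicit `install -m 0600`-style write, so the combined key material is never readable by other local users before the `secret` service copies it to the ejabberd home. The `# XXX add missing newline` marker is also still a real defect: if key.pem does not end in a newline the two PEM blocks fuse and the combined file will not parse, so inserting an explicit `printf '\n'` between the two cat inputs would close that gap. The virtualHosts."viljetic.de" and "jabber.viljetic.de" blocks set sslCertificate/sslCertificateKey explicitly although enableACME presumably derives the same /var/lib/acme paths; pinning them twice is harmless but worth a one-line comment explaining why if it is intentional.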
@@ -51,5 +269,9 @@
tv.iptables.enable = true;
tv.iptables.accept-echo-request = "internet";
- tv.iptables.input-internet-accept-tcp = [ "ssh" ];
+ tv.iptables.input-internet-accept-tcp = [
+ "http"
+ "https"
+ "ssh"
+ ];
}