From 224f28061d10d9cc5ef94414d17d5fe89706dd90 Mon Sep 17 00:00:00 2001
From: tv
Date: Fri, 23 Dec 2016 00:26:59 +0100
Subject: [WIP] upstream-nginx
---
 default.nix | 230 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++--
 1 file changed, 226 insertions(+), 4 deletions(-)
diff --git a/default.nix b/default.nix
index b582d8e..4febfd0 100644
--- a/default.nix
+++ b/default.nix
@@ -1,11 +1,229 @@ -{ config, lib, pkgs, ... }: - +{ config, pkgs, ... }: +with import ; { imports = [ - + + # TODO TLS + + + + + + + ./base.nix + { + krebs.exim-smarthost.dkim = mkForce (singleton rec { + domain = "viljetic.de"; + private_key = { + path = "/run/krebs.secret/${domain}.dkim_private_key"; + owner.name = "exim"; + source-path = "${config.ni-key-path}/${domain}.dkim.priv"; + }; + }); + krebs.tinc.retiolum = { + privkey = { + path = "${config.krebs.tinc.retiolum.user.home}/tinc.rsa_key.priv"; + owner = config.krebs.tinc.retiolum.user; + source-path = "${config.ni-key-path}/retiolum.rsa_key.priv"; + }; + }; + } + { + services.nginx.enable = true; + + services.nginx.appendHttpConfig = '' + server { + listen 80 default_server; + server_name _; + return 404; + } + server { + listen 443 default_server; + server_name _; + return 404; + } + ''; + + + services.nginx.virtualHosts.cgit.serverAliases = [ + "cgit.krebsco.de" + "cgit.ni.krebsco.de" + "cgit.ni.viljetic.de" + "cgit.viljetic.de" + ]; + } + # [upstream-nginx] { + # [upstream-nginx] krebs.nginx.servers.cgit.server-names = [ + # [upstream-nginx] "cgit.krebsco.de" + # [upstream-nginx] "cgit.ni.krebsco.de" + # [upstream-nginx] "cgit.ni.viljetic.de" + # [upstream-nginx] "cgit.viljetic.de" + # [upstream-nginx] ]; + # [upstream-nginx] } + { + services.nginx.virtualHosts."viljetic.de" = { + enableACME = true; + forceSSL = true; + sslCertificate = "/var/lib/acme/viljetic.de/fullchain.pem"; + sslCertificateKey = "/var/lib/acme/viljetic.de/key.pem"; + root = pkgs.viljetic-pages; + }; + # [upstream-nginx] #krebs.nginx.servers.ni-retiolum = { + # [upstream-nginx] # server-names = singleton "ni.r"; + # [upstream-nginx] # locations = [ + # [upstream-nginx] # (nameValuePair "= /retiolum-hosts.tar.bz2" '' + # [upstream-nginx] # root ${config.krebs.tinc.retiolum.hostsArchive}; + # [upstream-nginx] # '') + # [upstream-nginx] # ]; + # [upstream-nginx] #}; + # [upstream-nginx] # TODO make public_html also available to ni, 
ni.retiolum (AKA default) + # [upstream-nginx] krebs.nginx.servers."https://viljetic.de" = { + # [upstream-nginx] server-names = singleton "viljetic.de"; + # [upstream-nginx] listen = mkForce []; # disable default + # [upstream-nginx] ssl = { + # [upstream-nginx] enable = true; + # [upstream-nginx] certificate = "/var/lib/acme/viljetic.de/fullchain.pem"; + # [upstream-nginx] certificate_key = "/var/lib/acme/viljetic.de/key.pem"; + # [upstream-nginx] }; + # [upstream-nginx] locations = [ + # [upstream-nginx] (nameValuePair "/" '' + # [upstream-nginx] root ${pkgs.viljetic-pages}; + # [upstream-nginx] '') + # [upstream-nginx] (nameValuePair "~ ^/~(.+?)(/.*)?\$" '' + # [upstream-nginx] alias /home/$1/public_html$2; + # [upstream-nginx] '') + # [upstream-nginx] ]; + # [upstream-nginx] }; + # [upstream-nginx] krebs.nginx.servers."http://viljetic.de" = { + # [upstream-nginx] server-names = singleton "viljetic.de"; + # [upstream-nginx] locations = [ + # [upstream-nginx] (nameValuePair "/.well-known/acme-challenge/" '' + # [upstream-nginx] root /var/lib/acme/viljetic.de/; + # [upstream-nginx] '') + # [upstream-nginx] (nameValuePair "/" '' + # [upstream-nginx] return 301 https://viljetic.de$request_uri; + # [upstream-nginx] '') + # [upstream-nginx] ]; + # [upstream-nginx] }; + security.acme = { + certs."viljetic.de" = { + email = "tomislav@viljetic.de"; + #webroot = "/var/lib/acme/viljetic.de"; + plugins = [ + "account_key.json" + "key.pem" + "fullchain.pem" + ]; + user = "nginx"; + postRun = /* sh */ '' + ${pkgs.systemd}/bin/systemctl reload nginx + ''; + }; + }; + } + { + krebs.github-hosts-sync = { + enable = true; + ssh-identity-file = + "${config.ni-key-path}/github-hosts-sync.ssh.id_ed25519"; + }; + tv.iptables.input-internet-accept-tcp = + singleton config.krebs.github-hosts-sync.port; + } + { + tv.charybdis = { + enable = true; + ssl_cert = ./certs/charybdis.crt.pem; + ssl_dh_params = { + path = "${config.tv.charybdis.user.home}/charybdis.dh.pem"; + owner = 
config.tv.charybdis.user; + source-path = "${config.ni-key-path}/charybdis.dh.pem"; + }; + ssl_private_key = { + path = "${config.tv.charybdis.user.home}/charybdis.key.pem"; + owner = config.tv.charybdis.user; + source-path = "${config.ni-key-path}/charybdis.key.pem"; + }; + }; + tv.iptables.input-retiolum-accept-tcp = [ + config.tv.charybdis.port + config.tv.charybdis.sslport + ]; + } + { + services.nginx.virtualHosts."jabber.viljetic.de" = { + enableACME = true; + forceSSL = true; + sslCertificate = "/var/lib/acme/jabber.viljetic.de/fullchain.pem"; + sslCertificateKey = "/var/lib/acme/jabber.viljetic.de/key.pem"; + }; + #[upstream-nginx] # TODO we define krebs.nginx.servers."https://jabber.viljetic.de" only + #[upstream-nginx] # because krebs.nginx.servers."https://viljetic.de" will serve + #[upstream-nginx] # jabber.viljetic.de otherwise. + #[upstream-nginx] krebs.nginx.servers."https://jabber.viljetic.de" = { + #[upstream-nginx] server-names = singleton "jabber.viljetic.de"; + #[upstream-nginx] listen = mkForce []; # disable default + #[upstream-nginx] ssl = { + #[upstream-nginx] enable = true; + #[upstream-nginx] certificate = "/var/lib/acme/jabber.viljetic.de/fullchain.pem"; + #[upstream-nginx] certificate_key = "/var/lib/acme/jabber.viljetic.de/key.pem"; + #[upstream-nginx] }; + #[upstream-nginx] }; + #[upstream-nginx] krebs.nginx.servers."http://jabber.viljetic.de" = { + #[upstream-nginx] server-names = singleton "jabber.viljetic.de"; + #[upstream-nginx] locations = [ + #[upstream-nginx] (nameValuePair "/.well-known/acme-challenge/" '' + #[upstream-nginx] root /var/lib/acme/jabber.viljetic.de/; + #[upstream-nginx] '') + #[upstream-nginx] (nameValuePair "/" '' + #[upstream-nginx] return 301 http://jabber.viljetic.de$request_uri; + #[upstream-nginx] '') + #[upstream-nginx] ]; + #[upstream-nginx] }; + # TODO do we need to restart ejabberd when certfile changes? + # TODO restart ejabberd when /etc/hosts changes? 
+ tv.ejabberd = { + enable = true; + hosts = [ "jabber.viljetic.de" ]; + certfile = { + path = "${config.tv.ejabberd.user.home}/ejabberd.pem"; + owner = config.tv.ejabberd.user; + source-path = "/var/lib/acme/jabber.viljetic.de/key+fullchain.pem"; + }; + }; + tv.iptables.input-internet-accept-tcp = [ + "xmpp-client" + "xmpp-server" + ]; + security.acme = { + certs."jabber.viljetic.de" = { + email = "tomislav@viljetic.de"; + #webroot = "/var/lib/acme/jabber.viljetic.de"; + plugins = [ + "account_key.json" + "key.pem" + "fullchain.pem" + ]; + user = "nginx"; + postRun = /* sh */ '' + ( + set -efu + # XXX add missing newline + ${pkgs.coreutils}/bin/cat \ + /var/lib/acme/jabber.viljetic.de/key.pem \ + /var/lib/acme/jabber.viljetic.de/fullchain.pem \ + > /var/lib/acme/jabber.viljetic.de/key+fullchain.pem + # TODO restarting secret will restart ejabberd (and others :/) + # TODO reload + ${pkgs.systemd}/bin/systemctl restart secret + ) + ''; + }; + }; + } ]; boot.loader.grub.devices = [ config.ni-disk ]; @@ -51,5 +269,9 @@ tv.iptables.enable = true; tv.iptables.accept-echo-request = "internet"; - tv.iptables.input-internet-accept-tcp = [ "ssh" ]; + tv.iptables.input-internet-accept-tcp = [ + "http" + "https" + "ssh" + ]; } -- cgit v1.2.3
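Review bot: The `postRun` under `security.acme.certs."jabber.viljetic.de"` writes the private key into `key+fullchain.pem` through a bare shell redirect, so the file's mode is whatever the service's umask yields rather than owner-only; make `umask 077` the first statement inside the `( set -efu ... )` subshell so the combined key material is never created group- or world-readable. That file is also what `tv.ejabberd.certfile.source-path` points at, so a loose mode on it persists across the `systemctl restart secret` that follows. Separately, the catch-all `listen 443 default_server;` in `services.nginx.appendHttpConfig` carries no `ssl` parameter and no certificate while the second hunk opens "https" in `tv.iptables.input-internet-accept-tcp`; until the `# TODO TLS` is resolved, requests for unknown names on 443 will presumably either be answered in plaintext or fail the handshake, depending on how nginx shares that socket with the `listen 443 ssl` servers generated from `virtualHosts`, so either give that block `listen 443 ssl default_server;` plus a certificate (and `return 444;`), or hold the 443 firewall opening back until then. The enclosing top-level attribute set continues past the end of the hunk.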