diff options
author | makefu <github@syntax-fehler.de> | 2016-11-27 15:24:22 +0100 |
---|---|---|
committer | makefu <github@syntax-fehler.de> | 2016-11-27 15:24:22 +0100 |
commit | b94fc3265b92f70ecb4507484e378e8f8084477c (patch) | |
tree | e9acdb99cafdd1362bb98a8f00139dde6edef6a4 /krebs/3modules/nginx.nix | |
parent | bcc2b327c4dbd34162db8cf81fbbc7688feafd9a (diff) | |
parent | da3022389d1da7ac9c2ca42eb2d16582b96e0074 (diff) |
Merge remote-tracking branch 'lass/master'
Diffstat (limited to 'krebs/3modules/nginx.nix')
-rw-r--r-- | krebs/3modules/nginx.nix | 45 |
1 files changed, 43 insertions, 2 deletions
diff --git a/krebs/3modules/nginx.nix b/krebs/3modules/nginx.nix index 1577c5b64..933c2e513 100644 --- a/krebs/3modules/nginx.nix +++ b/krebs/3modules/nginx.nix @@ -53,9 +53,22 @@ let default = ""; }; ssl = mkOption { - type = with types; submodule ({ + type = with types; submodule ({ config, ... }: { options = { enable = mkEnableOption "ssl"; + acmeEnable = mkOption { + type = bool; + apply = x: + if x && config.enable + #conflicts because of certificate/certificate_key location + then throw "can't use ssl.enable and ssl.acmeEnable together" + else x; + default = false; + description = '' + enables automatical generation of lets-encrypt certificates and setting them as certificate + conflicts with ssl.enable + ''; + }; certificate = mkOption { type = str; }; @@ -95,6 +108,7 @@ let }; imp = { + security.acme.certs = mapAttrs (_: to-acme) (filterAttrs (_: server: server.ssl.acmeEnable) cfg.servers); services.nginx = { enable = true; httpConfig = '' @@ -117,13 +131,24 @@ let indent = replaceChars ["\n"] ["\n "]; + to-acme = { server-names, ssl, ... }: + optionalAttrs ssl.acmeEnable { + email = "lassulus@gmail.com"; + webroot = "${config.security.acme.directory}/${head server-names}"; + }; + to-location = { name, value }: '' location ${name} { ${indent value} } ''; - to-server = { server-names, listen, locations, extraConfig, ssl, ... }: '' + to-server = { server-names, listen, locations, extraConfig, ssl, ... }: let + domain = head server-names; + acmeLocation = optionalAttrs ssl.acmeEnable (nameValuePair "/.well-known/acme-challenge" '' + root ${config.security.acme.certs.${domain}.webroot}; + ''); + in '' server { server_name ${toString (unique server-names)}; ${concatMapStringsSep "\n" (x: indent "listen ${x};") listen} @@ -142,7 +167,23 @@ let ssl_ciphers ${ssl.ciphers}; ssl_protocols ${toString ssl.protocols}; '')} + ${optionalString ssl.acmeEnable (indent '' + ${optionalString ssl.force_encryption '' + if ($scheme = http){ + return 301 https://$server_name$request_uri; + } + ''} + listen 443 ssl; + ssl_certificate ${config.security.acme.directory}/${domain}/fullchain.pem; + ssl_certificate_key ${config.security.acme.directory}/${domain}/key.pem; + ${optionalString ssl.prefer_server_ciphers '' + ssl_prefer_server_ciphers On; + ''} + ssl_ciphers ${ssl.ciphers}; + ssl_protocols ${toString ssl.protocols}; + '')} ${indent extraConfig} + ${optionalString ssl.acmeEnable (indent (to-location acmeLocation))} ${indent (concatMapStrings to-location locations)} } ''; |