summaryrefslogtreecommitdiffstats
path: root/lass/2configs/websites
diff options
context:
space:
mode:
authormakefu <github@syntax-fehler.de>2016-12-28 03:40:28 +0100
committermakefu <github@syntax-fehler.de>2016-12-28 03:40:28 +0100
commitc422632d0370f15d4f0b0a5ce35e79a90e49740c (patch)
treeba271e34c75085970889d62dfc76e12b4c5a1374 /lass/2configs/websites
parent096d83fe893f5134be957bf6dfe3da99e038e8a5 (diff)
parent0d61093e18929e48ebfd984c1e0f2b6b1f0c6c58 (diff)
Merge remote-tracking branch 'lass/master'
Diffstat (limited to 'lass/2configs/websites')
-rw-r--r--lass/2configs/websites/domsen.nix13
-rw-r--r--lass/2configs/websites/fritz.nix18
-rw-r--r--lass/2configs/websites/lassulus.nix97
-rw-r--r--lass/2configs/websites/util.nix203
4 files changed, 132 insertions, 199 deletions
diff --git a/lass/2configs/websites/domsen.nix b/lass/2configs/websites/domsen.nix
index 76e13412b..2bbfe7333 100644
--- a/lass/2configs/websites/domsen.nix
+++ b/lass/2configs/websites/domsen.nix
@@ -35,10 +35,10 @@ in {
(servePage [ "makeup.apanowicz.de" "www.makeup.apanowicz.de" ])
(ssl [ "pixelpocket.de" ])
- (servePage [ "pixelpocket.de" "www.pixelpocket.de" ])
+ (servePage [ "pixelpocket.de" ])
(ssl [ "o.ubikmedia.de" ])
- (serveOwncloud [ "o.ubikmedia.de" "www.o.ubikmedia.de" ])
+ (serveOwncloud [ "o.ubikmedia.de" ])
(ssl [
"ubikmedia.de"
@@ -88,15 +88,12 @@ in {
"www.illucloud.eu"
"www.illucloud.de"
"www.illucloud.com"
- "*.ubikmedia.de"
])
];
- krebs.nginx.servers."ubikmedia.de".locations = [
- (lib.nameValuePair "/piwik" ''
- try_files $uri $uri/ /index.php?$args;
- '')
- ];
+ services.nginx.virtualHosts."ubikmedia.de".locations."/piwika".extraConfig = ''
+ try_files $uri $uri/ /index.php?$args;
+ '';
lass.mysqlBackup.config.all.databases = [
"ubikmedia_de"
diff --git a/lass/2configs/websites/fritz.nix b/lass/2configs/websites/fritz.nix
index 52914f444..f9035dd13 100644
--- a/lass/2configs/websites/fritz.nix
+++ b/lass/2configs/websites/fritz.nix
@@ -7,7 +7,6 @@ let
head
;
inherit (import <stockholm/lass/2configs/websites/util.nix> {inherit lib pkgs;})
- manageCerts
ssl
servePage
serveWordpress
@@ -26,8 +25,6 @@ let
in {
imports = [
./sqlBackup.nix
- (ssl [ "biostase.de" "www.biostase.de" ])
- (serveWordpress [ "biostase.de" "www.biostase.de" ])
(ssl [ "radical-dreamers.de" "www.radical-dreamers.de" ])
(serveWordpress [ "radical-dreamers.de" "www.radical-dreamers.de" ])
@@ -50,30 +47,17 @@ in {
(ssl [ "habsys.de" "www.habsys.de" "habsys.eu" "www.habsys.eu" ])
(servePage [ "habsys.de" "www.habsys.de" "habsys.eu" "www.habsys.eu" ])
- (manageCerts [ "goldbarrendiebstahl.radical-dreamers.de" ])
+ (ssl [ "goldbarrendiebstahl.radical-dreamers.de" ])
(serveWordpress [ "goldbarrendiebstahl.radical-dreamers.de" ])
];
lass.mysqlBackup.config.all.databases = [
- "biostase_de"
"eastuttgart_de"
"radical_dreamers_de"
"spielwaren_kern_de"
"ttf_kleinaspach_de"
];
- #password protect some dirs
- krebs.nginx.servers."biostase.de".locations = [
- (nameValuePair "/old_biostase.de" ''
- auth_basic "Administrator Login";
- auth_basic_user_file /srv/http/biostase.de/old_biostase.de/.htpasswd;
- '')
- (nameValuePair "/mysqldumper" ''
- auth_basic "Administrator Login";
- auth_basic_user_file /srv/http/biostase.de/mysqldumper/.htpasswd;
- '')
- ];
-
users.users.root.openssh.authorizedKeys.keys = [
config.krebs.users.fritz.pubkey
];
diff --git a/lass/2configs/websites/lassulus.nix b/lass/2configs/websites/lassulus.nix
index 29374e97d..cfdda05db 100644
--- a/lass/2configs/websites/lassulus.nix
+++ b/lass/2configs/websites/lassulus.nix
@@ -14,7 +14,7 @@ in {
security.acme = {
certs."lassul.us" = {
email = "lass@lassul.us";
- webroot = "/var/lib/acme/challenges/lassul.us";
+ webroot = "/var/lib/acme/acme-challenges";
plugins = [
"account_key.json"
"key.pem"
@@ -26,7 +26,7 @@ in {
};
certs."cgit.lassul.us" = {
email = "lassulus@gmail.com";
- webroot = "/var/lib/acme/challenges/cgit.lassul.us";
+ webroot = "/var/lib/acme/acme-challenges";
plugins = [
"account_key.json"
"key.pem"
@@ -69,59 +69,54 @@ in {
"nginx"
];
- krebs.nginx.servers."lassul.us" = {
- server-names = [ "lassul.us" ];
- locations = [
- (nameValuePair "/" ''
- root /srv/http/lassul.us;
- '')
- (nameValuePair "/.well-known/acme-challenge" ''
- root /var/lib/acme/challenges/lassul.us/;
- '')
- (nameValuePair "= /retiolum-hosts.tar.bz2" ''
- alias ${config.krebs.tinc.retiolum.hostsArchive};
- '')
- (nameValuePair "/tinc" ''
- alias ${config.krebs.tinc_graphs.workingDir}/external;
- '')
- (let
- script = pkgs.writeBash "test" ''
- echo "hello world"
- '';
- #script = pkgs.execve "ddate-wrapper" {
- # filename = "${pkgs.ddate}/bin/ddate";
- # argv = [];
- #};
- in nameValuePair "= /ddate" ''
- gzip off;
- fastcgi_pass unix:/var/run/lass-stuff.socket;
- include ${pkgs.nginx}/conf/fastcgi_params;
- fastcgi_param DOCUMENT_ROOT /var/empty;
- fastcgi_param SCRIPT_FILENAME ${script};
- fastcgi_param SCRIPT_NAME ${script};
- '')
- ];
- ssl = {
- enable = true;
- certificate = "/var/lib/acme/lassul.us/fullchain.pem";
- certificate_key = "/var/lib/acme/lassul.us/key.pem";
- };
+ services.nginx.virtualHosts."lassul.us" = {
+ serverAliases = [ "lassul.us" ];
+ locations."/".extraConfig = ''
+ root /srv/http/lassul.us;
+ '';
+ locations."/.well-known/acme-challenge".extraConfig = ''
+ root /var/lib/acme/challenges/lassul.us/;
+ '';
+ locations."= /retiolum-hosts.tar.bz2".extraConfig = ''
+ alias ${config.krebs.tinc.retiolum.hostsArchive};
+ '';
+ locations."/tinc".extraConfig = ''
+ alias ${config.krebs.tinc_graphs.workingDir}/external;
+ '';
+ locations."= /ddate".extraConfig = let
+ script = pkgs.writeBash "test" ''
+ echo "hello world"
+ '';
+ #script = pkgs.execve "ddate-wrapper" {
+ # filename = "${pkgs.ddate}/bin/ddate";
+ # argv = [];
+ #};
+ in ''
+ gzip off;
+ fastcgi_pass unix:/var/run/lass-stuff.socket;
+ include ${pkgs.nginx}/conf/fastcgi_params;
+ fastcgi_param DOCUMENT_ROOT /var/empty;
+ fastcgi_param SCRIPT_FILENAME ${script};
+ fastcgi_param SCRIPT_NAME ${script};
+ '';
+
+ enableSSL = true;
+ extraConfig = "listen 80;";
+ sslCertificate = "/var/lib/acme/lassul.us/fullchain.pem";
+ sslCertificateKey = "/var/lib/acme/lassul.us/key.pem";
};
- krebs.nginx.servers.cgit = {
- server-names = [
+ services.nginx.virtualHosts.cgit = {
+ serverAliases = [
"cgit.lassul.us"
];
- locations = [
- (nameValuePair "/.well-known/acme-challenge" ''
- root /var/lib/acme/challenges/cgit.lassul.us/;
- '')
- ];
- ssl = {
- enable = true;
- certificate = "/var/lib/acme/cgit.lassul.us/fullchain.pem";
- certificate_key = "/var/lib/acme/cgit.lassul.us/key.pem";
- };
+ locations."/.well-known/acme-challenge".extraConfig = ''
+ root /var/lib/acme/acme-challenges;
+ '';
+ enableSSL = true;
+ extraConfig = "listen 80;";
+ sslCertificate = "/var/lib/acme/cgit.lassul.us/fullchain.pem";
+ sslCertificateKey = "/var/lib/acme/cgit.lassul.us/key.pem";
};
users.users.blog = {
diff --git a/lass/2configs/websites/util.nix b/lass/2configs/websites/util.nix
index 0b2a6faac..6e236ab63 100644
--- a/lass/2configs/websites/util.nix
+++ b/lass/2configs/websites/util.nix
@@ -4,66 +4,24 @@ with lib;
rec {
- manageCerts = domains:
+ ssl = domains :
let
domain = head domains;
in {
- #security.acme = {
- # certs."${domain}" = {
- # email = "lassulus@gmail.com";
- # webroot = "/var/lib/acme/challenges/${domain}";
- # plugins = [
- # "account_key.json"
- # "key.pem"
- # "fullchain.pem"
- # ];
- # group = "nginx";
- # allowKeysForGroup = true;
- # extraDomains = genAttrs domains (_: null);
- # };
- #};
-
- krebs.nginx.servers."${domain}" = {
- ssl.acmeEnable = true;
- server-names = domains;
- #locations = [
- # (nameValuePair "/.well-known/acme-challenge" ''
- # root /var/lib/acme/challenges/${domain}/;
- # '')
- #];
- };
- };
-
- ssl = domains:
- {
- imports = [
- ( manageCerts domains )
- #( activateACME (head domains) )
- ];
- };
-
- activateACME = domain:
- {
- krebs.nginx.servers.${domain} = {
- ssl = {
- enable = true;
- certificate = "/var/lib/acme/${domain}/fullchain.pem";
- certificate_key = "/var/lib/acme/${domain}/key.pem";
- };
- };
};
servePage = domains:
let
domain = head domains;
in {
- krebs.nginx.servers.${domain} = {
- server-names = domains;
- locations = [
- (nameValuePair "/" ''
- root /srv/http/${domain};
- '')
- ];
+ services.nginx.virtualHosts.${domain} = {
+ enableACME = true;
+ enableSSL = true;
+ extraConfig = "listen 80;";
+ serverAliases = domains;
+ locations."/".extraConfig = ''
+ root /srv/http/${domain};
+ '';
};
};
@@ -71,9 +29,13 @@ rec {
let
domain = head domains;
in {
- krebs.nginx.servers."${domain}" = {
- server-names = domains;
+ services.nginx.virtualHosts."${domain}" = {
+ enableACME = true;
+ enableSSL = true;
+ serverAliases = domains;
extraConfig = ''
+ listen 80;
+
# Add headers to serve security related headers
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
add_header X-Content-Type-Options nosniff;
@@ -109,56 +71,53 @@ rec {
rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;
'';
- locations = [
- (nameValuePair "/robots.txt" ''
- allow all;
- log_not_found off;
- access_log off;
- '')
- (nameValuePair "~ ^/(build|tests|config|lib|3rdparty|templates|data)/" ''
- deny all;
- '')
-
- (nameValuePair "~ ^/(?:autotest|occ|issue|indie|db_|console)" ''
- deny all;
- '')
-
- (nameValuePair "/" ''
- rewrite ^/remote/(.*) /remote.php last;
- rewrite ^(/core/doc/[^\/]+/)$ $1/index.html;
- try_files $uri $uri/ =404;
- '')
-
- (nameValuePair "~ \.php(?:$|/)" ''
- fastcgi_split_path_info ^(.+\.php)(/.+)$;
- include ${pkgs.nginx}/conf/fastcgi_params;
- fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
- fastcgi_param PATH_INFO $fastcgi_path_info;
- fastcgi_param HTTPS on;
- fastcgi_param modHeadersAvailable true; #Avoid sending the security headers twice
- fastcgi_pass unix:/srv/http/${domain}/phpfpm.pool;
- fastcgi_intercept_errors on;
- '')
-
- # Adding the cache control header for js and css files
- # Make sure it is BELOW the location ~ \.php(?:$|/) { block
- (nameValuePair "~* \.(?:css|js)$" ''
- add_header Cache-Control "public, max-age=7200";
- # Add headers to serve security related headers
- add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
- add_header X-Content-Type-Options nosniff;
- add_header X-Frame-Options "SAMEORIGIN";
- add_header X-XSS-Protection "1; mode=block";
- add_header X-Robots-Tag none;
- # Optional: Don't log access to assets
- access_log off;
- '')
-
- # Optional: Don't log access to other assets
- (nameValuePair "~* \.(?:jpg|jpeg|gif|bmp|ico|png|swf)$" ''
- access_log off;
- '')
- ];
+ locations."/robots.txt".extraConfig = ''
+ allow all;
+ log_not_found off;
+ access_log off;
+ '';
+ locations."~ ^/(build|tests|config|lib|3rdparty|templates|data)/".extraConfig = ''
+ deny all;
+ '';
+
+ locations."~ ^/(?:autotest|occ|issue|indie|db_|console)".extraConfig = ''
+ deny all;
+ '';
+
+ locations."/".extraConfig = ''
+ rewrite ^/remote/(.*) /remote.php last;
+ rewrite ^(/core/doc/[^\/]+/)$ $1/index.html;
+ try_files $uri $uri/ =404;
+ '';
+
+ locations."~ \.php(?:$|/)".extraConfig = ''
+ fastcgi_split_path_info ^(.+\.php)(/.+)$;
+ include ${pkgs.nginx}/conf/fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ fastcgi_param PATH_INFO $fastcgi_path_info;
+ fastcgi_param HTTPS on;
+ fastcgi_param modHeadersAvailable true; #Avoid sending the security headers twice
+ fastcgi_pass unix:/srv/http/${domain}/phpfpm.pool;
+ fastcgi_intercept_errors on;
+ '';
+
+ # Adding the cache control header for js and css files
+ # Make sure it is BELOW the location ~ \.php(?:$|/) { block
+ locations."~* \.(?:css|js)$".extraConfig = ''
+ add_header Cache-Control "public, max-age=7200";
+ # Add headers to serve security related headers
+ add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
+ add_header X-Content-Type-Options nosniff;
+ add_header X-Frame-Options "SAMEORIGIN";
+ add_header X-XSS-Protection "1; mode=block";
+ add_header X-Robots-Tag none;
+ # Optional: Don't log access to assets
+ access_log off;
+ '';
+ # Optional: Don't log access to other assets
+ locations."~* \.(?:jpg|jpeg|gif|bmp|ico|png|swf)$".extraConfig = ''
+ access_log off;
+ '';
};
services.phpfpm.poolConfigs."${domain}" = ''
listen = /srv/http/${domain}/phpfpm.pool
@@ -183,9 +142,12 @@ rec {
domain = head domains;
in {
- krebs.nginx.servers."${domain}" = {
- server-names = domains;
+ services.nginx.virtualHosts."${domain}" = {
+ enableACME = true;
+ enableSSL = true;
+ serverAliases = domains;
extraConfig = ''
+ listen 80;
root /srv/http/${domain}/;
index index.php;
access_log /tmp/nginx_acc.log;
@@ -194,24 +156,19 @@ rec {
error_page 500 502 503 504 /50x.html;
client_max_body_size 100m;
'';
- locations = [
- (nameValuePair "/" ''
- try_files $uri $uri/ /index.php?$args;
- '')
- (nameValuePair "~ \.php$" ''
- fastcgi_pass unix:/srv/http/${domain}/phpfpm.pool;
- include ${pkgs.nginx}/conf/fastcgi.conf;
- '')
- #(nameValuePair "~ /\\." ''
- # deny all;
- #'')
- #Directives to send expires headers and turn off 404 error logging.
- (nameValuePair "~* ^.+\.(xml|ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|css|rss|atom|js|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$" ''
- access_log off;
- log_not_found off;
- expires max;
- '')
- ];
+ locations."/".extraConfig = ''
+ try_files $uri $uri/ /index.php?$args;
+ '';
+ locations."~ \.php$".extraConfig = ''
+ fastcgi_pass unix:/srv/http/${domain}/phpfpm.pool;
+ include ${pkgs.nginx}/conf/fastcgi.conf;
+ '';
+ #Directives to send expires headers and turn off 404 error logging.
+ locations."~* ^.+\.(xml|ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|css|rss|atom|js|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$".extraConfig = ''
+ access_log off;
+ log_not_found off;
+ expires max;
+ '';
};
services.phpfpm.poolConfigs."${domain}" = ''
listen = /srv/http/${domain}/phpfpm.pool