author | lassulus <lass@aidsballs.de> | 2015-10-31 00:14:35 +0100 |
---|---|---|
committer | lassulus <lass@aidsballs.de> | 2015-10-31 00:14:35 +0100 |
commit | 10779f3cb9b7e00aac50faa98adbd2ebd9a675a0 (patch) | |
tree | 7aef8997e959c346cb9ae61f7bc1626a8c5bb473 /makefu/2configs/bepasty-dual.nix | |
parent | 5b4a34062462311973bb1798fe3e4538e6eb5706 (diff) | |
parent | 546469e18d24252360279ea276eb9a502670c712 (diff) |
Merge remote-tracking branch 'pnp/master'
Diffstat (limited to 'makefu/2configs/bepasty-dual.nix')
-rw-r--r-- | makefu/2configs/bepasty-dual.nix | 32 |
1 files changed, 18 insertions, 14 deletions
diff --git a/makefu/2configs/bepasty-dual.nix b/makefu/2configs/bepasty-dual.nix
index fb90f4c9f..123ae3cf9 100644
--- a/makefu/2configs/bepasty-dual.nix
+++ b/makefu/2configs/bepasty-dual.nix
@@ -11,7 +11,11 @@
 # bepasty-secret.nix <- contains single string
 with lib;
-{
+let
+ sec = toString <secrets>;
+ # secKey is nothing worth protecting on a local machine
+ secKey = import <secrets/bepasty-secret.nix>;
+in {
 krebs.nginx.enable = mkDefault true;
 krebs.bepasty = {
@@ -24,28 +28,28 @@ with lib;
 server-names = [ "paste.retiolum" "paste.${config.krebs.build.host.name}" ];
 };
 defaultPermissions = "admin,list,create,read,delete";
- secretKey = import <secrets/bepasty-secret.nix>;
+ secretKey = secKey;
 };
 external = {
 nginx = {
 server-names = [ "paste.krebsco.de" ];
 extraConfig = ''
- ssl_session_cache shared:SSL:1m;
- ssl_session_timeout 10m;
- ssl_certificate /root/secrets/wildcard.krebsco.de.crt;
- ssl_certificate_key /root/secrets/wildcard.krebsco.de.key;
- ssl_verify_client off;
- proxy_ssl_session_reuse off;
- ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
- ssl_ciphers RC4:HIGH:!aNULL:!MD5;
- ssl_prefer_server_ciphers on;
- if ($scheme = http){
- return 301 https://$server_name$request_uri;
+ ssl_session_cache shared:SSL:1m;
+ ssl_session_timeout 10m;
+ ssl_certificate ${sec}/wildcard.krebsco.de.crt;
+ ssl_certificate_key ${sec}/wildcard.krebsco.de.key;
+ ssl_verify_client off;
+ proxy_ssl_session_reuse off;
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ ssl_ciphers RC4:HIGH:!aNULL:!MD5;
+ ssl_prefer_server_ciphers on;
+ if ($scheme = http){
+ return 301 https://$server_name$request_uri;
 }'';
 };
 defaultPermissions = "read";
- secretKey = import <secrets/bepasty-secret.nix>;
+ secretKey = secKey;
 };
 };
 }; |
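Review bot: The comment added above `secKey` in the `let` block says the key is not worth protecting on a local machine, yet the second hunk assigns the same `secKey` to the `external` server published as paste.krebsco.de. `import <secrets/bepasty-secret.nix>` reads the value at evaluation time, so it is presumably written into the generated bepasty configuration in the Nix store, which every local user can read. One shared signing key also means a session signed by the internal instance (default permissions `admin,list,create,read,delete`) would likely verify on the public one, if bepasty keeps permissions in the signed session. I would give `external` its own key, e.g. `secretKey = import <secrets/EXTERNAL_KEY_PLACEHOLDER.nix>;`, and reword the comment to `# secKey ends up in the Nix store; use it for the internal instance only`. The `let … in {` attribute set continues past this hunk.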
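Review bot: The re-indented `extraConfig` for `paste.krebsco.de` still lists `RC4` first in `ssl_ciphers`, and `ssl_prefer_server_ciphers on` makes the server's order win, so a client that still offers RC4 gets it negotiated even though RFC 7465 prohibits RC4 in TLS. Since these lines are being rewritten anyway, I would change them to `ssl_ciphers HIGH:!aNULL:!MD5:!RC4;` and, unless legacy clients must be served, `ssl_protocols TLSv1.2;`. The new `${sec}` paths also deserve a comment such as `# toString keeps the key path out of the Nix store; the files must exist under <secrets> on the target host`. The location now depends on where `<secrets>` resolves at evaluation time rather than on the fixed `/root/secrets`.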