summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--krebs/3modules/retiolum-bootstrap.nix4
-rw-r--r--makefu/2configs/bepasty-dual.nix33
-rw-r--r--makefu/2configs/default.nix2
3 files changed, 29 insertions, 10 deletions
diff --git a/krebs/3modules/retiolum-bootstrap.nix b/krebs/3modules/retiolum-bootstrap.nix
index 40382d098..9d393c90b 100644
--- a/krebs/3modules/retiolum-bootstrap.nix
+++ b/krebs/3modules/retiolum-bootstrap.nix
@@ -27,12 +27,12 @@ let
ssl_certificate_key = mkOption {
type = types.str;
description = "Certificate key to use for ssl";
- default = "/root/secrets/tinc.krebsco.de.key";
+ default = "${toString <secrets>}/tinc.krebsco.de.key";
};
ssl_certificate = mkOption {
type = types.str;
description = "Certificate file to use for ssl";
- default = "/root/secrets/tinc.krebsco.de.crt" ;
+ default = "${toString <secrets>}/tinc.krebsco.de.crt" ;
};
# in use:
# <secrets/tinc.krebsco.de.crt>
diff --git a/makefu/2configs/bepasty-dual.nix b/makefu/2configs/bepasty-dual.nix
index 5682f5eb6..f675c4ac8 100644
--- a/makefu/2configs/bepasty-dual.nix
+++ b/makefu/2configs/bepasty-dual.nix
@@ -15,6 +15,9 @@ let
sec = toString <secrets>;
# secKey is nothing worth protecting on a local machine
secKey = import <secrets/bepasty-secret.nix>;
+ acmepath = "/var/lib/acme/";
+ acmechall = acmepath + "/challenges/";
+ ext-dom = "paste.krebsco.de" ;
in {
krebs.nginx.enable = mkDefault true;
@@ -25,7 +28,7 @@ in {
servers = {
internal = {
nginx = {
- server-names = [ "paste.retiolum" "paste.${config.krebs.build.host.name}" ];
+ server-names = [ "paste.retiolum" "paste.r" "paste.${config.krebs.build.host.name}" ];
};
defaultPermissions = "admin,list,create,read,delete";
secretKey = secKey;
@@ -33,17 +36,25 @@ in {
external = {
nginx = {
- server-names = [ "paste.krebsco.de" ];
+ server-names = [ ext-dom ];
+ ssl = {
+ enable = true;
+ certificate = "${acmepath}/${ext-dom}/fullchain.pem";
+ certificate_key = "${acmepath}/${ext-dom}/key.pem";
+ # these certs will be needed if acme has not yet created certificates:
+ #certificate = "${sec}/wildcard.krebsco.de.crt";
+ #certificate_key = "${sec}/wildcard.krebsco.de.key";
+ ciphers = "RC4:HIGH:!aNULL:!MD5" ;
+ };
+ locations = singleton ( nameValuePair "/.well-known/acme-challenge" ''
+ root ${acmechall}/${ext-dom}/;
+ '');
extraConfig = ''
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 10m;
- ssl_certificate ${sec}/wildcard.krebsco.de.crt;
- ssl_certificate_key ${sec}/wildcard.krebsco.de.key;
ssl_verify_client off;
proxy_ssl_session_reuse off;
- ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
- ssl_ciphers RC4:HIGH:!aNULL:!MD5;
- ssl_prefer_server_ciphers on;
+
if ($scheme = http){
return 301 https://$server_name$request_uri;
}'';
@@ -53,4 +64,12 @@ in {
};
};
};
+ security.acme.certs."${ext-dom}" = {
+ email = "acme@syntax-fehler.de";
+ webroot = "${acmechall}/${ext-dom}/";
+ group = "nginx";
+ allowKeysForGroup = true;
+ postRun = "systemctl reload nginx.service";
+ extraDomains."${ext-dom}" = null ;
+ };
}
diff --git a/makefu/2configs/default.nix b/makefu/2configs/default.nix
index f3bf0c46e..4562a123f 100644
--- a/makefu/2configs/default.nix
+++ b/makefu/2configs/default.nix
@@ -25,7 +25,7 @@ with config.krebs.lib;
source = let inherit (config.krebs.build) host user; in {
nixpkgs.git = {
url = https://github.com/nixos/nixpkgs;
- rev = "0546a4a"; # stable @ 2016-06-11
+ ref = "0546a4a"; # stable @ 2016-06-11
};
secrets.file =
if getEnv "dummy_secrets" == "true"