Diffstat (limited to 'krebs/2configs')
-rw-r--r-- | krebs/2configs/acme.nix | 67 | ||||
-rw-r--r-- | krebs/2configs/buildbot-stockholm.nix | 17 | ||||
-rw-r--r-- | krebs/2configs/default.nix | 10 | ||||
-rw-r--r-- | krebs/2configs/shack/ssh-keys.nix | 1 | ||||
-rw-r--r-- | krebs/2configs/wiki.nix | 21 |
5 files changed, 91 insertions, 25 deletions
diff --git a/krebs/2configs/acme.nix b/krebs/2configs/acme.nix
new file mode 100644
index 000000000..056aa7ae4
--- /dev/null
+++ b/krebs/2configs/acme.nix
@@ -0,0 +1,67 @@
+# generate intermediate certificate with generate-krebs-intermediate-ca
+{ config, lib, pkgs, ... }: let
+ domain = "ca.r";
+in {
+ security.acme = {
+ acceptTerms = true; # kinda pointless since we never use upstream
+ email = "spam@krebsco.de";
+ certs.${domain}.server = "https://${domain}:1443/acme/acme/directory"; # use 1443 here cause bootstrapping loop
+ };
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
+ services.nginx = {
+ enable = true;
+ recommendedProxySettings = true;
+ virtualHosts.${domain} = {
+ addSSL = true;
+ enableACME = true;
+ locations."/" = {
+ proxyPass = "https://localhost:1443";
+ };
+ locations."= /ca.crt".alias = ../6assets/krebsAcmeCA.crt;
+ };
+ };
+ krebs.secret.files.krebsAcme = {
+ path = "/var/lib/step-ca/intermediate_ca.key";
+ owner.name = "root";
+ mode = "1444";
+ source-path = builtins.toString <secrets> + "/acme_ca.key";
+ };
+ services.step-ca = {
+ enable = true;
+ intermediatePasswordFile = "/dev/null";
+ address = "0.0.0.0";
+ port = 1443;
+ settings = {
+ root = pkgs.writeText "root.crt" config.krebs.ssl.rootCA;
+ crt = pkgs.writeText "intermediate.crt" config.krebs.ssl.intermediateCA;
+ key = "/var/lib/step-ca/intermediate_ca.key";
+ dnsNames = [ domain ];
+ logger.format = "text";
+ db = {
+ type = "badger";
+ dataSource = "/var/lib/step-ca/db";
+ };
+ authority = {
+ provisioners = [{
+ type = "ACME";
+ name = "acme";
+ forceCN = true;
+ }];
+ claims = {
+ maxTLSCertDuration = "2160h";
+ defaultTLSCertDuration = "2160h";
+ };
+ backdate = "1m0s";
+ };
+ tls = {
+ cipherSuites = [
+ "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256"
+ "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
+ ];
+ minVersion = 1.2;
+ maxVersion = 1.3;
+ renegotiation = false;
+ };
+ };
+ };
+}
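Review bot: `mode = "1444"` on `krebs.secret.files.krebsAcme` makes the intermediate CA private key at /var/lib/step-ca/intermediate_ca.key readable by every local user on this host, and with `intermediatePasswordFile = "/dev/null"` the key is unencrypted on disk, so that file mode is the only thing protecting the CA. The leading `1` (sticky bit) does nothing on a regular file; if step-ca's service user cannot own the file directly, a narrower mode is still preferable to world-readable, e.g. `owner.name = "<step-ca service user>"; mode = "0400";` (or a group-readable `"0440"` with the service user in that group). The `# kinda pointless since we never use upstream` note on `acceptTerms` would read better stating what it actually means here: `security.acme` requires the flag even though `certs.${domain}.server` points at the local step-ca, not Let's Encrypt.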
diff --git a/krebs/2configs/buildbot-stockholm.nix b/krebs/2configs/buildbot-stockholm.nix
index 43a38a9f8..9fc6a79e5 100644
--- a/krebs/2configs/buildbot-stockholm.nix
+++ b/krebs/2configs/buildbot-stockholm.nix
@@ -6,11 +6,13 @@
 enable = true;
 virtualHosts.build = {
 serverAliases = [ "build.r" "build.${config.networking.hostName}.r" ];
- locations."/".extraConfig = ''
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection "upgrade";
- proxy_pass http://127.0.0.1:${toString config.krebs.buildbot.master.web.port};
- '';
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:${toString config.services.buildbot-master.port}";
+ proxyWebsockets = true;
+ extraConfig = ''
+ proxy_read_timeout 3600s;
+ '';
+ };
 };
 };
 krebs.ci = {
@@ -18,25 +20,20 @@
 repos = {
 disko.urls = [
 "http://cgit.gum.r/disko"
- "http://cgit.hotdog.r/disko"
 "http://cgit.ni.r/disko"
 "http://cgit.prism.r/disko"
 ];
 krops.urls = [
- "http://cgit.hotdog.r/krops"
 "http://cgit.ni.r/krops"
 "http://cgit.prism.r/krops"
 "https://github.com/krebs/krops.git"
 ];
 nix_writers.urls = [
- "http://cgit.hotdog.r/nix-writers"
 "http://cgit.ni.r/nix-writers"
 "http://cgit.prism.r/nix-writers"
 ];
 stockholm.urls = [
- "http://cgit.enklave.r/stockholm"
 "http://cgit.gum.r/stockholm"
- "http://cgit.hotdog.r/stockholm"
 "http://cgit.ni.r/stockholm"
 "http://cgit.prism.r/stockholm"
 ];
diff --git a/krebs/2configs/default.nix b/krebs/2configs/default.nix
index 8a84d4465..9200d41fe 100644
--- a/krebs/2configs/default.nix
+++ b/krebs/2configs/default.nix
@@ -4,18 +4,14 @@ with import <stockholm/lib>;
 {
 imports = [
 ./backup.nix
- (let ca-bundle = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"; in {
- environment.variables = {
- CURL_CA_BUNDLE = ca-bundle;
- GIT_SSL_CAINFO = ca-bundle;
- SSL_CERT_FILE = ca-bundle;
- };
- })
 ];
 krebs.announce-activation.enable = true;
 krebs.enable = true;
 krebs.tinc.retiolum.enable = mkDefault true;
+ # trust krebs ACME CA
+ krebs.ssl.trustIntermediate = true;
+ krebs.build.user = mkDefault config.krebs.users.krebs;
 networking.hostName = config.krebs.build.host.name;
diff --git a/krebs/2configs/shack/ssh-keys.nix b/krebs/2configs/shack/ssh-keys.nix
index 50bb93809..80957f3a5 100644
--- a/krebs/2configs/shack/ssh-keys.nix
+++ b/krebs/2configs/shack/ssh-keys.nix
@@ -7,6 +7,7 @@
 config.krebs.users.raute.pubkey
 config.krebs.users.ulrich.pubkey
 config.krebs.users.xq.pubkey
+ config.krebs.users.xkey.pubkey
 "ssh-rsa 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 root@plattenschwein" # for backup
 "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC1Lx5MKtVjB/Ef6LpEiIAgVwY5xKQFdHuLQR+odQO4cAgxj1QaIXGN0moixY52DebVQhAtiCNiFZ83uJyOj8kmu30yuXwtSOQeqziA859qMJKZ4ZcYdKvbXwnf2Chm5Ck/0FvtpjTWHIZAogwP1wQto/lcqHOjrTAnZeJfQuHTswYUSnmUU5zdsEZ9HidDPUc2Gv0wkBNd+KMQyOZl0HkaxHWvn0h4KK4hYZisOpeTfXJxD87bo+Eg4LL2vvnHW6dF6Ygrbd/0XRMsRRI8OAReVBUoJn7IE1wwAl/FpblNmhaF9hlL7g7hR1ADvaWMMw0e8SSzW6Y+oIa8qFQL6wR1 gitlab-builder" # for being deployed by gitlab ci
 ];
diff --git a/krebs/2configs/wiki.nix b/krebs/2configs/wiki.nix
index 9a18b8dff..40d946f7d 100644
--- a/krebs/2configs/wiki.nix
+++ b/krebs/2configs/wiki.nix
@@ -29,6 +29,7 @@ in {
 services.gollum = {
 enable = true;
+ address = "::1";
 extraConfig = ''
 Gollum::Hook.register(:post_commit, :hook_id) do |committer, sha1|
 system('${pushCgit}')
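Review bot: `krebs.ssl.trustIntermediate = true` enrols every host that imports this default.nix into trusting the krebs intermediate CA, while the removed `(let ca-bundle = ...)` block also drops the `CURL_CA_BUNDLE`/`GIT_SSL_CAINFO`/`SSL_CERT_FILE` overrides; nothing in the hunk shows that the krebs.ssl module feeds the CA into the store those tools consult, so that should be confirmed before the env vars go away. The one-line comment would be more useful if it named the consequence, e.g. `# trust krebs ACME CA: TLS certs issued by ca.r (see acme.nix) are accepted on every krebs host`. The attrset opened by `{` at the top of the hunk continues past the hunk's end.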
@@ -38,16 +39,20 @@ in
 systemd.services.gollum.environment.LC_ALL = "en_US.UTF-8";
- networking.firewall.allowedTCPPorts = [ 80 ];
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
+ security.acme.certs."wiki.r".server = config.krebs.ssl.acmeURL;
 services.nginx = {
 enable = true;
- virtualHosts.wiki = {
- serverAliases = [ "wiki.r" "wiki.${config.networking.hostName}.r" ];
- locations."/".extraConfig = ''
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection "upgrade";
- proxy_pass http://127.0.0.1:${toString config.services.gollum.port};
- '';
+ virtualHosts."wiki.r" = {
+ enableACME = true;
+ addSSL = true;
+ locations."/" = {
+ proxyPass = "http://[::1]:${toString config.services.gollum.port}";
+ proxyWebsockets = true;
+ extraConfig = ''
+ proxy_set_header Host $host;
+ '';
+ };
 };
 };
|
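Review bot: `addSSL = true` keeps serving the wiki in plaintext on port 80 next to the new TLS listener, so opening 443 and requesting the certificate does not by itself move anything to HTTPS; if the intent is to require TLS, `forceSSL = true;` redirects 80 to 443 and port 80 then only needs to stay open for the ACME http-01 challenge. The rewrite of `virtualHosts.wiki` into `virtualHosts."wiki.r"` also drops `serverAliases`, so `wiki.${config.networking.hostName}.r` is no longer matched by this vhost and falls through to whatever nginx's default server is; if that alias is still used, keep `serverAliases = [ "wiki.${config.networking.hostName}.r" ];` in the new vhost. The `[::1]` proxy target matches the `address = "::1"` added to services.gollum in the previous hunk.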