summaryrefslogtreecommitdiffstats
path: root/krebs/2configs
diff options
context:
space:
mode:
Diffstat (limited to 'krebs/2configs')
-rw-r--r--krebs/2configs/acme.nix67
-rw-r--r--krebs/2configs/buildbot-stockholm.nix17
-rw-r--r--krebs/2configs/default.nix10
-rw-r--r--krebs/2configs/shack/ssh-keys.nix1
-rw-r--r--krebs/2configs/wiki.nix21
5 files changed, 91 insertions, 25 deletions
diff --git a/krebs/2configs/acme.nix b/krebs/2configs/acme.nix
new file mode 100644
index 000000000..056aa7ae4
--- /dev/null
+++ b/krebs/2configs/acme.nix
@@ -0,0 +1,67 @@
+# generate intermediate certificate with generate-krebs-intermediate-ca
+{ config, lib, pkgs, ... }: let
+ domain = "ca.r";
+in {
+ security.acme = {
+ acceptTerms = true; # kinda pointless since we never use upstream
+ email = "spam@krebsco.de";
+ certs.${domain}.server = "https://${domain}:1443/acme/acme/directory"; # use 1443 here cause bootstrapping loop
+ };
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
+ services.nginx = {
+ enable = true;
+ recommendedProxySettings = true;
+ virtualHosts.${domain} = {
+ addSSL = true;
+ enableACME = true;
+ locations."/" = {
+ proxyPass = "https://localhost:1443";
+ };
+ locations."= /ca.crt".alias = ../6assets/krebsAcmeCA.crt;
+ };
+ };
+ krebs.secret.files.krebsAcme = {
+ path = "/var/lib/step-ca/intermediate_ca.key";
+ owner.name = "root";
+ mode = "1444";
+ source-path = builtins.toString <secrets> + "/acme_ca.key";
+ };
+ services.step-ca = {
+ enable = true;
+ intermediatePasswordFile = "/dev/null";
+ address = "0.0.0.0";
+ port = 1443;
+ settings = {
+ root = pkgs.writeText "root.crt" config.krebs.ssl.rootCA;
+ crt = pkgs.writeText "intermediate.crt" config.krebs.ssl.intermediateCA;
+ key = "/var/lib/step-ca/intermediate_ca.key";
+ dnsNames = [ domain ];
+ logger.format = "text";
+ db = {
+ type = "badger";
+ dataSource = "/var/lib/step-ca/db";
+ };
+ authority = {
+ provisioners = [{
+ type = "ACME";
+ name = "acme";
+ forceCN = true;
+ }];
+ claims = {
+ maxTLSCertDuration = "2160h";
+ defaultTLSCertDuration = "2160h";
+ };
+ backdate = "1m0s";
+ };
+ tls = {
+ cipherSuites = [
+ "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256"
+ "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
+ ];
+ minVersion = 1.2;
+ maxVersion = 1.3;
+ renegotiation = false;
+ };
+ };
+ };
+}
diff --git a/krebs/2configs/buildbot-stockholm.nix b/krebs/2configs/buildbot-stockholm.nix
index 43a38a9f8..9fc6a79e5 100644
--- a/krebs/2configs/buildbot-stockholm.nix
+++ b/krebs/2configs/buildbot-stockholm.nix
@@ -6,11 +6,13 @@
enable = true;
virtualHosts.build = {
serverAliases = [ "build.r" "build.${config.networking.hostName}.r" ];
- locations."/".extraConfig = ''
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection "upgrade";
- proxy_pass http://127.0.0.1:${toString config.krebs.buildbot.master.web.port};
- '';
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:${toString config.services.buildbot-master.port}";
+ proxyWebsockets = true;
+ extraConfig = ''
+ proxy_read_timeout 3600s;
+ '';
+ };
};
};
krebs.ci = {
@@ -18,25 +20,20 @@
repos = {
disko.urls = [
"http://cgit.gum.r/disko"
- "http://cgit.hotdog.r/disko"
"http://cgit.ni.r/disko"
"http://cgit.prism.r/disko"
];
krops.urls = [
- "http://cgit.hotdog.r/krops"
"http://cgit.ni.r/krops"
"http://cgit.prism.r/krops"
"https://github.com/krebs/krops.git"
];
nix_writers.urls = [
- "http://cgit.hotdog.r/nix-writers"
"http://cgit.ni.r/nix-writers"
"http://cgit.prism.r/nix-writers"
];
stockholm.urls = [
- "http://cgit.enklave.r/stockholm"
"http://cgit.gum.r/stockholm"
- "http://cgit.hotdog.r/stockholm"
"http://cgit.ni.r/stockholm"
"http://cgit.prism.r/stockholm"
];
diff --git a/krebs/2configs/default.nix b/krebs/2configs/default.nix
index 8a84d4465..9200d41fe 100644
--- a/krebs/2configs/default.nix
+++ b/krebs/2configs/default.nix
@@ -4,18 +4,14 @@ with import <stockholm/lib>;
{
imports = [
./backup.nix
- (let ca-bundle = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"; in {
- environment.variables = {
- CURL_CA_BUNDLE = ca-bundle;
- GIT_SSL_CAINFO = ca-bundle;
- SSL_CERT_FILE = ca-bundle;
- };
- })
];
krebs.announce-activation.enable = true;
krebs.enable = true;
krebs.tinc.retiolum.enable = mkDefault true;
+ # trust krebs ACME CA
+ krebs.ssl.trustIntermediate = true;
+
krebs.build.user = mkDefault config.krebs.users.krebs;
networking.hostName = config.krebs.build.host.name;
diff --git a/krebs/2configs/shack/ssh-keys.nix b/krebs/2configs/shack/ssh-keys.nix
index 50bb93809..80957f3a5 100644
--- a/krebs/2configs/shack/ssh-keys.nix
+++ b/krebs/2configs/shack/ssh-keys.nix
@@ -7,6 +7,7 @@
config.krebs.users.raute.pubkey
config.krebs.users.ulrich.pubkey
config.krebs.users.xq.pubkey
+ config.krebs.users.xkey.pubkey
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAEAQDb9NPa2Hf51afcG1H13UPbE5E02J8aC9a1sGCRls592wAVlQbmojYR1jWDPA2m32Bsyv0ztqi81zDyndWWZPQVJVBk00VjYBcgk6D5ifqoAuWLzfuHJPWZGOvBf/U74/LNFNUkj1ywjneK7HYTRPXrRBBfBSQNmQzkvue7s599L2vdueZKyjNsMpx2m6nm2SchaMuDskSQut/168JgU1l4M8BeT68Bo4WdelhBYnhSI1a59FGkgdu2SCjyighLQRy2sOH3ksnkHWENPkA+wwQOlKl7R3DsEybrNd4NU9FSwFDyDmdhfv5gJp8UGSFdjAwx43+8zM5t5ruZ25J0LnVb0PuTuRA00UsW83MkLxFpDQLrQV08tlsY6iGrqxP67C3VJ6t4v6oTp7/vaRLhEFc1PhOLh+sZ18o8MLO+e2rGmHGHQnSKfBOLUvDMGa4jb01XBGjdnIXLOkVo79YR5jZn7jJb2gTZ95OD6bWSDADoURSuwuLa7kh4ti1ItAKuhkIvbuky3rRVvQEc92kJ6aNUswIUXJa0K2ibbIY6ycKAA3Ljksl3Mm9KzOn6yc/i/lSF+SOrTGhabPJigKkIoqKIwnV5IU3gkfsxPQJOBMPqHDGAOeYQe3WpWedEPYuhQEczw4exMb9TkNE96F71PzuQPJDl5sPAWyPLeMKpy5XbfRiF2by4nxN3ZIQvjtoyVkjNV+qM0q0yKBzLxuRAEQOZ2yCEaBudZQkQiwHD97H2vu4SRQ/2aOie1XiOnmdbQRDZSO3BsoDK569K1w+gDfSnqY7zVUMj6tw+uKx6Gstck5lbvYMtdWKsfPv/pDM8eyIVFLL93dKTX+ertcQj6xDwLfOiNubE5ayFXhYkjwImV6NgfBuq+3hLK0URP2rPlOZbbZTQ0WlKD6CCRZPMSZCU9oD2zYfqpvRArBUcdkAwGePezORkfJQLE6mYEJp6pdFkJ/IeFLbO6M0lZVlfnpzAC9kjjkMCRofZUETcFSppyTImCbgo3+ok59/PkNU5oavBXyW80ue2tWHr08HX/QALNte3UITmIIlU6SFMCPMWJqadK1eDPWfJ4H4iDXRNn3D5wqN++iMloKvpaj0wieqXLY4+YfvNTNr177OU48GEWW8DnoEkbpwsCbjPxznGDQhdDqdYyMY/fDgRQReKITvKYGHRzesGysw5cKsp9LEfXD0R6WE2TeiiENla5AWzTgXJB0AyZEcOiIfqOgT9Nr9S8q5gc/BdA7P+jhGGJgEHhV3dVlfIZ7pmZc27Yu7UTQ0lbAKWqcMSTOdne+QL6ILzbvLrQwdvax4tQdm5opfU16SrOox1AMwAbkdq84z6uJqYVx3cUXfMJgTyDNrVv3or root@plattenschwein" # for backup
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC1Lx5MKtVjB/Ef6LpEiIAgVwY5xKQFdHuLQR+odQO4cAgxj1QaIXGN0moixY52DebVQhAtiCNiFZ83uJyOj8kmu30yuXwtSOQeqziA859qMJKZ4ZcYdKvbXwnf2Chm5Ck/0FvtpjTWHIZAogwP1wQto/lcqHOjrTAnZeJfQuHTswYUSnmUU5zdsEZ9HidDPUc2Gv0wkBNd+KMQyOZl0HkaxHWvn0h4KK4hYZisOpeTfXJxD87bo+Eg4LL2vvnHW6dF6Ygrbd/0XRMsRRI8OAReVBUoJn7IE1wwAl/FpblNmhaF9hlL7g7hR1ADvaWMMw0e8SSzW6Y+oIa8qFQL6wR1 gitlab-builder" # for being deployed by gitlab ci
];
diff --git a/krebs/2configs/wiki.nix b/krebs/2configs/wiki.nix
index 9a18b8dff..40d946f7d 100644
--- a/krebs/2configs/wiki.nix
+++ b/krebs/2configs/wiki.nix
@@ -29,6 +29,7 @@ in
{
services.gollum = {
enable = true;
+ address = "::1";
extraConfig = ''
Gollum::Hook.register(:post_commit, :hook_id) do |committer, sha1|
system('${pushCgit}')
@@ -38,16 +39,20 @@ in
systemd.services.gollum.environment.LC_ALL = "en_US.UTF-8";
- networking.firewall.allowedTCPPorts = [ 80 ];
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
+ security.acme.certs."wiki.r".server = config.krebs.ssl.acmeURL;
services.nginx = {
enable = true;
- virtualHosts.wiki = {
- serverAliases = [ "wiki.r" "wiki.${config.networking.hostName}.r" ];
- locations."/".extraConfig = ''
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection "upgrade";
- proxy_pass http://127.0.0.1:${toString config.services.gollum.port};
- '';
+ virtualHosts."wiki.r" = {
+ enableACME = true;
+ addSSL = true;
+ locations."/" = {
+ proxyPass = "http://[::1]:${toString config.services.gollum.port}";
+ proxyWebsockets = true;
+ extraConfig = ''
+ proxy_set_header Host $host;
+ '';
+ };
};
};