summaryrefslogtreecommitdiffstats
path: root/krebs/3modules
diff options
context:
space:
mode:
Diffstat (limited to 'krebs/3modules')
-rw-r--r--krebs/3modules/iptables.nix51
-rw-r--r--krebs/3modules/nginx.nix45
2 files changed, 60 insertions, 36 deletions
diff --git a/krebs/3modules/iptables.nix b/krebs/3modules/iptables.nix
index b610ff3d1..a4a4de6f9 100644
--- a/krebs/3modules/iptables.nix
+++ b/krebs/3modules/iptables.nix
@@ -1,5 +1,7 @@
{ config, lib, pkgs, ... }:
+with import <stockholm/lib>;
+
let
inherit (pkgs) writeText;
@@ -7,27 +9,6 @@ let
elem
;
- inherit (lib)
- concatMapStringsSep
- concatStringsSep
- attrNames
- unique
- fold
- any
- attrValues
- catAttrs
- filter
- flatten
- length
- hasAttr
- hasPrefix
- mkEnableOption
- mkOption
- mkIf
- types
- sort
- ;
-
cfg = config.krebs.iptables;
out = {
@@ -65,6 +46,14 @@ let
type = int;
default = 0;
};
+ v4 = mkOption {
+ type = bool;
+ default = true;
+ };
+ v6 = mkOption {
+ type = bool;
+ default = true;
+ };
};
})));
default = null;
@@ -93,7 +82,7 @@ let
Type = "simple";
RemainAfterExit = true;
Restart = "always";
- ExecStart = "@${startScript} krebs-iptables_start";
+ ExecStart = startScript;
};
};
};
@@ -109,7 +98,8 @@ let
buildChain = tn: cn:
let
- sortedRules = sort (a: b: a.precedence > b.precedence) ts."${tn}"."${cn}".rules;
+ filteredRules = filter (r: r."${v}") ts."${tn}"."${cn}".rules;
+ sortedRules = sort (a: b: a.precedence > b.precedence) filteredRules;
in
#TODO: double check should be unneccessary, refactor!
@@ -123,13 +113,6 @@ let
buildRule = tn: cn: rule:
- #target validation test:
- assert (elem rule.target ([ "ACCEPT" "REJECT" "DROP" "QUEUE" "LOG" "RETURN" ] ++ (attrNames ts."${tn}"))) || hasPrefix "REDIRECT" rule.target || hasPrefix "DNAT" rule.target;
-
- #predicate validation test:
- #maybe use iptables-test
- #TODO: howto exit with evaluation error by shellscript?
- #apperantly not possible from nix because evalatution wouldn't be deterministic.
"${rule.predicate} -j ${rule.target}";
buildTable = tn:
@@ -149,7 +132,7 @@ let
#=====
- rules4 = iptables-version:
+ rules = iptables-version:
let
#TODO: find out good defaults.
tables-defaults = {
@@ -171,14 +154,14 @@ let
tables = tables-defaults // cfg.tables;
in
- writeText "krebs-iptables-rules${toString iptables-version}" ''
+ pkgs.writeText "krebs-iptables-rules${iptables-version}" ''
${buildTables iptables-version tables}
'';
startScript = pkgs.writeDash "krebs-iptables_start" ''
set -euf
- iptables-restore < ${rules4 4}
- ip6tables-restore < ${rules4 6}
+ iptables-restore < ${rules "v4"}
+ ip6tables-restore < ${rules "v6"}
'';
in
diff --git a/krebs/3modules/nginx.nix b/krebs/3modules/nginx.nix
index 1577c5b64..933c2e513 100644
--- a/krebs/3modules/nginx.nix
+++ b/krebs/3modules/nginx.nix
@@ -53,9 +53,22 @@ let
default = "";
};
ssl = mkOption {
- type = with types; submodule ({
+ type = with types; submodule ({ config, ... }: {
options = {
enable = mkEnableOption "ssl";
+ acmeEnable = mkOption {
+ type = bool;
+ apply = x:
+ if x && config.enable
+ #conflicts because of certificate/certificate_key location
+ then throw "can't use ssl.enable and ssl.acmeEnable together"
+ else x;
+ default = false;
+ description = ''
+ enables automatical generation of lets-encrypt certificates and setting them as certificate
+ conflicts with ssl.enable
+ '';
+ };
certificate = mkOption {
type = str;
};
@@ -95,6 +108,7 @@ let
};
imp = {
+ security.acme.certs = mapAttrs (_: to-acme) (filterAttrs (_: server: server.ssl.acmeEnable) cfg.servers);
services.nginx = {
enable = true;
httpConfig = ''
@@ -117,13 +131,24 @@ let
indent = replaceChars ["\n"] ["\n "];
+ to-acme = { server-names, ssl, ... }:
+ optionalAttrs ssl.acmeEnable {
+ email = "lassulus@gmail.com";
+ webroot = "${config.security.acme.directory}/${head server-names}";
+ };
+
to-location = { name, value }: ''
location ${name} {
${indent value}
}
'';
- to-server = { server-names, listen, locations, extraConfig, ssl, ... }: ''
+ to-server = { server-names, listen, locations, extraConfig, ssl, ... }: let
+ domain = head server-names;
+ acmeLocation = optionalAttrs ssl.acmeEnable (nameValuePair "/.well-known/acme-challenge" ''
+ root ${config.security.acme.certs.${domain}.webroot};
+ '');
+ in ''
server {
server_name ${toString (unique server-names)};
${concatMapStringsSep "\n" (x: indent "listen ${x};") listen}
@@ -142,7 +167,23 @@ let
ssl_ciphers ${ssl.ciphers};
ssl_protocols ${toString ssl.protocols};
'')}
+ ${optionalString ssl.acmeEnable (indent ''
+ ${optionalString ssl.force_encryption ''
+ if ($scheme = http){
+ return 301 https://$server_name$request_uri;
+ }
+ ''}
+ listen 443 ssl;
+ ssl_certificate ${config.security.acme.directory}/${domain}/fullchain.pem;
+ ssl_certificate_key ${config.security.acme.directory}/${domain}/key.pem;
+ ${optionalString ssl.prefer_server_ciphers ''
+ ssl_prefer_server_ciphers On;
+ ''}
+ ssl_ciphers ${ssl.ciphers};
+ ssl_protocols ${toString ssl.protocols};
+ '')}
${indent extraConfig}
+ ${optionalString ssl.acmeEnable (indent (to-location acmeLocation))}
${indent (concatMapStrings to-location locations)}
}
'';