Diffstat (limited to 'krebs')
-rw-r--r-- | krebs/3modules/nginx.nix | 45 | ||||
-rw-r--r-- | krebs/5pkgs/buildbot/default.nix | 3 | ||||
-rw-r--r-- | krebs/5pkgs/buildbot/irc_messages.patch | 40 |
3 files changed, 86 insertions, 2 deletions
diff --git a/krebs/3modules/nginx.nix b/krebs/3modules/nginx.nix
index 1577c5b64..933c2e513 100644
--- a/krebs/3modules/nginx.nix
+++ b/krebs/3modules/nginx.nix
@@ -53,9 +53,22 @@ let
 default = "";
 };
 ssl = mkOption {
- type = with types; submodule ({
+ type = with types; submodule ({ config, ... }: {
 options = {
 enable = mkEnableOption "ssl";
+ acmeEnable = mkOption {
+ type = bool;
+ apply = x:
+ if x && config.enable
+ #conflicts because of certificate/certificate_key location
+ then throw "can't use ssl.enable and ssl.acmeEnable together"
+ else x;
+ default = false;
+ description = ''
+ enables automatical generation of lets-encrypt certificates and setting them as certificate
+ conflicts with ssl.enable
+ '';
+ };
 certificate = mkOption {
 type = str;
 };
@@ -95,6 +108,7 @@ let
 };
 imp = {
+ security.acme.certs = mapAttrs (_: to-acme) (filterAttrs (_: server: server.ssl.acmeEnable) cfg.servers);
 services.nginx = {
 enable = true;
 httpConfig = ''
@@ -117,13 +131,24 @@ let
 indent = replaceChars ["\n"] ["\n "];
+ to-acme = { server-names, ssl, ... }:
+ optionalAttrs ssl.acmeEnable {
+ email = "lassulus@gmail.com";
+ webroot = "${config.security.acme.directory}/${head server-names}";
+ };
+
 to-location = { name, value }: ''
 location ${name} {
 ${indent value}
 }
 '';
- to-server = { server-names, listen, locations, extraConfig, ssl, ... }: ''
+ to-server = { server-names, listen, locations, extraConfig, ssl, ... }: let
+ domain = head server-names;
+ acmeLocation = optionalAttrs ssl.acmeEnable (nameValuePair "/.well-known/acme-challenge" ''
+ root ${config.security.acme.certs.${domain}.webroot};
+ '');
+ in ''
 server {
 server_name ${toString (unique server-names)};
 ${concatMapStringsSep "\n" (x: indent "listen ${x};") listen}
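Review bot: The mutual-exclusion check for `acmeEnable` is implemented as a `throw` inside `apply`, so it only fires when some consumer actually reads `ssl.acmeEnable`, and the message names neither the server nor the option path, which makes the failure hard to trace in a multi-server config. The module idiom for this is an entry in `assertions` with a message that includes the server name, e.g. `assertions = mapAttrsToList (name: server: { assertion = !(server.ssl.enable && server.ssl.acmeEnable); message = "nginx server ${name}: ssl.enable and ssl.acmeEnable are mutually exclusive"; }) cfg.servers;` in the `imp` set. The description also has a typo and reads awkwardly; `description = "Obtain a Let's Encrypt certificate via security.acme and use it for this server. Mutually exclusive with ssl.enable.";` says the same thing. The submodule definition continues outside this hunk.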
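Review bot: `security.acme.certs` is keyed by the attribute name of each entry in `cfg.servers` (this is what `mapAttrs` preserves), but the third hunk's `acmeLocation` reads `config.security.acme.certs.${domain}` with `domain = head server-names`, and the next hunk builds `ssl_certificate` from `${config.security.acme.directory}/${domain}/...`. Unless every server's attribute name happens to equal its first `server-names` entry, evaluation fails with a missing attribute, or nginx is pointed at a certificate directory that `security.acme` never populates. The same key should be used on both sides, e.g. `security.acme.certs = mapAttrs' (_: server: nameValuePair (head server.server-names) (to-acme server)) (filterAttrs (_: server: server.ssl.acmeEnable) cfg.servers);`. Whether `security.acme` also derives the certificate's `domain` from the attribute name cannot be seen here and is worth confirming, since a cert keyed by an internal name would otherwise be requested for the wrong hostname.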
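Review bot: `to-acme` hard-codes a personal contact address, `email = "lassulus@gmail.com";`, into a module that is shared across hosts, so every deployment using `acmeEnable` registers ACME accounts and receives expiry notices under that address. This belongs in an option; a per-server `ssl.acmeEmail` (or a module-level default) read as `email = ssl.acmeEmail;` keeps the module reusable and makes the account ownership explicit. `head server-names` aborts evaluation on an empty list — whether `server-names` is constrained to be non-empty is defined outside this hunk and should be checked. The enclosing `let` block starts and ends outside the hunk.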
@@ -142,7 +167,23 @@ let
 ssl_ciphers ${ssl.ciphers};
 ssl_protocols ${toString ssl.protocols};
 '')}
+ ${optionalString ssl.acmeEnable (indent ''
+ ${optionalString ssl.force_encryption ''
+ if ($scheme = http){
+ return 301 https://$server_name$request_uri;
+ }
+ ''}
+ listen 443 ssl;
+ ssl_certificate ${config.security.acme.directory}/${domain}/fullchain.pem;
+ ssl_certificate_key ${config.security.acme.directory}/${domain}/key.pem;
+ ${optionalString ssl.prefer_server_ciphers ''
+ ssl_prefer_server_ciphers On;
+ ''}
+ ssl_ciphers ${ssl.ciphers};
+ ssl_protocols ${toString ssl.protocols};
+ '')}
 ${indent extraConfig}
+ ${optionalString ssl.acmeEnable (indent (to-location acmeLocation))}
 ${indent (concatMapStrings to-location locations)}
 }
 '';
diff --git a/krebs/5pkgs/buildbot/default.nix b/krebs/5pkgs/buildbot/default.nix
index a0e6bb6a5..2e14b6b63 100644
--- a/krebs/5pkgs/buildbot/default.nix
+++ b/krebs/5pkgs/buildbot/default.nix
@@ -55,6 +55,9 @@ pythonPackages.buildPythonApplication (rec {
 ] ++ plugins;
+ patchPhase = ''
+ patch -p1 < ${./irc_messages.patch}
+ '';
 preInstall = ''
 # writes out a file that can't be read properly
 sed -i.bak -e '69,84d' buildbot/test/unit/test_www_config.py
diff --git a/krebs/5pkgs/buildbot/irc_messages.patch b/krebs/5pkgs/buildbot/irc_messages.patch
new file mode 100644
index 000000000..ab8597dbd
--- /dev/null
+++ b/krebs/5pkgs/buildbot/irc_messages.patch
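Review bot: With `force_encryption` the new `if ($scheme = http) { return 301 ... }` sits at server level, where nginx evaluates it in the server rewrite phase before any `location` is matched, so the `/.well-known/acme-challenge` location appended further down never sees a plain-HTTP request — HTTP-01 validation then only succeeds if the CA follows the redirect to an https endpoint, which on first issuance has no certificate yet (and if nginx refuses to start without the referenced `fullchain.pem`, not even that; how `security.acme` bootstraps the first certificate is not visible here and should be confirmed). Moving the redirect into the catch-all location, `location / { return 301 https://$server_name$request_uri; }`, while keeping the challenge location unredirected avoids this. The added `listen 443 ssl;` / `ssl_*` stanza is also a near-verbatim copy of the existing `ssl.enable` stanza whose tail (`ssl_ciphers`, `ssl_protocols`) is the context above; a shared snippet taking the certificate and key paths as arguments would keep the two from drifting. The `to-server` body starts outside this hunk.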
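Review bot: Defining `patchPhase` replaces the stdenv default phase rather than adding to it, so any `patches` attribute on this derivation (or set later via an override) is silently ignored, and the `patch -p1 <` invocation loses the standard `patchFlags` handling. The idiomatic form is the single line `patches = [ ./irc_messages.patch ];` in place of the three added lines, which gives the same result through the generic patch phase. The `rec { ... }` attribute set continues outside this hunk.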
@@ -0,0 +1,40 @@
+diff --git a/buildbot/reporters/words.py b/master/buildbot/reporters/words.py
+index a65147b..bf44118 100644
+--- a/buildbot/reporters/words.py
++++ b/buildbot/reporters/words.py
+@@ -550,14 +550,15 @@ class Contact(service.AsyncService):
+ 
+ if self.useRevisions:
+ revisions = yield self.getRevisionsForBuild(build)
+- r = "Hey! build %s containing revision(s) [%s] is complete: %s" % \
++ r = "Build %s containing revision(s) [%s] is complete: %s" % \
+ (builderName, ','.join(revisions), results[0])
+ else:
+- r = "Hey! build %s #%d is complete: %s" % \
++ r = "Build %s #%d is complete: %s" % \
+ (builderName, buildNumber, results[0])
+ 
+ r += ' [%s]' % maybeColorize(build['state_string'],
+ results[1], self.useColors)
++ r += " - %s" % self.master.status.getURLForBuild(builder['builderid'],buildNumber)
+ self.send(r)
+ 
+ # FIXME: where do we get the list of changes for a build ?
+@@ -622,14 +623,15 @@ class Contact(service.AsyncService):
+ results = self.getResultsDescriptionAndColor(build['results'])
+ if self.useRevisions:
+ revisions = yield self.getRevisionsForBuild(build)
+- r = "Hey! build %s containing revision(s) [%s] is complete: %s" % \
++ r = "Build %s containing revision(s) [%s] is complete: %s" % \
+ (builder_name, ','.join(revisions), results[0])
+ else:
+- r = "Hey! build %s #%d is complete: %s" % \
++ r = "Build %s #%d is complete: %s" % \
+ (builder_name, buildnum, results[0])
+ 
+ r += ' [%s]' % maybeColorize(build['state_string'],
+ results[1], self.useColors)
++ r += " - %s" % self.master.status.getURLForBuild(builder['builderid'],buildNumber)
+ self.send(r)
+ 
+ # FIXME: where do we get the base_url? Then do we use the build Link to |
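Review bot: The second added line in the inner `@@ -622` hunk references `buildNumber`, but in that method the local is `buildnum` (see the unchanged `(builder_name, buildnum, results[0])` two lines above), so the new `r += " - %s" % self.master.status.getURLForBuild(builder['builderid'],buildNumber)` raises `NameError` the first time a build completes and the message is never sent; it should read `r += " - %s" % self.master.status.getURLForBuild(builder['builderid'], buildnum)`. Neither hunk shows where `builder` is bound, so whether `builder['builderid']` is available in both methods, and whether the packaged buildbot still exposes `self.master.status`, cannot be verified from this patch and should be checked against the pinned source. The inner header's b-path `b/master/buildbot/reporters/words.py` does not match the `+++ b/buildbot/reporters/words.py` line; `patch -p1` takes the name from the `+++` line, so it applies, but the stray `master/` prefix is worth cleaning up. Both patched methods start and end outside the quoted hunks.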