diff options
Diffstat (limited to 'makefu')
-rw-r--r-- | makefu/1systems/wry.nix | 73 | ||||
-rw-r--r-- | makefu/2configs/bepasty-dual.nix | 52 |
2 files changed, 95 insertions, 30 deletions
diff --git a/makefu/1systems/wry.nix b/makefu/1systems/wry.nix index a7ed93c43..63b1f47f7 100644 --- a/makefu/1systems/wry.nix +++ b/makefu/1systems/wry.nix @@ -1,59 +1,72 @@ { config, lib, pkgs, ... }: +with lib; let - ip = (lib.head config.krebs.build.host.nets.internet.addrs4); + external-ip = head config.krebs.build.host.nets.internet.addrs4; + internal-ip = head config.krebs.build.host.nets.retiolum.addrs4; in { imports = [ # TODO: copy this config or move to krebs ../../tv/2configs/CAC-CentOS-7-64bit.nix ../2configs/base.nix - ../2configs/base-sources.nix + ../2configs/unstable-sources.nix ../2configs/tinc-basic-retiolum.nix + ../2configs/bepasty-dual.nix + ../2configs/iodined.nix # Reaktor ../2configs/Reaktor/simpleExtend.nix ]; - krebs.Reaktor.enable = true; + krebs.build = { + user = config.krebs.users.makefu; + target = "root@wry"; + host = config.krebs.hosts.wry; + }; - networking.firewall.allowPing = true; - networking.interfaces.enp2s1.ip4 = [ - { - address = ip; - prefixLength = 24; - } - ]; - networking.defaultGateway = "104.233.87.1"; - networking.nameservers = [ - "8.8.8.8" - ]; - # based on ../../tv/2configs/CAC-Developer-2.nix - sound.enable = false; - # prepare graphs - nixpkgs.config.packageOverrides = pkgs: { tinc = pkgs.tinc_pre; }; + krebs.Reaktor.enable = true; + + # bepasty to listen only on the correct interfaces + krebs.bepasty.servers.internal.nginx.listen = [ "${internal-ip}:80" ]; + krebs.bepasty.servers.external.nginx.listen = [ "${external-ip}:80" "${external-ip}:443 ssl" ]; + # prepare graphs krebs.nginx.enable = true; krebs.retiolum-bootstrap.enable = true; - makefu.tinc_graphs.enable = true; - makefu.tinc_graphs.krebsNginx = { + nixpkgs.config.packageOverrides = pkgs: { tinc = pkgs.tinc_pre; }; + makefu.tinc_graphs = { enable = true; - # TODO: remove hard-coded hostname - hostnames_complete = [ "graphs.wry" ]; - hostnames_anonymous = [ "graphs.krebsco.de" ]; + nginx = { + enable = true; + # TODO: remove hard-coded hostname + complete = { + listen = [ "${internal-ip}:80" ]; + server-names = [ "graphs.wry" ]; + }; + anonymous = { + listen = [ "${external-ip}:80" ] ; + server-names = [ "graphs.krebsco.de" ]; + }; + }; }; - - networking.firewall.allowedTCPPorts = [ 53 80 443 ]; - - krebs.build = { - user = config.krebs.users.makefu; - target = "root@${ip}"; - host = config.krebs.hosts.wry; + networking = { + firewall.allowPing = true; + firewall.allowedTCPPorts = [ 53 80 443 ]; + interfaces.enp2s1.ip4 = [{ + address = external-ip; + prefixLength = 24; + }]; + defaultGateway = "104.233.87.1"; + nameservers = [ "8.8.8.8" ]; }; + + # based on ../../tv/2configs/CAC-Developer-2.nix + sound.enable = false; } diff --git a/makefu/2configs/bepasty-dual.nix b/makefu/2configs/bepasty-dual.nix new file mode 100644 index 000000000..fb170957a --- /dev/null +++ b/makefu/2configs/bepasty-dual.nix @@ -0,0 +1,52 @@ +{ config, lib, pkgs, ... }: + +# 1systems should configure itself: +# krebs.bepasty.servers.internal.nginx.listen = [ "80" ] +# krebs.bepasty.servers.external.nginx.listen = [ "80" "443 ssl" ] +# 80 is redirected to 443 ssl + +# secrets used: +# wildcard.krebsco.de.crt +# wildcard.krebsco.de.key +# bepasty-secret.nix <- contains single string + +with lib; +{ + + krebs.nginx.enable = mkDefault true; + krebs.bepasty = { + enable = true; + serveNginx= true; + + servers = { + internal = { + nginx = { + server-names = [ "paste.retiolum" "paste.${config.krebs.build.host.name}" ]; + }; + defaultPermissions = "admin,list,create,read,delete"; + secretKey = import <secrets/bepasty-secret.nix>; + }; + + external = { + nginx = { + server-names = [ "paste.krebsco.de" ]; + extraConfig = '' + ssl_session_cache shared:SSL:1m; + ssl_session_timeout 10m; + ssl_certificate /root/secrets/wildcard.krebsco.de.crt; + ssl_certificate_key /root/secrets/wildcard.krebsco.de.key; + ssl_verify_client off; + proxy_ssl_session_reuse off; + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + ssl_ciphers RC4:HIGH:!aNULL:!MD5; + ssl_prefer_server_ciphers on; + if ($scheme = http){ + return 301 https://$server_name$request_uri; + }''; + }; + defaultPermissions = "read"; + secretKey = import <secrets/bepasty-secret.nix>; + }; + }; + }; +} |