Diffstat (limited to 'makefu')
-rw-r--r--makefu/1systems/wry.nix73
-rw-r--r--makefu/2configs/bepasty-dual.nix52
2 files changed, 95 insertions, 30 deletions
diff --git a/makefu/1systems/wry.nix b/makefu/1systems/wry.nix
index a7ed93c43..63b1f47f7 100644
--- a/makefu/1systems/wry.nix
+++ b/makefu/1systems/wry.nix
@@ -1,59 +1,72 @@
{ config, lib, pkgs, ... }:
+with lib;
let
- ip = (lib.head config.krebs.build.host.nets.internet.addrs4);
+ external-ip = head config.krebs.build.host.nets.internet.addrs4;
+ internal-ip = head config.krebs.build.host.nets.retiolum.addrs4;
in {
imports = [
# TODO: copy this config or move to krebs
../../tv/2configs/CAC-CentOS-7-64bit.nix
../2configs/base.nix
- ../2configs/base-sources.nix
+ ../2configs/unstable-sources.nix
../2configs/tinc-basic-retiolum.nix
+ ../2configs/bepasty-dual.nix
+
../2configs/iodined.nix
# Reaktor
../2configs/Reaktor/simpleExtend.nix
];
- krebs.Reaktor.enable = true;
+ krebs.build = {
+ user = config.krebs.users.makefu;
+ target = "root@wry";
+ host = config.krebs.hosts.wry;
+ };
- networking.firewall.allowPing = true;
- networking.interfaces.enp2s1.ip4 = [
- {
- address = ip;
- prefixLength = 24;
- }
- ];
- networking.defaultGateway = "104.233.87.1";
- networking.nameservers = [
- "8.8.8.8"
- ];
- # based on ../../tv/2configs/CAC-Developer-2.nix
- sound.enable = false;
- # prepare graphs
- nixpkgs.config.packageOverrides = pkgs: { tinc = pkgs.tinc_pre; };
+ krebs.Reaktor.enable = true;
+
+ # bepasty to listen only on the correct interfaces
+ krebs.bepasty.servers.internal.nginx.listen = [ "${internal-ip}:80" ];
+ krebs.bepasty.servers.external.nginx.listen = [ "${external-ip}:80" "${external-ip}:443 ssl" ];
+ # prepare graphs
krebs.nginx.enable = true;
krebs.retiolum-bootstrap.enable = true;
- makefu.tinc_graphs.enable = true;
- makefu.tinc_graphs.krebsNginx = {
+ nixpkgs.config.packageOverrides = pkgs: { tinc = pkgs.tinc_pre; };
+ makefu.tinc_graphs = {
enable = true;
- # TODO: remove hard-coded hostname
- hostnames_complete = [ "graphs.wry" ];
- hostnames_anonymous = [ "graphs.krebsco.de" ];
+ nginx = {
+ enable = true;
+ # TODO: remove hard-coded hostname
+ complete = {
+ listen = [ "${internal-ip}:80" ];
+ server-names = [ "graphs.wry" ];
+ };
+ anonymous = {
+ listen = [ "${external-ip}:80" ] ;
+ server-names = [ "graphs.krebsco.de" ];
+ };
+ };
};
-
- networking.firewall.allowedTCPPorts = [ 53 80 443 ];
-
- krebs.build = {
- user = config.krebs.users.makefu;
- target = "root@${ip}";
- host = config.krebs.hosts.wry;
+ networking = {
+ firewall.allowPing = true;
+ firewall.allowedTCPPorts = [ 53 80 443 ];
+ interfaces.enp2s1.ip4 = [{
+ address = external-ip;
+ prefixLength = 24;
+ }];
+ defaultGateway = "104.233.87.1";
+ nameservers = [ "8.8.8.8" ];
};
+
+ # based on ../../tv/2configs/CAC-Developer-2.nix
+ sound.enable = false;
}
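Review bot: The `# prepare graphs` comment now sits directly above `krebs.nginx.enable = true;` while the `nixpkgs.config.packageOverrides` line it originally annotated has moved below `krebs.retiolum-bootstrap.enable`, so the comment no longer describes its neighbour; move it to sit above the override line or the `makefu.tinc_graphs = {` block. The deploy target also changes from `root@${ip}` to the bare `root@wry`, which now depends on the deploying machine resolving the name `wry`; a one-line comment saying where that name is expected to resolve (hosts file, retiolum DNS) would save the next person a failed deploy. The external bepasty vhost and the anonymous tinc_graphs vhost both bind `${external-ip}:80`, which presumably works only because nginx dispatches by `server-names`; stating that intent next to the `krebs.bepasty.servers.external.nginx.listen` line would make the shared binding look deliberate rather than accidental.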
diff --git a/makefu/2configs/bepasty-dual.nix b/makefu/2configs/bepasty-dual.nix
new file mode 100644
index 000000000..fb170957a
--- /dev/null
+++ b/makefu/2configs/bepasty-dual.nix
@@ -0,0 +1,52 @@
+{ config, lib, pkgs, ... }:
+
+# 1systems should configure itself:
+# krebs.bepasty.servers.internal.nginx.listen = [ "80" ]
+# krebs.bepasty.servers.external.nginx.listen = [ "80" "443 ssl" ]
+# 80 is redirected to 443 ssl
+
+# secrets used:
+# wildcard.krebsco.de.crt
+# wildcard.krebsco.de.key
+# bepasty-secret.nix <- contains single string
+
+with lib;
+{
+
+ krebs.nginx.enable = mkDefault true;
+ krebs.bepasty = {
+ enable = true;
+ serveNginx= true;
+
+ servers = {
+ internal = {
+ nginx = {
+ server-names = [ "paste.retiolum" "paste.${config.krebs.build.host.name}" ];
+ };
+ defaultPermissions = "admin,list,create,read,delete";
+ secretKey = import <secrets/bepasty-secret.nix>;
+ };
+
+ external = {
+ nginx = {
+ server-names = [ "paste.krebsco.de" ];
+ extraConfig = ''
+ ssl_session_cache shared:SSL:1m;
+ ssl_session_timeout 10m;
+ ssl_certificate /root/secrets/wildcard.krebsco.de.crt;
+ ssl_certificate_key /root/secrets/wildcard.krebsco.de.key;
+ ssl_verify_client off;
+ proxy_ssl_session_reuse off;
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ ssl_ciphers RC4:HIGH:!aNULL:!MD5;
+ ssl_prefer_server_ciphers on;
+ if ($scheme = http){
+ return 301 https://$server_name$request_uri;
+ }'';
+ };
+ defaultPermissions = "read";
+ secretKey = import <secrets/bepasty-secret.nix>;
+ };
+ };
+ };
+}
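Review bot: In the external server's `extraConfig`, `ssl_ciphers RC4:HIGH:!aNULL:!MD5;` lists RC4 first and, combined with `ssl_prefer_server_ciphers on;`, makes it the suite most clients will end up negotiating; RC4 is prohibited for TLS by RFC 7465, and `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` keeps the deprecated 1.0/1.1 versions enabled. Suggest `ssl_ciphers HIGH:!aNULL:!MD5:!RC4;` and `ssl_protocols TLSv1.2;`, re-adding an older protocol only if a specific client is known to need it. Separately, both `internal` and `external` import the same `<secrets/bepasty-secret.nix>`, so the admin-permission instance and the public read-only instance share one secret; if the bepasty module uses that key for anything a client can present (session or token signing), a separate secret per server would contain a compromise of the public side — worth confirming against the module before merging.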