From 1c931a1f45d0c1fa6f0a1f9010f1430eb416e167 Mon Sep 17 00:00:00 2001 From: makefu Date: Mon, 18 Jul 2016 12:20:18 +0200 Subject: m 2 default: rev -> ref --- makefu/2configs/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/makefu/2configs/default.nix b/makefu/2configs/default.nix index f3bf0c46e..4562a123f 100644 --- a/makefu/2configs/default.nix +++ b/makefu/2configs/default.nix @@ -25,7 +25,7 @@ with config.krebs.lib; source = let inherit (config.krebs.build) host user; in { nixpkgs.git = { url = https://github.com/nixos/nixpkgs; - rev = "0546a4a"; # stable @ 2016-06-11 + ref = "0546a4a"; # stable @ 2016-06-11 }; secrets.file = if getEnv "dummy_secrets" == "true" -- cgit v1.2.3 From 01ee8749acb258431eee769e3993fa12bf716e24 Mon Sep 17 00:00:00 2001 From: makefu Date: Mon, 18 Jul 2016 15:13:22 +0200 Subject: k 3 retiolum-bootstrap: use secrets path as default, not /root/secrets --- krebs/3modules/retiolum-bootstrap.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/krebs/3modules/retiolum-bootstrap.nix b/krebs/3modules/retiolum-bootstrap.nix index 40382d098..9d393c90b 100644 --- a/krebs/3modules/retiolum-bootstrap.nix +++ b/krebs/3modules/retiolum-bootstrap.nix @@ -27,12 +27,12 @@ let ssl_certificate_key = mkOption { type = types.str; description = "Certificate key to use for ssl"; - default = "/root/secrets/tinc.krebsco.de.key"; + default = "${toString }/tinc.krebsco.de.key"; }; ssl_certificate = mkOption { type = types.str; description = "Certificate file to use for ssl"; - default = "/root/secrets/tinc.krebsco.de.crt" ; + default = "${toString }/tinc.krebsco.de.crt" ; }; # in use: # -- cgit v1.2.3 From 34e628453dda4e7aec9f715703eb6c21b05a8a82 Mon Sep 17 00:00:00 2001 From: makefu Date: Mon, 18 Jul 2016 15:34:46 +0200 Subject: k 2 bepasty-dual: use krebs.nginx.ssl + acme --- makefu/2configs/bepasty-dual.nix | 33 ++++++++++++++++++++++++++------- 1 file changed, 26 insertions(+), 7 deletions(-) diff --git a/makefu/2configs/bepasty-dual.nix b/makefu/2configs/bepasty-dual.nix index 5682f5eb6..f675c4ac8 100644 --- a/makefu/2configs/bepasty-dual.nix +++ b/makefu/2configs/bepasty-dual.nix @@ -15,6 +15,9 @@ let sec = toString ; # secKey is nothing worth protecting on a local machine secKey = import ; + acmepath = "/var/lib/acme/"; + acmechall = acmepath + "/challenges/"; + ext-dom = "paste.krebsco.de" ; in { krebs.nginx.enable = mkDefault true; @@ -25,7 +28,7 @@ in { servers = { internal = { nginx = { - server-names = [ "paste.retiolum" "paste.${config.krebs.build.host.name}" ]; + server-names = [ "paste.retiolum" "paste.r" "paste.${config.krebs.build.host.name}" ]; }; defaultPermissions = "admin,list,create,read,delete"; secretKey = secKey; @@ -33,17 +36,25 @@ in { external = { nginx = { - server-names = [ "paste.krebsco.de" ]; + server-names = [ ext-dom ]; + ssl = { + enable = true; + certificate = "${acmepath}/${ext-dom}/fullchain.pem"; + certificate_key = "${acmepath}/${ext-dom}/key.pem"; + # these certs will be needed if acme has not yet created certificates: + #certificate = "${sec}/wildcard.krebsco.de.crt"; + #certificate_key = "${sec}/wildcard.krebsco.de.key"; + ciphers = "RC4:HIGH:!aNULL:!MD5" ; + }; + locations = singleton ( nameValuePair "/.well-known/acme-challenge" '' + root ${acmechall}/${ext-dom}/; + ''); extraConfig = '' ssl_session_cache shared:SSL:1m; ssl_session_timeout 10m; - ssl_certificate ${sec}/wildcard.krebsco.de.crt; - ssl_certificate_key ${sec}/wildcard.krebsco.de.key; ssl_verify_client off; proxy_ssl_session_reuse off; - ssl_protocols TLSv1 TLSv1.1 TLSv1.2; - ssl_ciphers RC4:HIGH:!aNULL:!MD5; - ssl_prefer_server_ciphers on; + if ($scheme = http){ return 301 https://$server_name$request_uri; }''; @@ -53,4 +64,12 @@ in { }; }; }; + security.acme.certs."${ext-dom}" = { + email = "acme@syntax-fehler.de"; + webroot = "${acmechall}/${ext-dom}/"; + group = "nginx"; + allowKeysForGroup = true; + postRun = "systemctl reload nginx.service"; + extraDomains."${ext-dom}" = null ; + }; } -- cgit v1.2.3