From 57b4a87962e273525a0e3a955ae4a13ca45c59f3 Mon Sep 17 00:00:00 2001 From: tv Date: Mon, 17 Apr 2017 16:20:05 +0200 Subject: retiolum-bootstrap: krebs.nginx -> services.nginx --- krebs/3modules/retiolum-bootstrap.nix | 56 ++++++++++++----------------------- 1 file changed, 19 insertions(+), 37 deletions(-) (limited to 'krebs/3modules') diff --git a/krebs/3modules/retiolum-bootstrap.nix b/krebs/3modules/retiolum-bootstrap.nix index 4bcd596d4..53b06a702 100644 --- a/krebs/3modules/retiolum-bootstrap.nix +++ b/krebs/3modules/retiolum-bootstrap.nix @@ -1,53 +1,38 @@ -{ config, lib, pkgs, ... }: - +{ config, pkgs, ... }: with import ; let cfg = config.krebs.retiolum-bootstrap; - - out = { - options.krebs.retiolum-bootstrap = api; - config = lib.mkIf cfg.enable imp; - }; - - api = { - enable = mkEnableOption "retiolum boot strap for tinc.krebsco.de"; - hostname = mkOption { +in +{ + options.krebs.retiolum-bootstrap = { + enable = mkEnableOption "retiolum boot strap for ${cfg.serverName}"; + serverName = mkOption { type = types.str; description = "hostname which serves tinc boot"; default = "tinc.krebsco.de" ; }; - listen = mkOption { - type = with types; listOf str; - description = ''Addresses to listen on (nginx-syntax). - ssl will be configured, http will be redirected to ssl. - Make sure to have at least 1 ssl port configured. - ''; - default = [ "80" "443 ssl" ] ; + sslCertificate = mkOption { + type = types.str; + description = "Certificate file to use for ssl"; + default = "${toString }/tinc.krebsco.de.crt" ; }; - ssl_certificate_key = mkOption { + sslCertificateKey = mkOption { type = types.str; description = "Certificate key to use for ssl"; default = "${toString }/tinc.krebsco.de.key"; }; - ssl_certificate = mkOption { - type = types.str; - description = "Certificate file to use for ssl"; - default = "${toString }/tinc.krebsco.de.crt" ; - }; # in use: # # }; - imp = { - krebs.nginx.servers = assert config.krebs.nginx.enable; { - retiolum-boot-ssl = { - server-names = singleton cfg.hostname; - listen = cfg.listen; - extraConfig = '' - ssl_certificate ${cfg.ssl_certificate}; - ssl_certificate_key ${cfg.ssl_certificate_key}; - + config = mkIf cfg.enable { + services.nginx = { + enable = mkDefault true; + virtualHosts.retiolum-bootstrap = { + inherit (cfg) serverName sslCertificate sslCertificateKey; + enableSSL = true; + extraConfig ='' if ($scheme = http){ return 301 https://$server_name$request_uri; } @@ -55,10 +40,7 @@ let root ${pkgs.retiolum-bootstrap}; try_files $uri $uri/retiolum.sh; ''; - locations = []; }; }; }; - -in -out +} -- cgit v1.2.3 From c577d6b9972203941c577d9fb5488345d5fe84b5 Mon Sep 17 00:00:00 2001 From: tv Date: Mon, 17 Apr 2017 16:22:09 +0200 Subject: krebs.nginx: RIP --- krebs/3modules/bepasty-server.nix | 2 +- krebs/3modules/buildbot/master.nix | 1 - krebs/3modules/default.nix | 1 - krebs/3modules/nginx.nix | 190 ------------------------------------- 4 files changed, 1 insertion(+), 193 deletions(-) delete mode 100644 krebs/3modules/nginx.nix (limited to 'krebs/3modules') diff --git a/krebs/3modules/bepasty-server.nix b/krebs/3modules/bepasty-server.nix index 4e035e725..0ca13366b 100644 --- a/krebs/3modules/bepasty-server.nix +++ b/krebs/3modules/bepasty-server.nix @@ -37,7 +37,7 @@ let # TODO use the correct type type = with types; attrsOf unspecified; description = '' - additional nginx configuration. see krebs.nginx for all options + Additional nginx configuration. ''; }; secretKey = mkOption { diff --git a/krebs/3modules/buildbot/master.nix b/krebs/3modules/buildbot/master.nix index b31661572..d75e6c880 100644 --- a/krebs/3modules/buildbot/master.nix +++ b/krebs/3modules/buildbot/master.nix @@ -78,7 +78,6 @@ let # stopAllBuilds = 'auth', # cancelPendingBuild = 'auth' #) - # TODO: configure krebs.nginx c['www'] = dict( port = ${toString cfg.web.port}, plugins = { 'waterfall_view':{}, 'console_view':{} } diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix index 37db5bfe7..d539d4166 100644 --- a/krebs/3modules/default.nix +++ b/krebs/3modules/default.nix @@ -26,7 +26,6 @@ let ./kapacitor.nix ./monit.nix ./newsbot-js.nix - ./nginx.nix ./nixpkgs.nix ./on-failure.nix ./os-release.nix diff --git a/krebs/3modules/nginx.nix b/krebs/3modules/nginx.nix deleted file mode 100644 index b28e97e37..000000000 --- a/krebs/3modules/nginx.nix +++ /dev/null @@ -1,190 +0,0 @@ -{ config, lib, pkgs, ... }: - -with import ; -let - cfg = config.krebs.nginx; - - out = { - options.krebs.nginx = api; - config = lib.mkIf cfg.enable imp; - }; - - api = { - enable = mkEnableOption "krebs.nginx"; - - default404 = mkOption { - type = types.bool; - default = true; - description = '' - By default all requests not directed to an explicit hostname are - replied with a 404 error to avoid accidental exposition of nginx - services. - - Set this value to `false` to disable this behavior - you will then be - able to configure a new `default_server` in the listen address entries - again. - ''; - }; - - servers = mkOption { - type = types.attrsOf (types.submodule { - options = { - server-names = mkOption { - type = with types; listOf str; - default = - [config.krebs.build.host.name] ++ - concatMap (getAttr "aliases") - (attrValues config.krebs.build.host.nets); - }; - listen = mkOption { - type = with types; either str (listOf str); - default = "80"; - apply = x: - if typeOf x != "list" - then [x] - else x; - }; - locations = mkOption { - type = with types; listOf (attrsOf str); - default = []; - }; - extraConfig = mkOption { - type = with types; string; - default = ""; - }; - ssl = mkOption { - type = with types; submodule ({ config, ... }: { - options = { - enable = mkEnableOption "ssl"; - acmeEnable = mkOption { - type = bool; - apply = x: - if x && config.enable - #conflicts because of certificate/certificate_key location - then throw "can't use ssl.enable and ssl.acmeEnable together" - else x; - default = false; - description = '' - enables automatical generation of lets-encrypt certificates and setting them as certificate - conflicts with ssl.enable - ''; - }; - certificate = mkOption { - type = str; - }; - certificate_key = mkOption { - type = str; - }; - #TODO: check for valid cipher - ciphers = mkOption { - type = str; - default = "AES128+EECDH:AES128+EDH"; - }; - prefer_server_ciphers = mkOption { - type = bool; - default = true; - }; - force_encryption = mkOption { - type = bool; - default = false; - description = '' - redirect all `http` traffic to the same domain but with ssl - protocol. - ''; - }; - protocols = mkOption { - type = listOf (enum [ "SSLv2" "SSLv3" "TLSv1" "TLSv1.1" "TLSv1.2" ]); - default = [ "TLSv1.1" "TLSv1.2" ]; - - }; - }; - }); - default = {}; - }; - }; - }); - default = {}; - }; - }; - - imp = { - security.acme.certs = mapAttrs (_: to-acme) (filterAttrs (_: server: server.ssl.acmeEnable) cfg.servers); - services.nginx = { - enable = true; - httpConfig = '' - default_type application/octet-stream; - sendfile on; - keepalive_timeout 65; - gzip on; - - ${optionalString cfg.default404 '' - server { - listen 80 default_server; - server_name _; - return 404; - }''} - - ${concatStrings (mapAttrsToList (_: to-server) cfg.servers)} - ''; - }; - }; - - to-acme = { server-names, ssl, ... }: - optionalAttrs ssl.acmeEnable { - email = "lassulus@gmail.com"; - webroot = "${config.security.acme.directory}/${head server-names}"; - }; - - to-location = { name, value }: '' - location ${name} { - ${indent value} - } - ''; - - to-server = { server-names, listen, locations, extraConfig, ssl, ... }: let - domain = head server-names; - acmeLocation = optionalAttrs ssl.acmeEnable (nameValuePair "/.well-known/acme-challenge" '' - root ${config.security.acme.certs.${domain}.webroot}; - ''); - in '' - server { - server_name ${toString (unique server-names)}; - ${concatMapStringsSep "\n" (x: indent "listen ${x};") listen} - ${optionalString ssl.enable (indent '' - ${optionalString ssl.force_encryption '' - if ($scheme = http){ - return 301 https://$server_name$request_uri; - } - ''} - listen 443 ssl; - ssl_certificate ${ssl.certificate}; - ssl_certificate_key ${ssl.certificate_key}; - ${optionalString ssl.prefer_server_ciphers '' - ssl_prefer_server_ciphers On; - ''} - ssl_ciphers ${ssl.ciphers}; - ssl_protocols ${toString ssl.protocols}; - '')} - ${optionalString ssl.acmeEnable (indent '' - ${optionalString ssl.force_encryption '' - if ($scheme = http){ - return 301 https://$server_name$request_uri; - } - ''} - listen 443 ssl; - ssl_certificate ${config.security.acme.directory}/${domain}/fullchain.pem; - ssl_certificate_key ${config.security.acme.directory}/${domain}/key.pem; - ${optionalString ssl.prefer_server_ciphers '' - ssl_prefer_server_ciphers On; - ''} - ssl_ciphers ${ssl.ciphers}; - ssl_protocols ${toString ssl.protocols}; - '')} - ${indent extraConfig} - ${optionalString ssl.acmeEnable (indent (to-location acmeLocation))} - ${indent (concatMapStrings to-location locations)} - } - ''; - -in -out -- cgit v1.2.3