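{ config, lib, pkgs, ... }:
# Bepasty paste service with two nginx virtual hosts: an internal one
# (full permissions, plain HTTP) and an external one (read-only, TLS).
#
# 1systems should configure itself:
#   krebs.bepasty.servers.internal.nginx.listen = [ "80" ]
#   krebs.bepasty.servers.external.nginx.listen = [ "80" "443 ssl" ]
# 80 is redirected to 443 ssl
#
# secrets used:
#   wildcard.krebsco.de.crt
#   wildcard.krebsco.de.key
#   bepasty-secret.nix <- contains single string
with lib;
let
  # Directory holding the secret files referenced from the nginx config below.
  sec = toString <secrets>;

  # secKey is nothing worth protecting on a local machine.
  # Note that the same key is also handed to the *external* (public) server
  # below, so its value is not confined to the local machine in practice.
  secKey = import <secrets/bepasty-secret.nix>;
in {
  # mkDefault so a host can still override the nginx toggle elsewhere.
  krebs.nginx.enable = mkDefault true;

  krebs.bepasty = {
    enable = true;
    serveNginx = true;

    servers = {
      # Reachable only over retiolum / the host's own name; no TLS here.
      internal = {
        nginx = {
          server-names = [
            "paste.retiolum"
            "paste.${config.krebs.build.host.name}"
          ];
        };
        defaultPermissions = "admin,list,create,read,delete";
        secretKey = secKey;
      };

      # Public endpoint: anonymous clients only get "read".
      external = {
        nginx = {
          server-names = [ "paste.krebsco.de" ];
          extraConfig = ''
            ssl_session_cache shared:SSL:1m;
            ssl_session_timeout 10m;

            ssl_certificate ${sec}/wildcard.krebsco.de.crt;
            ssl_certificate_key ${sec}/wildcard.krebsco.de.key;
            ssl_verify_client off;

            proxy_ssl_session_reuse off;

            # TLS 1.0/1.1 are deprecated (RFC 8996) and RC4 is prohibited
            # in TLS (RFC 7465); the original list offered both, so they are
            # dropped here. TLSv1.3 is intentionally not listed because the
            # nginx/OpenSSL versions in use are not visible from this file.
            ssl_protocols TLSv1.2;
            ssl_ciphers HIGH:!aNULL:!MD5:!RC4;
            ssl_prefer_server_ciphers on;

            # Plain-HTTP requests on port 80 are redirected to the TLS host.
            if ($scheme = http){
              return 301 https://$server_name$request_uri;
            }'';
        };
        defaultPermissions = "read";
        secretKey = secKey;
      };
    };
  };
}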