krebs.nginx: RIP

4 files changed, 1 insertions, 193 deletions

diff --git a/krebs/3modules/bepasty-server.nix b/krebs/3modules/bepasty-server.nix
index 4e035e72..0ca13366 100644
--- a/krebs/3modules/bepasty-server.nix
+++ b/krebs/3modules/bepasty-server.nix
@@ -37,7 +37,7 @@ let
           # TODO use the correct type
           type = with types; attrsOf unspecified;
           description = ''
-            additional nginx configuration. see krebs.nginx for all options
+            Additional nginx configuration.
           '';
         };
         secretKey = mkOption {
diff --git a/krebs/3modules/buildbot/master.nix b/krebs/3modules/buildbot/master.nix
index b3166157..d75e6c88 100644
--- a/krebs/3modules/buildbot/master.nix
+++ b/krebs/3modules/buildbot/master.nix
@@ -78,7 +78,6 @@ let
       #    stopAllBuilds = 'auth',
       #    cancelPendingBuild = 'auth'
       #)
-      # TODO: configure krebs.nginx
       c['www'] = dict(
         port = ${toString cfg.web.port},
         plugins = { 'waterfall_view':{}, 'console_view':{} }
diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix
index a46b8af1..605ed28b 100644
--- a/krebs/3modules/default.nix
+++ b/krebs/3modules/default.nix
@@ -25,7 +25,6 @@ let
       ./kapacitor.nix
       ./monit.nix
       ./newsbot-js.nix
-      ./nginx.nix
       ./nixpkgs.nix
       ./on-failure.nix
       ./os-release.nix
diff --git a/krebs/3modules/nginx.nix b/krebs/3modules/nginx.nix
deleted file mode 100644
index b28e97e3..00000000
--- a/krebs/3modules/nginx.nix
+++ /dev/null
@@ -1,190 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-with import <stockholm/lib>;
-let
-  cfg = config.krebs.nginx;
-
-  out = {
-    options.krebs.nginx = api;
-    config = lib.mkIf cfg.enable imp;
-  };
-
-  api = {
-    enable = mkEnableOption "krebs.nginx";
-
-    default404 = mkOption {
-      type = types.bool;
-      default = true;
-      description = ''
-        By default all requests not directed to an explicit hostname are
-        replied with a 404 error to avoid accidental exposition of nginx
-        services.
-
-        Set this value to `false` to disable this behavior - you will then be
-        able to configure a new `default_server` in the listen address entries
-        again.
-      '';
-    };
-
-    servers = mkOption {
-      type = types.attrsOf (types.submodule {
-        options = {
-          server-names = mkOption {
-            type = with types; listOf str;
-            default =
-              [config.krebs.build.host.name] ++
-              concatMap (getAttr "aliases")
-                        (attrValues config.krebs.build.host.nets);
-          };
-          listen = mkOption {
-            type = with types; either str (listOf str);
-            default = "80";
-            apply = x:
-              if typeOf x != "list"
-                then [x]
-                else x;
-          };
-          locations = mkOption {
-            type = with types; listOf (attrsOf str);
-            default = [];
-          };
-          extraConfig = mkOption {
-            type = with types; string;
-            default = "";
-          };
-          ssl = mkOption {
-            type = with types; submodule ({ config, ... }: {
-              options = {
-                enable = mkEnableOption "ssl";
-                acmeEnable = mkOption {
-                  type = bool;
-                  apply = x:
-                    if x && config.enable
-                      #conflicts because of certificate/certificate_key location
-                      then throw "can't use ssl.enable and ssl.acmeEnable together"
-                      else x;
-                  default = false;
-                  description = ''
-                    enables automatical generation of lets-encrypt certificates and setting them as certificate
-                    conflicts with ssl.enable
-                  '';
-                };
-                certificate = mkOption {
-                  type = str;
-                };
-                certificate_key = mkOption {
-                  type = str;
-                };
-                #TODO: check for valid cipher
-                ciphers = mkOption {
-                  type = str;
-                  default = "AES128+EECDH:AES128+EDH";
-                };
-                prefer_server_ciphers = mkOption {
-                  type = bool;
-                  default = true;
-                };
-                force_encryption = mkOption {
-                  type = bool;
-                  default = false;
-                  description = ''
-                    redirect all `http` traffic to the same domain but with ssl
-                    protocol.
-                  '';
-                };
-                protocols = mkOption {
-                  type = listOf (enum [ "SSLv2" "SSLv3" "TLSv1" "TLSv1.1" "TLSv1.2" ]);
-                  default = [ "TLSv1.1" "TLSv1.2" ];
-
-                };
-              };
-            });
-            default = {};
-          };
-        };
-      });
-      default = {};
-    };
-  };
-
-  imp = {
-    security.acme.certs = mapAttrs (_: to-acme) (filterAttrs (_: server: server.ssl.acmeEnable) cfg.servers);
-    services.nginx = {
-      enable = true;
-      httpConfig = ''
-        default_type      application/octet-stream;
-        sendfile          on;
-        keepalive_timeout 65;
-        gzip              on;
-
-        ${optionalString cfg.default404 ''
-          server {
-            listen 80 default_server;
-            server_name _;
-            return 404;
-          }''}
-
-        ${concatStrings (mapAttrsToList (_: to-server) cfg.servers)}
-      '';
-    };
-  };
-
-  to-acme = { server-names, ssl, ... }:
-    optionalAttrs ssl.acmeEnable {
-      email = "lassulus@gmail.com";
-      webroot = "${config.security.acme.directory}/${head server-names}";
-    };
-
-  to-location = { name, value }: ''
-    location ${name} {
-      ${indent value}
-    }
-  '';
-
-  to-server = { server-names, listen, locations, extraConfig, ssl, ... }: let
-    domain = head server-names;
-    acmeLocation = optionalAttrs ssl.acmeEnable (nameValuePair "/.well-known/acme-challenge" ''
-      root ${config.security.acme.certs.${domain}.webroot};
-    '');
-  in ''
-    server {
-      server_name ${toString (unique server-names)};
-      ${concatMapStringsSep "\n" (x: indent "listen ${x};") listen}
-      ${optionalString ssl.enable (indent ''
-        ${optionalString ssl.force_encryption ''
-          if ($scheme = http){
-            return 301 https://$server_name$request_uri;
-          }
-        ''}
-        listen 443 ssl;
-        ssl_certificate ${ssl.certificate};
-        ssl_certificate_key ${ssl.certificate_key};
-        ${optionalString ssl.prefer_server_ciphers ''
-          ssl_prefer_server_ciphers On;
-        ''}
-        ssl_ciphers ${ssl.ciphers};
-        ssl_protocols ${toString ssl.protocols};
-      '')}
-      ${optionalString ssl.acmeEnable (indent ''
-        ${optionalString ssl.force_encryption ''
-          if ($scheme = http){
-            return 301 https://$server_name$request_uri;
-          }
-        ''}
-        listen 443 ssl;
-        ssl_certificate ${config.security.acme.directory}/${domain}/fullchain.pem;
-        ssl_certificate_key ${config.security.acme.directory}/${domain}/key.pem;
-        ${optionalString ssl.prefer_server_ciphers ''
-          ssl_prefer_server_ciphers On;
-        ''}
-        ssl_ciphers ${ssl.ciphers};
-        ssl_protocols ${toString ssl.protocols};
-      '')}
-      ${indent extraConfig}
-      ${optionalString ssl.acmeEnable (indent (to-location acmeLocation))}
-      ${indent (concatMapStrings to-location locations)}
-    }
-  '';
-
-in
-out