authorlassulus <lass@aidsballs.de>2016-02-01 16:03:03 +0100
committerlassulus <lass@aidsballs.de>2016-02-01 16:03:03 +0100
commit45343b1e14a3fd2f581465d3e78adac372918a0c (patch)
tree20af6f70e849bbc36cf35f4f6e55c76467c13a59 /lass
parent7d6d0a46643f66b18aa9480df6bb88391924f262 (diff)
l 3 *_nginx: allow configuration of ssl
Diffstat (limited to 'lass')
-rw-r--r--lass/3modules/owncloud_nginx.nix29
-rw-r--r--lass/3modules/static_nginx.nix44
-rw-r--r--lass/3modules/wordpress_nginx.nix29
3 files changed, 97 insertions, 5 deletions
diff --git a/lass/3modules/owncloud_nginx.nix b/lass/3modules/owncloud_nginx.nix
index 0cb11846..79c9de1d 100644
--- a/lass/3modules/owncloud_nginx.nix
+++ b/lass/3modules/owncloud_nginx.nix
@@ -46,8 +46,22 @@ let
type = str;
};
ssl = mkOption {
- type = bool;
- default = false;
+ type = with types; submodule ({
+ options = {
+ enable = mkEnableOption "ssl";
+ certificate = mkOption {
+ type = str;
+ };
+ certificate_key = mkOption {
+ type = str;
+ };
+ ciphers = mkOption {
+ type = str;
+ default = "AES128+EECDH:AES128+EDH";
+ };
+ };
+ });
+ default = {};
};
};
}));
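Review bot: The `ciphers` option declared in this submodule is never read in the visible hunks of this commit; the generated server config emits only `ssl_certificate` and `ssl_certificate_key`, so setting `ssl.ciphers` has no effect and nginx uses its built-in cipher list. Either emit it next to the certificate lines, `ssl_ciphers ${ssl.ciphers};`, or drop the option until it is wired up; the same applies to the `ssl` submodule added in static_nginx.nix and wordpress_nginx.nix. `certificate_key` would also benefit from a `description` saying it must be a filesystem path outside the Nix store, since anything copied into the store is world-readable. Changing the type from `bool` to a submodule breaks any existing `ssl = true;` setting, which the commit message does not mention.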
@@ -58,7 +72,7 @@ let
group = config.services.nginx.group;
imp = {
- krebs.nginx.servers = flip mapAttrs cfg ( name: { domain, folder, ... }: {
+ krebs.nginx.servers = flip mapAttrs cfg ( name: { domain, folder, ssl, ... }: {
server-names = [
"${domain}"
"www.${domain}"
@@ -102,7 +116,16 @@ let
error_page 403 /core/templates/403.php;
error_page 404 /core/templates/404.php;
+ ${if ssl.enable then ''
+ ssl_certificate ${ssl.certificate};
+ ssl_certificate_key ${ssl.certificate_key};
+ '' else ""}
'';
+ listen = (if ssl.enable then
+ [ "80" "443 ssl" ]
+ else
+ "80"
+ );
});
services.phpfpm.poolConfigs = flip mapAttrs cfg (name: { domain, folder, ... }: ''
listen = ${folder}/phpfpm.pool
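Review bot: With `ssl.enable` set, the server still answers on port 80 with the same content, so ownCloud logins and session cookies can continue to travel in cleartext; nothing in the visible hunk redirects HTTP to HTTPS or sets HSTS. If the `krebs.nginx.servers` interface allows it, serve port 80 from a separate server that only does `return 301 https://$host$request_uri;`, and add `add_header Strict-Transport-Security "max-age=31536000";` inside the `ssl.enable` branch. The same `listen` block is added to wordpress_nginx.nix and static_nginx.nix. The enclosing `imp` definition starts and ends outside this hunk.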
diff --git a/lass/3modules/static_nginx.nix b/lass/3modules/static_nginx.nix
index cc2641af..fd5cfdfd 100644
--- a/lass/3modules/static_nginx.nix
+++ b/lass/3modules/static_nginx.nix
@@ -21,6 +21,35 @@ let
type = str;
default = "/srv/http/${config.domain}";
};
+ #sslEnable = mkEnableOption "ssl";
+ #certificate = mkOption {
+ # type = str;
+ #};
+ #certificate_key = mkOption {
+ # type = str;
+ #};
+ #ciphers = mkOption {
+ # type = str;
+ # default = "AES128+EECDH:AES128+EDH";
+ #};
+ ssl = mkOption {
+ type = with types; submodule ({
+ options = {
+ enable = mkEnableOption "ssl";
+ certificate = mkOption {
+ type = str;
+ };
+ certificate_key = mkOption {
+ type = str;
+ };
+ ciphers = mkOption {
+ type = str;
+ default = "AES128+EECDH:AES128+EDH";
+ };
+ };
+ });
+ default = {};
+ };
};
}));
default = {};
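Review bot: The commented-out `sslEnable`/`certificate`/`certificate_key`/`ciphers` options duplicate the `ssl` submodule that follows them and look like a leftover from an earlier draft. They should be removed before merging so that readers do not take them for a supported alternative spelling. The submodule itself has no `description` on any option; a one-line `description` on `certificate` and `certificate_key` stating that they are file paths readable by the nginx user would document the contract.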
@@ -29,8 +58,10 @@ let
user = config.services.nginx.user;
group = config.services.nginx.group;
+ external-ip = head config.krebs.build.host.nets.internet.addrs4;
+
imp = {
- krebs.nginx.servers = flip mapAttrs cfg ( name: { domain, folder, ... }: {
+ krebs.nginx.servers = flip mapAttrs cfg ( name: { domain, folder, ssl, ... }: {
server-names = [
"${domain}"
"www.${domain}"
@@ -43,6 +74,17 @@ let
deny all;
'')
];
+
+ listen = (if ssl.enable then
+ [ "80" "443 ssl" ]
+ else
+ "80"
+ );
+ extraConfig = (if ssl.enable then ''
+ ssl_certificate ${ssl.certificate};
+ ssl_certificate_key ${ssl.certificate_key};
+ '' else "");
+
});
};
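Review bot: `listen` evaluates to a list when SSL is on and to a bare string otherwise, which only works if the `krebs.nginx.servers.<name>.listen` option accepts both shapes (its declaration is not visible here). A single shape is easier to reason about, e.g. `listen = [ "80" ] ++ optional ssl.enable "443 ssl";`, assuming `lib` is in scope via `with` as the unqualified `flip`/`mapAttrs` suggest. The identical expression appears in owncloud_nginx.nix and wordpress_nginx.nix.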
diff --git a/lass/3modules/wordpress_nginx.nix b/lass/3modules/wordpress_nginx.nix
index 974aacd8..bfed9e7c 100644
--- a/lass/3modules/wordpress_nginx.nix
+++ b/lass/3modules/wordpress_nginx.nix
@@ -53,6 +53,23 @@ let
"1" = "test.testsite.de";
};
};
+ ssl = mkOption {
+ type = with types; submodule ({
+ options = {
+ enable = mkEnableOption "ssl";
+ certificate = mkOption {
+ type = str;
+ };
+ certificate_key = mkOption {
+ type = str;
+ };
+ ciphers = mkOption {
+ type = str;
+ default = "AES128+EECDH:AES128+EDH";
+ };
+ };
+ });
+ };
};
}));
default = {};
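Review bot: Unlike the `ssl` option added in owncloud_nginx.nix and static_nginx.nix, this one has no `default = {};`. Because the new `listen` expression always evaluates `ssl.enable`, a WordPress site that does not set `ssl` will likely fail evaluation with an "option used but not defined" error instead of defaulting to plain HTTP. Add `default = {};` after the `type` to match the other two modules.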
@@ -68,7 +85,7 @@ let
# }
#'';
- krebs.nginx.servers = flip mapAttrs cfg ( name: { domain, folder, multiSite, ... }: {
+ krebs.nginx.servers = flip mapAttrs cfg ( name: { domain, folder, multiSite, ssl, ... }: {
server-names = [
"${domain}"
"www.${domain}"
@@ -114,7 +131,17 @@ let
error_log /tmp/nginx_err.log;
error_page 404 /404.html;
error_page 500 502 503 504 /50x.html;
+ ${if ssl.enable then ''
+ ssl_certificate ${ssl.certificate};
+ ssl_certificate_key ${ssl.certificate_key};
+ '' else ""}
+
'';
+ listen = (if ssl.enable then
+ [ "80" "443 ssl" ]
+ else
+ "80"
+ );
});
services.phpfpm.poolConfigs = flip mapAttrs cfg (name: { domain, folder, ... }: ''
listen = ${folder}/phpfpm.pool