From 69ead6d8cfb05590079cfe0d6ba4ec66b59fcffb Mon Sep 17 00:00:00 2001 From: tv Date: Sun, 3 Jul 2016 21:14:07 +0200 Subject: cd nginx: enable https --- tv/1systems/cd.nix | 52 +++++++++++++++++++++++++++++++++++++++++----------- 1 file changed, 41 insertions(+), 11 deletions(-) (limited to 'tv/1systems/cd.nix') diff --git a/tv/1systems/cd.nix b/tv/1systems/cd.nix index a46edb4d..75c19008 100644 --- a/tv/1systems/cd.nix +++ b/tv/1systems/cd.nix @@ -44,20 +44,50 @@ with config.krebs.lib; "cgit.cd.viljetic.de" ]; # TODO make public_html also available to cd, cd.retiolum (AKA default) - krebs.nginx.servers.public_html = { - server-names = singleton "cd.viljetic.de"; - locations = singleton (nameValuePair "~ ^/~(.+?)(/.*)?\$" '' - alias /home/$1/public_html$2; - ''); + krebs.nginx.servers."https://viljetic.de" = { + server-names = singleton "viljetic.de"; + listen = mkForce []; # disable default + ssl = { + enable = true; + certificate = "/var/lib/acme/viljetic.de/fullchain.pem"; + certificate_key = "/var/lib/acme/viljetic.de/key.pem"; + }; + locations = [ + (nameValuePair "/" '' + root ${pkgs.viljetic-pages}; + '') + (nameValuePair "~ ^/~(.+?)(/.*)?\$" '' + alias /home/$1/public_html$2; + '') + ]; }; - krebs.nginx.servers.viljetic = { + krebs.nginx.servers."http://viljetic.de" = { server-names = singleton "viljetic.de"; - # TODO directly set root (instead via location) - locations = singleton (nameValuePair "/" '' - root ${pkgs.viljetic-pages}; - ''); + locations = [ + (nameValuePair "/.well-known/acme-challenge/" '' + root /var/lib/acme/challenges/viljetic.de/; + '') + (nameValuePair "/" '' + return 301 https://viljetic.de$request_uri; + '') + ]; + }; + security.acme = { + certs."viljetic.de" = { + email = "tomislav@viljetic.de"; + webroot = "/var/lib/acme/challenges/viljetic.de"; + plugins = [ + "account_key.json" + "key.pem" + "fullchain.pem" + ]; + user = "nginx"; + }; }; - tv.iptables.input-internet-accept-tcp = singleton "http"; + tv.iptables.input-internet-accept-tcp = [ + "http" + "https" + ]; } ]; -- cgit v1.2.3