makefu/2configs/bepasty-dual.nix


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55

{ config, lib, pkgs, ... }:

# 1systems should configure itself:
#   krebs.bepasty.servers.internal.nginx.listen  = [ "80" ]
#   krebs.bepasty.servers.external.nginx.listen  = [ "80" "443 ssl" ]
#     80 is redirected to 443 ssl

# secrets used:
#   wildcard.krebsco.de.crt
#   wildcard.krebsco.de.key
#   bepasty-secret.nix     <- contains single string

with import <stockholm/lib>;
let
  sec = toString <secrets>;
  # secKey is nothing worth protecting on a local machine
  secKey = "${secrets}/bepasty-secret";
  acmepath = "/var/lib/acme/";
  acmechall = acmepath + "/challenges/";
  ext-dom = "paste.krebsco.de" ;
in {

  services.nginx.enable = mkDefault true;
  krebs.bepasty = {
    enable = true;
    serveNginx= true;

    servers = {
      "paste.r" = {
        nginx = {
          serverAliases = [
            "paste.${config.krebs.build.host.name}"
            "paste.r"
          ];
          extraConfig = ''
            if ( $server_addr = "${external-ip}" ) {
              return 403;
            }
          '';
        };
        defaultPermissions = "admin,list,create,read,delete";
        secretKeyFile = secKey;
      };

      "${ext-dom}" = {
        nginx = {
          forceSSL = true;
          enableACME = true;
        };
        defaultPermissions = "read";
        secretKeyFile = secKey;
      };
    };
  };
}