author | tv <tv@shackspace.de> | 2015-10-22 20:14:01 +0200 |
committer | tv <tv@shackspace.de> | 2015-10-22 20:14:01 +0200 |
commit | 128e5feae9829ec1c60d16f3d44382435ff1ef86 (patch) | |
tree | f98601e8408a8f949022d86610828afef6836e0f /krebs/3modules/retiolum-bootstrap.nix | |
parent | 9ba8fc142cb14aa3768cb99bf9170f7875beafd1 (diff) | |
parent | f092e6acb4500569eccee7aed65b521adb3b07b6 (diff) |
Merge remote-tracking branch 'pnp/master'
Diffstat (limited to 'krebs/3modules/retiolum-bootstrap.nix')
-rw-r--r-- | krebs/3modules/retiolum-bootstrap.nix | 64 |
1 files changed, 64 insertions, 0 deletions
diff --git a/krebs/3modules/retiolum-bootstrap.nix b/krebs/3modules/retiolum-bootstrap.nix
new file mode 100644
index 000000000..65bb51193
--- /dev/null
+++ b/krebs/3modules/retiolum-bootstrap.nix
@@ -0,0 +1,64 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+let
+ cfg = config.krebs.retiolum-bootstrap;
+
+ out = {
+ options.krebs.retiolum-bootstrap = api;
+ config = mkIf cfg.enable imp ;
+ };
+
+ api = {
+ enable = mkEnableOption "retiolum boot strap for tinc.krebsco.de";
+ hostname = mkOption {
+ type = types.str;
+ description = "hostname which serves tinc boot";
+ default = "tinc.krebsco.de" ;
+ };
+ listen = mkOption {
+ type = with types; listOf str;
+ description = ''Addresses to listen on (nginx-syntax).
+ ssl will be configured, http will be redirected to ssl.
+ Make sure to have at least 1 ssl port configured.
+ '';
+ default = [ "80" "443 ssl" ] ;
+ };
+ ssl_certificate_key = mkOption {
+ type = types.str;
+ description = "Certificate key to use for ssl";
+ default = "/root/secrets/tinc.krebsco.de.key";
+ };
+ ssl_certificate = mkOption {
+ type = types.str;
+ description = "Certificate file to use for ssl";
+ default = "/root/secrets/tinc.krebsco.de.crt" ;
+ };
+ # in use:
+ # <secrets/tinc.krebsco.de.crt>
+ # <secrets/tinc.krebsco.de.key>
+ };
+
+ imp = {
+ krebs.nginx.servers = assert config.krebs.nginx.enable; {
+ retiolum-boot-ssl = {
+ server-names = singleton cfg.hostname;
+ listen = cfg.listen;
+ extraConfig = ''
+ ssl_certificate ${cfg.ssl_certificate};
+ ssl_certificate_key ${cfg.ssl_certificate_key};
+
+ if ($scheme = http){
+ return 301 https://$server_name$request_uri;
+ }
+
+ root ${pkgs.retiolum-bootstrap};
+ try_files $uri $uri/retiolum.sh;
+ '';
+ locations = [];
+ };
+ };
+ };
+
+in
+out
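Review bot: The bare `assert config.krebs.nginx.enable;` in front of `krebs.nginx.servers` aborts evaluation with an anonymous "assertion failed" that names neither this module nor the option the operator has to flip; the module-system `assertions` list gives an actionable message instead, e.g. `assertions = singleton { assertion = config.krebs.nginx.enable; message = "krebs.retiolum-bootstrap requires krebs.nginx.enable"; };` placed inside `imp`. The `extraConfig` block only sets the two certificate paths, so the TLS protocol and cipher policy of a host whose purpose is to hand out a bootstrap script is whatever the surrounding nginx configuration defaults to; if that is deliberate, a comment next to `ssl_certificate` saying the policy is inherited from the global nginx config would spare the next reader the check. The `listen` description asks for at least one ssl port but nothing enforces it, so a list without an ssl entry makes the `$scheme = http` rule redirect every request to an https port that is not served; presumably fine with the shipped default `[ "80" "443 ssl" ]`, but a one-line note or check on the option would make the contract explicit.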