summaryrefslogtreecommitdiffstats
path: root/lass
diff options
context:
space:
mode:
authorlassulus <lass@lassul.us>2016-12-26 14:18:08 +0100
committerlassulus <lass@lassul.us>2016-12-26 14:18:08 +0100
commitb9e3b93105d4214de43ee596adff7cf661311780 (patch)
treeabff4b7c7ca29266c787fc37dc7f6bef2bd2ce26 /lass
parent0f34276090f804b7eed2bf45a0804a69fbe8ae35 (diff)
l: krebs.nginx -> services.nginx
Diffstat (limited to 'lass')
-rw-r--r--lass/1systems/mors.nix14
-rw-r--r--lass/1systems/prism.nix23
-rw-r--r--lass/2configs/binary-cache/server.nix10
-rw-r--r--lass/2configs/go.nix16
-rw-r--r--lass/2configs/radio.nix12
-rw-r--r--lass/2configs/realwallpaper.nix12
-rw-r--r--lass/2configs/websites/domsen.nix12
-rw-r--r--lass/2configs/websites/fritz.nix12
-rw-r--r--lass/2configs/websites/lassulus.nix92
-rw-r--r--lass/2configs/websites/util.nix203
10 files changed, 165 insertions, 241 deletions
diff --git a/lass/1systems/mors.nix b/lass/1systems/mors.nix
index 4553cc15b..dcdb57f3b 100644
--- a/lass/1systems/mors.nix
+++ b/lass/1systems/mors.nix
@@ -66,20 +66,18 @@ with import <stockholm/lib>;
};
}
{
- krebs.nginx = {
+ services.nginx = {
enable = true;
- servers.default = {
- server-names = [
+ virtualHosts.default = {
+ serverAliases = [
"localhost"
"${config.krebs.build.host.name}"
"${config.krebs.build.host.name}.r"
"${config.krebs.build.host.name}.retiolum"
];
- locations = [
- (nameValuePair "~ ^/~(.+?)(/.*)?\$" ''
- alias /home/$1/public_html$2;
- '')
- ];
+ locations."~ ^/~(.+?)(/.*)?\$".extraConfig = ''
+ alias /home/$1/public_html$2;
+ '';
};
};
}
diff --git a/lass/1systems/prism.nix b/lass/1systems/prism.nix
index 7646f7163..efe79052f 100644
--- a/lass/1systems/prism.nix
+++ b/lass/1systems/prism.nix
@@ -179,11 +179,9 @@ in {
imports = [
../2configs/realwallpaper.nix
];
- krebs.nginx.servers."lassul.us".locations = [
- (lib.nameValuePair "/wallpaper.png" ''
- alias /tmp/wallpaper.png;
- '')
- ];
+ services.nginx.virtualHosts."lassul.us".locations."/wallpaper.png".extraConfig = ''
+ alias /tmp/wallpaper.png;
+ '';
}
{
environment.systemPackages = with pkgs; [
@@ -203,16 +201,13 @@ in {
};
}
{
- krebs.nginx = {
+ services.nginx = {
enable = true;
- servers.public = {
- listen = [ "8088" ];
- server-names = [ "default" ];
- locations = [
- (nameValuePair "~ ^/~(.+?)(/.*)?\$" ''
- alias /home/$1/public_html$2;
- '')
- ];
+ virtualHosts.public = {
+ port = 8088;
+ locations."~ ^/~(.+?)(/.*)?\$".extraConfig = ''
+ alias /home/$1/public_html$2;
+ '';
};
};
krebs.iptables.tables.filter.INPUT.rules = [
diff --git a/lass/2configs/binary-cache/server.nix b/lass/2configs/binary-cache/server.nix
index 22ec04307..991bbeb54 100644
--- a/lass/2configs/binary-cache/server.nix
+++ b/lass/2configs/binary-cache/server.nix
@@ -17,13 +17,13 @@
owner.name = "nix-serve";
source-path = toString <secrets> + "/nix-serve.key";
};
- krebs.nginx = {
+ services.nginx = {
enable = true;
- servers.nix-serve = {
- server-names = [ "cache.prism.r" ];
- locations = lib.singleton (lib.nameValuePair "/" ''
+ virtualHosts.nix-serve = {
+ serverAliases = [ "cache.prism.r" ];
+ locations."/".extraConfig = ''
proxy_pass http://localhost:${toString config.services.nix-serve.port};
- '');
+ '';
};
};
}
diff --git a/lass/2configs/go.nix b/lass/2configs/go.nix
index f6ddbe96d..8e31f050f 100644
--- a/lass/2configs/go.nix
+++ b/lass/2configs/go.nix
@@ -8,16 +8,14 @@ with import <stockholm/lib>;
krebs.go = {
enable = true;
};
- krebs.nginx = {
+ services.nginx = {
enable = true;
- servers.go = {
- locations = [
- (nameValuePair "/" ''
- proxy_set_header Host go;
- proxy_pass http://localhost:1337;
- '')
- ];
- server-names = [
+ virtualHosts.go = {
+ locations."/".extraConfig = ''
+ proxy_set_header Host go;
+ proxy_pass http://localhost:1337;
+ '';
+ serverAliases = [
"go"
"go.retiolum"
];
diff --git a/lass/2configs/radio.nix b/lass/2configs/radio.nix
index 88e826683..18574471e 100644
--- a/lass/2configs/radio.nix
+++ b/lass/2configs/radio.nix
@@ -156,7 +156,7 @@ in {
})
];
};
- krebs.nginx.servers."lassul.us".locations = let
+ services.nginx.virtualHosts."lassul.us".locations."/the_playlist".extraConfig = let
html = pkgs.writeText "index.html" ''
<!DOCTYPE html>
<html lang="en">
@@ -175,10 +175,8 @@ in {
</body>
</html>
'';
- in [
- (nameValuePair "/the_playlist" ''
- default_type "text/html";
- alias ${html};
- '')
- ];
+ in ''
+ default_type "text/html";
+ alias ${html};
+ '';
}
diff --git a/lass/2configs/realwallpaper.nix b/lass/2configs/realwallpaper.nix
index 2ab52ed92..cf9795071 100644
--- a/lass/2configs/realwallpaper.nix
+++ b/lass/2configs/realwallpaper.nix
@@ -9,15 +9,13 @@ let
in {
krebs.realwallpaper.enable = true;
- krebs.nginx.servers.wallpaper = {
- server-names = [
+ services.nginx.virtualHosts.wallpaper = {
+ serverAliases = [
hostname
];
- locations = [
- (nameValuePair "/wallpaper.png" ''
- root /tmp/;
- '')
- ];
+ locations."/wallpaper.png".extraConfig = ''
+ root /tmp/;
+ '';
};
krebs.iptables = {
diff --git a/lass/2configs/websites/domsen.nix b/lass/2configs/websites/domsen.nix
index 76e13412b..86800fc05 100644
--- a/lass/2configs/websites/domsen.nix
+++ b/lass/2configs/websites/domsen.nix
@@ -35,10 +35,10 @@ in {
(servePage [ "makeup.apanowicz.de" "www.makeup.apanowicz.de" ])
(ssl [ "pixelpocket.de" ])
- (servePage [ "pixelpocket.de" "www.pixelpocket.de" ])
+ (servePage [ "pixelpocket.de" ])
(ssl [ "o.ubikmedia.de" ])
- (serveOwncloud [ "o.ubikmedia.de" "www.o.ubikmedia.de" ])
+ (serveOwncloud [ "o.ubikmedia.de" ])
(ssl [
"ubikmedia.de"
@@ -92,11 +92,9 @@ in {
])
];
- krebs.nginx.servers."ubikmedia.de".locations = [
- (lib.nameValuePair "/piwik" ''
- try_files $uri $uri/ /index.php?$args;
- '')
- ];
+ services.nginx.virtualHosts."ubikmedia.de".locations."/piwika".extraConfig = ''
+ try_files $uri $uri/ /index.php?$args;
+ '';
lass.mysqlBackup.config.all.databases = [
"ubikmedia_de"
diff --git a/lass/2configs/websites/fritz.nix b/lass/2configs/websites/fritz.nix
index 52914f444..16b705cdb 100644
--- a/lass/2configs/websites/fritz.nix
+++ b/lass/2configs/websites/fritz.nix
@@ -62,18 +62,6 @@ in {
"ttf_kleinaspach_de"
];
- #password protect some dirs
- krebs.nginx.servers."biostase.de".locations = [
- (nameValuePair "/old_biostase.de" ''
- auth_basic "Administrator Login";
- auth_basic_user_file /srv/http/biostase.de/old_biostase.de/.htpasswd;
- '')
- (nameValuePair "/mysqldumper" ''
- auth_basic "Administrator Login";
- auth_basic_user_file /srv/http/biostase.de/mysqldumper/.htpasswd;
- '')
- ];
-
users.users.root.openssh.authorizedKeys.keys = [
config.krebs.users.fritz.pubkey
];
diff --git a/lass/2configs/websites/lassulus.nix b/lass/2configs/websites/lassulus.nix
index 29374e97d..2690d7a0e 100644
--- a/lass/2configs/websites/lassulus.nix
+++ b/lass/2configs/websites/lassulus.nix
@@ -69,59 +69,53 @@ in {
"nginx"
];
- krebs.nginx.servers."lassul.us" = {
- server-names = [ "lassul.us" ];
- locations = [
- (nameValuePair "/" ''
- root /srv/http/lassul.us;
- '')
- (nameValuePair "/.well-known/acme-challenge" ''
- root /var/lib/acme/challenges/lassul.us/;
- '')
- (nameValuePair "= /retiolum-hosts.tar.bz2" ''
- alias ${config.krebs.tinc.retiolum.hostsArchive};
- '')
- (nameValuePair "/tinc" ''
- alias ${config.krebs.tinc_graphs.workingDir}/external;
- '')
- (let
- script = pkgs.writeBash "test" ''
- echo "hello world"
- '';
- #script = pkgs.execve "ddate-wrapper" {
- # filename = "${pkgs.ddate}/bin/ddate";
- # argv = [];
- #};
- in nameValuePair "= /ddate" ''
- gzip off;
- fastcgi_pass unix:/var/run/lass-stuff.socket;
- include ${pkgs.nginx}/conf/fastcgi_params;
- fastcgi_param DOCUMENT_ROOT /var/empty;
- fastcgi_param SCRIPT_FILENAME ${script};
- fastcgi_param SCRIPT_NAME ${script};
- '')
- ];
- ssl = {
- enable = true;
- certificate = "/var/lib/acme/lassul.us/fullchain.pem";
- certificate_key = "/var/lib/acme/lassul.us/key.pem";
- };
+ services.nginx.virtualHosts."lassul.us" = {
+ serverAliases = [ "lassul.us" ];
+ locations."/".extraConfig = ''
+ root /srv/http/lassul.us;
+ '';
+ locations."/.well-known/acme-challenge".extraConfig = ''
+ root /var/lib/acme/challenges/lassul.us/;
+ '';
+ locations."= /retiolum-hosts.tar.bz2".extraConfig = ''
+ alias ${config.krebs.tinc.retiolum.hostsArchive};
+ '';
+ locations."/tinc".extraConfig = ''
+ alias ${config.krebs.tinc_graphs.workingDir}/external;
+ '';
+ locations."= /ddate".extraConfig = let
+ script = pkgs.writeBash "test" ''
+ echo "hello world"
+ '';
+ #script = pkgs.execve "ddate-wrapper" {
+ # filename = "${pkgs.ddate}/bin/ddate";
+ # argv = [];
+ #};
+ in ''
+ gzip off;
+ fastcgi_pass unix:/var/run/lass-stuff.socket;
+ include ${pkgs.nginx}/conf/fastcgi_params;
+ fastcgi_param DOCUMENT_ROOT /var/empty;
+ fastcgi_param SCRIPT_FILENAME ${script};
+ fastcgi_param SCRIPT_NAME ${script};
+ '';
+
+ enableSSL = true;
+ extraConfig = "listen 80;";
+ sslCertificate = "/var/lib/acme/lassul.us/fullchain.pem";
+ sslCertificateKey = "/var/lib/acme/lassul.us/key.pem";
};
- krebs.nginx.servers.cgit = {
- server-names = [
+ services.nginx.virtualHosts.cgit = {
+ serverAliases = [
"cgit.lassul.us"
];
- locations = [
- (nameValuePair "/.well-known/acme-challenge" ''
- root /var/lib/acme/challenges/cgit.lassul.us/;
- '')
- ];
- ssl = {
- enable = true;
- certificate = "/var/lib/acme/cgit.lassul.us/fullchain.pem";
- certificate_key = "/var/lib/acme/cgit.lassul.us/key.pem";
- };
+ locations."/.well-known/acme-challenge".extraConfig = ''
+ root /var/lib/acme/acme-challenges;
+ '';
+ enableSSL = true;
+ sslCertificate = "/var/lib/acme/cgit.lassul.us/fullchain.pem";
+ sslCertificateKey = "/var/lib/acme/cgit.lassul.us/key.pem";
};
users.users.blog = {
diff --git a/lass/2configs/websites/util.nix b/lass/2configs/websites/util.nix
index 0b2a6faac..6e236ab63 100644
--- a/lass/2configs/websites/util.nix
+++ b/lass/2configs/websites/util.nix
@@ -4,66 +4,24 @@ with lib;
rec {
- manageCerts = domains:
+ ssl = domains :
let
domain = head domains;
in {
- #security.acme = {
- # certs."${domain}" = {
- # email = "lassulus@gmail.com";
- # webroot = "/var/lib/acme/challenges/${domain}";
- # plugins = [
- # "account_key.json"
- # "key.pem"
- # "fullchain.pem"
- # ];
- # group = "nginx";
- # allowKeysForGroup = true;
- # extraDomains = genAttrs domains (_: null);
- # };
- #};
-
- krebs.nginx.servers."${domain}" = {
- ssl.acmeEnable = true;
- server-names = domains;
- #locations = [
- # (nameValuePair "/.well-known/acme-challenge" ''
- # root /var/lib/acme/challenges/${domain}/;
- # '')
- #];
- };
- };
-
- ssl = domains:
- {
- imports = [
- ( manageCerts domains )
- #( activateACME (head domains) )
- ];
- };
-
- activateACME = domain:
- {
- krebs.nginx.servers.${domain} = {
- ssl = {
- enable = true;
- certificate = "/var/lib/acme/${domain}/fullchain.pem";
- certificate_key = "/var/lib/acme/${domain}/key.pem";
- };
- };
};
servePage = domains:
let
domain = head domains;
in {
- krebs.nginx.servers.${domain} = {
- server-names = domains;
- locations = [
- (nameValuePair "/" ''
- root /srv/http/${domain};
- '')
- ];
+ services.nginx.virtualHosts.${domain} = {
+ enableACME = true;
+ enableSSL = true;
+ extraConfig = "listen 80;";
+ serverAliases = domains;
+ locations."/".extraConfig = ''
+ root /srv/http/${domain};
+ '';
};
};
@@ -71,9 +29,13 @@ rec {
let
domain = head domains;
in {
- krebs.nginx.servers."${domain}" = {
- server-names = domains;
+ services.nginx.virtualHosts."${domain}" = {
+ enableACME = true;
+ enableSSL = true;
+ serverAliases = domains;
extraConfig = ''
+ listen 80;
+
# Add headers to serve security related headers
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
add_header X-Content-Type-Options nosniff;
@@ -109,56 +71,53 @@ rec {
rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;
'';
- locations = [
- (nameValuePair "/robots.txt" ''
- allow all;
- log_not_found off;
- access_log off;
- '')
- (nameValuePair "~ ^/(build|tests|config|lib|3rdparty|templates|data)/" ''
- deny all;
- '')
-
- (nameValuePair "~ ^/(?:autotest|occ|issue|indie|db_|console)" ''
- deny all;
- '')
-
- (nameValuePair "/" ''
- rewrite ^/remote/(.*) /remote.php last;
- rewrite ^(/core/doc/[^\/]+/)$ $1/index.html;
- try_files $uri $uri/ =404;
- '')
-
- (nameValuePair "~ \.php(?:$|/)" ''
- fastcgi_split_path_info ^(.+\.php)(/.+)$;
- include ${pkgs.nginx}/conf/fastcgi_params;
- fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
- fastcgi_param PATH_INFO $fastcgi_path_info;
- fastcgi_param HTTPS on;
- fastcgi_param modHeadersAvailable true; #Avoid sending the security headers twice
- fastcgi_pass unix:/srv/http/${domain}/phpfpm.pool;
- fastcgi_intercept_errors on;
- '')
-
- # Adding the cache control header for js and css files
- # Make sure it is BELOW the location ~ \.php(?:$|/) { block
- (nameValuePair "~* \.(?:css|js)$" ''
- add_header Cache-Control "public, max-age=7200";
- # Add headers to serve security related headers
- add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
- add_header X-Content-Type-Options nosniff;
- add_header X-Frame-Options "SAMEORIGIN";
- add_header X-XSS-Protection "1; mode=block";
- add_header X-Robots-Tag none;
- # Optional: Don't log access to assets
- access_log off;
- '')
-
- # Optional: Don't log access to other assets
- (nameValuePair "~* \.(?:jpg|jpeg|gif|bmp|ico|png|swf)$" ''
- access_log off;
- '')
- ];
+ locations."/robots.txt".extraConfig = ''
+ allow all;
+ log_not_found off;
+ access_log off;
+ '';
+ locations."~ ^/(build|tests|config|lib|3rdparty|templates|data)/".extraConfig = ''
+ deny all;
+ '';
+
+ locations."~ ^/(?:autotest|occ|issue|indie|db_|console)".extraConfig = ''
+ deny all;
+ '';
+
+ locations."/".extraConfig = ''
+ rewrite ^/remote/(.*) /remote.php last;
+ rewrite ^(/core/doc/[^\/]+/)$ $1/index.html;
+ try_files $uri $uri/ =404;
+ '';
+
+ locations."~ \.php(?:$|/)".extraConfig = ''
+ fastcgi_split_path_info ^(.+\.php)(/.+)$;
+ include ${pkgs.nginx}/conf/fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ fastcgi_param PATH_INFO $fastcgi_path_info;
+ fastcgi_param HTTPS on;
+ fastcgi_param modHeadersAvailable true; #Avoid sending the security headers twice
+ fastcgi_pass unix:/srv/http/${domain}/phpfpm.pool;
+ fastcgi_intercept_errors on;
+ '';
+
+ # Adding the cache control header for js and css files
+ # Make sure it is BELOW the location ~ \.php(?:$|/) { block
+ locations."~* \.(?:css|js)$".extraConfig = ''
+ add_header Cache-Control "public, max-age=7200";
+ # Add headers to serve security related headers
+ add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
+ add_header X-Content-Type-Options nosniff;
+ add_header X-Frame-Options "SAMEORIGIN";
+ add_header X-XSS-Protection "1; mode=block";
+ add_header X-Robots-Tag none;
+ # Optional: Don't log access to assets
+ access_log off;
+ '';
+ # Optional: Don't log access to other assets
+ locations."~* \.(?:jpg|jpeg|gif|bmp|ico|png|swf)$".extraConfig = ''
+ access_log off;
+ '';
};
services.phpfpm.poolConfigs."${domain}" = ''
listen = /srv/http/${domain}/phpfpm.pool
@@ -183,9 +142,12 @@ rec {
domain = head domains;
in {
- krebs.nginx.servers."${domain}" = {
- server-names = domains;
+ services.nginx.virtualHosts."${domain}" = {
+ enableACME = true;
+ enableSSL = true;
+ serverAliases = domains;
extraConfig = ''
+ listen 80;
root /srv/http/${domain}/;
index index.php;
access_log /tmp/nginx_acc.log;
@@ -194,24 +156,19 @@ rec {
error_page 500 502 503 504 /50x.html;
client_max_body_size 100m;
'';
- locations = [
- (nameValuePair "/" ''
- try_files $uri $uri/ /index.php?$args;
- '')
- (nameValuePair "~ \.php$" ''
- fastcgi_pass unix:/srv/http/${domain}/phpfpm.pool;
- include ${pkgs.nginx}/conf/fastcgi.conf;
- '')
- #(nameValuePair "~ /\\." ''
- # deny all;
- #'')
- #Directives to send expires headers and turn off 404 error logging.
- (nameValuePair "~* ^.+\.(xml|ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|css|rss|atom|js|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$" ''
- access_log off;
- log_not_found off;
- expires max;
- '')
- ];
+ locations."/".extraConfig = ''
+ try_files $uri $uri/ /index.php?$args;
+ '';
+ locations."~ \.php$".extraConfig = ''
+ fastcgi_pass unix:/srv/http/${domain}/phpfpm.pool;
+ include ${pkgs.nginx}/conf/fastcgi.conf;
+ '';
+ #Directives to send expires headers and turn off 404 error logging.
+ locations."~* ^.+\.(xml|ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|css|rss|atom|js|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$".extraConfig = ''
+ access_log off;
+ log_not_found off;
+ expires max;
+ '';
};
services.phpfpm.poolConfigs."${domain}" = ''
listen = /srv/http/${domain}/phpfpm.pool