Diffstat (limited to 'krebs/2configs')
-rw-r--r--krebs/2configs/acme.nix67
-rw-r--r--krebs/2configs/buildbot-stockholm.nix17
-rw-r--r--krebs/2configs/default.nix13
-rw-r--r--krebs/2configs/wiki.nix9
4 files changed, 83 insertions, 23 deletions
diff --git a/krebs/2configs/acme.nix b/krebs/2configs/acme.nix
new file mode 100644
index 000000000..056aa7ae4
--- /dev/null
+++ b/krebs/2configs/acme.nix
@@ -0,0 +1,67 @@
+# generate intermediate certificate with generate-krebs-intermediate-ca
+{ config, lib, pkgs, ... }: let
+ domain = "ca.r";
+in {
+ security.acme = {
+ acceptTerms = true; # kinda pointless since we never use upstream
+ email = "spam@krebsco.de";
+ certs.${domain}.server = "https://${domain}:1443/acme/acme/directory"; # use 1443 here cause bootstrapping loop
+ };
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
+ services.nginx = {
+ enable = true;
+ recommendedProxySettings = true;
+ virtualHosts.${domain} = {
+ addSSL = true;
+ enableACME = true;
+ locations."/" = {
+ proxyPass = "https://localhost:1443";
+ };
+ locations."= /ca.crt".alias = ../6assets/krebsAcmeCA.crt;
+ };
+ };
+ krebs.secret.files.krebsAcme = {
+ path = "/var/lib/step-ca/intermediate_ca.key";
+ owner.name = "root";
+ mode = "1444";
+ source-path = builtins.toString <secrets> + "/acme_ca.key";
+ };
+ services.step-ca = {
+ enable = true;
+ intermediatePasswordFile = "/dev/null";
+ address = "0.0.0.0";
+ port = 1443;
+ settings = {
+ root = pkgs.writeText "root.crt" config.krebs.ssl.rootCA;
+ crt = pkgs.writeText "intermediate.crt" config.krebs.ssl.intermediateCA;
+ key = "/var/lib/step-ca/intermediate_ca.key";
+ dnsNames = [ domain ];
+ logger.format = "text";
+ db = {
+ type = "badger";
+ dataSource = "/var/lib/step-ca/db";
+ };
+ authority = {
+ provisioners = [{
+ type = "ACME";
+ name = "acme";
+ forceCN = true;
+ }];
+ claims = {
+ maxTLSCertDuration = "2160h";
+ defaultTLSCertDuration = "2160h";
+ };
+ backdate = "1m0s";
+ };
+ tls = {
+ cipherSuites = [
+ "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256"
+ "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
+ ];
+ minVersion = 1.2;
+ maxVersion = 1.3;
+ renegotiation = false;
+ };
+ };
+ };
+}
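Review bot: The intermediate CA private key installed at L41-L46 is world-readable — `mode = "1444"` gives every local account read access to `/var/lib/step-ca/intermediate_ca.key`, and with `intermediatePasswordFile = "/dev/null"` (L49) the key carries no passphrase, so file permissions are its only protection. Since default.nix in this same change turns on `krebs.ssl.trustIntermediate` for every krebs host, anyone who can read that file can issue certificates the whole fleet will accept. Tighten it to `mode = "0400";` with `owner.name` set to the account step-ca actually runs as; if the NixOS step-ca unit uses a dynamic user (which would explain the 1444 workaround), hand the key in through the unit's `LoadCredential=` instead of a world-readable file. If the permissive mode has to stay for now, a comment on that line stating why would at least make the trade-off explicit.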
diff --git a/krebs/2configs/buildbot-stockholm.nix b/krebs/2configs/buildbot-stockholm.nix
index 43a38a9f8..9fc6a79e5 100644
--- a/krebs/2configs/buildbot-stockholm.nix
+++ b/krebs/2configs/buildbot-stockholm.nix
@@ -6,11 +6,13 @@
enable = true;
virtualHosts.build = {
serverAliases = [ "build.r" "build.${config.networking.hostName}.r" ];
- locations."/".extraConfig = ''
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection "upgrade";
- proxy_pass http://127.0.0.1:${toString config.krebs.buildbot.master.web.port};
- '';
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:${toString config.services.buildbot-master.port}";
+ proxyWebsockets = true;
+ extraConfig = ''
+ proxy_read_timeout 3600s;
+ '';
+ };
};
};
krebs.ci = {
@@ -18,25 +20,20 @@
repos = {
disko.urls = [
"http://cgit.gum.r/disko"
- "http://cgit.hotdog.r/disko"
"http://cgit.ni.r/disko"
"http://cgit.prism.r/disko"
];
krops.urls = [
- "http://cgit.hotdog.r/krops"
"http://cgit.ni.r/krops"
"http://cgit.prism.r/krops"
"https://github.com/krebs/krops.git"
];
nix_writers.urls = [
- "http://cgit.hotdog.r/nix-writers"
"http://cgit.ni.r/nix-writers"
"http://cgit.prism.r/nix-writers"
];
stockholm.urls = [
- "http://cgit.enklave.r/stockholm"
"http://cgit.gum.r/stockholm"
- "http://cgit.hotdog.r/stockholm"
"http://cgit.ni.r/stockholm"
"http://cgit.prism.r/stockholm"
];
diff --git a/krebs/2configs/default.nix b/krebs/2configs/default.nix
index 369b750b7..9200d41fe 100644
--- a/krebs/2configs/default.nix
+++ b/krebs/2configs/default.nix
@@ -4,18 +4,14 @@ with import <stockholm/lib>;
{
imports = [
./backup.nix
- (let ca-bundle = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"; in {
- environment.variables = {
- CURL_CA_BUNDLE = ca-bundle;
- GIT_SSL_CAINFO = ca-bundle;
- SSL_CERT_FILE = ca-bundle;
- };
- })
];
krebs.announce-activation.enable = true;
krebs.enable = true;
krebs.tinc.retiolum.enable = mkDefault true;
+ # trust krebs ACME CA
+ krebs.ssl.trustIntermediate = true;
+
krebs.build.user = mkDefault config.krebs.users.krebs;
networking.hostName = config.krebs.build.host.name;
@@ -61,9 +57,6 @@ with import <stockholm/lib>;
config.krebs.users.tv.pubkey
];
- # enable documentation for our modules
- documentation.nixos.includeAllModules = true;
-
# The NixOS release to be compatible with for stateful data such as databases.
system.stateVersion = "17.03";
}
diff --git a/krebs/2configs/wiki.nix b/krebs/2configs/wiki.nix
index 9a18b8dff..e7faca1f4 100644
--- a/krebs/2configs/wiki.nix
+++ b/krebs/2configs/wiki.nix
@@ -38,14 +38,17 @@ in
systemd.services.gollum.environment.LC_ALL = "en_US.UTF-8";
- networking.firewall.allowedTCPPorts = [ 80 ];
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
+ security.acme.certs."wiki.r".server = config.krebs.ssl.acmeURL;
services.nginx = {
enable = true;
- virtualHosts.wiki = {
- serverAliases = [ "wiki.r" "wiki.${config.networking.hostName}.r" ];
+ virtualHosts."wiki.r" = {
+ enableACME = true;
+ addSSL = true;
locations."/".extraConfig = ''
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
+ proxy_set_header Host $host;
proxy_pass http://127.0.0.1:${toString config.services.gollum.port};
'';
};
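Review bot: `addSSL = true` on the new `virtualHosts."wiki.r"` (L183) keeps the wiki reachable over plain HTTP on port 80 with no redirect, so edits from any client that does not switch to https itself still travel in cleartext even though a certificate is now provisioned. If the plaintext listener is deliberately kept until every client trusts the krebs CA, a comment such as `# addSSL, not forceSSL: keep plain http until all clients trust the krebs CA` would record that; otherwise `forceSSL = true;` is the option that redirects. The rewrite also drops the former `serverAliases` (L180), so `wiki.<hostname>.r` no longer matches this vhost; that looks intentional since the certificate only covers `wiki.r`, but the change does not say so.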