2 files changed, 59 insertions, 8 deletions

diff --git a/krebs/3modules/lass/default.nix b/krebs/3modules/lass/default.nix
index 4bf10ac56..148460735 100644
--- a/krebs/3modules/lass/default.nix
+++ b/krebs/3modules/lass/default.nix
@@ -19,6 +19,7 @@ with config.krebs.lib;
           addrs6 = ["42:0000:0000:0000:0000:0000:d15f:1233"];
           aliases = [
             "dishfire.retiolum"
+            "dishfire.r"
           ];
           tinc.pubkey = ''
             -----BEGIN RSA PUBLIC KEY-----
@@ -50,8 +51,10 @@ with config.krebs.lib;
           addrs6 = ["42:941e:2816:35f4:5c5e:206b:3f0b:f763"];
           aliases = [
             "echelon.retiolum"
+            "echelon.r"
             "cgit.echelon.retiolum"
             "go.retiolum"
+            "go.r"
           ];
           tinc.pubkey = ''
             -----BEGIN RSA PUBLIC KEY-----
@@ -83,6 +86,7 @@ with config.krebs.lib;
           addrs6 = ["42:0000:0000:0000:0000:0000:0000:15ab"];
           aliases = [
             "prism.retiolum"
+            "prism.r"
             "cgit.prism.retiolum"
           ];
           tinc.pubkey = ''
@@ -114,6 +118,7 @@ with config.krebs.lib;
           addrs6 = ["42:422a:194f:ff3b:e196:2f82:5cf5:bc00"];
           aliases = [
             "fastpoke.retiolum"
+            "fastpoke.r"
             "cgit.fastpoke.retiolum"
           ];
           tinc.pubkey = ''
@@ -144,6 +149,7 @@ with config.krebs.lib;
           addrs6 = ["42:941e:2816:35f4:5c5e:206b:3f0b:f762"];
           aliases = [
             "cloudkrebs.retiolum"
+            "cloudkrebs.r"
             "cgit.cloudkrebs.retiolum"
           ];
           tinc.pubkey = ''
@@ -173,6 +179,7 @@ with config.krebs.lib;
           addrs6 = ["42:dc25:60cf:94ef:759b:d2b6:98a9:2e56"];
           aliases = [
             "uriel.retiolum"
+            "uriel.r"
             "cgit.uriel.retiolum"
           ];
           tinc.pubkey = ''
@@ -203,6 +210,7 @@ with config.krebs.lib;
           addrs6 = ["42:0:0:0:0:0:0:dea7"];
           aliases = [
             "mors.retiolum"
+            "mors.r"
             "cgit.mors.retiolum"
           ];
           tinc.pubkey = ''
@@ -229,6 +237,7 @@ with config.krebs.lib;
           addrs6 = ["42:0:0:0:0:0:0:7105"];
           aliases = [
             "helios.retiolum"
+            "helios.r"
             "cgit.helios.retiolum"
           ];
           tinc.pubkey = ''
diff --git a/krebs/3modules/nginx.nix b/krebs/3modules/nginx.nix
index 2aa023443..196a6eae7 100644
--- a/krebs/3modules/nginx.nix
+++ b/krebs/3modules/nginx.nix
@@ -39,6 +39,34 @@ let
             type = with types; string;
             default = "";
           };
+          ssl = mkOption {
+            type = with types; submodule ({
+              options = {
+                enable = mkEnableOption "ssl";
+                certificate = mkOption {
+                  type = str;
+                };
+                certificate_key = mkOption {
+                  type = str;
+                };
+                #TODO: check for valid cipher
+                ciphers = mkOption {
+                  type = str;
+                  default = "AES128+EECDH:AES128+EDH";
+                };
+                prefer_server_ciphers = mkOption {
+                  type = bool;
+                  default = true;
+                };
+                protocols = mkOption {
+                  type = listOf (enum [ "SSLv2" "SSLv3" "TLSv1" "TLSv1.1" "TLSv1.2" ]);
+                  default = [ "TLSv1.1" "TLSv1.2" ];
+
+                };
+              };
+            });
+            default = {};
+          };
         };
       });
       default = {};
@@ -72,14 +100,28 @@ let
     }
   '';
 
-  to-server = { server-names, listen, locations, extraConfig, ... }: ''
-    server {
-      ${concatMapStringsSep "\n" (x: "listen ${x};") listen}
-      server_name ${toString server-names};
-      ${indent extraConfig}
-      ${indent (concatMapStrings to-location locations)}
-    }
-  '';
+  to-server = { server-names, listen, locations, extraConfig, ssl, ... }:
+    let
+      _extraConfig = if ssl.enable then
+        extraConfig + ''
+          ssl_certificate ${ssl.certificate};
+          ssl_certificate_key ${ssl.certificate_key};
+          ${optionalString ssl.prefer_server_ciphers "ssl_prefer_server_ciphers On;"}
+          ssl_ciphers ${ssl.ciphers};
+          ssl_protocols ${toString ssl.protocols};
+        ''
+      else
+        extraConfig
+      ;
+
+    in ''
+      server {
+        ${concatMapStringsSep "\n" (x: "listen ${x};") (listen ++ optional ssl.enable "443 ssl")}
+        server_name ${toString server-names};
+        ${indent _extraConfig}
+        ${indent (concatMapStrings to-location locations)}
+      }
+    '';
 
 in
 out