diff options
Diffstat (limited to 'krebs')
| -rw-r--r-- | krebs/3modules/bepasty-server.nix | 8 | ||||
| -rw-r--r-- | krebs/3modules/lass/default.nix | 8 | ||||
| -rw-r--r-- | krebs/3modules/makefu/default.nix | 22 | ||||
| -rw-r--r-- | krebs/3modules/nginx.nix | 58 | ||||
| -rw-r--r-- | krebs/5pkgs/test/infest-cac-centos7/default.nix | 5 |
5 files changed, 79 insertions, 22 deletions
diff --git a/krebs/3modules/bepasty-server.nix b/krebs/3modules/bepasty-server.nix index 9e777a5ef..cbf87b2a7 100644 --- a/krebs/3modules/bepasty-server.nix +++ b/krebs/3modules/bepasty-server.nix @@ -96,9 +96,13 @@ let wantedBy = [ "multi-user.target" ]; after = [ "network.target" ]; restartIfChanged = true; - environment = { + environment = let + penv = python.buildEnv.override { + extraLibs = [ bepasty gevent ]; + }; + in { BEPASTY_CONFIG = "${server.workDir}/bepasty-${name}.conf"; - PYTHONPATH= "${bepasty}/lib/${python.libPrefix}/site-packages:${gevent}/lib/${python.libPrefix}/site-packages"; + PYTHONPATH= "${penv}/${python.sitePackages}/"; }; serviceConfig = { diff --git a/krebs/3modules/lass/default.nix b/krebs/3modules/lass/default.nix index 4bf10ac56..6220a2d6f 100644 --- a/krebs/3modules/lass/default.nix +++ b/krebs/3modules/lass/default.nix @@ -19,6 +19,7 @@ with config.krebs.lib; addrs6 = ["42:0000:0000:0000:0000:0000:d15f:1233"]; aliases = [ "dishfire.retiolum" + "dishfire.r" ]; tinc.pubkey = '' -----BEGIN RSA PUBLIC KEY----- @@ -52,6 +53,7 @@ with config.krebs.lib; "echelon.retiolum" "cgit.echelon.retiolum" "go.retiolum" + "go.r" ]; tinc.pubkey = '' -----BEGIN RSA PUBLIC KEY----- @@ -83,6 +85,7 @@ with config.krebs.lib; addrs6 = ["42:0000:0000:0000:0000:0000:0000:15ab"]; aliases = [ "prism.retiolum" + "prism.r" "cgit.prism.retiolum" ]; tinc.pubkey = '' @@ -114,6 +117,7 @@ with config.krebs.lib; addrs6 = ["42:422a:194f:ff3b:e196:2f82:5cf5:bc00"]; aliases = [ "fastpoke.retiolum" + "fastpoke.r" "cgit.fastpoke.retiolum" ]; tinc.pubkey = '' @@ -144,6 +148,7 @@ with config.krebs.lib; addrs6 = ["42:941e:2816:35f4:5c5e:206b:3f0b:f762"]; aliases = [ "cloudkrebs.retiolum" + "cloudkrebs.r" "cgit.cloudkrebs.retiolum" ]; tinc.pubkey = '' @@ -173,6 +178,7 @@ with config.krebs.lib; addrs6 = ["42:dc25:60cf:94ef:759b:d2b6:98a9:2e56"]; aliases = [ "uriel.retiolum" + "uriel.r" "cgit.uriel.retiolum" ]; tinc.pubkey = '' @@ -203,6 +209,7 @@ with config.krebs.lib; addrs6 = ["42:0:0:0:0:0:0:dea7"]; aliases = [ "mors.retiolum" + "mors.r" "cgit.mors.retiolum" ]; tinc.pubkey = '' @@ -229,6 +236,7 @@ with config.krebs.lib; addrs6 = ["42:0:0:0:0:0:0:7105"]; aliases = [ "helios.retiolum" + "helios.r" "cgit.helios.retiolum" ]; tinc.pubkey = '' diff --git a/krebs/3modules/makefu/default.nix b/krebs/3modules/makefu/default.nix index ccf21c868..24f0cdd84 100644 --- a/krebs/3modules/makefu/default.nix +++ b/krebs/3modules/makefu/default.nix @@ -221,17 +221,17 @@ with config.krebs.lib; ]; tinc.pubkey = '' -----BEGIN RSA PUBLIC KEY----- - MIICCgKCAgEAvmCBVNKT/Su4v9nl/Nm3STPo5QxWPg7xEkzIs3Oh39BS8+r6/7UQ - rebib7mczb+ebZd+Rg2yFoGrWO8cmM0VcLy5bYRMK7in8XroLEjWecNNM4TRfNR4 - e53+LhcPdkxo0A3/D+yiut+A2Mkqe+4VXDm/JhAiAYkZTn7jUtj00Atrc7CWW1gN - sP3jIgv4+CGftdSYOB4dm699B7OD9XDLci2kOaFqFl4cjDYUok03G0AduUlRx10v - CKbKOTIdm8C36A902/3ms+Hyzkruu+VagGIZuPSwqXHJPCu7Ju+jarKQstMmpQi0 - PubweWDL0o/Dfz2qT3DuL4xDecIvGE6kv3m41hHJYiK+2/azTSehyPFbsVbL7w0V - LgKN3usnZNcpTsBWxRGT7nMFSnX2FLDu7d9OfCuaXYxHVFLZaNrpccOq8NF/7Hbk - DDW81W7CvLyJDlp0WLnAawSOGTUTPoYv/2wAapJ89i8QGCueGvEc6o2EcnBVMFEW - ejWTQzyD816f4RsplnrRqLVlIMbr9Q/n5TvlgjjhX7IMEfMy4+7qLGRQkNbFzgwK - jxNG2fFSCjOEQitm0gAtx7QRIyvYr6c7/xiHz4AwxYzBmvQsL/OK57NO4+Krwgj5 - Vk8TQ2jGO7J4bB38zaxK+Lrtfl8i1AK1171JqFMhOc34JSJ7T4LWDMECAwEAAQ== + MIICCgKCAgEAs9bq++H4HF8EpZMfWGfoIsh/C+YNO2pg74UPBsP/tFFe71yzWwUn + U9LW0n3bBqCMQ/oDthbSMwCkS9JzcUi22QJEdjbQs/aay9gZR115b+UxWPocw0Ms + ZoREKo3Oe0hETk7Ing8NdBDI0kCBh9QnvqQ3iKd0rBae3DYvcWlDsY93GLGMddgA + 7E9oa3EHVYH/MPZaeJtTknaJduanBSbiEb/xQOqxTadHoQASKU6DQD1czMH3hLG2 + 8Wn4MBj9fgKBAoIy092tIzPtE2QwAHO73yz4mSW/3r190hREgVbjuEPiw4w5mEyQ + j+NeN3f3heFKx+GCgdWH9xPw6m6qPdqUiGUPq91KXMOhNa8lLcTp95mHdCMesZCF + TFj7hf6y+SVt17Vo+YUL7UqnMtAm3eZZmwyDu0DfKFrdgz6MtDD+5dQp9g8VHpqw + RfbaB1Srlr24EUYYoOBEF9CcIacFbsr+MKh+hQk5R0uEMSeAWARzxvvr69iMgdEC + zDiu0rrRLN+CrfgkDir7pkRKxeA1lz8KpySyIZRziNg6mSHjKjih4++Bbu4N2ack + 86h84qBrA8lq2xsub4+HgKZGH2l5Y8tvlr+rx0mQKEJkT6XDKCXZFPfl2N0QrWGT + Dv7l2vn0QMj9E6+BdRhYaO/m3+cIZ9faM851nRj/gq2OOtzW3ekrne0CAwEAAQ== -----END RSA PUBLIC KEY----- ''; }; diff --git a/krebs/3modules/nginx.nix b/krebs/3modules/nginx.nix index 2aa023443..196a6eae7 100644 --- a/krebs/3modules/nginx.nix +++ b/krebs/3modules/nginx.nix @@ -39,6 +39,34 @@ let type = with types; string; default = ""; }; + ssl = mkOption { + type = with types; submodule ({ + options = { + enable = mkEnableOption "ssl"; + certificate = mkOption { + type = str; + }; + certificate_key = mkOption { + type = str; + }; + #TODO: check for valid cipher + ciphers = mkOption { + type = str; + default = "AES128+EECDH:AES128+EDH"; + }; + prefer_server_ciphers = mkOption { + type = bool; + default = true; + }; + protocols = mkOption { + type = listOf (enum [ "SSLv2" "SSLv3" "TLSv1" "TLSv1.1" "TLSv1.2" ]); + default = [ "TLSv1.1" "TLSv1.2" ]; + + }; + }; + }); + default = {}; + }; }; }); default = {}; @@ -72,14 +100,28 @@ let } ''; - to-server = { server-names, listen, locations, extraConfig, ... }: '' - server { - ${concatMapStringsSep "\n" (x: "listen ${x};") listen} - server_name ${toString server-names}; - ${indent extraConfig} - ${indent (concatMapStrings to-location locations)} - } - ''; + to-server = { server-names, listen, locations, extraConfig, ssl, ... }: + let + _extraConfig = if ssl.enable then + extraConfig + '' + ssl_certificate ${ssl.certificate}; + ssl_certificate_key ${ssl.certificate_key}; + ${optionalString ssl.prefer_server_ciphers "ssl_prefer_server_ciphers On;"} + ssl_ciphers ${ssl.ciphers}; + ssl_protocols ${toString ssl.protocols}; + '' + else + extraConfig + ; + + in '' + server { + ${concatMapStringsSep "\n" (x: "listen ${x};") (listen ++ optional ssl.enable "443 ssl")} + server_name ${toString server-names}; + ${indent _extraConfig} + ${indent (concatMapStrings to-location locations)} + } + ''; in out diff --git a/krebs/5pkgs/test/infest-cac-centos7/default.nix b/krebs/5pkgs/test/infest-cac-centos7/default.nix index 3be4b1c41..f5fe84823 100644 --- a/krebs/5pkgs/test/infest-cac-centos7/default.nix +++ b/krebs/5pkgs/test/infest-cac-centos7/default.nix @@ -1,4 +1,6 @@ -{ stdenv, coreutils,makeWrapper, cac-api, cac-cert, cac-panel, gnumake, gnused, jq, openssh, ... }: +{ stdenv, coreutils, makeWrapper, + cac-api, cac-cert, cac-panel, gnumake, gnused, jq, openssh, sshpass, + ... }: stdenv.mkDerivation rec { name = "${shortname}-${version}"; @@ -21,6 +23,7 @@ stdenv.mkDerivation rec { gnused jq openssh + sshpass ]; installPhase = '' |