summaryrefslogtreecommitdiffstats
path: root/lass
diff options
context:
space:
mode:
Diffstat (limited to 'lass')
-rw-r--r--lass/1systems/mors.nix150
-rw-r--r--lass/1systems/prism.nix29
-rw-r--r--lass/2configs/binary-cache/server.nix10
-rw-r--r--lass/2configs/downloading.nix5
-rw-r--r--lass/2configs/go.nix16
-rw-r--r--lass/2configs/hfos.nix33
-rw-r--r--lass/2configs/libvirt.nix43
-rw-r--r--lass/2configs/nixpkgs.nix4
-rw-r--r--lass/2configs/radio.nix12
-rw-r--r--lass/2configs/realwallpaper.nix12
-rw-r--r--lass/2configs/tests/dummy-secrets/torrent-auth3
-rw-r--r--lass/2configs/tests/dummy-secrets/torrent-authfile1
-rw-r--r--lass/2configs/websites/domsen.nix13
-rw-r--r--lass/2configs/websites/fritz.nix18
-rw-r--r--lass/2configs/websites/lassulus.nix97
-rw-r--r--lass/2configs/websites/util.nix203
-rw-r--r--lass/3modules/default.nix1
-rw-r--r--lass/3modules/owncloud_nginx.nix210
-rw-r--r--lass/3modules/wordpress_nginx.nix265
19 files changed, 367 insertions, 758 deletions
diff --git a/lass/1systems/mors.nix b/lass/1systems/mors.nix
index 4553cc15b..3498f662b 100644
--- a/lass/1systems/mors.nix
+++ b/lass/1systems/mors.nix
@@ -17,7 +17,6 @@ with import <stockholm/lib>;
../2configs/steam.nix
../2configs/wine.nix
../2configs/git.nix
- ../2configs/skype.nix
../2configs/libvirt.nix
../2configs/fetchWallpaper.nix
#../2configs/c-base.nix
@@ -66,20 +65,18 @@ with import <stockholm/lib>;
};
}
{
- krebs.nginx = {
+ services.nginx = {
enable = true;
- servers.default = {
- server-names = [
+ virtualHosts.default = {
+ serverAliases = [
"localhost"
"${config.krebs.build.host.name}"
"${config.krebs.build.host.name}.r"
"${config.krebs.build.host.name}.retiolum"
];
- locations = [
- (nameValuePair "~ ^/~(.+?)(/.*)?\$" ''
- alias /home/$1/public_html$2;
- '')
- ];
+ locations."~ ^/~(.+?)(/.*)?\$".extraConfig = ''
+ alias /home/$1/public_html$2;
+ '';
};
};
}
@@ -89,6 +86,137 @@ with import <stockholm/lib>;
{
virtualisation.libvirtd.enable = true;
}
+ {
+ services.nginx = {
+ enable = mkDefault true;
+ virtualHosts = {
+ "stats.mors" = {
+ locations = {
+ "/" = {
+ proxyPass = "http://localhost:3000/";
+ extraConfig = ''
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ '';
+ };
+ };
+ };
+ };
+ };
+
+ services.grafana = {
+ enable = true;
+ addr = "127.0.0.1";
+ users.allowSignUp = false;
+ users.allowOrgCreate = false;
+ users.autoAssignOrg = false;
+ auth.anonymous.enable = true;
+ security = import <secrets/grafana_security.nix>; # { AdminUser = ""; adminPassword = ""}
+ };
+
+ services.graphite = {
+ api = {
+ enable = true;
+ listenAddress = "127.0.0.1";
+ port = 18080;
+ };
+ carbon = {
+ enableCache = true;
+ # save disk usage by restricting to 1 bulk update per second
+ config = ''
+ [cache]
+ MAX_CACHE_SIZE = inf
+ MAX_UPDATES_PER_SECOND = 1
+ MAX_CREATES_PER_MINUTE = 500
+ '';
+ storageSchemas = ''
+ [carbon]
+ pattern = ^carbon\.
+ retentions = 60:90d
+
+ [elchos]
+ patterhn = ^elchos\.
+ retentions = 10s:30d,60s:3y
+
+ [default]
+ pattern = .*
+ retentions = 30s:30d,300s:1y
+ '';
+ };
+ };
+
+ services.collectd = {
+ enable = true;
+ include = [ (toString (pkgs.writeText "collectd-graphite-cfg" ''
+ LoadPlugin write_graphite
+ <Plugin "write_graphite">
+ <Carbon>
+ Host "localhost"
+ Port "2003"
+ EscapeCharacter "_"
+ StoreRates false
+ AlwaysAppendDS false
+ </Carbon>
+ </Plugin>
+ ''))
+ ];
+ extraConfig = ''
+ LoadPlugin interface
+ LoadPlugin battery
+ LoadPlugin load
+ LoadPlugin cpu
+ LoadPlugin entropy
+ LoadPlugin write_graphite
+ <Plugin "interface">
+ Interface "et0"
+ Interface "wl0"
+ Interface "retiolum"
+ </Plugin>
+ '';
+ };
+ services.graphite.beacon = {
+ enable = true;
+ config = {
+ graphite_url = "http://localhost:18080";
+ cli = {
+ command = ''${pkgs.irc-announce}/bin/irc-announce irc.freenode.org 6667 mors-beacon-alert \#krebs ' ''${level} ''${name} ''${value}' '';
+ };
+ smtp = {
+ from = "beacon@mors.r";
+ to = [
+ "lass@mors.r"
+ ];
+ };
+ normal_handlers = [
+ "smtp"
+ "cli"
+ ];
+ warning_handlers = [
+ "smtp"
+ "cli"
+ ];
+ critical_handlers = [
+ "smtp"
+ "cli"
+ ];
+ alerts = [
+ {
+ name = "testbattery";
+ query = "*.battery-0.capacity";
+ method = "last_value";
+ interval = "1minute";
+ logging = "info";
+ repeat_interval = "5minute";
+ rules = [
+ "warning: < 30.0"
+ "critical: < 10.0"
+ ];
+ }
+ ];
+ };
+ };
+ }
];
krebs.build.host = config.krebs.hosts.mors;
@@ -238,8 +366,4 @@ with import <stockholm/lib>;
krebs.repo-sync.timerConfig = {
OnCalendar = "00:37";
};
-
- services.mongodb = {
- enable = true;
- };
}
diff --git a/lass/1systems/prism.nix b/lass/1systems/prism.nix
index 6c11a2f62..39026d102 100644
--- a/lass/1systems/prism.nix
+++ b/lass/1systems/prism.nix
@@ -24,6 +24,8 @@ in {
../2configs/repo-sync.nix
../2configs/binary-cache/server.nix
../2configs/iodined.nix
+ ../2configs/libvirt.nix
+ ../2configs/hfos.nix
{
users.extraGroups = {
# ● systemd-tmpfiles-setup.service - Create Volatile Files and Directories
@@ -178,11 +180,9 @@ in {
imports = [
../2configs/realwallpaper.nix
];
- krebs.nginx.servers."lassul.us".locations = [
- (lib.nameValuePair "/wallpaper.png" ''
- alias /tmp/wallpaper.png;
- '')
- ];
+ services.nginx.virtualHosts."lassul.us".locations."/wallpaper.png".extraConfig = ''
+ alias /tmp/wallpaper.png;
+ '';
}
{
environment.systemPackages = with pkgs; [
@@ -202,16 +202,13 @@ in {
};
}
{
- krebs.nginx = {
+ services.nginx = {
enable = true;
- servers.public = {
- listen = [ "8088" ];
- server-names = [ "default" ];
- locations = [
- (nameValuePair "~ ^/~(.+?)(/.*)?\$" ''
- alias /home/$1/public_html$2;
- '')
- ];
+ virtualHosts.public = {
+ port = 8088;
+ locations."~ ^/~(.+?)(/.*)?\$".extraConfig = ''
+ alias /home/$1/public_html$2;
+ '';
};
};
krebs.iptables.tables.filter.INPUT.rules = [
@@ -228,10 +225,6 @@ in {
enable = true;
};
}
- {
- virtualisation.libvirtd.enable = true;
- users.users.mainUser.extraGroups = [ "libvirtd" ];
- }
];
krebs.build.host = config.krebs.hosts.prism;
diff --git a/lass/2configs/binary-cache/server.nix b/lass/2configs/binary-cache/server.nix
index 22ec04307..991bbeb54 100644
--- a/lass/2configs/binary-cache/server.nix
+++ b/lass/2configs/binary-cache/server.nix
@@ -17,13 +17,13 @@
owner.name = "nix-serve";
source-path = toString <secrets> + "/nix-serve.key";
};
- krebs.nginx = {
+ services.nginx = {
enable = true;
- servers.nix-serve = {
- server-names = [ "cache.prism.r" ];
- locations = lib.singleton (lib.nameValuePair "/" ''
+ virtualHosts.nix-serve = {
+ serverAliases = [ "cache.prism.r" ];
+ locations."/".extraConfig = ''
proxy_pass http://localhost:${toString config.services.nix-serve.port};
- '');
+ '';
};
};
}
diff --git a/lass/2configs/downloading.nix b/lass/2configs/downloading.nix
index ca0aded78..27b6d22d5 100644
--- a/lass/2configs/downloading.nix
+++ b/lass/2configs/downloading.nix
@@ -40,9 +40,8 @@ with import <stockholm/lib>;
enable = true;
web = {
enable = true;
- enableAuth = true;
- listenAddress = "9091";
- authfile = <secrets/torrent-authfile>;
+ port = 9091;
+ basicAuth = import <secrets/torrent-auth>;
};
rutorrent.enable = true;
enableXMLRPC = true;
diff --git a/lass/2configs/go.nix b/lass/2configs/go.nix
index f6ddbe96d..8e31f050f 100644
--- a/lass/2configs/go.nix
+++ b/lass/2configs/go.nix
@@ -8,16 +8,14 @@ with import <stockholm/lib>;
krebs.go = {
enable = true;
};
- krebs.nginx = {
+ services.nginx = {
enable = true;
- servers.go = {
- locations = [
- (nameValuePair "/" ''
- proxy_set_header Host go;
- proxy_pass http://localhost:1337;
- '')
- ];
- server-names = [
+ virtualHosts.go = {
+ locations."/".extraConfig = ''
+ proxy_set_header Host go;
+ proxy_pass http://localhost:1337;
+ '';
+ serverAliases = [
"go"
"go.retiolum"
];
diff --git a/lass/2configs/hfos.nix b/lass/2configs/hfos.nix
new file mode 100644
index 000000000..f6f09e226
--- /dev/null
+++ b/lass/2configs/hfos.nix
@@ -0,0 +1,33 @@
+{ config, lib, pkgs, ... }:
+
+with import <stockholm/lib>;
+{
+ users.users.riot = {
+ uid = genid "riot";
+ isNormalUser = true;
+ extraGroups = [ "libvirtd" ];
+ openssh.authorizedKeys.keys = [
+ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC5NnADMRySix1kcxQwseHfem/SCDmkbvwc+ZZu7HFz4zss1k4Fh1knsukMY83zlno8p/8bBPWyixLTxuZHNy26af8GP95bvV3brnpRmrijkE4dOlpd+wvPcIyTKNunJvMzNDP/ry9g2GczEZKGWvQZudq/nI54HaCaRWM2kzEMEg8Rr9SGlZEKo8B+8HGVsz1a8USOnm8dqYP9dmfLdpy/s+7yWJSPh8wokvWeOOrahirOhO99ZfXm2gcdHqSKvbD2+4EYEm5w8iFrbYBT2wZ3u9ZOiooL/JuEBBdnDrcqZqeaTw0vOdKPvkUP8/rzRjvIwSkynMSD8fixpdGRNeIB riot@lagrange"
+ config.krebs.users.lass.pubkey
+ ];
+ };
+
+ networking.interfaces.et0.ip4 = [
+ {
+ address = "213.239.205.246";
+ prefixLength = 24;
+ }
+ ];
+
+ krebs.iptables.tables.nat.PREROUTING.rules = [
+ { v6 = false; precedence = 1000; predicate = "-d 213.239.205.246 -p tcp --dport 22"; target = "DNAT --to-destination 192.168.122.208:22"; }
+ { v6 = false; precedence = 1000; predicate = "-d 213.239.205.246 -p tcp --dport 80"; target = "DNAT --to-destination 192.168.122.208:1080"; }
+ { v6 = false; precedence = 1000; predicate = "-d 213.239.205.246 -p tcp --dport 443"; target = "DNAT --to-destination 192.168.122.208:1443"; }
+ ];
+
+ krebs.iptables.tables.filter.FORWARD.rules = [
+ { v6 = false; precedence = 1000; predicate = "-d 192.168.122.208 -p tcp --dport 22 -m state --state NEW,ESTABLISHED,RELATED"; target = "ACCEPT"; }
+ { v6 = false; precedence = 1000; predicate = "-d 192.168.122.208 -p tcp --dport 1080 -m state --state NEW,ESTABLISHED,RELATED"; target = "ACCEPT"; }
+ { v6 = false; precedence = 1000; predicate = "-d 192.168.122.208 -p tcp --dport 1443 -m state --state NEW,ESTABLISHED,RELATED"; target = "ACCEPT"; }
+ ];
+}
diff --git a/lass/2configs/libvirt.nix b/lass/2configs/libvirt.nix
index e739d2f79..a71638323 100644
--- a/lass/2configs/libvirt.nix
+++ b/lass/2configs/libvirt.nix
@@ -1,23 +1,30 @@
{ config, lib, pkgs, ... }:
-let
- mainUser = config.users.extraUsers.mainUser;
- inherit (import <stockholm/lib>) genid;
-
-in {
+{
+ users.users.mainUser.extraGroups = [ "libvirtd" ];
virtualisation.libvirtd.enable = true;
- users.extraUsers = {
- libvirt = {
- uid = genid "libvirt";
- description = "user for running libvirt stuff";
- home = "/home/libvirt";
- useDefaultShell = true;
- extraGroups = [ "libvirtd" "audio" ];
- createHome = true;
- };
- };
- security.sudo.extraConfig = ''
- ${mainUser.name} ALL=(libvirt) NOPASSWD: ALL
- '';
+ krebs.iptables.tables.filter.INPUT.rules = [
+ { v6 = false; predicate = "-i virbr0 -p udp -m udp --dport 53"; target = "ACCEPT"; }
+ { v6 = false; predicate = "-i virbr0 -p tcp -m tcp --dport 53"; target = "ACCEPT"; }
+ { v6 = false; predicate = "-i virbr0 -p udp -m udp --dport 67"; target = "ACCEPT"; }
+ { v6 = false; predicate = "-i virbr0 -p tcp -m tcp --dport 67"; target = "ACCEPT"; }
+ ];
+ krebs.iptables.tables.filter.FORWARD.rules = [
+ { v6 = false; predicate = "-d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED"; target = "ACCEPT"; }
+ { v6 = false; predicate = "-s 192.168.122.0/24 -i virbr0"; target = "ACCEPT"; }
+ { v6 = false; predicate = "-i virbr0 -o virbr0"; target = "ACCEPT"; }
+ { v6 = false; predicate = "-o virbr0"; target = "REJECT --reject-with icmp-port-unreachable"; }
+ { v6 = false; predicate = "-i virbr0"; target = "REJECT --reject-with icmp-port-unreachable"; }
+ ];
+ krebs.iptables.tables.filter.OUTPUT.rules = [
+ { v6 = false; predicate = "-o virbr0 -p udp -m udp --dport 68"; target = "ACCEPT"; }
+ ];
+ krebs.iptables.tables.nat.POSTROUTING.rules = [
+ { v6 = false; predicate = "-s 192.168.122.0/24 -d 224.0.0.0/24"; target = "RETURN"; }
+ { v6 = false; predicate = "-s 192.168.122.0/24 -d 255.255.255.255"; target = "RETURN"; }
+ { v6 = false; predicate = "-s 192.168.122.0/24 ! -d 192.168.122.0/24"; target = "MASQUERADE"; }
+ { v6 = false; predicate = "-s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp"; target = "MASQUERADE --to-ports 1024-65535"; }
+ { v6 = false; predicate = "-s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp"; target = "MASQUERADE --to-ports 1024-65535"; }
+ ];
}
diff --git a/lass/2configs/nixpkgs.nix b/lass/2configs/nixpkgs.nix
index e2bdd5755..6885ef59d 100644
--- a/lass/2configs/nixpkgs.nix
+++ b/lass/2configs/nixpkgs.nix
@@ -2,7 +2,7 @@
{
krebs.build.source.nixpkgs.git = {
- url = https://github.com/nixos/nixpkgs;
- ref = "2a97e149e50e1c701a957c6bd060cc74b7e9a905";
+ url = https://github.com/lassulus/nixpkgs;
+ ref = "819c1ab486a9c81d6a6b76c759aedece2df39037";
};
}
diff --git a/lass/2configs/radio.nix b/lass/2configs/radio.nix
index 88e826683..18574471e 100644
--- a/lass/2configs/radio.nix
+++ b/lass/2configs/radio.nix
@@ -156,7 +156,7 @@ in {
})
];
};
- krebs.nginx.servers."lassul.us".locations = let
+ services.nginx.virtualHosts."lassul.us".locations."/the_playlist".extraConfig = let
html = pkgs.writeText "index.html" ''
<!DOCTYPE html>
<html lang="en">
@@ -175,10 +175,8 @@ in {
</body>
</html>
'';
- in [
- (nameValuePair "/the_playlist" ''
- default_type "text/html";
- alias ${html};
- '')
- ];
+ in ''
+ default_type "text/html";
+ alias ${html};
+ '';
}
diff --git a/lass/2configs/realwallpaper.nix b/lass/2configs/realwallpaper.nix
index 2ab52ed92..cf9795071 100644
--- a/lass/2configs/realwallpaper.nix
+++ b/lass/2configs/realwallpaper.nix
@@ -9,15 +9,13 @@ let
in {
krebs.realwallpaper.enable = true;
- krebs.nginx.servers.wallpaper = {
- server-names = [
+ services.nginx.virtualHosts.wallpaper = {
+ serverAliases = [
hostname
];
- locations = [
- (nameValuePair "/wallpaper.png" ''
- root /tmp/;
- '')
- ];
+ locations."/wallpaper.png".extraConfig = ''
+ root /tmp/;
+ '';
};
krebs.iptables = {
diff --git a/lass/2configs/tests/dummy-secrets/torrent-auth b/lass/2configs/tests/dummy-secrets/torrent-auth
new file mode 100644
index 000000000..f167e71f9
--- /dev/null
+++ b/lass/2configs/tests/dummy-secrets/torrent-auth
@@ -0,0 +1,3 @@
+{
+ x = "xxx";
+}
diff --git a/lass/2configs/tests/dummy-secrets/torrent-authfile b/lass/2configs/tests/dummy-secrets/torrent-authfile
deleted file mode 100644
index 93a8e1fed..000000000
--- a/lass/2configs/tests/dummy-secrets/torrent-authfile
+++ /dev/null
@@ -1 +0,0 @@
-"xxx"
diff --git a/lass/2configs/websites/domsen.nix b/lass/2configs/websites/domsen.nix
index 76e13412b..2bbfe7333 100644
--- a/lass/2configs/websites/domsen.nix
+++ b/lass/2configs/websites/domsen.nix
@@ -35,10 +35,10 @@ in {
(servePage [ "makeup.apanowicz.de" "www.makeup.apanowicz.de" ])
(ssl [ "pixelpocket.de" ])
- (servePage [ "pixelpocket.de" "www.pixelpocket.de" ])
+ (servePage [ "pixelpocket.de" ])
(ssl [ "o.ubikmedia.de" ])
- (serveOwncloud [ "o.ubikmedia.de" "www.o.ubikmedia.de" ])
+ (serveOwncloud [ "o.ubikmedia.de" ])
(ssl [
"ubikmedia.de"
@@ -88,15 +88,12 @@ in {
"www.illucloud.eu"
"www.illucloud.de"
"www.illucloud.com"
- "*.ubikmedia.de"
])
];
- krebs.nginx.servers."ubikmedia.de".locations = [
- (lib.nameValuePair "/piwik" ''
- try_files $uri $uri/ /index.php?$args;
- '')
- ];
+ services.nginx.virtualHosts."ubikmedia.de".locations."/piwika".extraConfig = ''
+ try_files $uri $uri/ /index.php?$args;
+ '';
lass.mysqlBackup.config.all.databases = [
"ubikmedia_de"
diff --git a/lass/2configs/websites/fritz.nix b/lass/2configs/websites/fritz.nix
index 52914f444..f9035dd13 100644
--- a/lass/2configs/websites/fritz.nix
+++ b/lass/2configs/websites/fritz.nix
@@ -7,7 +7,6 @@ let
head
;
inherit (import <stockholm/lass/2configs/websites/util.nix> {inherit lib pkgs;})
- manageCerts
ssl
servePage
serveWordpress
@@ -26,8 +25,6 @@ let
in {
imports = [
./sqlBackup.nix
- (ssl [ "biostase.de" "www.biostase.de" ])
- (serveWordpress [ "biostase.de" "www.biostase.de" ])
(ssl [ "radical-dreamers.de" "www.radical-dreamers.de" ])
(serveWordpress [ "radical-dreamers.de" "www.radical-dreamers.de" ])
@@ -50,30 +47,17 @@ in {
(ssl [ "habsys.de" "www.habsys.de" "habsys.eu" "www.habsys.eu" ])
(servePage [ "habsys.de" "www.habsys.de" "habsys.eu" "www.habsys.eu" ])
- (manageCerts [ "goldbarrendiebstahl.radical-dreamers.de" ])
+ (ssl [ "goldbarrendiebstahl.radical-dreamers.de" ])
(serveWordpress [ "goldbarrendiebstahl.radical-dreamers.de" ])
];
lass.mysqlBackup.config.all.databases = [
- "biostase_de"
"eastuttgart_de"
"radical_dreamers_de"
"spielwaren_kern_de"
"ttf_kleinaspach_de"
];
- #password protect some dirs
- krebs.nginx.servers."biostase.de".locations = [
- (nameValuePair "/old_biostase.de" ''
- auth_basic "Administrator Login";
- auth_basic_user_file /srv/http/biostase.de/old_biostase.de/.htpasswd;
- '')
- (nameValuePair "/mysqldumper" ''
- auth_basic "Administrator Login";
- auth_basic_user_file /srv/http/biostase.de/mysqldumper/.htpasswd;
- '')
- ];
-
users.users.root.openssh.authorizedKeys.keys = [
config.krebs.users.fritz.pubkey
];
diff --git a/lass/2configs/websites/lassulus.nix b/lass/2configs/websites/lassulus.nix
index 29374e97d..cfdda05db 100644
--- a/lass/2configs/websites/lassulus.nix
+++ b/lass/2configs/websites/lassulus.nix
@@ -14,7 +14,7 @@ in {
security.acme = {
certs."lassul.us" = {
email = "lass@lassul.us";
- webroot = "/var/lib/acme/challenges/lassul.us";
+ webroot = "/var/lib/acme/acme-challenges";
plugins = [
"account_key.json"
"key.pem"
@@ -26,7 +26,7 @@ in {
};
certs."cgit.lassul.us" = {
email = "lassulus@gmail.com";
- webroot = "/var/lib/acme/challenges/cgit.lassul.us";
+ webroot = "/var/lib/acme/acme-challenges";
plugins = [
"account_key.json"
"key.pem"
@@ -69,59 +69,54 @@ in {
"nginx"
];
- krebs.nginx.servers."lassul.us" = {
- server-names = [ "lassul.us" ];
- locations = [
- (nameValuePair "/" ''
- root /srv/http/lassul.us;
- '')
- (nameValuePair "/.well-known/acme-challenge" ''
- root /var/lib/acme/challenges/lassul.us/;
- '')
- (nameValuePair "= /retiolum-hosts.tar.bz2" ''
- alias ${config.krebs.tinc.retiolum.hostsArchive};
- '')
- (nameValuePair "/tinc" ''
- alias ${config.krebs.tinc_graphs.workingDir}/external;
- '')
- (let
- script = pkgs.writeBash "test" ''
- echo "hello world"
- '';
- #script = pkgs.execve "ddate-wrapper" {
- # filename = "${pkgs.ddate}/bin/ddate";
- # argv = [];
- #};
- in nameValuePair "= /ddate" ''
- gzip off;
- fastcgi_pass unix:/var/run/lass-stuff.socket;
- include ${pkgs.nginx}/conf/fastcgi_params;
- fastcgi_param DOCUMENT_ROOT /var/empty;
- fastcgi_param SCRIPT_FILENAME ${script};
- fastcgi_param SCRIPT_NAME ${script};
- '')
- ];
- ssl = {
- enable = true;
- certificate = "/var/lib/acme/lassul.us/fullchain.pem";
- certificate_key = "/var/lib/acme/lassul.us/key.pem";
- };
+ services.nginx.virtualHosts."lassul.us" = {
+ serverAliases = [ "lassul.us" ];
+ locations."/".extraConfig = ''
+ root /srv/http/lassul.us;
+ '';
+ locations."/.well-known/acme-challenge".extraConfig = ''
+ root /var/lib/acme/challenges/lassul.us/;
+ '';
+ locations."= /retiolum-hosts.tar.bz2".extraConfig = ''
+ alias ${config.krebs.tinc.retiolum.hostsArchive};
+ '';
+ locations."/tinc".extraConfig = ''
+ alias ${config.krebs.tinc_graphs.workingDir}/external;
+ '';
+ locations."= /ddate".extraConfig = let
+ script = pkgs.writeBash "test" ''
+ echo "hello world"
+ '';
+ #script = pkgs.execve "ddate-wrapper" {
+ # filename = "${pkgs.ddate}/bin/ddate";
+ # argv = [];
+ #};
+ in ''
+ gzip off;
+ fastcgi_pass unix:/var/run/lass-stuff.socket;
+ include ${pkgs.nginx}/conf/fastcgi_params;
+ fastcgi_param DOCUMENT_ROOT /var/empty;
+ fastcgi_param SCRIPT_FILENAME ${script};
+ fastcgi_param SCRIPT_NAME ${script};
+ '';
+
+ enableSSL = true;
+ extraConfig = "listen 80;";
+ sslCertificate = "/var/lib/acme/lassul.us/fullchain.pem";
+ sslCertificateKey = "/var/lib/acme/lassul.us/key.pem";
};
- krebs.nginx.servers.cgit = {
- server-names = [
+ services.nginx.virtualHosts.cgit = {
+ serverAliases = [
"cgit.lassul.us"
];
- locations = [
- (nameValuePair "/.well-known/acme-challenge" ''
- root /var/lib/acme/challenges/cgit.lassul.us/;
- '')
- ];
- ssl = {
- enable = true;
- certificate = "/var/lib/acme/cgit.lassul.us/fullchain.pem";
- certificate_key = "/var/lib/acme/cgit.lassul.us/key.pem";
- };
+ locations."/.well-known/acme-challenge".extraConfig = ''
+ root /var/lib/acme/acme-challenges;
+ '';
+ enableSSL = true;
+ extraConfig = "listen 80;";
+ sslCertificate = "/var/lib/acme/cgit.lassul.us/fullchain.pem";
+ sslCertificateKey = "/var/lib/acme/cgit.lassul.us/key.pem";
};
users.users.blog = {
diff --git a/lass/2configs/websites/util.nix b/lass/2configs/websites/util.nix
index 0b2a6faac..6e236ab63 100644
--- a/lass/2configs/websites/util.nix
+++ b/lass/2configs/websites/util.nix
@@ -4,66 +4,24 @@ with lib;
rec {
- manageCerts = domains:
+ ssl = domains :
let
domain = head domains;
in {
- #security.acme = {
- # certs."${domain}" = {
- # email = "lassulus@gmail.com";
- # webroot = "/var/lib/acme/challenges/${domain}";
- # plugins = [
- # "account_key.json"
- # "key.pem"
- # "fullchain.pem"
- # ];
- # group = "nginx";
- # allowKeysForGroup = true;
- # extraDomains = genAttrs domains (_: null);
- # };
- #};
-
- krebs.nginx.servers."${domain}" = {
- ssl.acmeEnable = true;
- server-names = domains;
- #locations = [
- # (nameValuePair "/.well-known/acme-challenge" ''
- # root /var/lib/acme/challenges/${domain}/;
- # '')
- #];
- };
- };
-
- ssl = domains:
- {
- imports = [
- ( manageCerts domains )
- #( activateACME (head domains) )
- ];
- };
-
- activateACME = domain:
- {
- krebs.nginx.servers.${domain} = {
- ssl = {
- enable = true;
- certificate = "/var/lib/acme/${domain}/fullchain.pem";
- certificate_key = "/var/lib/acme/${domain}/key.pem";
- };
- };
};
servePage = domains:
let
domain = head domains;
in {
- krebs.nginx.servers.${domain} = {
- server-names = domains;
- locations = [
- (nameValuePair "/" ''
- root /srv/http/${domain};
- '')
- ];
+ services.nginx.virtualHosts.${domain} = {
+ enableACME = true;
+ enableSSL = true;
+ extraConfig = "listen 80;";
+ serverAliases = domains;
+ locations."/".extraConfig = ''
+ root /srv/http/${domain};
+ '';
};
};
@@ -71,9 +29,13 @@ rec {
let
domain = head domains;
in {
- krebs.nginx.servers."${domain}" = {
- server-names = domains;
+ services.nginx.virtualHosts."${domain}" = {
+ enableACME = true;
+ enableSSL = true;
+ serverAliases = domains;
extraConfig = ''
+ listen 80;
+
# Add headers to serve security related headers
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
add_header X-Content-Type-Options nosniff;
@@ -109,56 +71,53 @@ rec {
rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;
'';
- locations = [
- (nameValuePair "/robots.txt" ''
- allow all;
- log_not_found off;
- access_log off;
- '')
- (nameValuePair "~ ^/(build|tests|config|lib|3rdparty|templates|data)/" ''
- deny all;
- '')
-
- (nameValuePair "~ ^/(?:autotest|occ|issue|indie|db_|console)" ''
- deny all;
- '')
-
- (nameValuePair "/" ''
- rewrite ^/remote/(.*) /remote.php last;
- rewrite ^(/core/doc/[^\/]+/)$ $1/index.html;
- try_files $uri $uri/ =404;
- '')
-
- (nameValuePair "~ \.php(?:$|/)" ''
- fastcgi_split_path_info ^(.+\.php)(/.+)$;
- include ${pkgs.nginx}/conf/fastcgi_params;
- fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
- fastcgi_param PATH_INFO $fastcgi_path_info;
- fastcgi_param HTTPS on;
- fastcgi_param modHeadersAvailable true; #Avoid sending the security headers twice
- fastcgi_pass unix:/srv/http/${domain}/phpfpm.pool;
- fastcgi_intercept_errors on;
- '')
-
- # Adding the cache control header for js and css files
- # Make sure it is BELOW the location ~ \.php(?:$|/) { block
- (nameValuePair "~* \.(?:css|js)$" ''
- add_header Cache-Control "public, max-age=7200";
- # Add headers to serve security related headers
- add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
- add_header X-Content-Type-Options nosniff;
- add_header X-Frame-Options "SAMEORIGIN";
- add_header X-XSS-Protection "1; mode=block";
- add_header X-Robots-Tag none;
- # Optional: Don't log access to assets
- access_log off;
- '')
-
- # Optional: Don't log access to other assets
- (nameValuePair "~* \.(?:jpg|jpeg|gif|bmp|ico|png|swf)$" ''
- access_log off;
- '')
- ];
+ locations."/robots.txt".extraConfig = ''
+ allow all;
+ log_not_found off;
+ access_log off;
+ '';
+ locations."~ ^/(build|tests|config|lib|3rdparty|templates|data)/".extraConfig = ''
+ deny all;
+ '';
+
+ locations."~ ^/(?:autotest|occ|issue|indie|db_|console)".extraConfig = ''
+ deny all;
+ '';
+
+ locations."/".extraConfig = ''
+ rewrite ^/remote/(.*) /remote.php last;
+ rewrite ^(/core/doc/[^\/]+/)$ $1/index.html;
+ try_files $uri $uri/ =404;
+ '';
+
+ locations."~ \.php(?:$|/)".extraConfig = ''
+ fastcgi_split_path_info ^(.+\.php)(/.+)$;
+ include ${pkgs.nginx}/conf/fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ fastcgi_param PATH_INFO $fastcgi_path_info;
+ fastcgi_param HTTPS on;
+ fastcgi_param modHeadersAvailable true; #Avoid sending the security headers twice
+ fastcgi_pass unix:/srv/http/${domain}/phpfpm.pool;
+ fastcgi_intercept_errors on;
+ '';
+
+ # Adding the cache control header for js and css files
+ # Make sure it is BELOW the location ~ \.php(?:$|/) { block
+ locations."~* \.(?:css|js)$".extraConfig = ''
+ add_header Cache-Control "public, max-age=7200";
+ # Add headers to serve security related headers
+ add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
+ add_header X-Content-Type-Options nosniff;
+ add_header X-Frame-Options "SAMEORIGIN";
+ add_header X-XSS-Protection "1; mode=block";
+ add_header X-Robots-