From b9e3b93105d4214de43ee596adff7cf661311780 Mon Sep 17 00:00:00 2001 From: lassulus Date: Mon, 26 Dec 2016 14:18:08 +0100 Subject: l: krebs.nginx -> services.nginx --- lass/2configs/websites/domsen.nix | 12 +-- lass/2configs/websites/fritz.nix | 12 --- lass/2configs/websites/lassulus.nix | 92 ++++++++-------- lass/2configs/websites/util.nix | 203 ++++++++++++++---------------------- 4 files changed, 128 insertions(+), 191 deletions(-) (limited to 'lass/2configs/websites') diff --git a/lass/2configs/websites/domsen.nix b/lass/2configs/websites/domsen.nix index 76e13412b..86800fc05 100644 --- a/lass/2configs/websites/domsen.nix +++ b/lass/2configs/websites/domsen.nix @@ -35,10 +35,10 @@ in { (servePage [ "makeup.apanowicz.de" "www.makeup.apanowicz.de" ]) (ssl [ "pixelpocket.de" ]) - (servePage [ "pixelpocket.de" "www.pixelpocket.de" ]) + (servePage [ "pixelpocket.de" ]) (ssl [ "o.ubikmedia.de" ]) - (serveOwncloud [ "o.ubikmedia.de" "www.o.ubikmedia.de" ]) + (serveOwncloud [ "o.ubikmedia.de" ]) (ssl [ "ubikmedia.de" @@ -92,11 +92,9 @@ in { ]) ]; - krebs.nginx.servers."ubikmedia.de".locations = [ - (lib.nameValuePair "/piwik" '' - try_files $uri $uri/ /index.php?$args; - '') - ]; + services.nginx.virtualHosts."ubikmedia.de".locations."/piwika".extraConfig = '' + try_files $uri $uri/ /index.php?$args; + ''; lass.mysqlBackup.config.all.databases = [ "ubikmedia_de" diff --git a/lass/2configs/websites/fritz.nix b/lass/2configs/websites/fritz.nix index 52914f444..16b705cdb 100644 --- a/lass/2configs/websites/fritz.nix +++ b/lass/2configs/websites/fritz.nix @@ -62,18 +62,6 @@ in { "ttf_kleinaspach_de" ]; - #password protect some dirs - krebs.nginx.servers."biostase.de".locations = [ - (nameValuePair "/old_biostase.de" '' - auth_basic "Administrator Login"; - auth_basic_user_file /srv/http/biostase.de/old_biostase.de/.htpasswd; - '') - (nameValuePair "/mysqldumper" '' - auth_basic "Administrator Login"; - auth_basic_user_file /srv/http/biostase.de/mysqldumper/.htpasswd; - '') - ]; - users.users.root.openssh.authorizedKeys.keys = [ config.krebs.users.fritz.pubkey ]; diff --git a/lass/2configs/websites/lassulus.nix b/lass/2configs/websites/lassulus.nix index 29374e97d..2690d7a0e 100644 --- a/lass/2configs/websites/lassulus.nix +++ b/lass/2configs/websites/lassulus.nix @@ -69,59 +69,53 @@ in { "nginx" ]; - krebs.nginx.servers."lassul.us" = { - server-names = [ "lassul.us" ]; - locations = [ - (nameValuePair "/" '' - root /srv/http/lassul.us; - '') - (nameValuePair "/.well-known/acme-challenge" '' - root /var/lib/acme/challenges/lassul.us/; - '') - (nameValuePair "= /retiolum-hosts.tar.bz2" '' - alias ${config.krebs.tinc.retiolum.hostsArchive}; - '') - (nameValuePair "/tinc" '' - alias ${config.krebs.tinc_graphs.workingDir}/external; - '') - (let - script = pkgs.writeBash "test" '' - echo "hello world" - ''; - #script = pkgs.execve "ddate-wrapper" { - # filename = "${pkgs.ddate}/bin/ddate"; - # argv = []; - #}; - in nameValuePair "= /ddate" '' - gzip off; - fastcgi_pass unix:/var/run/lass-stuff.socket; - include ${pkgs.nginx}/conf/fastcgi_params; - fastcgi_param DOCUMENT_ROOT /var/empty; - fastcgi_param SCRIPT_FILENAME ${script}; - fastcgi_param SCRIPT_NAME ${script}; - '') - ]; - ssl = { - enable = true; - certificate = "/var/lib/acme/lassul.us/fullchain.pem"; - certificate_key = "/var/lib/acme/lassul.us/key.pem"; - }; + services.nginx.virtualHosts."lassul.us" = { + serverAliases = [ "lassul.us" ]; + locations."/".extraConfig = '' + root /srv/http/lassul.us; + ''; + locations."/.well-known/acme-challenge".extraConfig = '' + root /var/lib/acme/challenges/lassul.us/; + ''; + locations."= /retiolum-hosts.tar.bz2".extraConfig = '' + alias ${config.krebs.tinc.retiolum.hostsArchive}; + ''; + locations."/tinc".extraConfig = '' + alias ${config.krebs.tinc_graphs.workingDir}/external; + ''; + locations."= /ddate".extraConfig = let + script = pkgs.writeBash "test" '' + echo "hello world" + ''; + #script = pkgs.execve "ddate-wrapper" { + # filename = "${pkgs.ddate}/bin/ddate"; + # argv = []; + #}; + in '' + gzip off; + fastcgi_pass unix:/var/run/lass-stuff.socket; + include ${pkgs.nginx}/conf/fastcgi_params; + fastcgi_param DOCUMENT_ROOT /var/empty; + fastcgi_param SCRIPT_FILENAME ${script}; + fastcgi_param SCRIPT_NAME ${script}; + ''; + + enableSSL = true; + extraConfig = "listen 80;"; + sslCertificate = "/var/lib/acme/lassul.us/fullchain.pem"; + sslCertificateKey = "/var/lib/acme/lassul.us/key.pem"; }; - krebs.nginx.servers.cgit = { - server-names = [ + services.nginx.virtualHosts.cgit = { + serverAliases = [ "cgit.lassul.us" ]; - locations = [ - (nameValuePair "/.well-known/acme-challenge" '' - root /var/lib/acme/challenges/cgit.lassul.us/; - '') - ]; - ssl = { - enable = true; - certificate = "/var/lib/acme/cgit.lassul.us/fullchain.pem"; - certificate_key = "/var/lib/acme/cgit.lassul.us/key.pem"; - }; + locations."/.well-known/acme-challenge".extraConfig = '' + root /var/lib/acme/acme-challenges; + ''; + enableSSL = true; + sslCertificate = "/var/lib/acme/cgit.lassul.us/fullchain.pem"; + sslCertificateKey = "/var/lib/acme/cgit.lassul.us/key.pem"; }; users.users.blog = { diff --git a/lass/2configs/websites/util.nix b/lass/2configs/websites/util.nix index 0b2a6faac..6e236ab63 100644 --- a/lass/2configs/websites/util.nix +++ b/lass/2configs/websites/util.nix @@ -4,66 +4,24 @@ with lib; rec { - manageCerts = domains: + ssl = domains : let domain = head domains; in { - #security.acme = { - # certs."${domain}" = { - # email = "lassulus@gmail.com"; - # webroot = "/var/lib/acme/challenges/${domain}"; - # plugins = [ - # "account_key.json" - # "key.pem" - # "fullchain.pem" - # ]; - # group = "nginx"; - # allowKeysForGroup = true; - # extraDomains = genAttrs domains (_: null); - # }; - #}; - - krebs.nginx.servers."${domain}" = { - ssl.acmeEnable = true; - server-names = domains; - #locations = [ - # (nameValuePair "/.well-known/acme-challenge" '' - # root /var/lib/acme/challenges/${domain}/; - # '') - #]; - }; - }; - - ssl = domains: - { - imports = [ - ( manageCerts domains ) - #( activateACME (head domains) ) - ]; - }; - - activateACME = domain: - { - krebs.nginx.servers.${domain} = { - ssl = { - enable = true; - certificate = "/var/lib/acme/${domain}/fullchain.pem"; - certificate_key = "/var/lib/acme/${domain}/key.pem"; - }; - }; }; servePage = domains: let domain = head domains; in { - krebs.nginx.servers.${domain} = { - server-names = domains; - locations = [ - (nameValuePair "/" '' - root /srv/http/${domain}; - '') - ]; + services.nginx.virtualHosts.${domain} = { + enableACME = true; + enableSSL = true; + extraConfig = "listen 80;"; + serverAliases = domains; + locations."/".extraConfig = '' + root /srv/http/${domain}; + ''; }; }; @@ -71,9 +29,13 @@ rec { let domain = head domains; in { - krebs.nginx.servers."${domain}" = { - server-names = domains; + services.nginx.virtualHosts."${domain}" = { + enableACME = true; + enableSSL = true; + serverAliases = domains; extraConfig = '' + listen 80; + # Add headers to serve security related headers add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;"; add_header X-Content-Type-Options nosniff; @@ -109,56 +71,53 @@ rec { rewrite ^/.well-known/host-meta /public.php?service=host-meta last; rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last; ''; - locations = [ - (nameValuePair "/robots.txt" '' - allow all; - log_not_found off; - access_log off; - '') - (nameValuePair "~ ^/(build|tests|config|lib|3rdparty|templates|data)/" '' - deny all; - '') - - (nameValuePair "~ ^/(?:autotest|occ|issue|indie|db_|console)" '' - deny all; - '') - - (nameValuePair "/" '' - rewrite ^/remote/(.*) /remote.php last; - rewrite ^(/core/doc/[^\/]+/)$ $1/index.html; - try_files $uri $uri/ =404; - '') - - (nameValuePair "~ \.php(?:$|/)" '' - fastcgi_split_path_info ^(.+\.php)(/.+)$; - include ${pkgs.nginx}/conf/fastcgi_params; - fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; - fastcgi_param PATH_INFO $fastcgi_path_info; - fastcgi_param HTTPS on; - fastcgi_param modHeadersAvailable true; #Avoid sending the security headers twice - fastcgi_pass unix:/srv/http/${domain}/phpfpm.pool; - fastcgi_intercept_errors on; - '') - - # Adding the cache control header for js and css files - # Make sure it is BELOW the location ~ \.php(?:$|/) { block - (nameValuePair "~* \.(?:css|js)$" '' - add_header Cache-Control "public, max-age=7200"; - # Add headers to serve security related headers - add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;"; - add_header X-Content-Type-Options nosniff; - add_header X-Frame-Options "SAMEORIGIN"; - add_header X-XSS-Protection "1; mode=block"; - add_header X-Robots-Tag none; - # Optional: Don't log access to assets - access_log off; - '') - - # Optional: Don't log access to other assets - (nameValuePair "~* \.(?:jpg|jpeg|gif|bmp|ico|png|swf)$" '' - access_log off; - '') - ]; + locations."/robots.txt".extraConfig = '' + allow all; + log_not_found off; + access_log off; + ''; + locations."~ ^/(build|tests|config|lib|3rdparty|templates|data)/".extraConfig = '' + deny all; + ''; + + locations."~ ^/(?:autotest|occ|issue|indie|db_|console)".extraConfig = '' + deny all; + ''; + + locations."/".extraConfig = '' + rewrite ^/remote/(.*) /remote.php last; + rewrite ^(/core/doc/[^\/]+/)$ $1/index.html; + try_files $uri $uri/ =404; + ''; + + locations."~ \.php(?:$|/)".extraConfig = '' + fastcgi_split_path_info ^(.+\.php)(/.+)$; + include ${pkgs.nginx}/conf/fastcgi_params; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + fastcgi_param PATH_INFO $fastcgi_path_info; + fastcgi_param HTTPS on; + fastcgi_param modHeadersAvailable true; #Avoid sending the security headers twice + fastcgi_pass unix:/srv/http/${domain}/phpfpm.pool; + fastcgi_intercept_errors on; + ''; + + # Adding the cache control header for js and css files + # Make sure it is BELOW the location ~ \.php(?:$|/) { block + locations."~* \.(?:css|js)$".extraConfig = '' + add_header Cache-Control "public, max-age=7200"; + # Add headers to serve security related headers + add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;"; + add_header X-Content-Type-Options nosniff; + add_header X-Frame-Options "SAMEORIGIN"; + add_header X-XSS-Protection "1; mode=block"; + add_header X-Robots-Tag none; + # Optional: Don't log access to assets + access_log off; + ''; + # Optional: Don't log access to other assets + locations."~* \.(?:jpg|jpeg|gif|bmp|ico|png|swf)$".extraConfig = '' + access_log off; + ''; }; services.phpfpm.poolConfigs."${domain}" = '' listen = /srv/http/${domain}/phpfpm.pool @@ -183,9 +142,12 @@ rec { domain = head domains; in { - krebs.nginx.servers."${domain}" = { - server-names = domains; + services.nginx.virtualHosts."${domain}" = { + enableACME = true; + enableSSL = true; + serverAliases = domains; extraConfig = '' + listen 80; root /srv/http/${domain}/; index index.php; access_log /tmp/nginx_acc.log; @@ -194,24 +156,19 @@ rec { error_page 500 502 503 504 /50x.html; client_max_body_size 100m; ''; - locations = [ - (nameValuePair "/" '' - try_files $uri $uri/ /index.php?$args; - '') - (nameValuePair "~ \.php$" '' - fastcgi_pass unix:/srv/http/${domain}/phpfpm.pool; - include ${pkgs.nginx}/conf/fastcgi.conf; - '') - #(nameValuePair "~ /\\." '' - # deny all; - #'') - #Directives to send expires headers and turn off 404 error logging. - (nameValuePair "~* ^.+\.(xml|ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|css|rss|atom|js|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$" '' - access_log off; - log_not_found off; - expires max; - '') - ]; + locations."/".extraConfig = '' + try_files $uri $uri/ /index.php?$args; + ''; + locations."~ \.php$".extraConfig = '' + fastcgi_pass unix:/srv/http/${domain}/phpfpm.pool; + include ${pkgs.nginx}/conf/fastcgi.conf; + ''; + #Directives to send expires headers and turn off 404 error logging. + locations."~* ^.+\.(xml|ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|css|rss|atom|js|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$".extraConfig = '' + access_log off; + log_not_found off; + expires max; + ''; }; services.phpfpm.poolConfigs."${domain}" = '' listen = /srv/http/${domain}/phpfpm.pool -- cgit v1.2.3 From e2237cca2c5216311d9d327ab8a5f0ec55b39b8e Mon Sep 17 00:00:00 2001 From: lassulus Date: Mon, 26 Dec 2016 14:19:04 +0100 Subject: l 2 websites domsen: stop serving *.ubikmedia.de --- lass/2configs/websites/domsen.nix | 1 - 1 file changed, 1 deletion(-) (limited to 'lass/2configs/websites') diff --git a/lass/2configs/websites/domsen.nix b/lass/2configs/websites/domsen.nix index 86800fc05..2bbfe7333 100644 --- a/lass/2configs/websites/domsen.nix +++ b/lass/2configs/websites/domsen.nix @@ -88,7 +88,6 @@ in { "www.illucloud.eu" "www.illucloud.de" "www.illucloud.com" - "*.ubikmedia.de" ]) ]; -- cgit v1.2.3 From 83a00b243d7eafc616bb5f754586a158772da9ef Mon Sep 17 00:00:00 2001 From: lassulus Date: Mon, 26 Dec 2016 14:19:25 +0100 Subject: l 2 websites fritz: remove biostase.de --- lass/2configs/websites/fritz.nix | 3 --- 1 file changed, 3 deletions(-) (limited to 'lass/2configs/websites') diff --git a/lass/2configs/websites/fritz.nix b/lass/2configs/websites/fritz.nix index 16b705cdb..11b905a62 100644 --- a/lass/2configs/websites/fritz.nix +++ b/lass/2configs/websites/fritz.nix @@ -26,8 +26,6 @@ let in { imports = [ ./sqlBackup.nix - (ssl [ "biostase.de" "www.biostase.de" ]) - (serveWordpress [ "biostase.de" "www.biostase.de" ]) (ssl [ "radical-dreamers.de" "www.radical-dreamers.de" ]) (serveWordpress [ "radical-dreamers.de" "www.radical-dreamers.de" ]) @@ -55,7 +53,6 @@ in { ]; lass.mysqlBackup.config.all.databases = [ - "biostase_de" "eastuttgart_de" "radical_dreamers_de" "spielwaren_kern_de" -- cgit v1.2.3 From cd952fa68f0f7049a34eeee2ffb8f84f842764c0 Mon Sep 17 00:00:00 2001 From: lassulus Date: Mon, 26 Dec 2016 14:19:45 +0100 Subject: l 2 websites lassulus: challenge in default dir --- lass/2configs/websites/lassulus.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'lass/2configs/websites') diff --git a/lass/2configs/websites/lassulus.nix b/lass/2configs/websites/lassulus.nix index 2690d7a0e..817fef82d 100644 --- a/lass/2configs/websites/lassulus.nix +++ b/lass/2configs/websites/lassulus.nix @@ -14,7 +14,7 @@ in { security.acme = { certs."lassul.us" = { email = "lass@lassul.us"; - webroot = "/var/lib/acme/challenges/lassul.us"; + webroot = "/var/lib/acme/acme-challenges"; plugins = [ "account_key.json" "key.pem" @@ -26,7 +26,7 @@ in { }; certs."cgit.lassul.us" = { email = "lassulus@gmail.com"; - webroot = "/var/lib/acme/challenges/cgit.lassul.us"; + webroot = "/var/lib/acme/acme-challenges"; plugins = [ "account_key.json" "key.pem" -- cgit v1.2.3 From e02701e89848a4893a1549cf7fa0ee871055f255 Mon Sep 17 00:00:00 2001 From: lassulus Date: Mon, 26 Dec 2016 17:29:53 +0100 Subject: l 2 websites lassulus: listen cgit also on port 80 --- lass/2configs/websites/lassulus.nix | 1 + 1 file changed, 1 insertion(+) (limited to 'lass/2configs/websites') diff --git a/lass/2configs/websites/lassulus.nix b/lass/2configs/websites/lassulus.nix index 817fef82d..cfdda05db 100644 --- a/lass/2configs/websites/lassulus.nix +++ b/lass/2configs/websites/lassulus.nix @@ -114,6 +114,7 @@ in { root /var/lib/acme/acme-challenges; ''; enableSSL = true; + extraConfig = "listen 80;"; sslCertificate = "/var/lib/acme/cgit.lassul.us/fullchain.pem"; sslCertificateKey = "/var/lib/acme/cgit.lassul.us/key.pem"; }; -- cgit v1.2.3 From b9c9ff81acd4e2aa77e297a908b09c4836f08fb6 Mon Sep 17 00:00:00 2001 From: lassulus Date: Mon, 26 Dec 2016 19:02:38 +0100 Subject: l 2 websites fritz: remove obsolete manageCerts --- lass/2configs/websites/fritz.nix | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) (limited to 'lass/2configs/websites') diff --git a/lass/2configs/websites/fritz.nix b/lass/2configs/websites/fritz.nix index 11b905a62..f9035dd13 100644 --- a/lass/2configs/websites/fritz.nix +++ b/lass/2configs/websites/fritz.nix @@ -7,7 +7,6 @@ let head ; inherit (import {inherit lib pkgs;}) - manageCerts ssl servePage serveWordpress @@ -48,7 +47,7 @@ in { (ssl [ "habsys.de" "www.habsys.de" "habsys.eu" "www.habsys.eu" ]) (servePage [ "habsys.de" "www.habsys.de" "habsys.eu" "www.habsys.eu" ]) - (manageCerts [ "goldbarrendiebstahl.radical-dreamers.de" ]) + (ssl [ "goldbarrendiebstahl.radical-dreamers.de" ]) (serveWordpress [ "goldbarrendiebstahl.radical-dreamers.de" ]) ]; -- cgit v1.2.3