blob: 17af0d00da3f69059718a131b922942dd2e6ab32 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
|
{ config, pkgs, lib, ... }:
with lib;
let
inherit (import <stockholm/lib>)
genid_uint31
;
in {
imports = [
./default.nix
../git.nix
];
security.acme = {
certs."lassul.us" = {
allowKeysForGroup = true;
group = "lasscert";
};
};
krebs.tinc_graphs.enable = true;
users.users.lass-stuff = {
uid = genid_uint31 "lass-stuff";
description = "lassul.us blog cgi stuff";
home = "/var/empty";
};
services.phpfpm.poolConfigs."lass-stuff" = ''
listen = /var/run/lass-stuff.socket
user = lass-stuff
group = nginx
pm = dynamic
pm.max_children = 5
pm.start_servers = 1
pm.min_spare_servers = 1
pm.max_spare_servers = 1
listen.owner = lass-stuff
listen.group = nginx
php_admin_value[error_log] = 'stderr'
php_admin_flag[log_errors] = on
catch_workers_output = yes
security.limit_extensions =
'';
users.groups.lasscert.members = [
"dovecot2"
"ejabberd"
"exim"
"nginx"
];
services.nginx.virtualHosts."lassul.us" = {
addSSL = true;
enableACME = true;
locations."/".extraConfig = ''
root /srv/http/lassul.us;
'';
locations."= /retiolum-hosts.tar.bz2".extraConfig = ''
alias ${config.krebs.tinc.retiolum.hostsArchive};
'';
locations."= /retiolum.hosts".extraConfig = ''
alias ${pkgs.retiolum-hosts};
'';
locations."/tinc".extraConfig = ''
alias ${config.krebs.tinc_graphs.workingDir}/external;
'';
locations."/krebspage".extraConfig = ''
default_type "text/html";
alias ${pkgs.krebspage}/index.html;
'';
# TODO make this work!
locations."= /ddate".extraConfig = let
script = pkgs.writeBash "test" ''
echo "hello world"
'';
#script = pkgs.exec "ddate-wrapper" {
# filename = "${pkgs.ddate}/bin/ddate";
# argv = [];
#};
in ''
gzip off;
fastcgi_pass unix:/var/run/lass-stuff.socket;
include ${pkgs.nginx}/conf/fastcgi_params;
fastcgi_param DOCUMENT_ROOT /var/empty;
fastcgi_param SCRIPT_FILENAME ${script};
fastcgi_param SCRIPT_NAME ${script};
'';
locations."/init".extraConfig = let
initscript = pkgs.init.override {
pubkey = config.krebs.users.lass.pubkey;
};
in ''
alias ${initscript};
'';
locations."/pub".extraConfig = ''
alias ${pkgs.writeText "pub" config.krebs.users.lass.pubkey};
'';
};
security.acme.certs."cgit.lassul.us" = {
email = "lassulus@lassul.us";
webroot = "/var/lib/acme/acme-challenge";
plugins = [
"account_key.json"
"fullchain.pem"
"key.pem"
];
group = "nginx";
user = "nginx";
};
services.nginx.virtualHosts.cgit = {
serverName = "cgit.lassul.us";
addSSL = true;
sslCertificate = "/var/lib/acme/cgit.lassul.us/fullchain.pem";
sslCertificateKey = "/var/lib/acme/cgit.lassul.us/key.pem";
locations."/.well-known/acme-challenge".extraConfig = ''
root /var/lib/acme/acme-challenge;
'';
};
users.users.blog = {
uid = genid_uint31 "blog";
description = "lassul.us blog deployment";
home = "/srv/http/lassul.us";
useDefaultShell = true;
createHome = true;
openssh.authorizedKeys.keys = with config.krebs.users; [
lass.pubkey
lass-mors.pubkey
];
};
}
|
