Update Frumar to 16.03

auto-flake-update
Yorick van Pelt 2016-04-30 14:03:45 +02:00
parent 496a9b41ee
commit 7284c35ed7
6 changed files with 58 additions and 145 deletions


@ -4,14 +4,17 @@
{ config, pkgs, ... }:
let secrets = import <secrets>;
acmeWebRoot = "/etc/sslcerts/acmeroot";
acmeKeyDir = "${config.security.acme.directory}/git.yori.cc";
in
{
imports =
[ # Include the results of the hardware scan.
./hardware-configuration.nix
../roles/common.nix
../modules/le_nginx.nix
../modules/nginx.nix
../modules/gogs.nix # todo: better separation here
../modules/tor-hidden-service.nix
../roles/quassel.nix
../roles/pub.nix
];
@ -27,7 +30,36 @@ in
gogs.domain = "git.yori.cc";
le_nginx.email = secrets.email; # you probably know this, but spam
le_nginx.enable = true;
le_nginx.enable_ssl = true;
# website + lets encrypt challenge hosting
nginxssl.enable = true;
# Let's Encrypt configuration.
security.acme.certs."git.yori.cc" =
{ email = secrets.email;
webroot = config.nginxssl.servers."git.yori.cc".key_webroot;
postRun = "systemctl reload nginx.service";
};
# Generate a dummy self-signed certificate until we get one from
# Let's Encrypt.
system.activationScripts.letsEncryptKeys =
''
dir=${acmeKeyDir}
mkdir -m 0700 -p $dir
if ! [[ -e $dir/key.pem ]]; then
${pkgs.openssl}/bin/openssl genrsa -passout pass:foo -des3 -out $dir/key-in.pem 1024
${pkgs.openssl}/bin/openssl req -passin pass:foo -new -key $dir/key-in.pem -out $dir/key.csr \
-subj "/C=NL/CN=www.example.com"
${pkgs.openssl}/bin/openssl rsa -passin pass:foo -in $dir/key-in.pem -out $dir/key.pem
${pkgs.openssl}/bin/openssl x509 -req -days 365 -in $dir/key.csr -signkey $dir/key.pem -out $dir/fullchain.pem
fi
'';
# hidden SSH service
services.tor.hiddenServices = [
{ name = "ssh";
port = 22;
hostname = secrets.tor_hostnames."ssh.frumar";
private_key = "/run/keys/torkeys/ssh.frumar.key"; }
];
}
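Review bot: The placeholder key in `system.activationScripts.letsEncryptKeys` is a 1024-bit RSA key generated with a hard-coded passphrase (`-passout pass:foo -des3`) that the very next `openssl rsa -passin pass:foo` line strips again, so the encryption round-trip adds nothing and the key size is below what current TLS stacks accept. Generating the unencrypted key directly at 2048 bits removes one line and the dummy secret: `${pkgs.openssl}/bin/openssl genrsa -out $dir/key.pem 2048`, `${pkgs.openssl}/bin/openssl req -new -key $dir/key.pem -out $dir/key.csr -subj "/C=NL/CN=www.example.com"`, and delete the `openssl rsa` line. The file mode of `key.pem` then depends on the activation script's umask; the directory is `0700`, but a `umask 077` at the top of the script keeps the key unreadable even if the directory permissions are later relaxed. `key-in.pem` and `key.csr` are also left behind in the ACME directory and could be removed once `fullchain.pem` exists.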


@ -22,7 +22,7 @@
fileSystems."/" =
{ device = "/dev/disk/by-uuid/ba95c638-f243-48ee-ae81-0c70884e7e74";
fsType = "ext4";
options = "defaults,relatime,discard";
options = ["defaults" "relatime" "discard"];
};
swapDevices =


@ -47,7 +47,7 @@ INSTALL_LOCK = true
inherit (lib) mkOption types;
in
{
imports = [./le_nginx.nix];
imports = [./nginx.nix];
options.gogs = {
domain = mkOption {
type = types.string;
@ -72,20 +72,24 @@ in
WorkingDirectory = gitHome;
};
};
le_nginx.servers.${domain} = ''
location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_redirect off;
proxy_buffering off;
proxy_pass http://gogs;
client_max_body_size 30M;
break;
}
'';
nginxssl.servers.${domain} = {
key_root = "/var/lib/acme/git.yori.cc";
key_webroot = "/etc/sslcerts/acmeroot";
contents = ''
location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_redirect off;
proxy_buffering off;
proxy_pass http://gogs;
client_max_body_size 30M;
break;
}
'';
};
services.nginx.httpConfig = ''
upstream gogs {
server 127.0.0.1:${toString gogsPort};
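Review bot: `key_root = "/var/lib/acme/git.yori.cc"` and `key_webroot = "/etc/sslcerts/acmeroot"` in the new `nginxssl.servers.${domain}` entry hard-code paths that configuration.nix derives from `config.security.acme.directory` and its `acmeWebRoot` binding, so changing the ACME directory option would leave nginx serving a certificate path that ACME no longer writes to. The attribute is keyed by `${domain}` while `key_root` repeats the domain literally, which breaks as soon as `gogs.domain` is set to anything else; `key_root = "${config.security.acme.directory}/${domain}";` fixes both, assuming `config` is in the module's argument list (the header is outside the hunk). The same reasoning applies to `key_webroot`, which should come from a single shared option rather than a duplicated string.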


@ -1,123 +0,0 @@
# DEPRECATED: use security.acme + ./nginx.nix on nixos >=16.03
{ config, lib, pkgs, ... }:
let
cfg = config.le_nginx;
sslcfg = {fullchain ? "fullchain.pem", key ? "key.pem"}: ''
ssl on;
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
ssl_certificate_key /etc/sslcerts/${key};
ssl_certificate /etc/sslcerts/${fullchain};
ssl_dhparam /etc/nginx/dhparam.pem;
ssl_protocols TLSv1.1 TLSv1.2;
# ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
ssl_prefer_server_ciphers on;
add_header Strict-Transport-Security max-age=15768000;
ssl_stapling on;
ssl_stapling_verify on;
'';
makeServerBlock = servername: locationblock: ''
server {
listen 443;
server_name ${servername};
${sslcfg {}}
${locationblock}
}
'';
vhosts = with lib; unique (concatMap (splitString " ") (attrNames cfg.servers));
inherit (lib) mkEnableOption mkOption types mkIf;
in
{
# todo: the problem here is that nginx will refuse to start initlaiiy
# because the SSL cert will be missing
# so you have to temporarily disable the ssl
options.le_nginx = {
enable = mkEnableOption "enable new nginx module";
enable_ssl = mkEnableOption "enable the SSL blocks";
servers = mkOption {
type = types.attrsOf types.string;
description = "The servers to host";
default = {};
example = {"git.domain.com" = "location / {}";};
};
email = mkOption {
type = types.string;
description = "email address to pass to LE";
};
};
config = mkIf cfg.enable {
systemd.services.letsencrypt = {
path = [ pkgs.simp_le ];
restartIfChanged = true;
serviceConfig = {
Type = "oneshot";
};
script = ''
mkdir -p /etc/sslcerts/acmeroot
cd /etc/sslcerts
simp_le ${lib.concatMapStringsSep " " (x: "-d " + x) vhosts} --default_root $PWD/acmeroot -f fullchain.pem -f key.pem -f account_key.json --email ${cfg.email}
'';
startAt = "04:00";
};
services.nginx = {
enable = true;
httpConfig = ''
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log logs/access.log main;
sendfile on;
#tcp_nopush on;
#keepalive_timeout 0;
keepalive_timeout 65;
server_tokens off;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
gzip on;
server {
listen 80 default_server;
server_name ${lib.concatStringsSep " " vhosts};
location /.well-known/acme-challenge {
default_type text/plain;
alias /etc/sslcerts/acmeroot/.well-known/acme-challenge;
}
location / {
rewrite ^(.*) https://$host$1 permanent;
}
}
'' + lib.optionalString cfg.enable_ssl ''
# the default thing, for if no vhost is given
# generate default.pem and default.key manually
# and self-sign, if you feel like it
server {
listen 443 default_server;
server_name "";
${sslcfg {fullchain = "default.crt"; key = "default.key";}}
location / {
root ${pkgs.nginx}/usr/share/nginx/html;
index index.html index.htm;
}
location = /50x.html {
root ${pkgs.nginx}/usr/share/nginx/html;
}
}
${lib.concatStringsSep "\n" (lib.mapAttrsToList makeServerBlock cfg.servers)}
'';
};
networking.firewall.allowedTCPPorts = [80 443];
};
}


@ -90,7 +90,7 @@ in
};
challenges = mkOption {
type = types.attrsOf types.string;
default = [];
default = {};
example = {"mail.domain.com" = "/var/lib/acme/mail.domain.com";};
description = "Other domains to host challenges for";
};
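Review bot: Whether the TLS hardening that the deleted le_nginx.nix applied to every vhost (`ssl_protocols TLSv1.1 TLSv1.2`, the EECDH/EDH-only `ssl_ciphers`, `ssl_prefer_server_ciphers on`, the `Strict-Transport-Security` header and OCSP stapling) survives the migration cannot be confirmed from this commit, because nginx.nix's server template is outside the hunk and the `nginxssl.servers` entry added in gogs.nix supplies only key paths and a location block. If the template does carry them, a one-line `##` note on the `servers` option saying so would make the contract visible; if not, they have silently been dropped. Separately, `challenges` is typed `types.attrsOf types.string`; if `types.str` is available on 16.03 it is the better choice, since `types.string` merges conflicting definitions by concatenation, which is never a valid path.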


@ -7,7 +7,7 @@
services.quassel = {
# https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/services/networking/quassel.nix
enable = true;
interface = "0.0.0.0";
interfaces = ["0.0.0.0"];
};
environment.systemPackages = [
pkgs.quasselDaemon_qt5