update frumar

2016-12-25 00:14:47 +01:00 · 2016-12-25 00:14:47 +01:00 · 74c6c7acae
parent c7c75c0256
commit 74c6c7acae
7 changed files with 53 additions and 134 deletions
--- a/frumar/configuration.nix
+++ b/frumar/configuration.nix
@ -12,7 +12,7 @@ in
    [ # Include the results of the hardware scan.
      ./hardware-configuration.nix
      ../roles/common.nix
-      ../modules/nginx.nix
+     ../modules/nginx.nix
      ../modules/gogs.nix # todo: better separation here
      ../modules/tor-hidden-service.nix
      ../roles/quassel.nix
@ -29,30 +29,9 @@ in
  system.stateVersion = "15.09";

  gogs.domain = "git.yori.cc";
-
-  # website + lets encrypt challenge hosting
  nginxssl.enable = true;
-
  # Let's Encrypt configuration.
-  security.acme.certs."git.yori.cc" =
-    { email = secrets.email;
-      webroot = config.nginxssl.servers."git.yori.cc".key_webroot;
-      postRun = "systemctl reload nginx.service";
-    };
-  # Generate a dummy self-signed certificate until we get one from
-  # Let's Encrypt.
-  system.activationScripts.letsEncryptKeys =
-    ''
-      dir=${acmeKeyDir}
-      mkdir -m 0700 -p $dir
-      if ! [[ -e $dir/key.pem ]]; then
-        ${pkgs.openssl}/bin/openssl genrsa -passout pass:foo -des3 -out $dir/key-in.pem 1024
-        ${pkgs.openssl}/bin/openssl req -passin pass:foo -new -key $dir/key-in.pem -out $dir/key.csr \
-          -subj "/C=NL/CN=www.example.com"
-        ${pkgs.openssl}/bin/openssl rsa -passin pass:foo -in $dir/key-in.pem -out $dir/key.pem
-        ${pkgs.openssl}/bin/openssl x509 -req -days 365 -in $dir/key.csr -signkey $dir/key.pem -out $dir/fullchain.pem
-      fi
-    '';
+  security.acme.preliminarySelfsigned = true;

  # hidden SSH service

--- a/modules/gogs.nix
+++ b/modules/gogs.nix
@ -47,7 +47,7 @@ INSTALL_LOCK = true
 inherit (lib) mkOption types;
 in
 {
-    imports = [./nginx.nix];
+    #imports = [./nginx.nix];
    options.gogs = {
      domain = mkOption {
        type = types.string;
@ -72,28 +72,15 @@ in
      WorkingDirectory = gitHome;
    };
  };
-  nginxssl.servers.${domain} = {
-    key_root = "/var/lib/acme/git.yori.cc";
-    key_webroot = "/etc/sslcerts/acmeroot";
-    contents = ''
-      location / {
-        proxy_set_header X-Real-IP $remote_addr;
-        proxy_set_header X-Forwarded-Host $host;
-        proxy_set_header X-Forwarded-Server $host;
-        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-        proxy_set_header Host $http_host;
-        proxy_redirect off;
+  services.nginx.virtualHosts.${domain} = {
+    forceSSL = true;
+    enableACME = true;
+    locations."/" = {
+      proxyPass = "http://127.0.0.1:${toString gogsPort}";
+      extraConfig = ''
        proxy_buffering off;
-        proxy_pass http://gogs;
-        client_max_body_size 30M;
-        break;
-      }
-    '';
+      '';
+    };
  };
-  services.nginx.httpConfig = ''
-    upstream gogs {
-      server 127.0.0.1:${toString gogsPort};
-    }
-  '';
 };
 }
--- a/modules/nginx.nix
+++ b/modules/nginx.nix
@ -3,24 +3,16 @@ let
 cfg = config.nginxssl;
 sslcfg = dir: ''
    ssl on;
-  	ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
    ssl_certificate_key ${dir}/key.pem;
    ssl_certificate ${dir}/fullchain.pem;
    ssl_trusted_certificate ${dir}/fullchain.pem;
-    ssl_dhparam /etc/nginx/dhparam.pem;
-    ssl_protocols TLSv1.1 TLSv1.2;
-    # ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
-    ssl_prefer_server_ciphers on;
    add_header Strict-Transport-Security max-age=15768000;
-    ssl_stapling on;
-    ssl_stapling_verify on;
 '';

 makeChallenges = servername: key_webroot: ''
 	server {
 		listen 80;
 		server_name ${servername};
-		server_tokens off;
 		location /.well-known/acme-challenge {
 			default_type text/plain;
 			alias ${key_webroot}/.well-known/acme-challenge;
@ -43,7 +35,6 @@ makeServerBlock = servername: {key_root, key_webroot, contents, ...}: ''
 	server {
 		listen       443;
 		server_name  ${servername};
-		server_tokens off;
 		${sslcfg key_root}
 		${contents}
 	}
@ -98,50 +89,26 @@ in
    config = mkIf cfg.enable {
 	  services.nginx = {
 	    enable = true;
-	    httpConfig = ''
-	      log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
-	                        '$status $body_bytes_sent "$http_referer" '
-	                        '"$http_user_agent" "$http_x_forwarded_for"';
+	    recommendedTlsSettings = true;
+	    recommendedGzipSettings = true;
+	    recommendedProxySettings = true;
+	    recommendedOptimisation = true;
+	    serverTokens = false;
+	    sslDhparam = "/etc/nginx/dhparam.pem";
+	    virtualHosts = {
+	    	"\"\"" = {
+	    		forceSSL = true;
+	    		locations."/" = {
+	    			index = "index.html index.htm";
+	    			root = "${pkgs.nginx}/html";
+	    		};
+	    		sslCertificate = "${cfg.no_vhost_keydir}/fullchain.pem";
+	    		sslCertificateKey = "${cfg.no_vhost_keydir}/key.pem";
+	    		default = true;
+	    	};
+	    };

-	      access_log  logs/access.log  main;
-	      sendfile        on;
-	      #tcp_nopush     on;
-
-	      #keepalive_timeout  0;
-	      keepalive_timeout  65;
-
-	      server_tokens off;
-
-	      ssl_session_cache   shared:SSL:10m;
-	      ssl_session_timeout 10m;
-
-
-	      gzip  on;
-	      # the default thing, for if no vhost is given
-	      # generate default.pem and default.key manually
-	      # and self-sign, if you feel like it
-	      server {
-	      	listen 80 default_server;
-	      	server_name "";
-	      	location / {
-	      		rewrite ^(.*) https://$host$1 permanent;
-	      	}
-	      }
-	      server {
-	        listen       443 default_server spdy deferred;
-	        server_name  "";
-
-	        ${sslcfg cfg.no_vhost_keydir}
-
-	        location / {
-	          root   ${pkgs.nginx}/html;
-	          index  index.html index.htm;
-	        }
-
-	        location = /50x.html {
-	          root   ${pkgs.nginx}/html;
-	        }
-	      }
+	    appendHttpConfig = ''

 	      ${lib.concatStringsSep "\n" (lib.mapAttrsToList makeChallenges cfg.challenges)}

--- a/packages/gogs.nix
+++ b/packages/gogs.nix
@ -2,10 +2,10 @@
 { nixpkgs ? import <nixpkgs> {} }: with nixpkgs;
 stdenv.mkDerivation rec {
  name = "gogs-${version}";
-  version = "0.9.0";
+  version = "0.9.113";
  src = fetchzip {
    url = "https://dl.gogs.io/gogs_v${version}_linux_amd64.tar.gz";
-    sha256 = "1qyy0hi8hvz2k4p9251mx8xv9z08jwijfzl0rn0drm6sq34a7wg9";
+    sha256 = "0gwpshzch1b0s810pd5cpiad1skvnjhsd6kx9gmlbw2whdp2jf2r";
  };
  buildPhase = ''
    patchelf \
--- a/roles/common.nix
+++ b/roles/common.nix
@ -23,6 +23,7 @@
  nix.binaryCachePublicKeys = [
    "hydra.cryp.to-1:8g6Hxvnp/O//5Q1bjjMTd5RO8ztTsG8DKPOAg9ANr2g="
  ];
+  nix.buildCores = config.nix.maxJobs;

  nix.extraOptions = ''
    allow-unsafe-native-code-during-evaluation = true
--- a/roles/pub.nix
+++ b/roles/pub.nix
@ -1,10 +1,8 @@
 { config, pkgs, lib, ... }:
 let secrets = import <secrets>;
-  acmeWebRoot = "/etc/sslcerts/acmeroot";
-  acmeKeyDir = "${config.security.acme.directory}/pub.yori.cc";
 in
 {
-  imports = [../modules/nginx.nix];
+  #imports = [../modules/nginx.nix];
  config = {
    users.extraUsers.public = {
      home = "/home/public";
@ -12,35 +10,13 @@ in
      openssh.authorizedKeys.keys = with (import ../sshkeys.nix); [public];
      createHome = true;
    };
-    nginxssl.servers."pub.yori.cc" = {
-      key_root = acmeKeyDir;
-      key_webroot = "/etc/sslcerts/acmeroot";
-      contents = ''
-        location / {
-          root /home/public/public;
-          index index.html;
-        }
-      '';
-    };
-    # Let's Encrypt configuration.
-    security.acme.certs."pub.yori.cc" =
-      { email = secrets.email;
-        webroot = config.nginxssl.servers."pub.yori.cc".key_webroot;
-        postRun = "systemctl reload nginx.service";
+    services.nginx.virtualHosts."pub.yori.cc" = {
+      forceSSL = true;
+      enableACME = true;
+      locations."/" = {
+        root = "/home/public/public";
+        index = "index.html";
      };
-    # Generate a dummy self-signed certificate until we get one from
-    # Let's Encrypt.
-    system.activationScripts.letsEncryptKeys =
-      ''
-        dir=${acmeKeyDir}
-        mkdir -m 0700 -p $dir
-        if ! [[ -e $dir/key.pem ]]; then
-          ${pkgs.openssl}/bin/openssl genrsa -passout pass:foo -des3 -out $dir/key-in.pem 1024
-          ${pkgs.openssl}/bin/openssl req -passin pass:foo -new -key $dir/key-in.pem -out $dir/key.csr \
-            -subj "/C=NL/CN=www.example.com"
-          ${pkgs.openssl}/bin/openssl rsa -passin pass:foo -in $dir/key-in.pem -out $dir/key.pem
-          ${pkgs.openssl}/bin/openssl x509 -req -days 365 -in $dir/key.csr -signkey $dir/key.pem -out $dir/fullchain.pem
-        fi
-      '';
+    };
  };
 }
--- a/roles/quassel.nix
+++ b/roles/quassel.nix
@ -2,15 +2,24 @@
 {
  containers.quassel = {
    config = { config, pkgs, ... }: {
-      services.postgresql.enable = true;
-      services.postgresql.package = pkgs.postgresql94;
+      services.postgresql = {
+        enable = true;
+        package = pkgs.postgresql94;
+        extraConfig = ''
+          max_connections = 10
+          shared_buffers = 1GB
+          effective_cache_size = 4GB
+          work_mem = 50MB
+          maintenance_work_mem = 100MB
+        '';
+      };
      services.quassel = {
        # https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/services/networking/quassel.nix
        enable = true;
        interfaces = ["0.0.0.0"];
      };
      environment.systemPackages = [
-        pkgs.quasselDaemon_qt5
+        pkgs.kde4.quasselDaemon
      ];
      networking.firewall.allowedTCPPorts = [4242];
    };