update frumar
parent
c7c75c0256
commit
74c6c7acae
|
@ -12,7 +12,7 @@ in
|
|||
[ # Include the results of the hardware scan.
|
||||
./hardware-configuration.nix
|
||||
../roles/common.nix
|
||||
../modules/nginx.nix
|
||||
../modules/nginx.nix
|
||||
../modules/gogs.nix # todo: better separation here
|
||||
../modules/tor-hidden-service.nix
|
||||
../roles/quassel.nix
|
||||
|
@ -29,30 +29,9 @@ in
|
|||
system.stateVersion = "15.09";
|
||||
|
||||
gogs.domain = "git.yori.cc";
|
||||
|
||||
# website + lets encrypt challenge hosting
|
||||
nginxssl.enable = true;
|
||||
|
||||
# Let's Encrypt configuration.
|
||||
security.acme.certs."git.yori.cc" =
|
||||
{ email = secrets.email;
|
||||
webroot = config.nginxssl.servers."git.yori.cc".key_webroot;
|
||||
postRun = "systemctl reload nginx.service";
|
||||
};
|
||||
# Generate a dummy self-signed certificate until we get one from
|
||||
# Let's Encrypt.
|
||||
system.activationScripts.letsEncryptKeys =
|
||||
''
|
||||
dir=${acmeKeyDir}
|
||||
mkdir -m 0700 -p $dir
|
||||
if ! [[ -e $dir/key.pem ]]; then
|
||||
${pkgs.openssl}/bin/openssl genrsa -passout pass:foo -des3 -out $dir/key-in.pem 1024
|
||||
${pkgs.openssl}/bin/openssl req -passin pass:foo -new -key $dir/key-in.pem -out $dir/key.csr \
|
||||
-subj "/C=NL/CN=www.example.com"
|
||||
${pkgs.openssl}/bin/openssl rsa -passin pass:foo -in $dir/key-in.pem -out $dir/key.pem
|
||||
${pkgs.openssl}/bin/openssl x509 -req -days 365 -in $dir/key.csr -signkey $dir/key.pem -out $dir/fullchain.pem
|
||||
fi
|
||||
'';
|
||||
security.acme.preliminarySelfsigned = true;
|
||||
|
||||
# hidden SSH service
|
||||
|
||||
|
|
|
@ -47,7 +47,7 @@ INSTALL_LOCK = true
|
|||
inherit (lib) mkOption types;
|
||||
in
|
||||
{
|
||||
imports = [./nginx.nix];
|
||||
#imports = [./nginx.nix];
|
||||
options.gogs = {
|
||||
domain = mkOption {
|
||||
type = types.string;
|
||||
|
@ -72,28 +72,15 @@ in
|
|||
WorkingDirectory = gitHome;
|
||||
};
|
||||
};
|
||||
nginxssl.servers.${domain} = {
|
||||
key_root = "/var/lib/acme/git.yori.cc";
|
||||
key_webroot = "/etc/sslcerts/acmeroot";
|
||||
contents = ''
|
||||
location / {
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-Host $host;
|
||||
proxy_set_header X-Forwarded-Server $host;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header Host $http_host;
|
||||
proxy_redirect off;
|
||||
services.nginx.virtualHosts.${domain} = {
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
locations."/" = {
|
||||
proxyPass = "http://127.0.0.1:${toString gogsPort}";
|
||||
extraConfig = ''
|
||||
proxy_buffering off;
|
||||
proxy_pass http://gogs;
|
||||
client_max_body_size 30M;
|
||||
break;
|
||||
}
|
||||
'';
|
||||
'';
|
||||
};
|
||||
};
|
||||
services.nginx.httpConfig = ''
|
||||
upstream gogs {
|
||||
server 127.0.0.1:${toString gogsPort};
|
||||
}
|
||||
'';
|
||||
};
|
||||
}
|
||||
|
|
|
@ -3,24 +3,16 @@ let
|
|||
cfg = config.nginxssl;
|
||||
sslcfg = dir: ''
|
||||
ssl on;
|
||||
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
|
||||
ssl_certificate_key ${dir}/key.pem;
|
||||
ssl_certificate ${dir}/fullchain.pem;
|
||||
ssl_trusted_certificate ${dir}/fullchain.pem;
|
||||
ssl_dhparam /etc/nginx/dhparam.pem;
|
||||
ssl_protocols TLSv1.1 TLSv1.2;
|
||||
# ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
|
||||
ssl_prefer_server_ciphers on;
|
||||
add_header Strict-Transport-Security max-age=15768000;
|
||||
ssl_stapling on;
|
||||
ssl_stapling_verify on;
|
||||
'';
|
||||
|
||||
makeChallenges = servername: key_webroot: ''
|
||||
server {
|
||||
listen 80;
|
||||
server_name ${servername};
|
||||
server_tokens off;
|
||||
location /.well-known/acme-challenge {
|
||||
default_type text/plain;
|
||||
alias ${key_webroot}/.well-known/acme-challenge;
|
||||
|
@ -43,7 +35,6 @@ makeServerBlock = servername: {key_root, key_webroot, contents, ...}: ''
|
|||
server {
|
||||
listen 443;
|
||||
server_name ${servername};
|
||||
server_tokens off;
|
||||
${sslcfg key_root}
|
||||
${contents}
|
||||
}
|
||||
|
@ -98,50 +89,26 @@ in
|
|||
config = mkIf cfg.enable {
|
||||
services.nginx = {
|
||||
enable = true;
|
||||
httpConfig = ''
|
||||
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
|
||||
'$status $body_bytes_sent "$http_referer" '
|
||||
'"$http_user_agent" "$http_x_forwarded_for"';
|
||||
recommendedTlsSettings = true;
|
||||
recommendedGzipSettings = true;
|
||||
recommendedProxySettings = true;
|
||||
recommendedOptimisation = true;
|
||||
serverTokens = false;
|
||||
sslDhparam = "/etc/nginx/dhparam.pem";
|
||||
virtualHosts = {
|
||||
"\"\"" = {
|
||||
forceSSL = true;
|
||||
locations."/" = {
|
||||
index = "index.html index.htm";
|
||||
root = "${pkgs.nginx}/html";
|
||||
};
|
||||
sslCertificate = "${cfg.no_vhost_keydir}/fullchain.pem";
|
||||
sslCertificateKey = "${cfg.no_vhost_keydir}/key.pem";
|
||||
default = true;
|
||||
};
|
||||
};
|
||||
|
||||
access_log logs/access.log main;
|
||||
sendfile on;
|
||||
#tcp_nopush on;
|
||||
|
||||
#keepalive_timeout 0;
|
||||
keepalive_timeout 65;
|
||||
|
||||
server_tokens off;
|
||||
|
||||
ssl_session_cache shared:SSL:10m;
|
||||
ssl_session_timeout 10m;
|
||||
|
||||
|
||||
gzip on;
|
||||
# the default thing, for if no vhost is given
|
||||
# generate default.pem and default.key manually
|
||||
# and self-sign, if you feel like it
|
||||
server {
|
||||
listen 80 default_server;
|
||||
server_name "";
|
||||
location / {
|
||||
rewrite ^(.*) https://$host$1 permanent;
|
||||
}
|
||||
}
|
||||
server {
|
||||
listen 443 default_server spdy deferred;
|
||||
server_name "";
|
||||
|
||||
${sslcfg cfg.no_vhost_keydir}
|
||||
|
||||
location / {
|
||||
root ${pkgs.nginx}/html;
|
||||
index index.html index.htm;
|
||||
}
|
||||
|
||||
location = /50x.html {
|
||||
root ${pkgs.nginx}/html;
|
||||
}
|
||||
}
|
||||
appendHttpConfig = ''
|
||||
|
||||
${lib.concatStringsSep "\n" (lib.mapAttrsToList makeChallenges cfg.challenges)}
|
||||
|
||||
|
|
|
@ -2,10 +2,10 @@
|
|||
{ nixpkgs ? import <nixpkgs> {} }: with nixpkgs;
|
||||
stdenv.mkDerivation rec {
|
||||
name = "gogs-${version}";
|
||||
version = "0.9.0";
|
||||
version = "0.9.113";
|
||||
src = fetchzip {
|
||||
url = "https://dl.gogs.io/gogs_v${version}_linux_amd64.tar.gz";
|
||||
sha256 = "1qyy0hi8hvz2k4p9251mx8xv9z08jwijfzl0rn0drm6sq34a7wg9";
|
||||
sha256 = "0gwpshzch1b0s810pd5cpiad1skvnjhsd6kx9gmlbw2whdp2jf2r";
|
||||
};
|
||||
buildPhase = ''
|
||||
patchelf \
|
||||
|
|
|
@ -23,6 +23,7 @@
|
|||
nix.binaryCachePublicKeys = [
|
||||
"hydra.cryp.to-1:8g6Hxvnp/O//5Q1bjjMTd5RO8ztTsG8DKPOAg9ANr2g="
|
||||
];
|
||||
nix.buildCores = config.nix.maxJobs;
|
||||
|
||||
nix.extraOptions = ''
|
||||
allow-unsafe-native-code-during-evaluation = true
|
||||
|
|
|
@ -1,10 +1,8 @@
|
|||
{ config, pkgs, lib, ... }:
|
||||
let secrets = import <secrets>;
|
||||
acmeWebRoot = "/etc/sslcerts/acmeroot";
|
||||
acmeKeyDir = "${config.security.acme.directory}/pub.yori.cc";
|
||||
in
|
||||
{
|
||||
imports = [../modules/nginx.nix];
|
||||
#imports = [../modules/nginx.nix];
|
||||
config = {
|
||||
users.extraUsers.public = {
|
||||
home = "/home/public";
|
||||
|
@ -12,35 +10,13 @@ in
|
|||
openssh.authorizedKeys.keys = with (import ../sshkeys.nix); [public];
|
||||
createHome = true;
|
||||
};
|
||||
nginxssl.servers."pub.yori.cc" = {
|
||||
key_root = acmeKeyDir;
|
||||
key_webroot = "/etc/sslcerts/acmeroot";
|
||||
contents = ''
|
||||
location / {
|
||||
root /home/public/public;
|
||||
index index.html;
|
||||
}
|
||||
'';
|
||||
};
|
||||
# Let's Encrypt configuration.
|
||||
security.acme.certs."pub.yori.cc" =
|
||||
{ email = secrets.email;
|
||||
webroot = config.nginxssl.servers."pub.yori.cc".key_webroot;
|
||||
postRun = "systemctl reload nginx.service";
|
||||
services.nginx.virtualHosts."pub.yori.cc" = {
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
locations."/" = {
|
||||
root = "/home/public/public";
|
||||
index = "index.html";
|
||||
};
|
||||
# Generate a dummy self-signed certificate until we get one from
|
||||
# Let's Encrypt.
|
||||
system.activationScripts.letsEncryptKeys =
|
||||
''
|
||||
dir=${acmeKeyDir}
|
||||
mkdir -m 0700 -p $dir
|
||||
if ! [[ -e $dir/key.pem ]]; then
|
||||
${pkgs.openssl}/bin/openssl genrsa -passout pass:foo -des3 -out $dir/key-in.pem 1024
|
||||
${pkgs.openssl}/bin/openssl req -passin pass:foo -new -key $dir/key-in.pem -out $dir/key.csr \
|
||||
-subj "/C=NL/CN=www.example.com"
|
||||
${pkgs.openssl}/bin/openssl rsa -passin pass:foo -in $dir/key-in.pem -out $dir/key.pem
|
||||
${pkgs.openssl}/bin/openssl x509 -req -days 365 -in $dir/key.csr -signkey $dir/key.pem -out $dir/fullchain.pem
|
||||
fi
|
||||
'';
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
|
@ -2,15 +2,24 @@
|
|||
{
|
||||
containers.quassel = {
|
||||
config = { config, pkgs, ... }: {
|
||||
services.postgresql.enable = true;
|
||||
services.postgresql.package = pkgs.postgresql94;
|
||||
services.postgresql = {
|
||||
enable = true;
|
||||
package = pkgs.postgresql94;
|
||||
extraConfig = ''
|
||||
max_connections = 10
|
||||
shared_buffers = 1GB
|
||||
effective_cache_size = 4GB
|
||||
work_mem = 50MB
|
||||
maintenance_work_mem = 100MB
|
||||
'';
|
||||
};
|
||||
services.quassel = {
|
||||
# https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/services/networking/quassel.nix
|
||||
enable = true;
|
||||
interfaces = ["0.0.0.0"];
|
||||
};
|
||||
environment.systemPackages = [
|
||||
pkgs.quasselDaemon_qt5
|
||||
pkgs.kde4.quasselDaemon
|
||||
];
|
||||
networking.firewall.allowedTCPPorts = [4242];
|
||||
};
|
||||
|
|
Loading…
Reference in New Issue