diff --git a/frumar/configuration.nix b/frumar/configuration.nix
index f92038c..1c918cd 100644
--- a/frumar/configuration.nix
+++ b/frumar/configuration.nix
@@ -12,7 +12,7 @@ in
 [ # Include the results of the hardware scan.
 ./hardware-configuration.nix
 ../roles/common.nix
- ../modules/nginx.nix
+ ../modules/nginx.nix
 ../modules/gogs.nix # todo: better separation here
 ../modules/tor-hidden-service.nix
 ../roles/quassel.nix
@@ -29,30 +29,9 @@ in
 system.stateVersion = "15.09";
 gogs.domain = "git.yori.cc";
-
- # website + lets encrypt challenge hosting
 nginxssl.enable = true;
- # Let's Encrypt configuration.
- security.acme.certs."git.yori.cc" =
- { email = secrets.email;
- webroot = config.nginxssl.servers."git.yori.cc".key_webroot;
- postRun = "systemctl reload nginx.service";
- };
- # Generate a dummy self-signed certificate until we get one from
- # Let's Encrypt.
- system.activationScripts.letsEncryptKeys =
- ''
- dir=${acmeKeyDir}
- mkdir -m 0700 -p $dir
- if ! [[ -e $dir/key.pem ]]; then
- ${pkgs.openssl}/bin/openssl genrsa -passout pass:foo -des3 -out $dir/key-in.pem 1024
- ${pkgs.openssl}/bin/openssl req -passin pass:foo -new -key $dir/key-in.pem -out $dir/key.csr \
- -subj "/C=NL/CN=www.example.com"
- ${pkgs.openssl}/bin/openssl rsa -passin pass:foo -in $dir/key-in.pem -out $dir/key.pem
- ${pkgs.openssl}/bin/openssl x509 -req -days 365 -in $dir/key.csr -signkey $dir/key.pem -out $dir/fullchain.pem
- fi
- '';
+ security.acme.preliminarySelfsigned = true;
 # hidden SSH service
diff --git a/modules/gogs.nix b/modules/gogs.nix
index f9c0ee6..6dd9b5f 100644
--- a/modules/gogs.nix
+++ b/modules/gogs.nix
@@ -47,7 +47,7 @@ INSTALL_LOCK = true
 inherit (lib) mkOption types;
 in {
- imports = [./nginx.nix];
+ #imports = [./nginx.nix];
 options.gogs = {
 domain = mkOption {
 type = types.string;
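Review bot: The contact address `secrets.email` disappears together with the removed `security.acme.certs."git.yori.cc"` block in the second hunk of frumar/configuration.nix, and nothing in this diff sets it again for the certificate that `enableACME` in modules/gogs.nix now requests, so unless it is configured elsewhere CA expiry notices will not reach anyone. Keeping `security.acme.certs."git.yori.cc".email = secrets.email;` next to `preliminarySelfsigned` merges cleanly with the definition the nginx module generates; the same applies to the pub.yori.cc hunk in roles/pub.nix. The dropped `postRun = "systemctl reload nginx.service"` is presumably supplied by the nginx module's ACME integration, but confirm that a renewed certificate actually triggers a reload. Replacing the activation script is a clear improvement on its own: it generated a 1024-bit key with a fixed passphrase on every host, which `preliminarySelfsigned` avoids.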
@@ -72,28 +72,15 @@ in
 WorkingDirectory = gitHome;
 };
 };
- nginxssl.servers.${domain} = {
- key_root = "/var/lib/acme/git.yori.cc";
- key_webroot = "/etc/sslcerts/acmeroot";
- contents = ''
- location / {
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-Host $host;
- proxy_set_header X-Forwarded-Server $host;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header Host $http_host;
- proxy_redirect off;
+ services.nginx.virtualHosts.${domain} = {
+ forceSSL = true;
+ enableACME = true;
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:${toString gogsPort}";
+ extraConfig = ''
 proxy_buffering off;
- proxy_pass http://gogs;
- client_max_body_size 30M;
- break;
- }
- '';
+ '';
+ };
 };
- services.nginx.httpConfig = ''
- upstream gogs {
- server 127.0.0.1:${toString gogsPort};
- }
- '';
 };
 }
diff --git a/modules/nginx.nix b/modules/nginx.nix
index d9e28c1..e415c0b 100644
--- a/modules/nginx.nix
+++ b/modules/nginx.nix
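Review bot: The new `locations."/"` block drops the `client_max_body_size 30M;` that the removed `contents` string carried, so with nginx's 1m default a larger git push or release upload through the proxy will be rejected with 413; keep it in `extraConfig`: `extraConfig = '' proxy_buffering off; client_max_body_size 30M; '';`. The removed `proxy_set_header` and `proxy_redirect off` lines are presumably covered by the `recommendedProxySettings = true` enabled in modules/nginx.nix in the same commit, though as far as I recall that set sends `Host $host` rather than the previous `$http_host`, which matters only if gogs is sensitive to the port suffix. The enclosing module body starts outside the hunk.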
@@ -3,24 +3,16 @@ let
 cfg = config.nginxssl;
 sslcfg = dir: ''
 ssl on;
- ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
 ssl_certificate_key ${dir}/key.pem;
 ssl_certificate ${dir}/fullchain.pem;
 ssl_trusted_certificate ${dir}/fullchain.pem;
- ssl_dhparam /etc/nginx/dhparam.pem;
- ssl_protocols TLSv1.1 TLSv1.2;
- # ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
- ssl_prefer_server_ciphers on;
 add_header Strict-Transport-Security max-age=15768000;
- ssl_stapling on;
- ssl_stapling_verify on;
 '';
 makeChallenges = servername: key_webroot: ''
 server {
 listen 80;
 server_name ${servername};
- server_tokens off;
 location /.well-known/acme-challenge {
 default_type text/plain;
 alias ${key_webroot}/.well-known/acme-challenge;
@@ -43,7 +35,6 @@ makeServerBlock = servername: {key_root, key_webroot, contents, ...}: ''
 server {
 listen 443;
 server_name ${servername};
- server_tokens off;
 ${sslcfg key_root}
 ${contents}
 }
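Review bot: After this hunk `sslcfg` emits only `ssl on;`, the certificate paths and the HSTS header, leaving protocol, cipher, dhparam and stapling policy to the http-level `recommendedTlsSettings`/`sslDhparam` enabled in the same commit; those directives do inherit into the hand-written server blocks, but the removed `ssl_protocols TLSv1.1 TLSv1.2;` was stricter than what the module's recommended set permitted at the time (it still allowed TLSv1.0, as far as I recall). If the TLS 1.1 floor was deliberate, keep `ssl_protocols TLSv1.1 TLSv1.2;` inside `sslcfg`, where a server-level value overrides the http-level one. The `server_tokens off;` removals in both hunks rely on the same mechanism via `serverTokens = false`. The `makeChallenges` string continues outside the first hunk.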
@@ -98,50 +89,26 @@ in
 config = mkIf cfg.enable {
 services.nginx = {
 enable = true;
- httpConfig = ''
- log_format main '$remote_addr - $remote_user [$time_local] "$request" '
- '$status $body_bytes_sent "$http_referer" '
- '"$http_user_agent" "$http_x_forwarded_for"';
+ recommendedTlsSettings = true;
+ recommendedGzipSettings = true;
+ recommendedProxySettings = true;
+ recommendedOptimisation = true;
+ serverTokens = false;
+ sslDhparam = "/etc/nginx/dhparam.pem";
+ virtualHosts = {
+ "\"\"" = {
+ forceSSL = true;
+ locations."/" = {
+ index = "index.html index.htm";
+ root = "${pkgs.nginx}/html";
+ };
+ sslCertificate = "${cfg.no_vhost_keydir}/fullchain.pem";
+ sslCertificateKey = "${cfg.no_vhost_keydir}/key.pem";
+ default = true;
+ };
+ };
- access_log logs/access.log main;
- sendfile on;
- #tcp_nopush on;
-
- #keepalive_timeout 0;
- keepalive_timeout 65;
-
- server_tokens off;
-
- ssl_session_cache shared:SSL:10m;
- ssl_session_timeout 10m;
-
-
- gzip on;
- # the default thing, for if no vhost is given
- # generate default.pem and default.key manually
- # and self-sign, if you feel like it
- server {
- listen 80 default_server;
- server_name "";
- location / {
- rewrite ^(.*) https://$host$1 permanent;
- }
- }
- server {
- listen 443 default_server spdy deferred;
- server_name "";
-
- ${sslcfg cfg.no_vhost_keydir}
-
- location / {
- root ${pkgs.nginx}/html;
- index index.html index.htm;
- }
-
- location = /50x.html {
- root ${pkgs.nginx}/html;
- }
- }
+ appendHttpConfig = ''
 ${lib.concatStringsSep "\n" (lib.mapAttrsToList makeChallenges cfg.challenges)}
diff --git a/packages/gogs.nix b/packages/gogs.nix
index 535f202..f055612 100644
--- a/packages/gogs.nix
+++ b/packages/gogs.nix
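Review bot: The explicit `log_format main` / `access_log logs/access.log main` pair goes away with `httpConfig` and nothing in the new `services.nginx` attribute set replaces it, so request logging for every vhost (including the `$http_x_forwarded_for` field) now depends on whatever the module defaults to; confirm access logs still land somewhere and, if not, put an `access_log` line back in `appendHttpConfig`. The `"\"\""` attribute name is a non-obvious trick — the Nix string is the two characters `""`, which the module renders as `server_name "";`, the catch-all — and deserves a comment such as `# literal "" vhost name so nginx gets server_name ""; (default catch-all)`. The `appendHttpConfig` string opened on the last added line continues outside the hunk.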
@@ -2,10 +2,10 @@ { nixpkgs ? import {} }:
 with nixpkgs;
 stdenv.mkDerivation rec {
 name = "gogs-${version}";
- version = "0.9.0";
+ version = "0.9.113";
 src = fetchzip {
 url = "https://dl.gogs.io/gogs_v${version}_linux_amd64.tar.gz";
- sha256 = "1qyy0hi8hvz2k4p9251mx8xv9z08jwijfzl0rn0drm6sq34a7wg9";
+ sha256 = "0gwpshzch1b0s810pd5cpiad1skvnjhsd6kx9gmlbw2whdp2jf2r";
 };
 buildPhase = ''
 patchelf \
diff --git a/roles/common.nix b/roles/common.nix
index ba5edf6..c081cb4 100644
--- a/roles/common.nix
+++ b/roles/common.nix
@@ -23,6 +23,7 @@ nix.binaryCachePublicKeys = [
 "hydra.cryp.to-1:8g6Hxvnp/O//5Q1bjjMTd5RO8ztTsG8DKPOAg9ANr2g="
 ];
+ nix.buildCores = config.nix.maxJobs;
 nix.extraOptions = ''
 allow-unsafe-native-code-during-evaluation = true
diff --git a/roles/pub.nix b/roles/pub.nix
index 9b8fe30..34240de 100644
--- a/roles/pub.nix
+++ b/roles/pub.nix
@@ -1,10 +1,8 @@
 { config, pkgs, lib, ... }:
 let
 secrets = import ;
- acmeWebRoot = "/etc/sslcerts/acmeroot";
- acmeKeyDir = "${config.security.acme.directory}/pub.yori.cc";
 in {
- imports = [../modules/nginx.nix];
+ #imports = [../modules/nginx.nix];
 config = {
 users.extraUsers.public = {
 home = "/home/public";
@@ -12,35 +10,13 @@ in
 openssh.authorizedKeys.keys = with (import ../sshkeys.nix); [public];
 createHome = true;
 };
- nginxssl.servers."pub.yori.cc" = {
- key_root = acmeKeyDir;
- key_webroot = "/etc/sslcerts/acmeroot";
- contents = ''
- location / {
- root /home/public/public;
- index index.html;
- }
- '';
- };
- # Let's Encrypt configuration.
- security.acme.certs."pub.yori.cc" =
- { email = secrets.email;
- webroot = config.nginxssl.servers."pub.yori.cc".key_webroot;
- postRun = "systemctl reload nginx.service";
+ services.nginx.virtualHosts."pub.yori.cc" = {
+ forceSSL = true;
+ enableACME = true;
+ locations."/" = {
+ root = "/home/public/public";
+ index = "index.html";
 };
- # Generate a dummy self-signed certificate until we get one from
- # Let's Encrypt.
- system.activationScripts.letsEncryptKeys =
- ''
- dir=${acmeKeyDir}
- mkdir -m 0700 -p $dir
- if ! [[ -e $dir/key.pem ]]; then
- ${pkgs.openssl}/bin/openssl genrsa -passout pass:foo -des3 -out $dir/key-in.pem 1024
- ${pkgs.openssl}/bin/openssl req -passin pass:foo -new -key $dir/key-in.pem -out $dir/key.csr \
- -subj "/C=NL/CN=www.example.com"
- ${pkgs.openssl}/bin/openssl rsa -passin pass:foo -in $dir/key-in.pem -out $dir/key.pem
- ${pkgs.openssl}/bin/openssl x509 -req -days 365 -in $dir/key.csr -signkey $dir/key.pem -out $dir/fullchain.pem
- fi
- '';
+ };
 };
 }
diff --git a/roles/quassel.nix b/roles/quassel.nix
index 6f30922..75bf8a6 100644
--- a/roles/quassel.nix
+++ b/roles/quassel.nix
@@ -2,15 +2,24 @@ {
 containers.quassel = {
 config = { config, pkgs, ... }: {
- services.postgresql.enable = true;
- services.postgresql.package = pkgs.postgresql94;
+ services.postgresql = {
+ enable = true;
+ package = pkgs.postgresql94;
+ extraConfig = ''
+ max_connections = 10
+ shared_buffers = 1GB
+ effective_cache_size = 4GB
+ work_mem = 50MB
+ maintenance_work_mem = 100MB
+ '';
+ };
 services.quassel = {
 # https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/services/networking/quassel.nix
 enable = true;
 interfaces = ["0.0.0.0"];
 };
 environment.systemPackages = [
- pkgs.quasselDaemon_qt5
+ pkgs.kde4.quasselDaemon
 ];
 networking.firewall.allowedTCPPorts = [4242];
 };