
Now with more TLS!

Sven Slootweg 1 year ago
parent
commit
16be86c472
2 changed files with 60 additions and 20 deletions
  1. 56 20
      configuration/default.nix
  2. 4 0
      configuration/presets/nginx/lets-encrypt.nix

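--- a/configuration/default.nix
+++ b/configuration/default.nix
@@ -22,6 +22,7 @@ let
 		php = (import ./presets/nginx/php.nix);
 		cphpApplication = (import ./presets/nginx/cphp-application.nix);
 		reverseProxy = (import ./presets/nginx/reverse-proxy.nix);
+		letsEncrypt = (import ./presets/nginx/lets-encrypt.nix);
 	};
 in {
 	network = {
@@ -38,17 +39,38 @@ in {
 			./hardware-configurations/machine-haless-03.nix
 		];
 
-		deployment.healthChecks.http = [
-			{ scheme = "http"; port = 80; path = "/"; host = "todo.cryto.net"; description = "todo.cryto.net is up"; }
-			{ scheme = "http"; port = 80; path = "/"; host = "books.cryto.net"; description = "books.cryto.net is up"; }
-			{ scheme = "http"; port = 80; path = "/"; host = "learn.cryto.net"; description = "learn.cryto.net is up"; }
-			{ scheme = "http"; port = 80; path = "/"; host = "vps-list.cryto.net"; description = "vps-list.cryto.net is up"; }
-			{ scheme = "http"; port = 80; path = "/"; host = "iomfats.cryto.net"; description = "iomfats.cryto.net is up"; }
-			{ scheme = "http"; port = 80; path = "/"; host = "castleroland.cryto.net"; description = "castleroland.cryto.net is up"; }
-			{ scheme = "http"; port = 80; path = "/"; host = "awesomedude.cryto.net"; description = "awesomedude.cryto.net is up"; }
+		deployment.healthChecks.http = let
+			makeHostChecker = { protocol, port }: host: {
+				scheme = protocol;
+				port = port;
+				path = "/";
+				host = host;
+				description = "${host} (${protocol} :${toString port}) is up";
+			};
+			httpHosts = hosts: map (makeHostChecker { protocol = "http"; port = 80; }) hosts;
+			httpsHosts = hosts: map (makeHostChecker { protocol = "https"; port = 443; }) hosts;
+		in lib.mkMerge [
+			(httpHosts [
+				# "haless.cryto.net"
+				"todo.cryto.net"
+				"books.cryto.net"
+				"learn.cryto.net"
+				"vps-list.cryto.net"
+				"iomfats.cryto.net"
+				"castleroland.cryto.net"
+				"awesomedude.cryto.net"
+			])
+			(httpsHosts [
+				# "haless.cryto.net"
+				"books.cryto.net"
+				"vps-list.cryto.net"
+				"iomfats.cryto.net"
+				"castleroland.cryto.net"
+				"awesomedude.cryto.net"
+			])
 		];
 
-		networking.firewall.allowedTCPPorts = [ 80 ];
+		networking.firewall.allowedTCPPorts = [ 80 443 ];
 
 		services.nginx = {
 			enable = true;
@@ -59,15 +81,19 @@ in {
 						return 404;
 					'';
 				};
-				"haless.cryto.net" = {
-					locations."/shadow" = {
-						alias = ./sources/shadow-generator;
-					};
-					locations."/knex-mirror" = {
-						alias = ./sources/knex-mirror;
-					};
-				};
+				"haless.cryto.net" = lib.mkMerge [
+					(nginxPresets.letsEncrypt)
+					{
+						locations."/shadow" = {
+							alias = ./sources/shadow-generator;
+						};
+						locations."/knex-mirror" = {
+							alias = ./sources/knex-mirror;
+						};
+					}
+				];
 				"books.cryto.net" = lib.mkMerge [
+					(nginxPresets.letsEncrypt)
 					(nginxPresets.php args) /* Temporary hack until I can figure out the mkMerge evaluation order issue */
 					{
 						root = pkgs.stdenv.mkDerivation {
@@ -109,6 +135,7 @@ in {
 					}))
 				];
 				"vps-list.cryto.net" = lib.mkMerge [
+					(nginxPresets.letsEncrypt)
 					(nginxPresets.php args) /* Temporary hack until I can figure out the mkMerge evaluation order issue */
 					(nginxPresets.cphpApplication (pkgs.stdenv.mkDerivation {
 						name = "vps-list";
@@ -123,9 +150,18 @@ in {
 						'';
 					}))
 				];
-				"iomfats.cryto.net" = nginxPresets.reverseProxy "http://127.0.0.1:3000/";
-				"castleroland.cryto.net" = nginxPresets.reverseProxy "http://127.0.0.1:3000/";
-				"awesomedude.cryto.net" = nginxPresets.reverseProxy "http://127.0.0.1:3000/";
+				"iomfats.cryto.net" = lib.mkMerge [
+					(nginxPresets.letsEncrypt)
+					(nginxPresets.reverseProxy "http://127.0.0.1:3000/")
+				];
+				"castleroland.cryto.net" = lib.mkMerge [
+					(nginxPresets.letsEncrypt)
+					(nginxPresets.reverseProxy "http://127.0.0.1:3000/")
+				];
+				"awesomedude.cryto.net" = lib.mkMerge [
+					(nginxPresets.letsEncrypt)
+					(nginxPresets.reverseProxy "http://127.0.0.1:3000/")
+				];
 			};
 		};
 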
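Review bot: Once `letsEncrypt` (which sets `forceSSL`) is merged into the haless, books, vps-list, iomfats, castleroland and awesomedude vhosts, the `httpHosts` entries for those names in the second hunk (new lines 53–62) will hit nginx's plain-HTTP→HTTPS redirect rather than the application, so whether they still detect a broken backend depends on how the NixOps checker treats a 301, which is not visible here; only the matching `httpsHosts` entries clearly exercise the app. Keeping the port-80 entries is still reasonable because the ACME http-01 challenge path has to stay reachable, but that intent should be written down, e.g. `# http entries for forceSSL hosts verify the redirect/ACME path; the app itself is covered by httpsHosts`. `todo.cryto.net` and `learn.cryto.net` appear only in `httpHosts` and no hunk here gives them the `letsEncrypt` preset; if they are meant to stay plain HTTP while every other public vhost goes TLS-only, a one-line comment at the `httpHosts` list would make that deliberate. The `deployment`/`services.nginx` attribute set these hunks modify begins and ends outside the visible hunks.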

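--- /dev/null
+++ b/configuration/presets/nginx/lets-encrypt.nix
@@ -0,0 +1,4 @@
+{
+	enableACME = true;
+	forceSSL = true;
+}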
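Review bot: `forceSSL = true` gives every vhost that merges this preset a permanent redirect to HTTPS plus an ACME certificate, but nothing in the preset emits a `Strict-Transport-Security` header, and NixOS's `forceSSL` does not add one on its own, so a client's first plain-HTTP request remains interceptable before the redirect. If HSTS is not already set in the part of `default.nix` outside the hunks, the natural place is this shared fragment, e.g. `extraConfig = ''add_header Strict-Transport-Security "max-age=31536000" always;'';`, added once all six hosts are confirmed to serve correctly over TLS. Unlike the `php args` and `reverseProxy url` presets this file is a bare attribute set, which is fine, but a header comment would record the contract: `# Shared vhost fragment: obtain a Let's Encrypt certificate via ACME and redirect all plain-HTTP traffic to HTTPS; combine with other presets via lib.mkMerge.`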