Browse Source

Now with more TLS!

master
Sven Slootweg 2 years ago
parent
commit
16be86c472
  1. 76
      configuration/default.nix
  2. 4
      configuration/presets/nginx/lets-encrypt.nix

76
configuration/default.nix

@ -22,6 +22,7 @@ let
php = (import ./presets/nginx/php.nix);
cphpApplication = (import ./presets/nginx/cphp-application.nix);
reverseProxy = (import ./presets/nginx/reverse-proxy.nix);
letsEncrypt = (import ./presets/nginx/lets-encrypt.nix);
};
in {
network = {
@ -38,17 +39,38 @@ in {
./hardware-configurations/machine-haless-03.nix
];
deployment.healthChecks.http = [
{ scheme = "http"; port = 80; path = "/"; host = "todo.cryto.net"; description = "todo.cryto.net is up"; }
{ scheme = "http"; port = 80; path = "/"; host = "books.cryto.net"; description = "books.cryto.net is up"; }
{ scheme = "http"; port = 80; path = "/"; host = "learn.cryto.net"; description = "learn.cryto.net is up"; }
{ scheme = "http"; port = 80; path = "/"; host = "vps-list.cryto.net"; description = "vps-list.cryto.net is up"; }
{ scheme = "http"; port = 80; path = "/"; host = "iomfats.cryto.net"; description = "iomfats.cryto.net is up"; }
{ scheme = "http"; port = 80; path = "/"; host = "castleroland.cryto.net"; description = "castleroland.cryto.net is up"; }
{ scheme = "http"; port = 80; path = "/"; host = "awesomedude.cryto.net"; description = "awesomedude.cryto.net is up"; }
deployment.healthChecks.http = let
makeHostChecker = { protocol, port }: host: {
scheme = protocol;
port = port;
path = "/";
host = host;
description = "${host} (${protocol} :${toString port}) is up";
};
httpHosts = hosts: map (makeHostChecker { protocol = "http"; port = 80; }) hosts;
httpsHosts = hosts: map (makeHostChecker { protocol = "https"; port = 443; }) hosts;
in lib.mkMerge [
(httpHosts [
# "haless.cryto.net"
"todo.cryto.net"
"books.cryto.net"
"learn.cryto.net"
"vps-list.cryto.net"
"iomfats.cryto.net"
"castleroland.cryto.net"
"awesomedude.cryto.net"
])
(httpsHosts [
# "haless.cryto.net"
"books.cryto.net"
"vps-list.cryto.net"
"iomfats.cryto.net"
"castleroland.cryto.net"
"awesomedude.cryto.net"
])
];
networking.firewall.allowedTCPPorts = [ 80 ];
networking.firewall.allowedTCPPorts = [ 80 443 ];
services.nginx = {
enable = true;
@ -59,15 +81,19 @@ in {
return 404;
'';
};
"haless.cryto.net" = {
locations."/shadow" = {
alias = ./sources/shadow-generator;
};
locations."/knex-mirror" = {
alias = ./sources/knex-mirror;
};
};
"haless.cryto.net" = lib.mkMerge [
(nginxPresets.letsEncrypt)
{
locations."/shadow" = {
alias = ./sources/shadow-generator;
};
locations."/knex-mirror" = {
alias = ./sources/knex-mirror;
};
}
];
"books.cryto.net" = lib.mkMerge [
(nginxPresets.letsEncrypt)
(nginxPresets.php args) /* Temporary hack until I can figure out the mkMerge evaluation order issue */
{
root = pkgs.stdenv.mkDerivation {
@ -109,6 +135,7 @@ in {
}))
];
"vps-list.cryto.net" = lib.mkMerge [
(nginxPresets.letsEncrypt)
(nginxPresets.php args) /* Temporary hack until I can figure out the mkMerge evaluation order issue */
(nginxPresets.cphpApplication (pkgs.stdenv.mkDerivation {
name = "vps-list";
@ -123,9 +150,18 @@ in {
'';
}))
];
"iomfats.cryto.net" = nginxPresets.reverseProxy "http://127.0.0.1:3000/";
"castleroland.cryto.net" = nginxPresets.reverseProxy "http://127.0.0.1:3000/";
"awesomedude.cryto.net" = nginxPresets.reverseProxy "http://127.0.0.1:3000/";
"iomfats.cryto.net" = lib.mkMerge [
(nginxPresets.letsEncrypt)
(nginxPresets.reverseProxy "http://127.0.0.1:3000/")
];
"castleroland.cryto.net" = lib.mkMerge [
(nginxPresets.letsEncrypt)
(nginxPresets.reverseProxy "http://127.0.0.1:3000/")
];
"awesomedude.cryto.net" = lib.mkMerge [
(nginxPresets.letsEncrypt)
(nginxPresets.reverseProxy "http://127.0.0.1:3000/")
];
};
};

4
configuration/presets/nginx/lets-encrypt.nix

@ -0,0 +1,4 @@
{
enableACME = true;
forceSSL = true;
}
Loading…
Cancel
Save