From 16be86c472cfdeae1cfd2db314122472aeb5e183 Mon Sep 17 00:00:00 2001
From: Sven Slootweg
Date: Wed, 7 Aug 2019 22:47:38 +0200
Subject: [PATCH] Now with more TLS!
---
 configuration/default.nix | 76 ++++++++++++++------
 configuration/presets/nginx/lets-encrypt.nix | 4 ++
 2 files changed, 60 insertions(+), 20 deletions(-)
 create mode 100644 configuration/presets/nginx/lets-encrypt.nix
diff --git a/configuration/default.nix b/configuration/default.nix
index eb96f6a..d84997c 100644
--- a/configuration/default.nix
+++ b/configuration/default.nix
@@ -22,6 +22,7 @@ let
 php = (import ./presets/nginx/php.nix);
 cphpApplication = (import ./presets/nginx/cphp-application.nix);
 reverseProxy = (import ./presets/nginx/reverse-proxy.nix);
+ letsEncrypt = (import ./presets/nginx/lets-encrypt.nix);
 };
 in {
 network = {
@@ -38,17 +39,38 @@ in {
 ./hardware-configurations/machine-haless-03.nix
 ];
- deployment.healthChecks.http = [
- { scheme = "http"; port = 80; path = "/"; host = "todo.cryto.net"; description = "todo.cryto.net is up"; }
- { scheme = "http"; port = 80; path = "/"; host = "books.cryto.net"; description = "books.cryto.net is up"; }
- { scheme = "http"; port = 80; path = "/"; host = "learn.cryto.net"; description = "learn.cryto.net is up"; }
- { scheme = "http"; port = 80; path = "/"; host = "vps-list.cryto.net"; description = "vps-list.cryto.net is up"; }
- { scheme = "http"; port = 80; path = "/"; host = "iomfats.cryto.net"; description = "iomfats.cryto.net is up"; }
- { scheme = "http"; port = 80; path = "/"; host = "castleroland.cryto.net"; description = "castleroland.cryto.net is up"; }
- { scheme = "http"; port = 80; path = "/"; host = "awesomedude.cryto.net"; description = "awesomedude.cryto.net is up"; }
+ deployment.healthChecks.http = let
+ makeHostChecker = { protocol, port }: host: {
+ scheme = protocol;
+ port = port;
+ path = "/";
+ host = host;
+ description = "${host} (${protocol} :${toString port}) is up";
+ };
+ httpHosts = hosts: map (makeHostChecker { protocol = "http"; port = 80; }) hosts;
+ httpsHosts = hosts: map (makeHostChecker { protocol = "https"; port = 443; }) hosts;
+ in lib.mkMerge [
+ (httpHosts [
+ # "haless.cryto.net"
+ "todo.cryto.net"
+ "books.cryto.net"
+ "learn.cryto.net"
+ "vps-list.cryto.net"
+ "iomfats.cryto.net"
+ "castleroland.cryto.net"
+ "awesomedude.cryto.net"
+ ])
+ (httpsHosts [
+ # "haless.cryto.net"
+ "books.cryto.net"
+ "vps-list.cryto.net"
+ "iomfats.cryto.net"
+ "castleroland.cryto.net"
+ "awesomedude.cryto.net"
+ ])
 ];
- networking.firewall.allowedTCPPorts = [ 80 ];
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
 services.nginx = {
 enable = true;
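Review bot: The plain-`http` entries produced by `httpHosts` for books, vps-list, iomfats, castleroland and awesomedude will now be answered with a redirect to HTTPS rather than the page, because those five vhosts get `forceSSL = true` in the later hunks; unless the checker treats a 3xx as healthy (not visible here), those entries either fail outright or only prove the redirect works, so either drop the http entry for each TLS host or add a comment saying it is there to watch the redirect. The `https` entries are the useful new signal, since they also exercise the ACME-issued certificate, assuming the checker verifies TLS. Separately, `lib.mkMerge` over two plain lists does nothing that `++` would not, and it obscures that the option value is just a list: `in (httpHosts [ ... ]) ++ (httpsHosts [ ... ])`.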
@@ -59,15 +81,19 @@ in {
 return 404;
 '';
 };
- "haless.cryto.net" = {
- locations."/shadow" = {
- alias = ./sources/shadow-generator;
- };
- locations."/knex-mirror" = {
- alias = ./sources/knex-mirror;
- };
- };
+ "haless.cryto.net" = lib.mkMerge [
+ (nginxPresets.letsEncrypt)
+ {
+ locations."/shadow" = {
+ alias = ./sources/shadow-generator;
+ };
+ locations."/knex-mirror" = {
+ alias = ./sources/knex-mirror;
+ };
+ }
+ ];
 "books.cryto.net" = lib.mkMerge [
+ (nginxPresets.letsEncrypt)
 (nginxPresets.php args) /* Temporary hack until I can figure out the mkMerge evaluation order issue */
 { root = pkgs.stdenv.mkDerivation {
@@ -109,6 +135,7 @@ in {
 }))
 ];
 "vps-list.cryto.net" = lib.mkMerge [
+ (nginxPresets.letsEncrypt)
 (nginxPresets.php args) /* Temporary hack until I can figure out the mkMerge evaluation order issue */
 (nginxPresets.cphpApplication (pkgs.stdenv.mkDerivation {
 name = "vps-list";
@@ -123,9 +150,18 @@ in {
 '';
 }))
 ];
- "iomfats.cryto.net" = nginxPresets.reverseProxy "http://127.0.0.1:3000/";
- "castleroland.cryto.net" = nginxPresets.reverseProxy "http://127.0.0.1:3000/";
- "awesomedude.cryto.net" = nginxPresets.reverseProxy "http://127.0.0.1:3000/";
+ "iomfats.cryto.net" = lib.mkMerge [
+ (nginxPresets.letsEncrypt)
+ (nginxPresets.reverseProxy "http://127.0.0.1:3000/")
+ ];
+ "castleroland.cryto.net" = lib.mkMerge [
+ (nginxPresets.letsEncrypt)
+ (nginxPresets.reverseProxy "http://127.0.0.1:3000/")
+ ];
+ "awesomedude.cryto.net" = lib.mkMerge [
+ (nginxPresets.letsEncrypt)
+ (nginxPresets.reverseProxy "http://127.0.0.1:3000/")
+ ];
 };
 };
diff --git a/configuration/presets/nginx/lets-encrypt.nix b/configuration/presets/nginx/lets-encrypt.nix
new file mode 100644
index 0000000..6b0a197
--- /dev/null
+++ b/configuration/presets/nginx/lets-encrypt.nix
@@ -0,0 +1,4 @@
+{
+ enableACME = true;
+ forceSSL = true;
+}
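Review bot: haless.cryto.net gains `enableACME`/`forceSSL` in this hunk but is commented out of both health-check lists in the earlier hunk, so it is the one TLS vhost whose certificate issuance and renewal nobody is watching. If its `/` does not return 200 (the vhost only defines the `/shadow` and `/knex-mirror` locations), the cleanest fix is to let `makeHostChecker` take the path instead of hard-coding it: `makeHostChecker = { protocol, port, path ? "/" }: host: { ... }` and then list haless with a path that is expected to succeed. Nothing in this diff sets the ACME contact address (per-certificate `email` under `security.acme.certs`, or the global `security.acme.email` on newer channels) or, on channels that require it, `security.acme.acceptTerms`; if those live elsewhere in the file that is fine, otherwise the first deploy will surface it. The same applies to the vps-list and reverse-proxy hunks below.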
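Review bot: iomfats, castleroland and awesomedude now terminate TLS in nginx and hand the request to `http://127.0.0.1:3000/` in the clear; unless `nginxPresets.reverseProxy` (defined outside this diff) sets `proxy_set_header X-Forwarded-Proto $scheme;` alongside Host and X-Forwarded-For, the backend cannot tell that the client used HTTPS, which affects any absolute redirects or `Secure` cookies it emits, so the preset is worth checking before relying on `forceSSL` end to end. The identical three-element `lib.mkMerge` is also written out three times; a small helper keeps them in step: `tlsProxy = upstream: lib.mkMerge [ nginxPresets.letsEncrypt (nginxPresets.reverseProxy upstream) ];` followed by `"iomfats.cryto.net" = tlsProxy "http://127.0.0.1:3000/";` for each host.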
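Review bot: The new preset carries no comment saying what merging it into a virtualHost commits the operator to, which matters because every vhost in default.nix now pulls it in. A short header would help whoever adds the next vhost, e.g. `# Shared virtualHost fragment: obtain a certificate for the vhost's name through the NixOS ACME module and redirect plain HTTP to HTTPS; port 80 has to stay reachable for the challenge.` Since `forceSSL` presumably answers every non-challenge request on port 80 with a redirect, clients that hard-code `http://` for these hosts now see a 301, which is worth a line in the commit message too.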