Now with more TLS!

master
Sven Slootweg 5 years ago
parent 2212c6446b
commit 16be86c472

@ -22,6 +22,7 @@ let
php = (import ./presets/nginx/php.nix); php = (import ./presets/nginx/php.nix);
cphpApplication = (import ./presets/nginx/cphp-application.nix); cphpApplication = (import ./presets/nginx/cphp-application.nix);
reverseProxy = (import ./presets/nginx/reverse-proxy.nix); reverseProxy = (import ./presets/nginx/reverse-proxy.nix);
letsEncrypt = (import ./presets/nginx/lets-encrypt.nix);
}; };
in { in {
network = { network = {
@ -38,17 +39,38 @@ in {
./hardware-configurations/machine-haless-03.nix ./hardware-configurations/machine-haless-03.nix
]; ];
deployment.healthChecks.http = [ deployment.healthChecks.http = let
{ scheme = "http"; port = 80; path = "/"; host = "todo.cryto.net"; description = "todo.cryto.net is up"; } makeHostChecker = { protocol, port }: host: {
{ scheme = "http"; port = 80; path = "/"; host = "books.cryto.net"; description = "books.cryto.net is up"; } scheme = protocol;
{ scheme = "http"; port = 80; path = "/"; host = "learn.cryto.net"; description = "learn.cryto.net is up"; } port = port;
{ scheme = "http"; port = 80; path = "/"; host = "vps-list.cryto.net"; description = "vps-list.cryto.net is up"; } path = "/";
{ scheme = "http"; port = 80; path = "/"; host = "iomfats.cryto.net"; description = "iomfats.cryto.net is up"; } host = host;
{ scheme = "http"; port = 80; path = "/"; host = "castleroland.cryto.net"; description = "castleroland.cryto.net is up"; } description = "${host} (${protocol} :${toString port}) is up";
{ scheme = "http"; port = 80; path = "/"; host = "awesomedude.cryto.net"; description = "awesomedude.cryto.net is up"; } };
httpHosts = hosts: map (makeHostChecker { protocol = "http"; port = 80; }) hosts;
httpsHosts = hosts: map (makeHostChecker { protocol = "https"; port = 443; }) hosts;
in lib.mkMerge [
(httpHosts [
# "haless.cryto.net"
"todo.cryto.net"
"books.cryto.net"
"learn.cryto.net"
"vps-list.cryto.net"
"iomfats.cryto.net"
"castleroland.cryto.net"
"awesomedude.cryto.net"
])
(httpsHosts [
# "haless.cryto.net"
"books.cryto.net"
"vps-list.cryto.net"
"iomfats.cryto.net"
"castleroland.cryto.net"
"awesomedude.cryto.net"
])
]; ];
networking.firewall.allowedTCPPorts = [ 80 ]; networking.firewall.allowedTCPPorts = [ 80 443 ];
services.nginx = { services.nginx = {
enable = true; enable = true;
@ -59,15 +81,19 @@ in {
return 404; return 404;
''; '';
}; };
"haless.cryto.net" = { "haless.cryto.net" = lib.mkMerge [
(nginxPresets.letsEncrypt)
{
locations."/shadow" = { locations."/shadow" = {
alias = ./sources/shadow-generator; alias = ./sources/shadow-generator;
}; };
locations."/knex-mirror" = { locations."/knex-mirror" = {
alias = ./sources/knex-mirror; alias = ./sources/knex-mirror;
}; };
}; }
];
"books.cryto.net" = lib.mkMerge [ "books.cryto.net" = lib.mkMerge [
(nginxPresets.letsEncrypt)
(nginxPresets.php args) /* Temporary hack until I can figure out the mkMerge evaluation order issue */ (nginxPresets.php args) /* Temporary hack until I can figure out the mkMerge evaluation order issue */
{ {
root = pkgs.stdenv.mkDerivation { root = pkgs.stdenv.mkDerivation {
@ -109,6 +135,7 @@ in {
})) }))
]; ];
"vps-list.cryto.net" = lib.mkMerge [ "vps-list.cryto.net" = lib.mkMerge [
(nginxPresets.letsEncrypt)
(nginxPresets.php args) /* Temporary hack until I can figure out the mkMerge evaluation order issue */ (nginxPresets.php args) /* Temporary hack until I can figure out the mkMerge evaluation order issue */
(nginxPresets.cphpApplication (pkgs.stdenv.mkDerivation { (nginxPresets.cphpApplication (pkgs.stdenv.mkDerivation {
name = "vps-list"; name = "vps-list";
@ -123,9 +150,18 @@ in {
''; '';
})) }))
]; ];
"iomfats.cryto.net" = nginxPresets.reverseProxy "http://127.0.0.1:3000/"; "iomfats.cryto.net" = lib.mkMerge [
"castleroland.cryto.net" = nginxPresets.reverseProxy "http://127.0.0.1:3000/"; (nginxPresets.letsEncrypt)
"awesomedude.cryto.net" = nginxPresets.reverseProxy "http://127.0.0.1:3000/"; (nginxPresets.reverseProxy "http://127.0.0.1:3000/")
];
"castleroland.cryto.net" = lib.mkMerge [
(nginxPresets.letsEncrypt)
(nginxPresets.reverseProxy "http://127.0.0.1:3000/")
];
"awesomedude.cryto.net" = lib.mkMerge [
(nginxPresets.letsEncrypt)
(nginxPresets.reverseProxy "http://127.0.0.1:3000/")
];
}; };
}; };

@ -0,0 +1,4 @@
{
enableACME = true;
forceSSL = true;
}
Loading…
Cancel
Save