stockholm/makefu/2configs/bepasty-dual.nix

{ config, lib, pkgs, ... }:

# 1systems should configure itself:
#   krebs.bepasty.servers.internal.nginx.listen  = [ "80" ]
#   krebs.bepasty.servers.external.nginx.listen  = [ "80" "443 ssl" ]
#     80 is redirected to 443 ssl

# secrets used:
#   wildcard.krebsco.de.crt
#   wildcard.krebsco.de.key
#   bepasty-secret.nix     <- contains single string

with config.krebs.lib;
let
  sec = toString <secrets>;
  # secKey is nothing worth protecting on a local machine
  secKey = import <secrets/bepasty-secret.nix>;
in {

  krebs.nginx.enable = mkDefault true;
  krebs.bepasty = {
    enable = true;
    serveNginx= true;

    servers = {
      internal = {
        nginx = {
          server-names = [ "paste.retiolum" "paste.${config.krebs.build.host.name}" ];
        };
        defaultPermissions = "admin,list,create,read,delete";
        secretKey = secKey;
      };

      external = {
        nginx = {
          server-names = [ "paste.krebsco.de" ];
          extraConfig = ''
          ssl_session_cache    shared:SSL:1m;
          ssl_session_timeout  10m;
          ssl_certificate     ${sec}/wildcard.krebsco.de.crt;
          ssl_certificate_key ${sec}/wildcard.krebsco.de.key;
          ssl_verify_client off;
          proxy_ssl_session_reuse off;
          ssl_protocols        TLSv1 TLSv1.1 TLSv1.2;
          ssl_ciphers RC4:HIGH:!aNULL:!MD5;
          ssl_prefer_server_ciphers on;
          if ($scheme = http){
            return 301 https://$server_name$request_uri;
          }'';
        };
        defaultPermissions = "read";
        secretKey = secKey;
      };
    };
  };
}
wry: is the new provider for paste.krebsco.de 2015-10-21 16:49:20 +00:00			`{ config, lib, pkgs, ... }:`

			`# 1systems should configure itself:`
			`# krebs.bepasty.servers.internal.nginx.listen = [ "80" ]`
			`# krebs.bepasty.servers.external.nginx.listen = [ "80" "443 ssl" ]`
			`# 80 is redirected to 443 ssl`

			`# secrets used:`
			`# wildcard.krebsco.de.crt`
			`# wildcard.krebsco.de.key`
			`# bepasty-secret.nix <- contains single string`

RIP specialArgs.lib 2016-02-14 15:43:44 +00:00			`with config.krebs.lib;`
m 2 *: s,/root/secrets,<secrets>, 2015-10-29 09:55:54 +00:00			`let`
			`sec = toString <secrets>;`
			`# secKey is nothing worth protecting on a local machine`
			`secKey = import <secrets/bepasty-secret.nix>;`
			`in {`
wry: is the new provider for paste.krebsco.de 2015-10-21 16:49:20 +00:00
			`krebs.nginx.enable = mkDefault true;`
			`krebs.bepasty = {`
			`enable = true;`
			`serveNginx= true;`

			`servers = {`
			`internal = {`
			`nginx = {`
			`server-names = [ "paste.retiolum" "paste.${config.krebs.build.host.name}" ];`
			`};`
			`defaultPermissions = "admin,list,create,read,delete";`
m 2 *: s,/root/secrets,<secrets>, 2015-10-29 09:55:54 +00:00			`secretKey = secKey;`
wry: is the new provider for paste.krebsco.de 2015-10-21 16:49:20 +00:00			`};`

			`external = {`
			`nginx = {`
			`server-names = [ "paste.krebsco.de" ];`
			`extraConfig = ''`
			`ssl_session_cache shared:SSL:1m;`
			`ssl_session_timeout 10m;`
m 2 *: s,/root/secrets,<secrets>, 2015-10-29 09:55:54 +00:00			`ssl_certificate ${sec}/wildcard.krebsco.de.crt;`
			`ssl_certificate_key ${sec}/wildcard.krebsco.de.key;`
wry: is the new provider for paste.krebsco.de 2015-10-21 16:49:20 +00:00			`ssl_verify_client off;`
			`proxy_ssl_session_reuse off;`
			`ssl_protocols TLSv1 TLSv1.1 TLSv1.2;`
			`ssl_ciphers RC4:HIGH:!aNULL:!MD5;`
			`ssl_prefer_server_ciphers on;`
			`if ($scheme = http){`
			`return 301 https://$server_name$request_uri;`
			`}'';`
			`};`
			`defaultPermissions = "read";`
m 2 *: s,/root/secrets,<secrets>, 2015-10-29 09:55:54 +00:00			`secretKey = secKey;`
wry: is the new provider for paste.krebsco.de 2015-10-21 16:49:20 +00:00			`};`
			`};`
			`};`
			`}`