l 3 *_nginx: allow configuration of ssl

This commit is contained in:
lassulus 2016-02-01 16:03:03 +01:00
parent 7d6d0a4664
commit 45343b1e14
3 changed files with 97 additions and 5 deletions


@ -46,8 +46,22 @@ let
type = str;
};
ssl = mkOption {
type = bool;
default = false;
type = with types; submodule ({
options = {
enable = mkEnableOption "ssl";
certificate = mkOption {
type = str;
};
certificate_key = mkOption {
type = str;
};
ciphers = mkOption {
type = str;
default = "AES128+EECDH:AES128+EDH";
};
};
});
default = {};
};
};
}));
@ -58,7 +72,7 @@ let
group = config.services.nginx.group;
imp = {
krebs.nginx.servers = flip mapAttrs cfg ( name: { domain, folder, ... }: {
krebs.nginx.servers = flip mapAttrs cfg ( name: { domain, folder, ssl, ... }: {
server-names = [
"${domain}"
"www.${domain}"
@ -102,7 +116,16 @@ let
error_page 403 /core/templates/403.php;
error_page 404 /core/templates/404.php;
${if ssl.enable then ''
ssl_certificate ${ssl.certificate};
ssl_certificate_key ${ssl.certificate_key};
'' else ""}
'';
listen = (if ssl.enable then
[ "80" "443 ssl" ]
else
"80"
);
});
services.phpfpm.poolConfigs = flip mapAttrs cfg (name: { domain, folder, ... }: ''
listen = ${folder}/phpfpm.pool
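Review bot: The `ciphers` option added at `ciphers = mkOption { type = str; default = "AES128+EECDH:AES128+EDH"; };` is never read: the ssl block in extraConfig emits only `ssl_certificate` and `ssl_certificate_key`, so nginx keeps its built-in cipher list and a user setting `ssl.ciphers` gets no effect; add `ssl_ciphers ${ssl.ciphers};` right after the `ssl_certificate_key` line, and the same omission is in the second and third files of this commit. Enabling ssl also keeps plain `"80"` in the listen list with no redirect, so the site stays reachable over plaintext after ssl is turned on; if that is intended, a short comment on the `listen` expression saying so would help. In the third file the `ssl` option appears to lack the `default = {};` that this file and the second have, which, as far as the hunk shows, would make `ssl.enable` fail evaluation for any site that does not set `ssl`. The `krebs.nginx.servers` attrset and the extraConfig string edited by the last hunk begin outside it.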


@ -21,6 +21,35 @@ let
type = str;
default = "/srv/http/${config.domain}";
};
#sslEnable = mkEnableOption "ssl";
#certificate = mkOption {
# type = str;
#};
#certificate_key = mkOption {
# type = str;
#};
#ciphers = mkOption {
# type = str;
# default = "AES128+EECDH:AES128+EDH";
#};
ssl = mkOption {
type = with types; submodule ({
options = {
enable = mkEnableOption "ssl";
certificate = mkOption {
type = str;
};
certificate_key = mkOption {
type = str;
};
ciphers = mkOption {
type = str;
default = "AES128+EECDH:AES128+EDH";
};
};
});
default = {};
};
};
}));
default = {};
@ -29,8 +58,10 @@ let
user = config.services.nginx.user;
group = config.services.nginx.group;
external-ip = head config.krebs.build.host.nets.internet.addrs4;
imp = {
krebs.nginx.servers = flip mapAttrs cfg ( name: { domain, folder, ... }: {
krebs.nginx.servers = flip mapAttrs cfg ( name: { domain, folder, ssl, ... }: {
server-names = [
"${domain}"
"www.${domain}"
@ -43,6 +74,17 @@ let
deny all;
'')
];
listen = (if ssl.enable then
[ "80" "443 ssl" ]
else
"80"
);
extraConfig = (if ssl.enable then ''
ssl_certificate ${ssl.certificate};
ssl_certificate_key ${ssl.certificate_key};
'' else "");
});
};
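Review bot: The commented-out block from `#sslEnable = mkEnableOption "ssl";` through `#};` just above the new `ssl` option duplicates the submodule beneath it and should be dropped rather than left in as dead text. `certificate` and `certificate_key` carry no `description`; a one-line description on `certificate_key` stating that it is a path string to a key file readable by the nginx user, not a store path (interpolating a path literal into the string would copy the key into the world-readable Nix store), would save the next user a mistake. The `listen` expression yields a list in the ssl branch and a bare string otherwise; whether the `listen` option of `krebs.nginx.servers` accepts both forms is not visible here and worth confirming. The `krebs.nginx.servers` definition this last hunk edits begins in the previous hunk.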


@ -53,6 +53,23 @@ let
"1" = "test.testsite.de";
};
};
ssl = mkOption {
type = with types; submodule ({
options = {
enable = mkEnableOption "ssl";
certificate = mkOption {
type = str;
};
certificate_key = mkOption {
type = str;
};
ciphers = mkOption {
type = str;
default = "AES128+EECDH:AES128+EDH";
};
};
});
};
};
}));
default = {};
@ -68,7 +85,7 @@ let
# }
#'';
krebs.nginx.servers = flip mapAttrs cfg ( name: { domain, folder, multiSite, ... }: {
krebs.nginx.servers = flip mapAttrs cfg ( name: { domain, folder, multiSite, ssl, ... }: {
server-names = [
"${domain}"
"www.${domain}"
@ -114,7 +131,17 @@ let
error_log /tmp/nginx_err.log;
error_page 404 /404.html;
error_page 500 502 503 504 /50x.html;
${if ssl.enable then ''
ssl_certificate ${ssl.certificate};
ssl_certificate_key ${ssl.certificate_key};
'' else ""}
'';
listen = (if ssl.enable then
[ "80" "443 ssl" ]
else
"80"
);
});
services.phpfpm.poolConfigs = flip mapAttrs cfg (name: { domain, folder, ... }: ''
listen = ${folder}/phpfpm.pool