l 3 *_nginx: allow configuration of ssl
parent
7d6d0a4664
commit
45343b1e14
@ -46,8 +46,22 @@ let
|
||||
type = str;
|
||||
};
|
||||
ssl = mkOption {
|
||||
type = bool;
|
||||
default = false;
|
||||
type = with types; submodule ({
|
||||
options = {
|
||||
enable = mkEnableOption "ssl";
|
||||
certificate = mkOption {
|
||||
type = str;
|
||||
};
|
||||
certificate_key = mkOption {
|
||||
type = str;
|
||||
};
|
||||
ciphers = mkOption {
|
||||
type = str;
|
||||
default = "AES128+EECDH:AES128+EDH";
|
||||
};
|
||||
};
|
||||
});
|
||||
default = {};
|
||||
};
|
||||
};
|
||||
}));
|
||||
@ -58,7 +72,7 @@ let
|
||||
group = config.services.nginx.group;
|
||||
|
||||
imp = {
|
||||
krebs.nginx.servers = flip mapAttrs cfg ( name: { domain, folder, ... }: {
|
||||
krebs.nginx.servers = flip mapAttrs cfg ( name: { domain, folder, ssl, ... }: {
|
||||
server-names = [
|
||||
"${domain}"
|
||||
"www.${domain}"
|
||||
@ -102,7 +116,16 @@ let
|
||||
|
||||
error_page 403 /core/templates/403.php;
|
||||
error_page 404 /core/templates/404.php;
|
||||
${if ssl.enable then ''
|
||||
ssl_certificate ${ssl.certificate};
|
||||
ssl_certificate_key ${ssl.certificate_key};
|
||||
'' else ""}
|
||||
'';
|
||||
listen = (if ssl.enable then
|
||||
[ "80" "443 ssl" ]
|
||||
else
|
||||
"80"
|
||||
);
|
||||
});
|
||||
services.phpfpm.poolConfigs = flip mapAttrs cfg (name: { domain, folder, ... }: ''
|
||||
listen = ${folder}/phpfpm.pool
|
||||
|
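Review bot: The new `ssl.ciphers` option (default `"AES128+EECDH:AES128+EDH"`) is declared but never reaches the generated server block: the `ssl.enable` branch after the `error_page` lines emits only `ssl_certificate` and `ssl_certificate_key`. An operator who sets `ciphers` to restrict the negotiated suites will silently get nginx's built-in cipher list instead. Add `ssl_ciphers ${ssl.ciphers};` inside that branch, plus `ssl_prefer_server_ciphers on;` if the server's ordering is meant to win. The other two file sections on this page declare the same option and have the same gap in their `extraConfig`. The enclosing `extraConfig` string starts outside the hunk, so this rests on the visible lines only.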
@ -21,6 +21,35 @@ let
|
||||
type = str;
|
||||
default = "/srv/http/${config.domain}";
|
||||
};
|
||||
#sslEnable = mkEnableOption "ssl";
|
||||
#certificate = mkOption {
|
||||
# type = str;
|
||||
#};
|
||||
#certificate_key = mkOption {
|
||||
# type = str;
|
||||
#};
|
||||
#ciphers = mkOption {
|
||||
# type = str;
|
||||
# default = "AES128+EECDH:AES128+EDH";
|
||||
#};
|
||||
ssl = mkOption {
|
||||
type = with types; submodule ({
|
||||
options = {
|
||||
enable = mkEnableOption "ssl";
|
||||
certificate = mkOption {
|
||||
type = str;
|
||||
};
|
||||
certificate_key = mkOption {
|
||||
type = str;
|
||||
};
|
||||
ciphers = mkOption {
|
||||
type = str;
|
||||
default = "AES128+EECDH:AES128+EDH";
|
||||
};
|
||||
};
|
||||
});
|
||||
default = {};
|
||||
};
|
||||
};
|
||||
}));
|
||||
default = {};
|
||||
@ -29,8 +58,10 @@ let
|
||||
user = config.services.nginx.user;
|
||||
group = config.services.nginx.group;
|
||||
|
||||
external-ip = head config.krebs.build.host.nets.internet.addrs4;
|
||||
|
||||
imp = {
|
||||
krebs.nginx.servers = flip mapAttrs cfg ( name: { domain, folder, ... }: {
|
||||
krebs.nginx.servers = flip mapAttrs cfg ( name: { domain, folder, ssl, ... }: {
|
||||
server-names = [
|
||||
"${domain}"
|
||||
"www.${domain}"
|
||||
@ -43,6 +74,17 @@ let
|
||||
deny all;
|
||||
'')
|
||||
];
|
||||
|
||||
listen = (if ssl.enable then
|
||||
[ "80" "443 ssl" ]
|
||||
else
|
||||
"80"
|
||||
);
|
||||
extraConfig = (if ssl.enable then ''
|
||||
ssl_certificate ${ssl.certificate};
|
||||
ssl_certificate_key ${ssl.certificate_key};
|
||||
'' else "");
|
||||
|
||||
});
|
||||
};
|
||||
|
||||
|
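Review bot: With `ssl.enable` set, `listen` becomes `[ "80" "443 ssl" ]`, so the same server block keeps answering plaintext HTTP, and nothing visible in this hunk redirects port 80 to HTTPS. Clients that arrive over `http://` therefore never get the protection the certificate was configured for. In the `ssl.enable` branch of `extraConfig`, consider adding `if ($scheme = http) { return 301 https://$server_name$request_uri; }`, and decide explicitly whether to send a `Strict-Transport-Security` header. The same `listen` expression appears in the other two file sections, which also configure PHP-FPM pools and so presumably carry login traffic, where this matters more.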
@ -53,6 +53,23 @@ let
|
||||
"1" = "test.testsite.de";
|
||||
};
|
||||
};
|
||||
ssl = mkOption {
|
||||
type = with types; submodule ({
|
||||
options = {
|
||||
enable = mkEnableOption "ssl";
|
||||
certificate = mkOption {
|
||||
type = str;
|
||||
};
|
||||
certificate_key = mkOption {
|
||||
type = str;
|
||||
};
|
||||
ciphers = mkOption {
|
||||
type = str;
|
||||
default = "AES128+EECDH:AES128+EDH";
|
||||
};
|
||||
};
|
||||
});
|
||||
};
|
||||
};
|
||||
}));
|
||||
default = {};
|
||||
@ -68,7 +85,7 @@ let
|
||||
# }
|
||||
#'';
|
||||
|
||||
krebs.nginx.servers = flip mapAttrs cfg ( name: { domain, folder, multiSite, ... }: {
|
||||
krebs.nginx.servers = flip mapAttrs cfg ( name: { domain, folder, multiSite, ssl, ... }: {
|
||||
server-names = [
|
||||
"${domain}"
|
||||
"www.${domain}"
|
||||
@ -114,7 +131,17 @@ let
|
||||
error_log /tmp/nginx_err.log;
|
||||
error_page 404 /404.html;
|
||||
error_page 500 502 503 504 /50x.html;
|
||||
${if ssl.enable then ''
|
||||
ssl_certificate ${ssl.certificate};
|
||||
ssl_certificate_key ${ssl.certificate_key};
|
||||
'' else ""}
|
||||
|
||||
'';
|
||||
listen = (if ssl.enable then
|
||||
[ "80" "443 ssl" ]
|
||||
else
|
||||
"80"
|
||||
);
|
||||
});
|
||||
services.phpfpm.poolConfigs = flip mapAttrs cfg (name: { domain, folder, ... }: ''
|
||||
listen = ${folder}/phpfpm.pool
|
||||
|
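Review bot: The `ssl` option added in this file has no `default = {};`, unlike the otherwise identical submodule in the other two file sections. An instance that does not set `ssl` may therefore fail evaluation when `ssl.enable` is read in the `listen` and `extraConfig` expressions, depending on whether the nixpkgs revision in use gives submodules an empty default. Add `default = {};` after the closing `});` of the submodule type. Moving the three copies into one shared definition would prevent this kind of drift. That shared definition would also be the place for a `description` on `certificate_key` saying the value must be a runtime path outside the world-readable Nix store.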