l: krebs.nginx -> services.nginx

This commit is contained in:
lassulus 2016-12-26 14:18:08 +01:00
parent 0f34276090
commit b9e3b93105
10 changed files with 161 additions and 237 deletions


@ -66,20 +66,18 @@ with import <stockholm/lib>;
}; };
} }
{ {
krebs.nginx = { services.nginx = {
enable = true; enable = true;
servers.default = { virtualHosts.default = {
server-names = [ serverAliases = [
"localhost" "localhost"
"${config.krebs.build.host.name}" "${config.krebs.build.host.name}"
"${config.krebs.build.host.name}.r" "${config.krebs.build.host.name}.r"
"${config.krebs.build.host.name}.retiolum" "${config.krebs.build.host.name}.retiolum"
]; ];
locations = [ locations."~ ^/~(.+?)(/.*)?\$".extraConfig = ''
(nameValuePair "~ ^/~(.+?)(/.*)?\$" '' alias /home/$1/public_html$2;
alias /home/$1/public_html$2; '';
'')
];
}; };
}; };
} }


@ -179,11 +179,9 @@ in {
imports = [ imports = [
../2configs/realwallpaper.nix ../2configs/realwallpaper.nix
]; ];
krebs.nginx.servers."lassul.us".locations = [ services.nginx.virtualHosts."lassul.us".locations."/wallpaper.png".extraConfig = ''
(lib.nameValuePair "/wallpaper.png" '' alias /tmp/wallpaper.png;
alias /tmp/wallpaper.png; '';
'')
];
} }
{ {
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
@ -203,16 +201,13 @@ in {
}; };
} }
{ {
krebs.nginx = { services.nginx = {
enable = true; enable = true;
servers.public = { virtualHosts.public = {
listen = [ "8088" ]; port = 8088;
server-names = [ "default" ]; locations."~ ^/~(.+?)(/.*)?\$".extraConfig = ''
locations = [ alias /home/$1/public_html$2;
(nameValuePair "~ ^/~(.+?)(/.*)?\$" '' '';
alias /home/$1/public_html$2;
'')
];
}; };
}; };
krebs.iptables.tables.filter.INPUT.rules = [ krebs.iptables.tables.filter.INPUT.rules = [
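Review bot: The `public` vhost on port 8088 loses its explicit catch-all name in the second hunk: the old `server-names = [ "default" ]` is dropped and the new `virtualHosts.public` has no `serverAliases`, so services.nginx will use the attribute name `public` as `server_name`. While it is the only server block on 8088 nginx still routes every request there, but adding a second vhost on that port would change which one answers requests with an unknown Host header. If the catch-all intent matters, make it explicit with `default = true;` inside `virtualHosts.public` (assuming the module version in use provides that option), and keep `port = 8088;` as is.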


@ -17,13 +17,13 @@
owner.name = "nix-serve"; owner.name = "nix-serve";
source-path = toString <secrets> + "/nix-serve.key"; source-path = toString <secrets> + "/nix-serve.key";
}; };
krebs.nginx = { services.nginx = {
enable = true; enable = true;
servers.nix-serve = { virtualHosts.nix-serve = {
server-names = [ "cache.prism.r" ]; serverAliases = [ "cache.prism.r" ];
locations = lib.singleton (lib.nameValuePair "/" '' locations."/".extraConfig = ''
proxy_pass http://localhost:${toString config.services.nix-serve.port}; proxy_pass http://localhost:${toString config.services.nix-serve.port};
''); '';
}; };
}; };
} }
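Review bot: The `/` location hand-writes `proxy_pass` inside `extraConfig` although the location options of services.nginx carry a dedicated `proxyPass` setting for exactly this; `locations."/".proxyPass = "http://localhost:${toString config.services.nix-serve.port}";` expresses the same thing (assuming the module version in use provides it) and keeps this vhost consistent with other NixOS-managed proxies. Note also that the attribute name `nix-serve` becomes the vhost's `serverName`, so the block now answers to Host `nix-serve` in addition to `cache.prism.r`; harmless for an internal binary cache but worth knowing when reading the generated config.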


@ -8,16 +8,14 @@ with import <stockholm/lib>;
krebs.go = { krebs.go = {
enable = true; enable = true;
}; };
krebs.nginx = { services.nginx = {
enable = true; enable = true;
servers.go = { virtualHosts.go = {
locations = [ locations."/".extraConfig = ''
(nameValuePair "/" '' proxy_set_header Host go;
proxy_set_header Host go; proxy_pass http://localhost:1337;
proxy_pass http://localhost:1337; '';
'') serverAliases = [
];
server-names = [
"go" "go"
"go.retiolum" "go.retiolum"
]; ];
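Review bot: `serverAliases` repeats the vhost's own name: the attribute name `go` already becomes `serverName` in services.nginx, so the generated `server_name` directive lists `go` twice, which nginx typically reports as a conflicting server name warning at config test. `serverAliases = [ "go.retiolum" ];` is enough here. The same duplication appears in `virtualHosts."lassul.us"` with `serverAliases = [ "lassul.us" ]` in the lass/2configs file, and in the three lib helpers (`servePage`, `serveOwncloud`, `serveWordpress`) where `virtualHosts.${domain}` is combined with `serverAliases = domains` while `domain = head domains`; `serverAliases = tail domains;` fixes those three without changing which hosts are served.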


@ -156,7 +156,7 @@ in {
}) })
]; ];
}; };
krebs.nginx.servers."lassul.us".locations = let services.nginx.virtualHosts."lassul.us".locations."/the_playlist".extraConfig = let
html = pkgs.writeText "index.html" '' html = pkgs.writeText "index.html" ''
<!DOCTYPE html> <!DOCTYPE html>
<html lang="en"> <html lang="en">
@ -175,10 +175,8 @@ in {
</body> </body>
</html> </html>
''; '';
in [ in ''
(nameValuePair "/the_playlist" '' default_type "text/html";
default_type "text/html"; alias ${html};
alias ${html}; '';
'')
];
} }


@ -9,15 +9,13 @@ let
in { in {
krebs.realwallpaper.enable = true; krebs.realwallpaper.enable = true;
krebs.nginx.servers.wallpaper = { services.nginx.virtualHosts.wallpaper = {
server-names = [ serverAliases = [
hostname hostname
]; ];
locations = [ locations."/wallpaper.png".extraConfig = ''
(nameValuePair "/wallpaper.png" '' root /tmp/;
root /tmp/; '';
'')
];
}; };
krebs.iptables = { krebs.iptables = {


@ -35,10 +35,10 @@ in {
(servePage [ "makeup.apanowicz.de" "www.makeup.apanowicz.de" ]) (servePage [ "makeup.apanowicz.de" "www.makeup.apanowicz.de" ])
(ssl [ "pixelpocket.de" ]) (ssl [ "pixelpocket.de" ])
(servePage [ "pixelpocket.de" "www.pixelpocket.de" ]) (servePage [ "pixelpocket.de" ])
(ssl [ "o.ubikmedia.de" ]) (ssl [ "o.ubikmedia.de" ])
(serveOwncloud [ "o.ubikmedia.de" "www.o.ubikmedia.de" ]) (serveOwncloud [ "o.ubikmedia.de" ])
(ssl [ (ssl [
"ubikmedia.de" "ubikmedia.de"
@ -92,11 +92,9 @@ in {
]) ])
]; ];
krebs.nginx.servers."ubikmedia.de".locations = [ services.nginx.virtualHosts."ubikmedia.de".locations."/piwika".extraConfig = ''
(lib.nameValuePair "/piwik" '' try_files $uri $uri/ /index.php?$args;
try_files $uri $uri/ /index.php?$args; '';
'')
];
lass.mysqlBackup.config.all.databases = [ lass.mysqlBackup.config.all.databases = [
"ubikmedia_de" "ubikmedia_de"
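Review bot: The piwik location key was mistyped during the migration: the old entry was `"/piwik"` and the new one is `locations."/piwika"`, so requests under `/piwik/` no longer get the `try_files $uri $uri/ /index.php?$args;` rule. Change it to `locations."/piwik".extraConfig = ''`. In the first hunk, `servePage [ "pixelpocket.de" ]` and `serveOwncloud [ "o.ubikmedia.de" ]` drop the `www.` names that the adjacent `ssl [ ... ]` calls still receive; since the lib's helpers now derive both `server_name` and, via `enableACME`, the certificate names from `serverAliases`, the www hosts presumably fall off both — confirm that is intended rather than an artefact of the rewrite.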


@ -62,18 +62,6 @@ in {
"ttf_kleinaspach_de" "ttf_kleinaspach_de"
]; ];
#password protect some dirs
krebs.nginx.servers."biostase.de".locations = [
(nameValuePair "/old_biostase.de" ''
auth_basic "Administrator Login";
auth_basic_user_file /srv/http/biostase.de/old_biostase.de/.htpasswd;
'')
(nameValuePair "/mysqldumper" ''
auth_basic "Administrator Login";
auth_basic_user_file /srv/http/biostase.de/mysqldumper/.htpasswd;
'')
];
users.users.root.openssh.authorizedKeys.keys = [ users.users.root.openssh.authorizedKeys.keys = [
config.krebs.users.fritz.pubkey config.krebs.users.fritz.pubkey
]; ];
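Review bot: This removal drops the `auth_basic` protection on `/old_biostase.de` and `/mysqldumper` without a migrated counterpart appearing anywhere else in the commit; if those directories still exist under the biostase.de document root, the MySQL dump tool becomes reachable without credentials. Carry the two entries over as `services.nginx.virtualHosts."biostase.de".locations` with the same `auth_basic` / `auth_basic_user_file` lines, or remove the directories from the webroot. If the paths were intentionally retired, a one-line comment in the file saying so would make that visible to the next reader.

```nix
#password protect some dirs
services.nginx.virtualHosts."biostase.de".locations."/old_biostase.de".extraConfig = ''
  auth_basic "Administrator Login";
  auth_basic_user_file /srv/http/biostase.de/old_biostase.de/.htpasswd;
'';
services.nginx.virtualHosts."biostase.de".locations."/mysqldumper".extraConfig = ''
  auth_basic "Administrator Login";
  auth_basic_user_file /srv/http/biostase.de/mysqldumper/.htpasswd;
'';
```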


@ -69,59 +69,53 @@ in {
"nginx" "nginx"
]; ];
krebs.nginx.servers."lassul.us" = { services.nginx.virtualHosts."lassul.us" = {
server-names = [ "lassul.us" ]; serverAliases = [ "lassul.us" ];
locations = [ locations."/".extraConfig = ''
(nameValuePair "/" '' root /srv/http/lassul.us;
root /srv/http/lassul.us; '';
'') locations."/.well-known/acme-challenge".extraConfig = ''
(nameValuePair "/.well-known/acme-challenge" '' root /var/lib/acme/challenges/lassul.us/;
root /var/lib/acme/challenges/lassul.us/; '';
'') locations."= /retiolum-hosts.tar.bz2".extraConfig = ''
(nameValuePair "= /retiolum-hosts.tar.bz2" '' alias ${config.krebs.tinc.retiolum.hostsArchive};
alias ${config.krebs.tinc.retiolum.hostsArchive}; '';
'') locations."/tinc".extraConfig = ''
(nameValuePair "/tinc" '' alias ${config.krebs.tinc_graphs.workingDir}/external;
alias ${config.krebs.tinc_graphs.workingDir}/external; '';
'') locations."= /ddate".extraConfig = let
(let script = pkgs.writeBash "test" ''
script = pkgs.writeBash "test" '' echo "hello world"
echo "hello world" '';
''; #script = pkgs.execve "ddate-wrapper" {
#script = pkgs.execve "ddate-wrapper" { # filename = "${pkgs.ddate}/bin/ddate";
# filename = "${pkgs.ddate}/bin/ddate"; # argv = [];
# argv = []; #};
#}; in ''
in nameValuePair "= /ddate" '' gzip off;
gzip off; fastcgi_pass unix:/var/run/lass-stuff.socket;
fastcgi_pass unix:/var/run/lass-stuff.socket; include ${pkgs.nginx}/conf/fastcgi_params;
include ${pkgs.nginx}/conf/fastcgi_params; fastcgi_param DOCUMENT_ROOT /var/empty;
fastcgi_param DOCUMENT_ROOT /var/empty; fastcgi_param SCRIPT_FILENAME ${script};
fastcgi_param SCRIPT_FILENAME ${script}; fastcgi_param SCRIPT_NAME ${script};
fastcgi_param SCRIPT_NAME ${script}; '';
'')
]; enableSSL = true;
ssl = { extraConfig = "listen 80;";
enable = true; sslCertificate = "/var/lib/acme/lassul.us/fullchain.pem";
certificate = "/var/lib/acme/lassul.us/fullchain.pem"; sslCertificateKey = "/var/lib/acme/lassul.us/key.pem";
certificate_key = "/var/lib/acme/lassul.us/key.pem";
};
}; };
krebs.nginx.servers.cgit = { services.nginx.virtualHosts.cgit = {
server-names = [ serverAliases = [
"cgit.lassul.us" "cgit.lassul.us"
]; ];
locations = [ locations."/.well-known/acme-challenge".extraConfig = ''
(nameValuePair "/.well-known/acme-challenge" '' root /var/lib/acme/acme-challenges;
root /var/lib/acme/challenges/cgit.lassul.us/; '';
'') enableSSL = true;
]; sslCertificate = "/var/lib/acme/cgit.lassul.us/fullchain.pem";
ssl = { sslCertificateKey = "/var/lib/acme/cgit.lassul.us/key.pem";
enable = true;
certificate = "/var/lib/acme/cgit.lassul.us/fullchain.pem";
certificate_key = "/var/lib/acme/cgit.lassul.us/key.pem";
};
}; };
users.users.blog = { users.users.blog = {
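Review bot: The cgit ACME challenge root changes silently from `/var/lib/acme/challenges/cgit.lassul.us/` to `/var/lib/acme/acme-challenges`, while the `lassul.us` vhost in the same hunk keeps `/var/lib/acme/challenges/lassul.us/`; both vhosts still point at hand-managed `sslCertificate` / `sslCertificateKey` paths, so whichever root does not match the webroot configured for `security.acme` will fail renewal and only surface when the certificate expires. Either keep the per-domain path for cgit (`root /var/lib/acme/challenges/cgit.lassul.us/;`) or, if the shared challenge directory is the new convention, update the lassul.us location to match and mention it in the commit message. Both hosts also pair `enableSSL = true` with `extraConfig = "listen 80;"`, which serves every location above in plain HTTP as well; if the intent is TLS-only, a separate port-80 server that redirects to https is the safer shape.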


@ -4,66 +4,24 @@ with lib;
rec { rec {
manageCerts = domains: ssl = domains :
let let
domain = head domains; domain = head domains;
in { in {
#security.acme = {
# certs."${domain}" = {
# email = "lassulus@gmail.com";
# webroot = "/var/lib/acme/challenges/${domain}";
# plugins = [
# "account_key.json"
# "key.pem"
# "fullchain.pem"
# ];
# group = "nginx";
# allowKeysForGroup = true;
# extraDomains = genAttrs domains (_: null);
# };
#};
krebs.nginx.servers."${domain}" = {
ssl.acmeEnable = true;
server-names = domains;
#locations = [
# (nameValuePair "/.well-known/acme-challenge" ''
# root /var/lib/acme/challenges/${domain}/;
# '')
#];
};
};
ssl = domains:
{
imports = [
( manageCerts domains )
#( activateACME (head domains) )
];
};
activateACME = domain:
{
krebs.nginx.servers.${domain} = {
ssl = {
enable = true;
certificate = "/var/lib/acme/${domain}/fullchain.pem";
certificate_key = "/var/lib/acme/${domain}/key.pem";
};
};
}; };
servePage = domains: servePage = domains:
let let
domain = head domains; domain = head domains;
in { in {
krebs.nginx.servers.${domain} = { services.nginx.virtualHosts.${domain} = {
server-names = domains; enableACME = true;
locations = [ enableSSL = true;
(nameValuePair "/" '' extraConfig = "listen 80;";
root /srv/http/${domain}; serverAliases = domains;
'') locations."/".extraConfig = ''
]; root /srv/http/${domain};
'';
}; };
}; };
@ -71,9 +29,13 @@ rec {
let let
domain = head domains; domain = head domains;
in { in {
krebs.nginx.servers."${domain}" = { services.nginx.virtualHosts."${domain}" = {
server-names = domains; enableACME = true;
enableSSL = true;
serverAliases = domains;
extraConfig = '' extraConfig = ''
listen 80;
# Add headers to serve security related headers # Add headers to serve security related headers
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;"; add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
add_header X-Content-Type-Options nosniff; add_header X-Content-Type-Options nosniff;
@ -109,56 +71,53 @@ rec {
rewrite ^/.well-known/host-meta /public.php?service=host-meta last; rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last; rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;
''; '';
locations = [ locations."/robots.txt".extraConfig = ''
(nameValuePair "/robots.txt" '' allow all;
allow all; log_not_found off;
log_not_found off; access_log off;
access_log off; '';
'') locations."~ ^/(build|tests|config|lib|3rdparty|templates|data)/".extraConfig = ''
(nameValuePair "~ ^/(build|tests|config|lib|3rdparty|templates|data)/" '' deny all;
deny all; '';
'')
(nameValuePair "~ ^/(?:autotest|occ|issue|indie|db_|console)" '' locations."~ ^/(?:autotest|occ|issue|indie|db_|console)".extraConfig = ''
deny all; deny all;
'') '';
(nameValuePair "/" '' locations."/".extraConfig = ''
rewrite ^/remote/(.*) /remote.php last; rewrite ^/remote/(.*) /remote.php last;
rewrite ^(/core/doc/[^\/]+/)$ $1/index.html; rewrite ^(/core/doc/[^\/]+/)$ $1/index.html;
try_files $uri $uri/ =404; try_files $uri $uri/ =404;
'') '';
(nameValuePair "~ \.php(?:$|/)" '' locations."~ \.php(?:$|/)".extraConfig = ''
fastcgi_split_path_info ^(.+\.php)(/.+)$; fastcgi_split_path_info ^(.+\.php)(/.+)$;
include ${pkgs.nginx}/conf/fastcgi_params; include ${pkgs.nginx}/conf/fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info; fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_param HTTPS on; fastcgi_param HTTPS on;
fastcgi_param modHeadersAvailable true; #Avoid sending the security headers twice fastcgi_param modHeadersAvailable true; #Avoid sending the security headers twice
fastcgi_pass unix:/srv/http/${domain}/phpfpm.pool; fastcgi_pass unix:/srv/http/${domain}/phpfpm.pool;
fastcgi_intercept_errors on; fastcgi_intercept_errors on;
'') '';
# Adding the cache control header for js and css files # Adding the cache control header for js and css files
# Make sure it is BELOW the location ~ \.php(?:$|/) { block # Make sure it is BELOW the location ~ \.php(?:$|/) { block
(nameValuePair "~* \.(?:css|js)$" '' locations."~* \.(?:css|js)$".extraConfig = ''
add_header Cache-Control "public, max-age=7200"; add_header Cache-Control "public, max-age=7200";
# Add headers to serve security related headers # Add headers to serve security related headers
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;"; add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
add_header X-Content-Type-Options nosniff; add_header X-Content-Type-Options nosniff;
add_header X-Frame-Options "SAMEORIGIN"; add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "1; mode=block"; add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none; add_header X-Robots-Tag none;
# Optional: Don't log access to assets # Optional: Don't log access to assets
access_log off; access_log off;
'') '';
# Optional: Don't log access to other assets
# Optional: Don't log access to other assets locations."~* \.(?:jpg|jpeg|gif|bmp|ico|png|swf)$".extraConfig = ''
(nameValuePair "~* \.(?:jpg|jpeg|gif|bmp|ico|png|swf)$" '' access_log off;
access_log off; '';
'')
];
}; };
services.phpfpm.poolConfigs."${domain}" = '' services.phpfpm.poolConfigs."${domain}" = ''
listen = /srv/http/${domain}/phpfpm.pool listen = /srv/http/${domain}/phpfpm.pool
@ -183,9 +142,12 @@ rec {
domain = head domains; domain = head domains;
in { in {
krebs.nginx.servers."${domain}" = { services.nginx.virtualHosts."${domain}" = {
server-names = domains; enableACME = true;
enableSSL = true;
serverAliases = domains;
extraConfig = '' extraConfig = ''
listen 80;
root /srv/http/${domain}/; root /srv/http/${domain}/;
index index.php; index index.php;
access_log /tmp/nginx_acc.log; access_log /tmp/nginx_acc.log;
@ -194,24 +156,19 @@ rec {
error_page 500 502 503 504 /50x.html; error_page 500 502 503 504 /50x.html;
client_max_body_size 100m; client_max_body_size 100m;
''; '';
locations = [ locations."/".extraConfig = ''
(nameValuePair "/" '' try_files $uri $uri/ /index.php?$args;
try_files $uri $uri/ /index.php?$args; '';
'') locations."~ \.php$".extraConfig = ''
(nameValuePair "~ \.php$" '' fastcgi_pass unix:/srv/http/${domain}/phpfpm.pool;
fastcgi_pass unix:/srv/http/${domain}/phpfpm.pool; include ${pkgs.nginx}/conf/fastcgi.conf;
include ${pkgs.nginx}/conf/fastcgi.conf; '';
'') #Directives to send expires headers and turn off 404 error logging.
#(nameValuePair "~ /\\." '' locations."~* ^.+\.(xml|ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|css|rss|atom|js|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$".extraConfig = ''
# deny all; access_log off;
#'') log_not_found off;
#Directives to send expires headers and turn off 404 error logging. expires max;
(nameValuePair "~* ^.+\.(xml|ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|css|rss|atom|js|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$" '' '';
access_log off;
log_not_found off;
expires max;
'')
];
}; };
services.phpfpm.poolConfigs."${domain}" = '' services.phpfpm.poolConfigs."${domain}" = ''
listen = /srv/http/${domain}/phpfpm.pool listen = /srv/http/${domain}/phpfpm.pool
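Review bot: `ssl` is now a function that returns an empty set: after the removal of `manageCerts` and `activateACME` its body in the first hunk is `ssl = domains: let domain = head domains; in { };`, `domain` is unused, and every `(ssl [ ... ])` call site in the host configs becomes a no-op while still reading as if it did something. Either delete the helper together with its call sites, or make it carry the ACME flag, e.g. `ssl = domains: { services.nginx.virtualHosts.${head domains}.enableACME = true; };`, so `servePage`, `serveOwncloud` and `serveWordpress` do not each repeat `enableACME = true;`. Separately, all three helpers combine `enableSSL = true` with `listen 80;` in `extraConfig`, so the application is served in plain HTTP as well; for `serveOwncloud` the `fastcgi_param HTTPS on;` is then also sent for port-80 requests, and the `Strict-Transport-Security` header is only honoured by browsers when received over TLS. If the module version in use provides `forceSSL`, it replaces the `listen 80;` line with a redirect; otherwise a separate port-80 server block returning 301 keeps the helpers TLS-only.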