56 lines
1.3 KiB
Nix
56 lines
1.3 KiB
Nix
{ config, lib, pkgs, ... }:
|
|
|
|
# 1systems should configure itself:
|
|
# krebs.bepasty.servers.internal.nginx.listen = [ "80" ]
|
|
# krebs.bepasty.servers.external.nginx.listen = [ "80" "443 ssl" ]
|
|
# 80 is redirected to 443 ssl
|
|
|
|
# secrets used:
|
|
# wildcard.krebsco.de.crt
|
|
# wildcard.krebsco.de.key
|
|
# bepasty-secret.nix <- contains single string
|
|
|
|
with import <stockholm/lib>;
|
|
let
|
|
sec = toString <secrets>;
|
|
# secKey is nothing worth protecting on a local machine
|
|
secKey = "${secrets}/bepasty-secret";
|
|
acmepath = "/var/lib/acme/";
|
|
acmechall = acmepath + "/challenges/";
|
|
ext-dom = "paste.krebsco.de" ;
|
|
in {
|
|
|
|
services.nginx.enable = mkDefault true;
|
|
krebs.bepasty = {
|
|
enable = true;
|
|
serveNginx= true;
|
|
|
|
servers = {
|
|
"paste.r" = {
|
|
nginx = {
|
|
serverAliases = [
|
|
"paste.${config.krebs.build.host.name}"
|
|
"paste.r"
|
|
];
|
|
extraConfig = ''
|
|
if ( $server_addr = "${external-ip}" ) {
|
|
return 403;
|
|
}
|
|
'';
|
|
};
|
|
defaultPermissions = "admin,list,create,read,delete";
|
|
secretKeyFile = secKey;
|
|
};
|
|
|
|
"${ext-dom}" = {
|
|
nginx = {
|
|
forceSSL = true;
|
|
enableACME = true;
|
|
};
|
|
defaultPermissions = "read";
|
|
secretKeyFile = secKey;
|
|
};
|
|
};
|
|
};
|
|
}
|