stockholm/makefu/2configs/bepasty-dual.nix
2016-02-14 16:43:44 +01:00

57 lines
1.6 KiB
Nix

{ config, lib, pkgs, ... }:
# 1systems should configure itself:
# krebs.bepasty.servers.internal.nginx.listen = [ "80" ]
# krebs.bepasty.servers.external.nginx.listen = [ "80" "443 ssl" ]
# 80 is redirected to 443 ssl
# secrets used:
# wildcard.krebsco.de.crt
# wildcard.krebsco.de.key
# bepasty-secret.nix <- contains single string
with config.krebs.lib;
let
sec = toString <secrets>;
# secKey is nothing worth protecting on a local machine
secKey = import <secrets/bepasty-secret.nix>;
in {
krebs.nginx.enable = mkDefault true;
krebs.bepasty = {
enable = true;
serveNginx= true;
servers = {
internal = {
nginx = {
server-names = [ "paste.retiolum" "paste.${config.krebs.build.host.name}" ];
};
defaultPermissions = "admin,list,create,read,delete";
secretKey = secKey;
};
external = {
nginx = {
server-names = [ "paste.krebsco.de" ];
extraConfig = ''
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 10m;
ssl_certificate ${sec}/wildcard.krebsco.de.crt;
ssl_certificate_key ${sec}/wildcard.krebsco.de.key;
ssl_verify_client off;
proxy_ssl_session_reuse off;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers RC4:HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
if ($scheme = http){
return 301 https://$server_name$request_uri;
}'';
};
defaultPermissions = "read";
secretKey = secKey;
};
};
};
}