From 5cc8688003eca4b104097f0f07285c616971e49d Mon Sep 17 00:00:00 2001
From: catvayor
Date: Wed, 19 Jun 2024 16:26:15 +0200
Subject: [PATCH] fix acme
---
 hive.nix | 5 ++-
 machines/kat-r86s/configuration.nix | 64 +++++++++++++++-------------
 machines/kat-virt/configuration.nix | 14 +++++--
 machines/kat-watcher/default.nix | 56 +++++++++++-------------
 npins/sources.json | 14 +++++++
 patches/default.nix | 8 ++++
 patches/nginx-fallback.patch | 43 +++++++++++++++++++
 7 files changed, 138 insertions(+), 66 deletions(-)
 create mode 100644 patches/default.nix
 create mode 100644 patches/nginx-fallback.patch
diff --git a/hive.nix b/hive.nix
index 149316a..8628512 100644
--- a/hive.nix
+++ b/hive.nix
@@ -5,7 +5,10 @@ let
 id_sylvain = "ssh-rsa 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 sylvain@idefix";
 in
 {
- meta.nixpkgs = import sources.nixpkgs { };
+ meta.nixpkgs = (import sources.nix-patches { patchFile = ./patches; }).mkNixpkgsSrc {
+ src = sources.nixpkgs;
+ version = "unstable";
+ };
 meta.specialArgs = {
 inherit mods users sources;
 };
diff --git a/machines/kat-r86s/configuration.nix b/machines/kat-r86s/configuration.nix
index 08fb841..01443f8 100644
--- a/machines/kat-r86s/configuration.nix
+++ b/machines/kat-r86s/configuration.nix
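Review bot: The `version = "unstable"` argument to mkNixpkgsSrc reads like a nixpkgs release string, but it appears to be the attribute name that selects the patch list in ./patches/default.nix (`unstable = [ ... ]`), and neither file says so. A comment above the assignment, e.g. `# "unstable" selects the patches.unstable list in ./patches/default.nix, not a nixpkgs release`, would keep the two from drifting apart. It is also worth recording here that the machine configs in machines/kat-r86s and machines/kat-watcher use an nginx option (`acmeFallbackRecommendedProxySettings`) that only exists once this patched nixpkgs is in effect, so evaluating them against a plain `sources.nixpkgs` will fail.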
@@ -111,38 +111,42 @@
 acceptTerms = true;
 defaults.email = "root@katvayor.net";
 };
- services.nginx = {
- enable = true;
- virtualHosts = {
- "degette.katvayor.net" = {
- enableACME = true;
- addSSL = true;
- locations."/" = {
- recommendedProxySettings = true;
- proxyPass = "http://192.168.122.2/";
+ services.nginx =
+ let
+ vhosts = {
+ "degette.katvayor.net" = {
+ vm = "192.168.122.2";
+ sshport = 22000;
+ };
+ "betamail.katvayor.net" = {
+ vm = "192.168.122.3";
+ sshport = 22002;
+ };
+ "traque.katvayor.net" = {
+ vm = "192.168.122.4";
+ sshport = 22001;
 };
 };
- "traque.katvayor.net".locations."/" = {
- recommendedProxySettings = true;
- proxyPass = "http://192.168.122.4/";
- };
- };
- streamConfig = ''
- upstream kat-virt {
- server 192.168.122.2:22;
- }
- server {
- listen 22000;
- proxy_pass kat-virt;
- }
- upstream kat-traque {
- server 192.168.122.4:22;
- }
- server {
- listen 22001;
- proxy_pass kat-virt;
- }
- '';
+ in
+ {
+ enable = true;
+ virtualHosts =
+ builtins.mapAttrs (_: {vm, ...}: {
+ enableACME = true;
+ addSSL = true;
+ acmeFallbackHost = vm;
+ acmeFallbackRecommendedProxySettings = true;
+ locations."/" = {
+ recommendedProxySettings = true;
+ proxyPass = "https://${vm}/";
+ };
+ }) vhosts;
+ streamConfig = builtins.concatStringsSep "\n" (lib.mapAttrsToList (vhost: {vm, sshport}: ''
+ server {
+ listen ${toString sshport};
+ proxy_pass ${vm}:22;
+ }
+ '') vhosts);
 };
 # Open ports in the firewall.
diff --git a/machines/kat-virt/configuration.nix b/machines/kat-virt/configuration.nix
index ba45a68..c1301ea 100644
--- a/machines/kat-virt/configuration.nix
+++ b/machines/kat-virt/configuration.nix
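Review bot: `proxyPass = "https://${vm}/"` switches the hop to the VMs from http to https, but nginx by default neither verifies the upstream certificate nor sends SNI, so the change encrypts the link without authenticating the VM and will present the IP rather than the hostname to a VM that serves several names; if authenticated upstreams are the goal, the location needs `extraConfig = "proxy_ssl_server_name on; proxy_ssl_name $host; proxy_ssl_verify on;"` plus a `proxy_ssl_trusted_certificate` pointing at the CA the VM certificates chain to (placeholder path to be filled in). The same applies to `proxyPass = "https://${kat-r86s}/"` in machines/kat-watcher/default.nix. As a style point, the streamConfig lambda names its unused first argument `vhost` while the virtualHosts lambda two lines up already writes `_`; `(_: {vm, sshport}: ''` keeps the two consistent. The module body continues past the end of the hunk, so the firewall rules the trailing comment announces are not visible here.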
@@ -99,11 +99,19 @@
 # Enable the OpenSSH daemon.
 services.openssh.enable = true;
+ security.acme = {
+ acceptTerms = true;
+ defaults.email = "root@katvayor.net";
+ };
 services.nginx = {
 enable = true;
- virtualHosts."degette.katvayor.net".locations."/" = {
- recommendedProxySettings = true;
- proxyPass = "http://localhost:8000/";
+ virtualHosts."degette.katvayor.net" = {
+ enableACME = true;
+ addSSL = true;
+ locations."/" = {
+ recommendedProxySettings = true;
+ proxyPass = "http://localhost:8000/";
+ };
 };
 };
diff --git a/machines/kat-watcher/default.nix b/machines/kat-watcher/default.nix
index 383561c..91afca6 100644
--- a/machines/kat-watcher/default.nix
+++ b/machines/kat-watcher/default.nix
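Review bot: `addSSL = true` here, as opposed to the `forceSSL` used on kat-watcher, is presumably deliberate: the `@acme-fallback` location on kat-r86s reaches this host over plain `http://` (see the `proxy_pass http://${vhost.acmeFallbackHost}` line in patches/nginx-fallback.patch), so the HTTP listener must keep answering rather than redirecting, but nothing in the hunk records that and `forceSSL` is the obvious later "tidy-up". A comment such as `# addSSL, not forceSSL: kat-r86s forwards ACME challenges to this host over plain HTTP` would preserve the reason. The `security.acme` block is now repeated verbatim on kat-virt, kat-r86s and kat-watcher; a shared module under `mods` (already passed via specialArgs) would keep the contact address in one place. The enclosing configuration continues outside the hunk.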
@@ -58,44 +58,36 @@
 acceptTerms = true;
 defaults.email = "root@katvayor.net";
 };
- services.nginx = {
- enable = true;
- virtualHosts = {
- "degette.katvayor.net" = {
+ services.nginx =
+ let
+ kat-r86s = "100.102.49.84";
+ vhosts = {
+ "degette.katvayor.net" = 22000;
+ "traque.katvayor.net" = 22001;
+ "betamail.katvayor.net" = 22002;
+ };
+ in
+ {
+ enable = true;
+ virtualHosts = builtins.mapAttrs (_: _: {
 enableACME = true;
 forceSSL = true;
- acmeFallbackHost = "100.102.49.84";
+ acmeFallbackHost = kat-r86s;
+ acmeFallbackRecommendedProxySettings = true;
 locations."/" = {
 recommendedProxySettings = true;
- proxyPass = "https://100.102.49.84/";
+ proxyPass = "https://${kat-r86s}/";
 };
- };
- "traque.katvayor.net" = {
- enableACME = true;
- forceSSL = true;
- locations."/" = {
- recommendedProxySettings = true;
- proxyPass = "http://100.102.49.84/";
- };
+ }) vhosts;
+ streamConfig = builtins.concatStringsSep "\n" (
+ lib.mapAttrsToList (vhost: sshport: ''
+ server {
+ listen ${toString sshport};
+ proxy_pass ${kat-r86s}:${toString sshport};
+ }
+ '') vhosts
+ );
 };
- streamConfig = ''
- upstream kat-virt {
- server 100.102.49.84:22000;
- }
- server {
- listen 22000;
- proxy_pass kat-virt;
- }
- upstream kat-traque {
- server 100.102.49.84:22001;
- }
- server {
- listen 22001;
- proxy_pass kat-virt;
- }
- '';
- };
 services.dbus.packages = with pkgs; [ dconf ];
diff --git a/npins/sources.json b/npins/sources.json
index 40508a1..a2033ec 100644
--- a/npins/sources.json
+++ b/npins/sources.json
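Review bot: The `vhosts` table (hostname to port) duplicates the `sshport` values in machines/kat-r86s/configuration.nix, and `proxy_pass ${kat-r86s}:${toString sshport}` only reaches the VM the hostname implies while the two tables agree; nothing ties them together, so renumbering on one machine silently misroutes SSH on the other. A comment above the table, e.g. `# port numbers must match sshport in machines/kat-r86s/configuration.nix`, or lifting the table into a shared module under `mods`, would make the coupling visible. `listen ${toString sshport}` with no address binds every interface; whether the firewall restricts these ports is outside the hunk and worth confirming. The `vhost` parameter of the mapAttrsToList lambda is unused, as on kat-r86s, and could be `_`.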
@@ -39,6 +39,20 @@
 "url": "https://github.com/nix-community/home-manager/archive/0a7ffb28e5df5844d0e8039c9833d7075cdee792.tar.gz",
 "hash": "1qd5sdpgpadd0972gmngjl0gf96h4cz0xvmv0186pgj6xgzc7amh"
 },
+ "nix-patches": {
+ "type": "GitRelease",
+ "repository": {
+ "type": "Git",
+ "url": "https://git.hubrecht.ovh/hubrecht/nix-patches"
+ },
+ "pre_releases": false,
+ "version_upper_bound": null,
+ "release_prefix": null,
+ "version": "v0.5.0",
+ "revision": "e11ba20945f4a867f09d84343c37328288f274b4",
+ "url": null,
+ "hash": "1c6cc44pwlg3ky6cnwhkml8ci77fw3sgjhwvqg0f6igxxf2fqv9v"
+ },
 "nixos-images": {
 "type": "Git",
 "repository": {
diff --git a/patches/default.nix b/patches/default.nix
new file mode 100644
index 0000000..bf48857
--- /dev/null
+++ b/patches/default.nix
@@ -0,0 +1,8 @@
+{
+ unstable = [
+ {
+ _type = "static";
+ path = ./nginx-fallback.patch;
+ }
+ ];
+}
diff --git a/patches/nginx-fallback.patch b/patches/nginx-fallback.patch
new file mode 100644
index 0000000..a341a74
--- /dev/null
+++ b/patches/nginx-fallback.patch
@@ -0,0 +1,43 @@
+From dc29ed2d52b55791b980c4c3ffaedcad687d7549 Mon Sep 17 00:00:00 2001
+From: catvayor
+Date: Wed, 19 Jun 2024 10:01:16 +0200
+Subject: [PATCH] add recommanded proxy settings to acme fallback
+
+---
+ nixos/modules/services/web-servers/nginx/default.nix | 1 +
+ nixos/modules/services/web-servers/nginx/vhost-options.nix | 7 +++++++
+ 2 files changed, 8 insertions(+)
+
+diff --git a/nixos/modules/services/web-servers/nginx/default.nix b/nixos/modules/services/web-servers/nginx/default.nix
+index f9720c362..5d68f4a7b 100644
+--- a/nixos/modules/services/web-servers/nginx/default.nix
++++ b/nixos/modules/services/web-servers/nginx/default.nix
+@@ -372,6 +372,7 @@ let
+ location @acme-fallback {
+ auth_basic off;
+ auth_request off;
++ ${optionalString (vhost.acmeFallbackRecommendedProxySettings) "include ${recommendedProxyConfig};"}
+ proxy_pass http://${vhost.acmeFallbackHost};
+ }
+ ''}
+diff --git a/nixos/modules/services/web-servers/nginx/vhost-options.nix b/nixos/modules/services/web-servers/nginx/vhost-options.nix
+index 24fcb101c..272d2e364 100644
+--- a/nixos/modules/services/web-servers/nginx/vhost-options.nix
++++ b/nixos/modules/services/web-servers/nginx/vhost-options.nix
+@@ -132,6 +132,13 @@ with lib;
+ specify here.
+ '';
+ };
++ acmeFallbackRecommendedProxySettings = mkOption {
++ type = types.bool;
++ default = false;
++ description = ''
++ Enable recommended proxy settings for ACME fallback.
++ '';
++ };
+
+ addSSL = mkOption {
+ type = types.bool;
+-- 
+2.45.1
+
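Review bot: The new option's description, `Enable recommended proxy settings for ACME fallback.`, does not say which settings those are, and the one fact a reader of vhost-options.nix needs is that the option includes the module's recommended proxy configuration (the `include ${recommendedProxyConfig};` line the default.nix hunk adds) into `location @acme-fallback`, i.e. the same headers `recommendedProxySettings` applies to ordinary proxied locations; rewording the description along those lines makes the option self-explanatory. Because this is a local patch carried against nixpkgs, a line in the patch header (or next to the entry in patches/default.nix) giving its upstream status, a PR link if submitted or "not submitted" otherwise, tells the next maintainer when it can be dropped. Minor: the parentheses in `optionalString (vhost.acmeFallbackRecommendedProxySettings) "include ${recommendedProxyConfig};"` are unnecessary, and the inner Subject line misspells "recommended".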