fix acme
parent
c032e84459
commit
5cc8688003
7 changed files with 138 additions and 66 deletions
5
hive.nix
5
hive.nix
|
@ -5,7 +5,10 @@ let
|
||||||
id_sylvain = "ssh-rsa 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 sylvain@idefix";
|
id_sylvain = "ssh-rsa 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 sylvain@idefix";
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
meta.nixpkgs = import sources.nixpkgs { };
|
meta.nixpkgs = (import sources.nix-patches { patchFile = ./patches; }).mkNixpkgsSrc {
|
||||||
|
src = sources.nixpkgs;
|
||||||
|
version = "unstable";
|
||||||
|
};
|
||||||
meta.specialArgs = {
|
meta.specialArgs = {
|
||||||
inherit mods users sources;
|
inherit mods users sources;
|
||||||
};
|
};
|
||||||
|
|
|
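Review bot: The `version = "unstable"` argument handed to `mkNixpkgsSrc` is what selects the `unstable` list in the new `patches/default.nix`, and nothing at either site records that coupling; a mismatch would presumably surface only later as an unknown-option error on `acmeFallbackRecommendedProxySettings` in the host configs, far from the cause. A comment above `meta.nixpkgs` would close the gap, e.g. `# nix-patches overlays patches/default.nix's "unstable" list (nginx ACME fallback option) onto sources.nixpkgs; keep the key in sync.` The `nix-patches` source itself is pinned by revision and hash in the sources hunk below, which is the right shape for a third-party tool that rewrites the nixpkgs tree.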
@ -111,38 +111,42 @@
|
||||||
acceptTerms = true;
|
acceptTerms = true;
|
||||||
defaults.email = "root@katvayor.net";
|
defaults.email = "root@katvayor.net";
|
||||||
};
|
};
|
||||||
services.nginx = {
|
services.nginx =
|
||||||
enable = true;
|
let
|
||||||
virtualHosts = {
|
vhosts = {
|
||||||
"degette.katvayor.net" = {
|
"degette.katvayor.net" = {
|
||||||
|
vm = "192.168.122.2";
|
||||||
|
sshport = 22000;
|
||||||
|
};
|
||||||
|
"betamail.katvayor.net" = {
|
||||||
|
vm = "192.168.122.3";
|
||||||
|
sshport = 22002;
|
||||||
|
};
|
||||||
|
"traque.katvayor.net" = {
|
||||||
|
vm = "192.168.122.4";
|
||||||
|
sshport = 22001;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
in
|
||||||
|
{
|
||||||
|
enable = true;
|
||||||
|
virtualHosts =
|
||||||
|
builtins.mapAttrs (_: {vm, ...}: {
|
||||||
enableACME = true;
|
enableACME = true;
|
||||||
addSSL = true;
|
addSSL = true;
|
||||||
|
acmeFallbackHost = vm;
|
||||||
|
acmeFallbackRecommendedProxySettings = true;
|
||||||
locations."/" = {
|
locations."/" = {
|
||||||
recommendedProxySettings = true;
|
recommendedProxySettings = true;
|
||||||
proxyPass = "http://192.168.122.2/";
|
proxyPass = "https://${vm}/";
|
||||||
};
|
};
|
||||||
};
|
}) vhosts;
|
||||||
"traque.katvayor.net".locations."/" = {
|
streamConfig = builtins.concatStringsSep "\n" (lib.mapAttrsToList (vhost: {vm, sshport}: ''
|
||||||
recommendedProxySettings = true;
|
|
||||||
proxyPass = "http://192.168.122.4/";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
streamConfig = ''
|
|
||||||
upstream kat-virt {
|
|
||||||
server 192.168.122.2:22;
|
|
||||||
}
|
|
||||||
server {
|
server {
|
||||||
listen 22000;
|
listen ${toString sshport};
|
||||||
proxy_pass kat-virt;
|
proxy_pass ${vm}:22;
|
||||||
}
|
}
|
||||||
upstream kat-traque {
|
'') vhosts);
|
||||||
server 192.168.122.4:22;
|
|
||||||
}
|
|
||||||
server {
|
|
||||||
listen 22001;
|
|
||||||
proxy_pass kat-virt;
|
|
||||||
}
|
|
||||||
'';
|
|
||||||
};
|
};
|
||||||
|
|
||||||
# Open ports in the firewall.
|
# Open ports in the firewall.
|
||||||
|
|
|
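Review bot: `proxyPass = "https://${vm}/"` in the `builtins.mapAttrs` body moves the per-VM upstream to TLS by bare IP, but nginx's `proxy_ssl_verify` defaults to off, so the edge accepts whatever certificate that address presents; the `@ -58` hunk has the same pattern with `https://${kat-r86s}/`. Since the fallback plumbing in this commit is what lets the VMs obtain ACME certificates for their own names, the upstream can be authenticated by adding to `locations."/".extraConfig` something like `proxy_ssl_verify on; proxy_ssl_server_name on; proxy_ssl_name $host; proxy_ssl_trusted_certificate <path-to-ca-bundle>;` — confirm first that each VM serves the certificate matching the forwarded Host. This hop is on 192.168.122.0/24 per the `vm` values, so if unauthenticated TLS is an accepted risk there, a comment saying so above `proxyPass` would stop the next reader from re-raising it. The file name for this hunk is not shown on the rendered page.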
@ -99,13 +99,21 @@
|
||||||
# Enable the OpenSSH daemon.
|
# Enable the OpenSSH daemon.
|
||||||
services.openssh.enable = true;
|
services.openssh.enable = true;
|
||||||
|
|
||||||
|
security.acme = {
|
||||||
|
acceptTerms = true;
|
||||||
|
defaults.email = "root@katvayor.net";
|
||||||
|
};
|
||||||
services.nginx = {
|
services.nginx = {
|
||||||
enable = true;
|
enable = true;
|
||||||
virtualHosts."degette.katvayor.net".locations."/" = {
|
virtualHosts."degette.katvayor.net" = {
|
||||||
|
enableACME = true;
|
||||||
|
addSSL = true;
|
||||||
|
locations."/" = {
|
||||||
recommendedProxySettings = true;
|
recommendedProxySettings = true;
|
||||||
proxyPass = "http://localhost:8000/";
|
proxyPass = "http://localhost:8000/";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
};
|
||||||
|
|
||||||
# Open ports in the firewall.
|
# Open ports in the firewall.
|
||||||
# networking.firewall.allowedTCPPorts = [ ... ];
|
# networking.firewall.allowedTCPPorts = [ ... ];
|
||||||
|
|
|
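Review bot: `addSSL = true` on `virtualHosts."degette.katvayor.net"` keeps the application reachable over plain HTTP next to the new HTTPS listener, while the hunk above shows the edge already proxying to this host with `https://${vm}/`, so the plain-HTTP listener apparently only needs to answer the ACME challenge forwarded by `acmeFallbackHost`. `forceSSL = true`, as the `@ -58` hunk uses, redirects everything else to HTTPS while the NixOS module still serves `/.well-known/acme-challenge` from the HTTP block — worth confirming against the nginx module version being patched; the line would become `forceSSL = true;`. The file name for this hunk is not shown on the rendered page; I infer it is the degette VM's configuration from the vhost name and `proxyPass = "http://localhost:8000/"`.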
@ -58,43 +58,35 @@
|
||||||
acceptTerms = true;
|
acceptTerms = true;
|
||||||
defaults.email = "root@katvayor.net";
|
defaults.email = "root@katvayor.net";
|
||||||
};
|
};
|
||||||
services.nginx = {
|
services.nginx =
|
||||||
|
let
|
||||||
|
kat-r86s = "100.102.49.84";
|
||||||
|
vhosts = {
|
||||||
|
"degette.katvayor.net" = 22000;
|
||||||
|
"traque.katvayor.net" = 22001;
|
||||||
|
"betamail.katvayor.net" = 22002;
|
||||||
|
};
|
||||||
|
in
|
||||||
|
{
|
||||||
enable = true;
|
enable = true;
|
||||||
virtualHosts = {
|
virtualHosts = builtins.mapAttrs (_: _: {
|
||||||
"degette.katvayor.net" = {
|
|
||||||
enableACME = true;
|
enableACME = true;
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
acmeFallbackHost = "100.102.49.84";
|
acmeFallbackHost = kat-r86s;
|
||||||
|
acmeFallbackRecommendedProxySettings = true;
|
||||||
locations."/" = {
|
locations."/" = {
|
||||||
recommendedProxySettings = true;
|
recommendedProxySettings = true;
|
||||||
proxyPass = "https://100.102.49.84/";
|
proxyPass = "https://${kat-r86s}/";
|
||||||
};
|
};
|
||||||
};
|
}) vhosts;
|
||||||
"traque.katvayor.net" = {
|
streamConfig = builtins.concatStringsSep "\n" (
|
||||||
enableACME = true;
|
lib.mapAttrsToList (vhost: sshport: ''
|
||||||
forceSSL = true;
|
|
||||||
locations."/" = {
|
|
||||||
recommendedProxySettings = true;
|
|
||||||
proxyPass = "http://100.102.49.84/";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
streamConfig = ''
|
|
||||||
upstream kat-virt {
|
|
||||||
server 100.102.49.84:22000;
|
|
||||||
}
|
|
||||||
server {
|
server {
|
||||||
listen 22000;
|
listen ${toString sshport};
|
||||||
proxy_pass kat-virt;
|
proxy_pass ${kat-r86s}:${toString sshport};
|
||||||
}
|
}
|
||||||
upstream kat-traque {
|
'') vhosts
|
||||||
server 100.102.49.84:22001;
|
);
|
||||||
}
|
|
||||||
server {
|
|
||||||
listen 22001;
|
|
||||||
proxy_pass kat-virt;
|
|
||||||
}
|
|
||||||
'';
|
|
||||||
};
|
};
|
||||||
|
|
||||||
services.dbus.packages = with pkgs; [ dconf ];
|
services.dbus.packages = with pkgs; [ dconf ];
|
||||||
|
|
|
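Review bot: The `vhost:` parameter of the `lib.mapAttrsToList` lambda in `streamConfig` is never used (only `sshport` is), while the sibling `builtins.mapAttrs (_: _: …)` already spells ignored arguments as `_`; `lib.mapAttrsToList (_: sshport: ''` keeps the two consistent. A short comment above `vhosts` would also help a reader, since all three names resolve to the same `kat-r86s` upstream and are presumably told apart there only by the Host header that `recommendedProxySettings` forwards, e.g. `# every vhost is proxied to kat-r86s, which routes on the Host header; recommendedProxySettings must stay on`. The file name for this hunk is not shown on the rendered page.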
@ -39,6 +39,20 @@
|
||||||
"url": "https://github.com/nix-community/home-manager/archive/0a7ffb28e5df5844d0e8039c9833d7075cdee792.tar.gz",
|
"url": "https://github.com/nix-community/home-manager/archive/0a7ffb28e5df5844d0e8039c9833d7075cdee792.tar.gz",
|
||||||
"hash": "1qd5sdpgpadd0972gmngjl0gf96h4cz0xvmv0186pgj6xgzc7amh"
|
"hash": "1qd5sdpgpadd0972gmngjl0gf96h4cz0xvmv0186pgj6xgzc7amh"
|
||||||
},
|
},
|
||||||
|
"nix-patches": {
|
||||||
|
"type": "GitRelease",
|
||||||
|
"repository": {
|
||||||
|
"type": "Git",
|
||||||
|
"url": "https://git.hubrecht.ovh/hubrecht/nix-patches"
|
||||||
|
},
|
||||||
|
"pre_releases": false,
|
||||||
|
"version_upper_bound": null,
|
||||||
|
"release_prefix": null,
|
||||||
|
"version": "v0.5.0",
|
||||||
|
"revision": "e11ba20945f4a867f09d84343c37328288f274b4",
|
||||||
|
"url": null,
|
||||||
|
"hash": "1c6cc44pwlg3ky6cnwhkml8ci77fw3sgjhwvqg0f6igxxf2fqv9v"
|
||||||
|
},
|
||||||
"nixos-images": {
|
"nixos-images": {
|
||||||
"type": "Git",
|
"type": "Git",
|
||||||
"repository": {
|
"repository": {
|
||||||
|
|
8
patches/default.nix
Normal file
8
patches/default.nix
Normal file
|
@ -0,0 +1,8 @@
|
||||||
|
{
|
||||||
|
unstable = [
|
||||||
|
{
|
||||||
|
_type = "static";
|
||||||
|
path = ./nginx-fallback.patch;
|
||||||
|
}
|
||||||
|
];
|
||||||
|
}
|
43
patches/nginx-fallback.patch
Normal file
43
patches/nginx-fallback.patch
Normal file
|
@ -0,0 +1,43 @@
|
||||||
|
From dc29ed2d52b55791b980c4c3ffaedcad687d7549 Mon Sep 17 00:00:00 2001
|
||||||
|
From: catvayor <catvayor@katvayor.net>
|
||||||
|
Date: Wed, 19 Jun 2024 10:01:16 +0200
|
||||||
|
Subject: [PATCH] add recommanded proxy settings to acme fallback
|
||||||
|
|
||||||
|
---
|
||||||
|
nixos/modules/services/web-servers/nginx/default.nix | 1 +
|
||||||
|
nixos/modules/services/web-servers/nginx/vhost-options.nix | 7 +++++++
|
||||||
|
2 files changed, 8 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/nixos/modules/services/web-servers/nginx/default.nix b/nixos/modules/services/web-servers/nginx/default.nix
|
||||||
|
index f9720c362..5d68f4a7b 100644
|
||||||
|
--- a/nixos/modules/services/web-servers/nginx/default.nix
|
||||||
|
+++ b/nixos/modules/services/web-servers/nginx/default.nix
|
||||||
|
@@ -372,6 +372,7 @@ let
|
||||||
|
location @acme-fallback {
|
||||||
|
auth_basic off;
|
||||||
|
auth_request off;
|
||||||
|
+ ${optionalString (vhost.acmeFallbackRecommendedProxySettings) "include ${recommendedProxyConfig};"}
|
||||||
|
proxy_pass http://${vhost.acmeFallbackHost};
|
||||||
|
}
|
||||||
|
''}
|
||||||
|
diff --git a/nixos/modules/services/web-servers/nginx/vhost-options.nix b/nixos/modules/services/web-servers/nginx/vhost-options.nix
|
||||||
|
index 24fcb101c..272d2e364 100644
|
||||||
|
--- a/nixos/modules/services/web-servers/nginx/vhost-options.nix
|
||||||
|
+++ b/nixos/modules/services/web-servers/nginx/vhost-options.nix
|
||||||
|
@@ -132,6 +132,13 @@ with lib;
|
||||||
|
specify here.
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
+ acmeFallbackRecommendedProxySettings = mkOption {
|
||||||
|
+ type = types.bool;
|
||||||
|
+ default = false;
|
||||||
|
+ description = ''
|
||||||
|
+ Enable recommended proxy settings for ACME fallback.
|
||||||
|
+ '';
|
||||||
|
+ };
|
||||||
|
|
||||||
|
addSSL = mkOption {
|
||||||
|
type = types.bool;
|
||||||
|
--
|
||||||
|
2.45.1
|
||||||
|
|
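Review bot: The new option's description, `Enable recommended proxy settings for ACME fallback.`, does not say why anyone would turn it on; the useful fact is that `location @acme-fallback` otherwise proxies with nginx's default upstream Host value, so a name-based backend presumably cannot match the challenge to its vhost. Suggest `Include the module's recommended proxy settings (Host and X-Forwarded-* headers) in the ACME fallback location, so a name-based upstream can route the challenge to the right virtual host.` as the description. The subject line also misspells `recommended` as `recommanded`, cosmetic here but it would travel with the patch if it is ever upstreamed.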