fix acme

2024-06-19 16:26:15 +02:00 · 2024-06-19 16:26:15 +02:00 · 5cc8688003
commit 5cc8688003
parent c032e84459
7 changed files with 138 additions and 66 deletions
--- a/hive.nix
+++ b/hive.nix
@ -5,7 +5,10 @@ let
  id_sylvain = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCvi5VUsDrwS4XqQQfFFIx1JoRDPVdtChUQWqKFbPFtP8gH51woXiKtKRbDebL0z/EmkdYKxxIkzixHTR5xQXjo8JiFZbwldZi5IvMr3x//ad9sVyOhmbRx1DXLKjyOdWyo+w0vORvbEDu2lHktfSvhHGrvUHfFc3EY+cAl7IImgGEeGNPruAuNkN90Lth9QgwJVsdOEs9j7hwwKtpfMMETL5tkW34Nu7io03+SaPxwi2xLuWTdTklfZ7GWYtG2w/hFkzDbkW97rp5dxB1HO58cPqyRlqyfhZFpiUmWlyuMba3Tip6JarCa52IpFffEIDR0CSeh5CFPoeppo/TPDiXDie370TjjQpxJiG+9PobBhmChH5FmQ/lksffI/WimqpVO7Ixf5cYiHN5Z0mgJgZsXwI3YPICQLA8ebSKHA8+mdmkunDmCBRaBj1qEgkp/UoYqXT6BjBm07nOsnL+3SG/yfx4fLotgWtdm2mkjEAG+OGVR7G3Vk/POxn0EqX7Z+gU= sylvain@idefix";
 in
 {
-  meta.nixpkgs = import sources.nixpkgs { };
+  meta.nixpkgs = (import sources.nix-patches { patchFile = ./patches; }).mkNixpkgsSrc {
+    src = sources.nixpkgs;
+    version = "unstable";
+  };
  meta.specialArgs = {
    inherit mods users sources;
  };
--- a/machines/kat-r86s/configuration.nix
+++ b/machines/kat-r86s/configuration.nix
@ -111,38 +111,42 @@
    acceptTerms = true;
    defaults.email = "root@katvayor.net";
  };
-  services.nginx = {
-    enable = true;
-    virtualHosts = {
+  services.nginx =
+    let
+      vhosts = {
        "degette.katvayor.net" = {
+          vm = "192.168.122.2";
+          sshport = 22000;
+        };
+        "betamail.katvayor.net" = {
+          vm = "192.168.122.3";
+          sshport = 22002;
+        };
+        "traque.katvayor.net" = {
+          vm = "192.168.122.4";
+          sshport = 22001;
+        };
+      };
+    in
+  {
+    enable = true;
+    virtualHosts =
+      builtins.mapAttrs (_: {vm, ...}: {
        enableACME = true;
        addSSL = true;
+        acmeFallbackHost = vm;
+        acmeFallbackRecommendedProxySettings = true;
        locations."/" = {
          recommendedProxySettings = true;
-          proxyPass = "http://192.168.122.2/";
+          proxyPass = "https://${vm}/";
        };
-      };
-      "traque.katvayor.net".locations."/" = {
-        recommendedProxySettings = true;
-        proxyPass = "http://192.168.122.4/";
-      };
-    };
-    streamConfig = ''
-      upstream kat-virt {
-        server 192.168.122.2:22;
-      }
+      }) vhosts;
+      streamConfig = builtins.concatStringsSep "\n" (lib.mapAttrsToList (vhost: {vm, sshport}: ''
          server {
-        listen 22000;
-        proxy_pass kat-virt;
+            listen ${toString sshport};
+            proxy_pass ${vm}:22;
          }
-      upstream kat-traque {
-        server 192.168.122.4:22;
-      }
-      server {
-        listen 22001;
-        proxy_pass kat-virt;
-      }
-    '';
+      '') vhosts);
  };

  # Open ports in the firewall.
--- a/machines/kat-virt/configuration.nix
+++ b/machines/kat-virt/configuration.nix
@ -99,13 +99,21 @@
  # Enable the OpenSSH daemon.
  services.openssh.enable = true;

+  security.acme = {
+    acceptTerms = true;
+    defaults.email = "root@katvayor.net";
+  };
  services.nginx = {
    enable = true;
-    virtualHosts."degette.katvayor.net".locations."/" = {
+    virtualHosts."degette.katvayor.net" = {
+      enableACME = true;
+      addSSL = true;
+      locations."/" = {
        recommendedProxySettings = true;
        proxyPass = "http://localhost:8000/";
      };
    };
+  };

  # Open ports in the firewall.
  # networking.firewall.allowedTCPPorts = [ ... ];
--- a/machines/kat-watcher/default.nix
+++ b/machines/kat-watcher/default.nix
@ -58,43 +58,35 @@
    acceptTerms = true;
    defaults.email = "root@katvayor.net";
  };
-  services.nginx = {
+  services.nginx =
+    let
+      kat-r86s = "100.102.49.84";
+      vhosts = {
+        "degette.katvayor.net" = 22000;
+        "traque.katvayor.net" = 22001;
+        "betamail.katvayor.net" = 22002;
+      };
+    in
+    {
      enable = true;
-    virtualHosts = {
-      "degette.katvayor.net" = {
+      virtualHosts = builtins.mapAttrs (_: _: {
        enableACME = true;
        forceSSL = true;
-        acmeFallbackHost = "100.102.49.84";
+        acmeFallbackHost = kat-r86s;
+        acmeFallbackRecommendedProxySettings = true;
        locations."/" = {
          recommendedProxySettings = true;
-          proxyPass = "https://100.102.49.84/";
+          proxyPass = "https://${kat-r86s}/";
        };
-      };
-      "traque.katvayor.net" = {
-        enableACME = true;
-        forceSSL = true;
-        locations."/" = {
-          recommendedProxySettings = true;
-          proxyPass = "http://100.102.49.84/";
-        };
-      };
-    };
-    streamConfig = ''
-      upstream kat-virt {
-        server 100.102.49.84:22000;
-      }
+      }) vhosts;
+      streamConfig = builtins.concatStringsSep "\n" (
+        lib.mapAttrsToList (vhost: sshport: ''
          server {
-        listen 22000;
-        proxy_pass kat-virt;
+            listen ${toString sshport};
+            proxy_pass ${kat-r86s}:${toString sshport};
          }
-      upstream kat-traque {
-        server 100.102.49.84:22001;
-      }
-      server {
-        listen 22001;
-        proxy_pass kat-virt;
-      }
-    '';
+        '') vhosts
+      );
    };

  services.dbus.packages = with pkgs; [ dconf ];
--- a/npins/sources.json
+++ b/npins/sources.json
@ -39,6 +39,20 @@
      "url": "https://github.com/nix-community/home-manager/archive/0a7ffb28e5df5844d0e8039c9833d7075cdee792.tar.gz",
      "hash": "1qd5sdpgpadd0972gmngjl0gf96h4cz0xvmv0186pgj6xgzc7amh"
    },
+    "nix-patches": {
+      "type": "GitRelease",
+      "repository": {
+        "type": "Git",
+        "url": "https://git.hubrecht.ovh/hubrecht/nix-patches"
+      },
+      "pre_releases": false,
+      "version_upper_bound": null,
+      "release_prefix": null,
+      "version": "v0.5.0",
+      "revision": "e11ba20945f4a867f09d84343c37328288f274b4",
+      "url": null,
+      "hash": "1c6cc44pwlg3ky6cnwhkml8ci77fw3sgjhwvqg0f6igxxf2fqv9v"
+    },
    "nixos-images": {
      "type": "Git",
      "repository": {
--- a/patches/default.nix
+++ b/patches/default.nix
@ -0,0 +1,8 @@
+{
+  unstable = [
+    {
+      _type = "static";
+      path = ./nginx-fallback.patch;
+    }
+  ];
+}
--- a/patches/nginx-fallback.patch
+++ b/patches/nginx-fallback.patch
@ -0,0 +1,43 @@
+From dc29ed2d52b55791b980c4c3ffaedcad687d7549 Mon Sep 17 00:00:00 2001
+From: catvayor <catvayor@katvayor.net>
+Date: Wed, 19 Jun 2024 10:01:16 +0200
+Subject: [PATCH] add recommanded proxy settings to acme fallback
+
+---
+ nixos/modules/services/web-servers/nginx/default.nix       | 1 +
+ nixos/modules/services/web-servers/nginx/vhost-options.nix | 7 +++++++
+ 2 files changed, 8 insertions(+)
+
+diff --git a/nixos/modules/services/web-servers/nginx/default.nix b/nixos/modules/services/web-servers/nginx/default.nix
+index f9720c362..5d68f4a7b 100644
+--- a/nixos/modules/services/web-servers/nginx/default.nix
+++ b/nixos/modules/services/web-servers/nginx/default.nix
+@@ -372,6 +372,7 @@ let
+             location @acme-fallback {
+               auth_basic off;
+               auth_request off;
+              ${optionalString (vhost.acmeFallbackRecommendedProxySettings) "include ${recommendedProxyConfig};"}
+               proxy_pass http://${vhost.acmeFallbackHost};
+             }
+           ''}
+diff --git a/nixos/modules/services/web-servers/nginx/vhost-options.nix b/nixos/modules/services/web-servers/nginx/vhost-options.nix
+index 24fcb101c..272d2e364 100644
+--- a/nixos/modules/services/web-servers/nginx/vhost-options.nix
+++ b/nixos/modules/services/web-servers/nginx/vhost-options.nix
+@@ -132,6 +132,13 @@ with lib;
+         specify here.
+       '';
+     };
+    acmeFallbackRecommendedProxySettings = mkOption {
+      type = types.bool;
+      default = false;
+      description = ''
+        Enable recommended proxy settings for ACME fallback.
+      '';
+    };
+ 
+     addSSL = mkOption {
+       type = types.bool;
+-- 
+2.45.1
+