nixos/middleman: Working HTTPS

2022-06-06 00:57:11 +01:00 · 2022-06-06 00:57:11 +01:00 · 60b2b6ec80
commit 60b2b6ec80
parent 7da7458a34
3 changed files with 45 additions and 3 deletions
--- a/nixos/boxes/colony/vms/estuary/default.nix
+++ b/nixos/boxes/colony/vms/estuary/default.nix
@ -143,6 +143,16 @@
                nat = {
                  enable = true;
                  externalInterface = "wan";
+                  forwardPorts = [
+                    {
+                      port = "http";
+                      dst = allAssignments.middleman.internal.ipv4.address + ":http";
+                    }
+                    {
+                      port = "https";
+                      dst = allAssignments.middleman.internal.ipv4.address + ":https";
+                    }
+                  ];
                };
                extraRules =
                let
--- a/nixos/boxes/colony/vms/estuary/dns.nix
+++ b/nixos/boxes/colony/vms/estuary/dns.nix
@ -234,6 +234,8 @@ in
            ns IN ALIAS ${config.networking.fqdn}.

            @ IN ALIAS ${config.networking.fqdn}.
+            http IN A ${assignments.internal.ipv4.address}
+            http IN AAAA ${allAssignments.middleman.internal.ipv6.address}

            $TTL 3
            _acme-challenge IN LUA TXT ${fileRecVal}
--- a/nixos/boxes/colony/vms/shill/containers/middleman.nix
+++ b/nixos/boxes/colony/vms/shill/containers/middleman.nix
@ -6,7 +6,6 @@
    assignments = {
      internal = {
        name = "middleman-ctr";
-        altNames = [ "http" ];
        domain = lib.my.colony.domain;
        ipv4.address = "${lib.my.colony.start.ctrs.v4}2";
        ipv6 = {
@ -18,7 +17,8 @@

    configuration = { lib, pkgs, config, assignments, allAssignments, ... }:
    let
-      inherit (lib) mkMerge mkIf;
+      inherit (builtins) mapAttrs;
+      inherit (lib) mkMerge mkIf mkDefault;
      inherit (lib.my) networkdAssignment;
    in
    {
@ -30,7 +30,11 @@
            secrets = {
              key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAuvP9DEsffop53Fsh7xIdeVyQSF6tSKrOUs2faq6rip";
              files = {
-                "dhparams.pem" = {};
+                "dhparams.pem" = {
+                  owner = "acme";
+                  group = "acme";
+                  mode = "440";
+                };
                "pdns-file-records.key" = {
                  owner = "acme";
                  group = "acme";
@ -46,6 +50,12 @@
            ];
          };

+          users = {
+            users = {
+              nginx.extraGroups = [ "acme" ];
+            };
+          };
+
          systemd = {
            network.networks."80-container-host0" = networkdAssignment "host0" assignments.internal;
          };
@ -156,6 +166,26 @@
                proxy_set_header X-Forwarded-Protocol $scheme;
                proxy_set_header X-Scheme $scheme;
              '';
+
+              virtualHosts =
+              let
+                hosts = {
+                  "_" = {
+                    default = true;
+                    forceSSL = true;
+                    onlySSL = false;
+                  };
+                };
+              in
+              mkMerge [
+                hosts
+                (mapAttrs (n: _: {
+                  onlySSL = mkDefault true;
+                  useACMEHost = mkDefault "${config.networking.domain}";
+                  kTLS = mkDefault true;
+                  http2 = mkDefault true;
+                }) hosts)
+              ];
            };
          };
        }