nixos/middleman: Working HTTPS

Jack O'Sullivan 2022-06-06 00:57:11 +01:00
parent 7da7458a34
commit 60b2b6ec80
3 changed files with 45 additions and 3 deletions


@ -143,6 +143,16 @@
nat = { nat = {
enable = true; enable = true;
externalInterface = "wan"; externalInterface = "wan";
forwardPorts = [
{
port = "http";
dst = allAssignments.middleman.internal.ipv4.address + ":http";
}
{
port = "https";
dst = allAssignments.middleman.internal.ipv4.address + ":https";
}
];
}; };
extraRules = extraRules =
let let
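Review bot: The http forward next to the https one carries no explanation of what port 80 on the container is for; with the middleman default vhost forcing SSL in this same commit and the `_acme-challenge` entry in the zone file suggesting a DNS-based challenge, port 80 presumably only serves the redirect, but that is an inference from the other sections. A short comment on the first entry, `# port 80 only serves the HTTPS redirect; ACME does not use it`, would make the intent explicit for whoever later tightens the forward list. The enclosing `nat` attribute set continues past the hunk (`extraRules` starts on its last line).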


@ -234,6 +234,8 @@ in
ns IN ALIAS ${config.networking.fqdn}. ns IN ALIAS ${config.networking.fqdn}.
@ IN ALIAS ${config.networking.fqdn}. @ IN ALIAS ${config.networking.fqdn}.
http IN A ${assignments.internal.ipv4.address}
http IN AAAA ${allAssignments.middleman.internal.ipv6.address}
$TTL 3 $TTL 3
_acme-challenge IN LUA TXT ${fileRecVal} _acme-challenge IN LUA TXT ${fileRecVal}
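Review bot: The new A record reads `assignments.internal.ipv4.address` while the AAAA record on the next line reads `allAssignments.middleman.internal.ipv6.address`; unless this zone is rendered on middleman itself, `assignments` refers to the host generating the zone, so `http` would resolve to two different machines over v4 and v6. If middleman is the intended target for both, the A line should be `http IN A ${allAssignments.middleman.internal.ipv4.address}`. Since the commit also drops `altNames = [ "http" ]` from the middleman assignment, these two lines appear to be the only remaining source of that name, which makes the mismatch worth settling before merge.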


@ -6,7 +6,6 @@
assignments = { assignments = {
internal = { internal = {
name = "middleman-ctr"; name = "middleman-ctr";
altNames = [ "http" ];
domain = lib.my.colony.domain; domain = lib.my.colony.domain;
ipv4.address = "${lib.my.colony.start.ctrs.v4}2"; ipv4.address = "${lib.my.colony.start.ctrs.v4}2";
ipv6 = { ipv6 = {
@ -18,7 +17,8 @@
configuration = { lib, pkgs, config, assignments, allAssignments, ... }: configuration = { lib, pkgs, config, assignments, allAssignments, ... }:
let let
inherit (lib) mkMerge mkIf; inherit (builtins) mapAttrs;
inherit (lib) mkMerge mkIf mkDefault;
inherit (lib.my) networkdAssignment; inherit (lib.my) networkdAssignment;
in in
{ {
@ -30,7 +30,11 @@
secrets = { secrets = {
key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAuvP9DEsffop53Fsh7xIdeVyQSF6tSKrOUs2faq6rip"; key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAuvP9DEsffop53Fsh7xIdeVyQSF6tSKrOUs2faq6rip";
files = { files = {
"dhparams.pem" = {}; "dhparams.pem" = {
owner = "acme";
group = "acme";
mode = "440";
};
"pdns-file-records.key" = { "pdns-file-records.key" = {
owner = "acme"; owner = "acme";
group = "acme"; group = "acme";
@ -46,6 +50,12 @@
]; ];
}; };
users = {
users = {
nginx.extraGroups = [ "acme" ];
};
};
systemd = { systemd = {
network.networks."80-container-host0" = networkdAssignment "host0" assignments.internal; network.networks."80-container-host0" = networkdAssignment "host0" assignments.internal;
}; };
@ -156,6 +166,26 @@
proxy_set_header X-Forwarded-Protocol $scheme; proxy_set_header X-Forwarded-Protocol $scheme;
proxy_set_header X-Scheme $scheme; proxy_set_header X-Scheme $scheme;
''; '';
virtualHosts =
let
hosts = {
"_" = {
default = true;
forceSSL = true;
onlySSL = false;
};
};
in
mkMerge [
hosts
(mapAttrs (n: _: {
onlySSL = mkDefault true;
useACMEHost = mkDefault "${config.networking.domain}";
kTLS = mkDefault true;
http2 = mkDefault true;
}) hosts)
];
}; };
}; };
} }
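Review bot: `nginx.extraGroups = [ "acme" ]` in the users hunk gives the nginx user read access to every group-readable file owned by group `acme`, not only `dhparams.pem`; the `pdns-file-records.key` secret a few lines above has the same owner and group, so if its mode (outside the hunk) is group-readable the web server can also read the DNS update key. If only the `acme` user needs that key, restricting it with `mode = "400";` keeps the new group membership from widening its audience; alternatively give `dhparams.pem` its own group instead of reusing `acme`. In the virtualHosts hunk the `_` host's explicit `onlySSL = false` beats the `onlySSL = mkDefault true` applied by the `mapAttrs` pass only because mkDefault lowers priority, which deserves a comment such as `# explicit per-host values override these mkDefault settings`, and `"${config.networking.domain}"` can simply be `config.networking.domain`. The enclosing `services.nginx` attribute set starts outside the hunk.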