authorAlyssa Ross <hi@alyssa.is>2021-01-12 13:52:51 +0000
committerAlyssa Ross <hi@alyssa.is>2021-01-12 14:07:25 +0000
commite24dc3e236719c488fe57f33375947ba9134e175 (patch)
treef40aa5b3da36f86febdae1fc114cada6547ea187
parent46ec819d56fc3f39ed4951edb782c755a59ed8e4 (diff)
sys/atuin: update for new ACME module
The new module defaults to using an "acme" group, which can replace
the "tls" group I had set up before.  But it will instead use the
"nginx" group if using enableACME, so I have to stay away from that
and only use useACMEHost, setting up the certificates manually.

But that's a very good thing, because it turns out that even though I
was trying to generate only two certificates (one for qyliss.net and
one for spectrum-os.org), the ACME module was actually generating one
per subdomain because of enableACME.

Finally, now that atuin.nix is starting to be split up, and because
there's less shared configuration, don't mapAttrs over Nginx virtual
hosts or ACME certificates, which was confusing and forced everything
to be defined at once in the same file.
-rw-r--r--modules/server/ftp/default.nix4
-rw-r--r--modules/server/irc/znc/default.nix4
-rw-r--r--modules/server/spectrum/acme/default.nix7
-rw-r--r--modules/server/spectrum/default.nix2
-rw-r--r--modules/server/spectrum/nginx/default.nix4
-rw-r--r--modules/server/xmpp/default.nix2
-rw-r--r--sys/atuin.nix349
7 files changed, 178 insertions, 194 deletions
diff --git a/modules/server/ftp/default.nix b/modules/server/ftp/default.nix
index 78f7c794ce1f..a0e32294aeb7 100644
--- a/modules/server/ftp/default.nix
+++ b/modules/server/ftp/default.nix
@@ -29,7 +29,7 @@ in
   config = {
     services.nginx.virtualHosts."ftp.qyliss.net" = {
       forceSSL = true;
-      enableACME = true;
+      useACMEHost = "qyliss.net";
 
       root = pkgs.runCommandNoCC "ftp.qyliss.net" {} ''
         mkdir $out
@@ -43,5 +43,7 @@ in
         autoindex on;
       '';
     };
+
+    security.acme.certs."qyliss.net".extraDomainNames = [ "ftp.qyliss.net" ];
   };
 }
diff --git a/modules/server/irc/znc/default.nix b/modules/server/irc/znc/default.nix
index 056419ae492b..559b59e657c2 100644
--- a/modules/server/irc/znc/default.nix
+++ b/modules/server/irc/znc/default.nix
@@ -7,7 +7,7 @@
 
   services.nginx.virtualHosts."znc.${config.networking.domain}" = {
     forceSSL = true;
-    enableACME = true;
+    useACMEHost = "qyliss.net";
 
     locations = {
       "/" = {
@@ -27,5 +27,7 @@
     }
   '';
 
+  security.acme.certs."qyliss.net".extraDomainNames = [ "znc.qyliss.net" ];
+
   networking.firewall.allowedTCPPorts = [ 6697 ];
 }
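Review bot: The SAN added here is hard-coded as `"znc.qyliss.net"` while the vhost it backs is named `"znc.${config.networking.domain}"`, so the two diverge silently if `networking.domain` is ever changed and the certificate would then not cover the hostname actually served. Use the same expression on both sides, `security.acme.certs."qyliss.net".extraDomainNames = [ "znc.${config.networking.domain}" ];`, or hard-code both; the `useACMEHost = "qyliss.net"` line in the earlier hunk has the same mismatch with the interpolated vhost name.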
diff --git a/modules/server/spectrum/acme/default.nix b/modules/server/spectrum/acme/default.nix
new file mode 100644
index 000000000000..6a60f52d2456
--- /dev/null
+++ b/modules/server/spectrum/acme/default.nix
@@ -0,0 +1,7 @@
+{ ... }:
+
+{
+  security.acme.certs."spectrum-os.org" = {
+    webroot = "/var/lib/acme/acme-challenge";
+  };
+}
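Review bot: This certificate declares a `webroot` but no post-renewal action, and the vhosts that consume it through `useACMEHost = "spectrum-os.org"` do not, as far as I recall, get the reload hook the nginx module attaches only to `enableACME` vhosts; a renewed key pair would sit unused on disk until nginx happens to restart. Add `postRun = "systemctl reload nginx.service";` (or the module's `reloadServices` list, if the version in use has it) next to `webroot`. A one-line comment stating why the certificate is managed manually rather than via `enableACME` — the commit message explains it, the file does not — would also help the next reader, e.g. `# Managed via useACMEHost so the cert is shared across vhosts instead of one per subdomain.`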
diff --git a/modules/server/spectrum/default.nix b/modules/server/spectrum/default.nix
index d8f096c2d820..c18355a4946a 100644
--- a/modules/server/spectrum/default.nix
+++ b/modules/server/spectrum/default.nix
@@ -1,5 +1,5 @@
 { ... }:
 
 {
-  imports = [ ./cgit ./git-http-backend ./nginx ./public-inbox ];
+  imports = [ ./acme ./cgit ./git-http-backend ./nginx ./public-inbox ];
 }
diff --git a/modules/server/spectrum/nginx/default.nix b/modules/server/spectrum/nginx/default.nix
index f4fca7ca1676..5067595698c5 100644
--- a/modules/server/spectrum/nginx/default.nix
+++ b/modules/server/spectrum/nginx/default.nix
@@ -17,7 +17,7 @@ in
     serverName = head redirectDomains;
     serverAliases = tail redirectDomains;
     addSSL = true;
-    enableACME = true;
+    useACMEHost = "spectrum-os.org";
     globalRedirect = "spectrum-os.org";
   };
 
@@ -26,6 +26,8 @@ in
     alias = ./robots.txt;
   };
 
+  security.acme.certs."spectrum-os.org".extraDomainNames = redirectDomains;
+
   # The Spectrum website lives in /home/spectrum/www
   systemd.services.nginx.serviceConfig.ProtectHome = false;
 }
diff --git a/modules/server/xmpp/default.nix b/modules/server/xmpp/default.nix
index f1540e0c569f..3771872741aa 100644
--- a/modules/server/xmpp/default.nix
+++ b/modules/server/xmpp/default.nix
@@ -23,5 +23,5 @@
     ssl.cert = "/var/lib/acme/qyliss.net/fullchain.pem";
   };
 
-  users.users.prosody.extraGroups = [ "tls" ];
+  users.users.prosody.extraGroups = [ "acme" ];
 }
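Review bot: Adding prosody to the `acme` group grants it read access to the private keys of every certificate the ACME module manages under /var/lib/acme, not only the qyliss.net material it loads at `ssl.cert`, whereas the removed `tls` group was applied per certificate by the old configuration. If other certificates (spectrum-os.org is issued on this host per the other hunks) share that directory, consider keeping a dedicated group for this one, `security.acme.certs."qyliss.net".group = "tls";` with nginx and prosody as its members, so prosody's reach stays limited to the key it needs. Whether the exposure is real depends on the module's per-certificate directory ownership and mode, which are not visible here, so verify on the host.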
diff --git a/sys/atuin.nix b/sys/atuin.nix
index 587d70627228..d34b2958616e 100644
--- a/sys/atuin.nix
+++ b/sys/atuin.nix
@@ -1,5 +1,125 @@
 { config, pkgs, lib, ... }:
 
+let
+  publicInboxCss = pkgs.runCommand "216light.css" {} ''
+    unpackFile ${pkgs.public-inbox.src}
+    cp */contrib/css/216light.css $out
+  '';
+
+  cgitCss = pkgs.runCommand "cgit-extra.css" {
+    licenseHeader = ''
+      /*
+       * This program is free software: you can redistribute it and/or modify
+       * it under the terms of the GNU General Public License v2 as published
+       * by the Free Software Foundation.
+       *
+       * This program is distributed in the hope that it will be useful,
+       * but WITHOUT ANY WARRANTY; without even the implied warranty of
+       * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+       * GNU General Public License for more details.
+       *
+       * See <https://www.gnu.org/licenses/>.
+       */
+
+    '';
+
+    # Adapted from
+    # <https://git.causal.agency/src/plain/www/git.causal.agency/custom.css>,
+    # distributed as a Larger Work under a Secondary License,
+    # as permitted by the terms of the
+    # Mozilla Public License Version 2.0.
+    extraCss = ''
+      * { line-height: 1.25em; }
+
+      article {
+        font-family: sans-serif;
+        max-width: 70ch;
+        margin-left: auto;
+        margin-right: auto;
+      }
+
+      div#cgit {
+        margin: auto;
+        font-family: monospace;
+        -moz-tab-size: 4;
+        tab-size: 4;
+        display: table;
+      }
+
+      div#cgit table#header {
+        margin-left: auto;
+        margin-right: auto;
+      }
+      div#cgit table#header td.logo {
+        display: none;
+      }
+      div#cgit table#header td.main {
+        font-size: 1em;
+        font-weight: bold;
+      }
+      div#cgit table#header td.sub {
+        border-top: none;
+      }
+      div#cgit table.tabs {
+        margin-left: auto;
+        margin-right: auto;
+        border-bottom: none;
+      }
+      div#cgit div.content {
+        border-bottom: none;
+        min-width: 108ch;
+      }
+      div#cgit div.content div#summary {
+        display: table;
+        margin-left: auto;
+        margin-right: auto;
+      }
+      div#cgit div.notes {
+        border: none;
+        background: transparent;
+        padding: 0;
+      }
+      div#cgit table.list {
+        margin-left: auto;
+        margin-right: auto;
+      }
+      div#cgit table.list th a {
+        color: inherit;
+      }
+      div#cgit table.list tr:nth-child(even) {
+        background: inherit;
+      }
+      div#cgit table.list tr:hover {
+        background: inherit;
+      }
+      div#cgit table.list tr.nohover-highlight:hover:nth-child(even) {
+        background: inherit;
+      }
+      div#cgit table.list td:last-child {
+        width: 0;
+      }
+      div#cgit div.footer {
+        font-size: 1em;
+        margin-top: 0;
+      }
+
+      div#cgit table.blob td.linenumbers:nth-last-child(3) {
+        display: none;
+      }
+
+      div#cgit table.blob td.linenumbers a:target {
+        color: goldenrod;
+        text-decoration: underline;
+        outline: none;
+      }
+    '';
+    passAsFile = [ "licenseHeader" "extraCss" ];
+  } ''
+    cat $licenseHeaderPath ${pkgs.cgit}/cgit/cgit.css $extraCssPath > $out
+  '';
+
+in
+
 {
   imports = [
     ../modules/server
@@ -91,42 +211,12 @@
     };
   };
 
-  security.acme.certs =
-    with lib;
-    let
-      coalesce = maybe: default: if maybe == null then default else maybe;
-
-      toAttrs = val: if isList val then genAttrs val (_: null) else val;
-
-      vhostDomains = mapAttrsToList
-        (name: { serverName, ... }: coalesce serverName name)
-        config.services.nginx.virtualHosts;
-
-      domains = {
-        "qyliss.net" = {};
-        "spectrum-os.org" = { extraDomains = [ "spectrum-os.com" "spectrumos.org" ]; };
-      };
-    in
-      mapAttrs (
-        domain:
-        { postRun ? "systemctl reload nginx.service"
-        , webroot ? "/var/lib/acme/acme-challenge"
-        , group ? "tls"
-        , extraDomains ? {}
-        , ...
-        } @ value:
-
-        let
-          extraDomainsFromVhosts =
-            toAttrs (filter (hasSuffix ".${domain}") vhostDomains);
-        in
-          value // {
-            inherit postRun webroot group;
-            extraDomains = extraDomainsFromVhosts // (toAttrs extraDomains);
-          }
-      ) domains;
-
-  users.groups.tls.members = [ "nginx" ];
+  security.acme.certs."qyliss.net" = {
+    webroot = "/var/lib/acme/acme-challenge";
+    extraDomainNames = [ "git.qyliss.net" ];
+  };
+
+  users.groups.acme.members = [ "nginx" ];
   users.users.qyliss.home = "/home/qyliss";
   services.cgit.instances.qyliss = {
     vhost = "git.qyliss.net";
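Review bot: The removed mapAttrs block set `postRun = "systemctl reload nginx.service"` on every certificate, but the replacement `security.acme.certs."qyliss.net" = { webroot = ...; extraDomainNames = ...; }` carries no reload hook, so after a renewal nginx — and prosody, which reads /var/lib/acme/qyliss.net/fullchain.pem directly — will keep serving the expired certificate until something restarts them. As far as I recall the nginx module wires its own reload only for `enableACME` vhosts, not for `useACMEHost`, which this commit switches everything to. Restore the hook, `postRun = "systemctl reload nginx.service prosody.service";` (or the `reloadServices` list if the module in use offers it), and confirm against the ACME module's renewal unit.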
@@ -158,159 +248,40 @@
     projectRoot = "/home/qyliss/git";
   };
 
-  services.nginx.virtualHosts =
-    let
-      vhosts = {
-        "spectrum-os.org".locations = {
-          "/".root = "/home/spectrum/www";
-
-          "= /git/cgit.css".alias = cgitCss.outPath;
-
-          "= /lists/archives/public-inbox.css".alias = publicInboxCss.outPath;
-
-          "/lists/archives".proxyPass = "http://unix:/run/public-inbox-httpd.sock:/lists/archives";
-          "= /lists/archives".return = "301 /lists/archives/";
-        };
-
-        default = {
-          serverName = null;
-          default = true;
-          enableACME = false;
-          useACMEHost = "qyliss.net";
-
-          locations."/".return = "https://alyssa.is/";
-          locations."/dns-query".proxyPass = "http://[::1]:4448/";
-        };
-
-        "git.qyliss.net" = {
-          locations = {
-            "= /cgit.css".alias = cgitCss.outPath;
-          };
-        };
-      };
-
-      publicInboxCss = pkgs.runCommand "216light.css" {} ''
-        unpackFile ${pkgs.public-inbox.src}
-        cp */contrib/css/216light.css $out
-      '';
-
-      cgitCss = pkgs.runCommand "cgit-extra.css" {
-        licenseHeader = ''
-          /*
-           * This program is free software: you can redistribute it and/or modify
-           * it under the terms of the GNU General Public License v2 as published
-           * by the Free Software Foundation.
-           *
-           * This program is distributed in the hope that it will be useful,
-           * but WITHOUT ANY WARRANTY; without even the implied warranty of
-           * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-           * GNU General Public License for more details.
-           *
-           * See <https://www.gnu.org/licenses/>.
-           */
-
-        '';
-
-        # Adapted from
-        # <https://git.causal.agency/src/plain/www/git.causal.agency/custom.css>,
-        # distributed as a Larger Work under a Secondary License,
-        # as permitted by the terms of the
-        # Mozilla Public License Version 2.0.
-        extraCss = ''
-          * { line-height: 1.25em; }
-
-          article {
-            font-family: sans-serif;
-            max-width: 70ch;
-            margin-left: auto;
-            margin-right: auto;
-          }
-
-          div#cgit {
-            margin: auto;
-            font-family: monospace;
-            -moz-tab-size: 4;
-            tab-size: 4;
-            display: table;
-          }
-
-          div#cgit table#header {
-            margin-left: auto;
-            margin-right: auto;
-          }
-          div#cgit table#header td.logo {
-            display: none;
-          }
-          div#cgit table#header td.main {
-            font-size: 1em;
-            font-weight: bold;
-          }
-          div#cgit table#header td.sub {
-            border-top: none;
-          }
-          div#cgit table.tabs {
-            margin-left: auto;
-            margin-right: auto;
-            border-bottom: none;
-          }
-          div#cgit div.content {
-            border-bottom: none;
-            min-width: 108ch;
-          }
-          div#cgit div.content div#summary {
-            display: table;
-            margin-left: auto;
-            margin-right: auto;
-          }
-          div#cgit div.notes {
-            border: none;
-            background: transparent;
-            padding: 0;
-          }
-          div#cgit table.list {
-            margin-left: auto;
-            margin-right: auto;
-          }
-          div#cgit table.list th a {
-            color: inherit;
-          }
-          div#cgit table.list tr:nth-child(even) {
-            background: inherit;
-          }
-          div#cgit table.list tr:hover {
-            background: inherit;
-          }
-          div#cgit table.list tr.nohover-highlight:hover:nth-child(even) {
-            background: inherit;
-          }
-          div#cgit table.list td:last-child {
-            width: 0;
-          }
-          div#cgit div.footer {
-            font-size: 1em;
-            margin-top: 0;
-          }
-
-          div#cgit table.blob td.linenumbers:nth-last-child(3) {
-            display: none;
-          }
-
-          div#cgit table.blob td.linenumbers a:target {
-            color: goldenrod;
-            text-decoration: underline;
-            outline: none;
-          }
-        '';
-        passAsFile = [ "licenseHeader" "extraCss" ];
-      } ''
-        cat $licenseHeaderPath ${pkgs.cgit}/cgit/cgit.css $extraCssPath > $out
-      '';
-    in
-      lib.mapAttrs (
-        _: { forceSSL ? true, enableACME ? true, ... } @ args:
-        args // { inherit forceSSL enableACME; }
-      )
-        vhosts;
+  services.nginx.virtualHosts."spectrum-os.org" = {
+    forceSSL = true;
+    useACMEHost = "spectrum-os.org";
+
+    locations = {
+      "/".root = "/home/spectrum/www";
+
+      "= /git/cgit.css".alias = cgitCss.outPath;
+
+      "= /lists/archives/public-inbox.css".alias = publicInboxCss.outPath;
+
+      "/lists/archives".proxyPass = "http://unix:/run/public-inbox-httpd.sock:/lists/archives";
+      "= /lists/archives".return = "301 /lists/archives/";
+    };
+  };
+
+  services.nginx.virtualHosts.default = {
+    serverName = null;
+    default = true;
+    forceSSL = true;
+    useACMEHost = "qyliss.net";
+
+    locations."/".return = "https://alyssa.is/";
+    locations."/dns-query".proxyPass = "http://[::1]:4448/";
+  };
+
+  services.nginx.virtualHosts."git.qyliss.net" = {
+    forceSSL = true;
+    useACMEHost = "qyliss.net";
+
+    locations = {
+      "= /cgit.css".alias = cgitCss.outPath;
+    };
+  };
 
   users.groups.spectrum.members = [ "qyliss" ];
   system.activationScripts.spectrum-home = lib.stringAfter [ "users" ] ''
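Review bot: The catch-all `default` vhost (`serverName = null; default = true;`) now spells out `forceSSL = true` and `useACMEHost = "qyliss.net"`, so the qyliss.net certificate with all its SANs is presented for any unmatched SNI or bare-IP connection and the /dns-query proxy is reachable under any hostname; that matches the removed code, but it deserves a comment marking it as intentional, e.g. `# Catch-all: unknown hosts get the qyliss.net cert, a redirect to alyssa.is, and the DoH proxy.` If handing a real certificate to unknown hosts is not wanted, the nginx module's `rejectSSL` option, where the module version provides it, is the alternative. The enclosing attribute set continues past the end of the hunk.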