From 3013caf18db83d43a1703b1a74cb484f70bab3a8 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Isma=C3=ABl=20Bouya?=
Date: Thu, 10 Jan 2019 00:40:53 +0100
Subject: [PATCH] Start moving websites to their own modules: certificates
---
 virtual/eldiron.nix | 110 ++++----------------
 virtual/modules/certificates.nix | 30 ++++++
 virtual/modules/websites/aten.nix | 28 +++++
 virtual/modules/websites/chloe.nix | 27 +++++
 virtual/modules/websites/connexionswing.nix | 31 ++++++
 virtual/modules/websites/ludivine.nix | 27 +++++
 virtual/modules/websites/piedsjaloux.nix | 28 +++++
 7 files changed, 192 insertions(+), 89 deletions(-)
 create mode 100644 virtual/modules/certificates.nix
 create mode 100644 virtual/modules/websites/aten.nix
 create mode 100644 virtual/modules/websites/chloe.nix
 create mode 100644 virtual/modules/websites/connexionswing.nix
 create mode 100644 virtual/modules/websites/ludivine.nix
 create mode 100644 virtual/modules/websites/piedsjaloux.nix
diff --git a/virtual/eldiron.nix b/virtual/eldiron.nix
index acd2cbd..5dafe6e 100644
--- a/virtual/eldiron.nix
+++ b/virtual/eldiron.nix
@@ -17,13 +17,29 @@ }; imports = [ + ./modules/certificates.nix ./modules/gitolite.nix ./modules/gitweb.nix ./modules/databases.nix + ./modules/websites/chloe.nix + ./modules/websites/ludivine.nix + ./modules/websites/aten.nix + ./modules/websites/piedsjaloux.nix + ./modules/websites/connexionswing.nix ]; services.myGitolite.enable = true; services.myGitweb.enable = true; services.myDatabases.enable = true; + services.myWebsites.Chloe.production.enable = true; + services.myWebsites.Chloe.integration.enable = true; + services.myWebsites.Ludivine.production.enable = true; + services.myWebsites.Ludivine.integration.enable = true; + services.myWebsites.Aten.production.enable = true; + services.myWebsites.Aten.integration.enable = true; + services.myWebsites.PiedsJaloux.production.enable = true; + services.myWebsites.PiedsJaloux.integration.enable = true; + services.myWebsites.Connexionswing.production.enable = true; + services.myWebsites.Connexionswing.integration.enable = true; nixpkgs.config.packageOverrides = oldpkgs: rec { goaccess = oldpkgs.goaccess.overrideAttrs(old: rec { 
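Review bot: The five `services.myWebsites.*.integration.enable = true;` lines each add one SAN to the single shared `eldiron` certificate (that is what the website modules later in this patch do with the flag), so toggling any one of them later changes that certificate's SAN set and triggers a reissue plus the `postRun` httpd reload for every integration site at once. That coupling is invisible from this hunk, where the flags read like independent per-site switches; a one-line comment above the block, `# integration.enable adds the site's *.immae.eu name to the shared "eldiron" certificate`, would make the blast radius clear. The enclosing attribute set starts before and ends after this hunk.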
@@ -84,95 +100,11 @@ occ ]; - # FIXME: doesn't work with httpd? - security.acme.preliminarySelfsigned = true; - security.acme.certs = { - # FIXME: /!\ To create a new certificate, create it before using - # it in httpd - "eldiron" = { - webroot = "/var/lib/acme/acme-challenge"; - email = "ismael@bouya.org"; - domain = "eldiron.immae.eu"; - plugins = [ "cert.pem" "chain.pem" "fullchain.pem" "full.pem" "key.pem" "account_key.json" ]; - postRun = '' - systemctl reload httpd.service - ''; - allowKeysForGroup = true; - extraDomains = { - "db-1.immae.eu" = null; - "tools.immae.eu" = null; - "connexionswing.immae.eu" = null; - "sandetludo.immae.eu" = null; - "cloud.immae.eu" = null; - "ludivine.immae.eu" = null; - "dev.aten.pro" = null; - "piedsjaloux.immae.eu" = null; - "chloe.immae.eu" = null; - "dav.immae.eu" = null; - }; - }; - "ludivinecassal" = { - webroot = "/var/lib/acme/acme-challenge"; - email = "ismael@bouya.org"; - domain = "ludivinecassal.com"; - plugins = [ "cert.pem" "chain.pem" "fullchain.pem" "full.pem" "key.pem" "account_key.json" ]; - postRun = '' - systemctl reload httpd.service - ''; - extraDomains = { - "www.ludivinecassal.com" = null; - }; - }; - "aten" = { - webroot = "/var/lib/acme/acme-challenge"; - email = "ismael@bouya.org"; - domain = "aten.pro"; - plugins = [ "cert.pem" "chain.pem" "fullchain.pem" "full.pem" "key.pem" "account_key.json" ]; - postRun = '' - systemctl reload httpd.service - ''; - extraDomains = { - "www.aten.pro" = null; - }; - }; - "piedsjaloux" = { - webroot = "/var/lib/acme/acme-challenge"; - email = "ismael@bouya.org"; - domain = "piedsjaloux.fr"; - plugins = [ "cert.pem" "chain.pem" "fullchain.pem" "full.pem" "key.pem" "account_key.json" ]; - postRun = '' - systemctl reload httpd.service - ''; - extraDomains = { - "www.piedsjaloux.fr" = null; - }; - }; - "chloe" = { - webroot = "/var/lib/acme/acme-challenge"; - email = "ismael@bouya.org"; - domain = "osteopathe-cc.fr"; - plugins = [ "cert.pem" "chain.pem" "fullchain.pem" 
"full.pem" "key.pem" "account_key.json" ]; - postRun = '' - systemctl reload httpd.service - ''; - extraDomains = { - "www.osteopathe-cc.fr" = null; - }; - }; - "connexionswing" = { - webroot = "/var/lib/acme/acme-challenge"; - email = "ismael@bouya.org"; - domain = "connexionswing.com"; - plugins = [ "cert.pem" "chain.pem" "fullchain.pem" "full.pem" "key.pem" "account_key.json" ]; - postRun = '' - systemctl reload httpd.service - ''; - extraDomains = { - "www.connexionswing.com" = null; - "sandetludo.com" = null; - "www.sandetludo.com" = null; - }; - }; + security.acme.certs."eldiron".extraDomains = { + "db-1.immae.eu" = null; + "tools.immae.eu" = null; + "cloud.immae.eu" = null; + "dav.immae.eu" = null; }; services.openssh.extraConfig = '' diff --git a/virtual/modules/certificates.nix b/virtual/modules/certificates.nix new file mode 100644 index 0000000..a9d6d99 --- /dev/null +++ b/virtual/modules/certificates.nix @@ -0,0 +1,30 @@ +{ lib, pkgs, config, mylibs, ... }: +{ + options.services.myCertificates = { + certConfig = lib.mkOption { + default = { + webroot = "/var/lib/acme/acme-challenge"; + email = "ismael@bouya.org"; + postRun = '' + systemctl reload httpd.service + ''; + plugins = [ "cert.pem" "chain.pem" "fullchain.pem" "full.pem" "key.pem" "account_key.json" ]; + }; + description = "Default configuration for certificates"; + }; + }; + + config = { + # FIXME: doesn't work with httpd? + security.acme.preliminarySelfsigned = true; + + security.acme.certs = { + # FIXME: /!\ To create a new certificate, create it before using + # it in httpd + "eldiron" = config.services.myCertificates.certConfig // { + domain = "eldiron.immae.eu"; + allowKeysForGroup = true; + }; + }; + }; +} diff --git a/virtual/modules/websites/aten.nix b/virtual/modules/websites/aten.nix new file mode 100644 index 0000000..7567289 --- /dev/null +++ b/virtual/modules/websites/aten.nix 
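Review bot: The four names kept in `security.acme.certs."eldiron".extraDomains` (`db-1`, `tools`, `cloud`, `dav`) are the infrastructure hostnames that stay in the host file while the site hostnames moved out to modules, but nothing records why these stayed or which services they belong to. A comment on the line above the attribute, `# Infrastructure SANs not yet owned by a module; site SANs are contributed by modules/websites/*.nix`, would capture the intent, and it is worth noting that the old `FIXME` about creating a certificate before referencing it in httpd now lives only in certificates.nix. The hunk ends inside `services.openssh.extraConfig`, whose body continues outside it.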
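Review bot: `allowKeysForGroup = true;` on the `eldiron` certificate relaxes the key file permissions so the certificate's `group` can read the private key, and after this patch that one key fronts every integration site plus the infrastructure names, yet no `group` is set on the cert and there is no comment saying who needs that access; a why-comment such as `# key is group-readable: consumed by services other than httpd — TODO confirm which group` belongs next to it. Separately, `certConfig` is declared with `lib.mkOption` but no `type`, so the module system cannot type-check it or merge a second definition; `type = lib.types.attrs;` alongside `default` fixes that. The `//` merge the consumers use is shallow, which is fine here only because the defaults never define `domain` or `extraDomains`; a comment in the option description stating that contract would prevent someone adding an `extraDomains` default later and silently losing every site's SANs.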
@@ -0,0 +1,28 @@ +{ lib, pkgs, config, mylibs, ... }: +let + cfg = config.services.myWebsites.Aten; +in { + options.services.myWebsites.Aten = { + production = { + enable = lib.mkEnableOption "enable Aten's website in production"; + }; + integration = { + enable = lib.mkEnableOption "enable Aten's website in integration"; + }; + }; + + config = lib.mkMerge [ + (lib.mkIf cfg.production.enable { + security.acme.certs."aten" = config.services.myCertificates.certConfig // { + domain = "aten.pro"; + extraDomains = { + "www.aten.pro" = null; + }; + }; + }) + (lib.mkIf cfg.integration.enable { + security.acme.certs."eldiron".extraDomains."dev.aten.pro" = null; + }) + ]; +} + diff --git a/virtual/modules/websites/chloe.nix b/virtual/modules/websites/chloe.nix new file mode 100644 index 0000000..2c0c65d --- /dev/null +++ b/virtual/modules/websites/chloe.nix @@ -0,0 +1,27 @@ +{ lib, pkgs, config, mylibs, ... }: +let + cfg = config.services.myWebsites.Chloe; +in { + options.services.myWebsites.Chloe = { + production = { + enable = lib.mkEnableOption "enable Chloe's website in production"; + }; + integration = { + enable = lib.mkEnableOption "enable Chloe's website in integration"; + }; + }; + + config = lib.mkMerge [ + (lib.mkIf cfg.production.enable { + security.acme.certs."chloe" = config.services.myCertificates.certConfig // { + domain = "osteopathe-cc.fr"; + extraDomains = { + "www.osteopathe-cc.fr" = null; + }; + }; + }) + (lib.mkIf cfg.integration.enable { + security.acme.certs."eldiron".extraDomains."chloe.immae.eu" = null; + }) + ]; +} diff --git a/virtual/modules/websites/connexionswing.nix b/virtual/modules/websites/connexionswing.nix new file mode 100644 index 0000000..ed6799f --- /dev/null +++ b/virtual/modules/websites/connexionswing.nix 
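Review bot: The module reads `config.services.myCertificates.certConfig` but never imports `../certificates.nix`, so it only evaluates when the host file happens to import that module too (as eldiron.nix does here); adding `imports = [ ../certificates.nix ];` at the top of the returned set makes it self-contained, and the module system deduplicates repeated imports of the same path. Also, the `webroot` challenge inherited from `certConfig` requires `/.well-known/acme-challenge/` to be served for both `aten.pro` and `www.aten.pro`, and this module defines no vhost — presumably a later step in the series, but until then enabling `production` requests a certificate that cannot be validated.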
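Review bot: Nothing in this module tells a reader that the integration host `chloe.immae.eu` becomes a SAN of the shared `eldiron` certificate, whose key certificates.nix marks `allowKeysForGroup`, whereas the production cert `chloe` gets a key of its own; a comment on the integration branch, `# integration host is a SAN of the shared host certificate, not a cert of its own`, makes that trust boundary explicit. The cert attribute name `chloe` also differs from the domain `osteopathe-cc.fr`, so by the acme module's naming the material lands under a `chloe` directory rather than one named after the domain; a short comment noting this will help when httpd is later pointed at the files.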
@@ -0,0 +1,31 @@ +{ lib, pkgs, config, mylibs, ... }: +let + cfg = config.services.myWebsites.Connexionswing; +in { + options.services.myWebsites.Connexionswing = { + production = { + enable = lib.mkEnableOption "enable Connexionswing's website in production"; + }; + integration = { + enable = lib.mkEnableOption "enable Connexionswing's website in integration"; + }; + }; + + config = lib.mkMerge [ + (lib.mkIf cfg.production.enable { + security.acme.certs."connexionswing" = config.services.myCertificates.certConfig // { + domain = "connexionswing.com"; + extraDomains = { + "www.connexionswing.com" = null; + "sandetludo.com" = null; + "www.sandetludo.com" = null; + }; + }; + }) + (lib.mkIf cfg.integration.enable { + security.acme.certs."eldiron".extraDomains."sandetludo.immae.eu" = null; + security.acme.certs."eldiron".extraDomains."connexionswing.immae.eu" = null; + }) + ]; +} + diff --git a/virtual/modules/websites/ludivine.nix b/virtual/modules/websites/ludivine.nix new file mode 100644 index 0000000..5729c09 --- /dev/null +++ b/virtual/modules/websites/ludivine.nix @@ -0,0 +1,27 @@ +{ lib, pkgs, config, mylibs, ... }: +let + cfg = config.services.myWebsites.Ludivine; +in { + options.services.myWebsites.Ludivine = { + production = { + enable = lib.mkEnableOption "enable Ludivine's website in production"; + }; + integration = { + enable = lib.mkEnableOption "enable Ludivine's website in integration"; + }; + }; + + config = lib.mkMerge [ + (lib.mkIf cfg.production.enable { + security.acme.certs."ludivinecassal" = config.services.myCertificates.certConfig // { + domain = "ludivinecassal.com"; + extraDomains = { + "www.ludivinecassal.com" = null; + }; + }; + }) + (lib.mkIf cfg.integration.enable { + security.acme.certs."eldiron".extraDomains."ludivine.immae.eu" = null; + }) + ]; +} diff --git a/virtual/modules/websites/piedsjaloux.nix b/virtual/modules/websites/piedsjaloux.nix new file mode 100644 index 0000000..849df63 --- /dev/null 
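Review bot: The production certificate bundles a second registrable domain, `sandetludo.com` and `www.sandetludo.com`, together with `connexionswing.com`, and with the webroot challenge inherited from `certConfig` a DNS or vhost problem on either domain fails issuance and renewal for both sites. If the two sites are intentionally served together a comment saying so, `# sandetludo.com is served by the same vhost, hence one certificate`, is enough; otherwise a separate `security.acme.certs."sandetludo"` entry isolates the failure domains. The two integration names are added as two separate attribute definitions; `security.acme.certs."eldiron".extraDomains = { "sandetludo.immae.eu" = null; "connexionswing.immae.eu" = null; };` says the same thing in one.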
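Review bot: The certificate is named `ludivinecassal` while the module and its options are `Ludivine`, unlike the other four modules where the cert attribute is the module name in lower case; since the removed host config already used `ludivinecassal`, existing on-disk state under that name is the likely reason, and a comment `# cert name kept as "ludivinecassal" to match the existing acme state directory` records that so nobody "fixes" it later and triggers a reissue. Like its siblings, the module depends on `config.services.myCertificates.certConfig` without importing `../certificates.nix`, so it cannot be evaluated on its own.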
+++ b/virtual/modules/websites/piedsjaloux.nix @@ -0,0 +1,28 @@ +{ lib, pkgs, config, mylibs, ... }: +let + cfg = config.services.myWebsites.PiedsJaloux; +in { + options.services.myWebsites.PiedsJaloux = { + production = { + enable = lib.mkEnableOption "enable PiedsJaloux's website in production"; + }; + integration = { + enable = lib.mkEnableOption "enable PiedsJaloux's website in integration"; + }; + }; + + config = lib.mkMerge [ + (lib.mkIf cfg.production.enable { + security.acme.certs."piedsjaloux" = config.services.myCertificates.certConfig // { + domain = "piedsjaloux.fr"; + extraDomains = { + "www.piedsjaloux.fr" = null; + }; + }; + }) + (lib.mkIf cfg.integration.enable { + security.acme.certs."eldiron".extraDomains."piedsjaloux.immae.eu" = null; + }) + ]; +} + -- 2.41.0
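Review bot: The file ends with an extra empty line after the closing `}` (the final `+` line), as do aten.nix and connexionswing.nix in this patch, while chloe.nix and ludivine.nix do not; dropping it keeps the five sibling modules consistent and avoids a spurious diff the first time an editor strips trailing whitespace. The two `mkEnableOption` descriptions say which site they toggle but not what enabling does — here `production` requests the `piedsjaloux` certificate for `piedsjaloux.fr` and `integration` adds `piedsjaloux.immae.eu` to the shared `eldiron` certificate; folding that into the strings, e.g. `lib.mkEnableOption "PiedsJaloux's production website (requests the piedsjaloux.fr certificate)"`, documents the module where option tooling will surface it.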