myconfig = {
inherit privateFiles;
env = import "${privateFiles}/environment.nix";
- ips = {
- main = "176.9.151.89";
- production = "176.9.151.154";
- integration = "176.9.151.155";
- };
};
};
+ networking = {
+ firewall.enable = true;
+ # 176.9.151.89 declared in nixops -> infra / tools
+ interfaces."eth0".ipv4.addresses = pkgs.lib.attrsets.mapAttrsToList
+ (n: ips: { address = ips.ip4; prefixLength = 32; })
+ (pkgs.lib.attrsets.filterAttrs (n: v: n != "main") myconfig.env.servers.eldiron.ips);
+ interfaces."eth0".ipv6.addresses = pkgs.lib.flatten (pkgs.lib.attrsets.mapAttrsToList
+ (n: ips: map (ip: { address = ip; prefixLength = (if n == "main" && ip == pkgs.lib.head ips.ip6 then 64 else 128); }) (ips.ip6 or []))
+ myconfig.env.servers.eldiron.ips);
+ };
+
imports = [
./modules/ssh
./modules/certificates.nix
MaxLevelStore="warning"
MaxRetentionSec="1year"
'';
- networking.firewall.enable = true;
deployment = {
targetEnv = "hetzner";
hetzner = {
robotUser = myconfig.env.hetzner.user;
robotPass = myconfig.env.hetzner.pass;
- mainIPv4 = myconfig.ips.main;
+ mainIPv4 = myconfig.env.servers.eldiron.ips.main.ip4;
partitions = ''
clearpart --all --initlabel --drives=sda,sdb
sslServerKey = "/var/lib/acme/${vhostConf.certName}/key.pem";
sslServerChain = "/var/lib/acme/${vhostConf.certName}/fullchain.pem";
logFormat = "combinedVhost";
- listen = [
- { ip = cfg.ip; port = 443; }
- ];
+ listen = map (ip: { inherit ip; port = 443; }) cfg.ips;
hostName = builtins.head vhostConf.hosts;
serverAliases = builtins.tail vhostConf.hosts or [];
documentRoot = vhostConf.root;
extraConfig = builtins.concatStringsSep "\n" vhostConf.extraConfig;
};
nosslVhost = {
- listen = [ { ip = cfg.ip; port = 80; } ];
+ listen = map (ip: { inherit ip; port = 80; }) cfg.ips;
hostName = "nossl.immae.eu";
enableSSL = false;
logFormat = "combinedVhost";
'';
};
redirectVhost = { # Should go last, catchall http -> https redirect
- listen = [ { ip = cfg.ip; port = 80; } ];
+ listen = map (ip: { inherit ip; port = 80; }) cfg.ips;
hostName = "redirectSSL";
serverAliases = [ "*" ];
enableSSL = false;
};
in rec {
enable = true;
- listen = [
- { ip = cfg.ip; port = 443; }
- ];
+ listen = map (ip: { inherit ip; port = 443; }) cfg.ips;
stateDir = "/run/httpd_${name}";
logPerVirtualHost = true;
multiProcessingModule = "worker";
++ (pkgs.lib.attrsets.mapAttrsToList (n: v: toVhost v) cfg.vhostConfs)
++ [ redirectVhost ];
};
- makeServiceOptions = name: ip: {
+ makeServiceOptions = name: {
enable = lib.mkEnableOption "enable websites in ${name}";
- ip = lib.mkOption {
- type = lib.types.string;
- default = ip;
- description = "${name} ip to listen to";
+ ips = lib.mkOption {
+ type = lib.types.listOf lib.types.string;
+ default = let
+ ips = myconfig.env.servers.eldiron.ips.${name};
+ in
+ [ips.ip4] ++ (ips.ip6 or []);
+ description = "${name} ips to listen to";
};
modules = lib.mkOption {
type = lib.types.listOf (lib.types.str);
];
options.services.myWebsites = {
- production = makeServiceOptions "production" myconfig.ips.production;
- integration = makeServiceOptions "integration" myconfig.ips.integration;
- tools = makeServiceOptions "tools" myconfig.ips.main;
+ production = makeServiceOptions "production";
+ integration = makeServiceOptions "integration";
+ tools = makeServiceOptions "main";
apacheConfig = lib.mkOption {
type = lib.types.attrsOf (lib.types.submodule {
};
config = {
- networking = {
- firewall = {
- enable = true;
- allowedTCPPorts = [ 80 443 ];
- };
- interfaces."eth0".ipv4.addresses = [
- # 176.9.151.89 declared in nixops -> infra / tools
- { address = myconfig.ips.production; prefixLength = 32; }
- { address = myconfig.ips.integration; prefixLength = 32; }
- ];
- };
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
nixpkgs.overlays = [ (self: super: rec {
php = php72;
projects / perso / Immae / Config / Nix.git / commitdiff
