diff options
| author | Ismaël Bouya <ismael.bouya@normalesup.org> | 2019-04-07 12:58:10 +0200 |
|---|---|---|
| committer | Ismaël Bouya <ismael.bouya@normalesup.org> | 2019-04-07 12:58:10 +0200 |
| commit | d68bb46bc6d04b450bb0bd995b4286f3d46b2557 (patch) | |
| tree | 6d30e64504c98e580ccad7becd138e6a15a8906c /nixops/modules/websites | |
| parent | 384ec543ef58e2cd8cafb9dad1c284fbc195144a (diff) | |
| download | Nix-d68bb46bc6d04b450bb0bd995b4286f3d46b2557.tar.gz Nix-d68bb46bc6d04b450bb0bd995b4286f3d46b2557.tar.zst Nix-d68bb46bc6d04b450bb0bd995b4286f3d46b2557.zip | |
Add ipv6 to websites
This adds ipv6 to websites, and moves the ip address handling to
environment.
Fixes https://git.immae.eu/mantisbt/view.php?id=103
Diffstat (limited to 'nixops/modules/websites')
| -rw-r--r-- | nixops/modules/websites/default.nix | 43 |
1 files changed, 16 insertions, 27 deletions
diff --git a/nixops/modules/websites/default.nix b/nixops/modules/websites/default.nix index 14f2116..228966f 100644 --- a/nixops/modules/websites/default.nix +++ b/nixops/modules/websites/default.nix | |||
| @@ -10,16 +10,14 @@ let | |||
| 10 | sslServerKey = "/var/lib/acme/${vhostConf.certName}/key.pem"; | 10 | sslServerKey = "/var/lib/acme/${vhostConf.certName}/key.pem"; |
| 11 | sslServerChain = "/var/lib/acme/${vhostConf.certName}/fullchain.pem"; | 11 | sslServerChain = "/var/lib/acme/${vhostConf.certName}/fullchain.pem"; |
| 12 | logFormat = "combinedVhost"; | 12 | logFormat = "combinedVhost"; |
| 13 | listen = [ | 13 | listen = map (ip: { inherit ip; port = 443; }) cfg.ips; |
| 14 | { ip = cfg.ip; port = 443; } | ||
| 15 | ]; | ||
| 16 | hostName = builtins.head vhostConf.hosts; | 14 | hostName = builtins.head vhostConf.hosts; |
| 17 | serverAliases = builtins.tail vhostConf.hosts or []; | 15 | serverAliases = builtins.tail vhostConf.hosts or []; |
| 18 | documentRoot = vhostConf.root; | 16 | documentRoot = vhostConf.root; |
| 19 | extraConfig = builtins.concatStringsSep "\n" vhostConf.extraConfig; | 17 | extraConfig = builtins.concatStringsSep "\n" vhostConf.extraConfig; |
| 20 | }; | 18 | }; |
| 21 | nosslVhost = { | 19 | nosslVhost = { |
| 22 | listen = [ { ip = cfg.ip; port = 80; } ]; | 20 | listen = map (ip: { inherit ip; port = 80; }) cfg.ips; |
| 23 | hostName = "nossl.immae.eu"; | 21 | hostName = "nossl.immae.eu"; |
| 24 | enableSSL = false; | 22 | enableSSL = false; |
| 25 | logFormat = "combinedVhost"; | 23 | logFormat = "combinedVhost"; |
| @@ -36,7 +34,7 @@ let | |||
| 36 | ''; | 34 | ''; |
| 37 | }; | 35 | }; |
| 38 | redirectVhost = { # Should go last, catchall http -> https redirect | 36 | redirectVhost = { # Should go last, catchall http -> https redirect |
| 39 | listen = [ { ip = cfg.ip; port = 80; } ]; | 37 | listen = map (ip: { inherit ip; port = 80; }) cfg.ips; |
| 40 | hostName = "redirectSSL"; | 38 | hostName = "redirectSSL"; |
| 41 | serverAliases = [ "*" ]; | 39 | serverAliases = [ "*" ]; |
| 42 | enableSSL = false; | 40 | enableSSL = false; |
| @@ -59,9 +57,7 @@ let | |||
| 59 | }; | 57 | }; |
| 60 | in rec { | 58 | in rec { |
| 61 | enable = true; | 59 | enable = true; |
| 62 | listen = [ | 60 | listen = map (ip: { inherit ip; port = 443; }) cfg.ips; |
| 63 | { ip = cfg.ip; port = 443; } | ||
| 64 | ]; | ||
| 65 | stateDir = "/run/httpd_${name}"; | 61 | stateDir = "/run/httpd_${name}"; |
| 66 | logPerVirtualHost = true; | 62 | logPerVirtualHost = true; |
| 67 | multiProcessingModule = "worker"; | 63 | multiProcessingModule = "worker"; |
| @@ -74,12 +70,15 @@ let | |||
| 74 | ++ (pkgs.lib.attrsets.mapAttrsToList (n: v: toVhost v) cfg.vhostConfs) | 70 | ++ (pkgs.lib.attrsets.mapAttrsToList (n: v: toVhost v) cfg.vhostConfs) |
| 75 | ++ [ redirectVhost ]; | 71 | ++ [ redirectVhost ]; |
| 76 | }; | 72 | }; |
| 77 | makeServiceOptions = name: ip: { | 73 | makeServiceOptions = name: { |
| 78 | enable = lib.mkEnableOption "enable websites in ${name}"; | 74 | enable = lib.mkEnableOption "enable websites in ${name}"; |
| 79 | ip = lib.mkOption { | 75 | ips = lib.mkOption { |
| 80 | type = lib.types.string; | 76 | type = lib.types.listOf lib.types.string; |
| 81 | default = ip; | 77 | default = let |
| 82 | description = "${name} ip to listen to"; | 78 | ips = myconfig.env.servers.eldiron.ips.${name}; |
| 79 | in | ||
| 80 | [ips.ip4] ++ (ips.ip6 or []); | ||
| 81 | description = "${name} ips to listen to"; | ||
| 83 | }; | 82 | }; |
| 84 | modules = lib.mkOption { | 83 | modules = lib.mkOption { |
| 85 | type = lib.types.listOf (lib.types.str); | 84 | type = lib.types.listOf (lib.types.str); |
| @@ -143,9 +142,9 @@ in | |||
| 143 | ]; | 142 | ]; |
| 144 | 143 | ||
| 145 | options.services.myWebsites = { | 144 | options.services.myWebsites = { |
| 146 | production = makeServiceOptions "production" myconfig.ips.production; | 145 | production = makeServiceOptions "production"; |
| 147 | integration = makeServiceOptions "integration" myconfig.ips.integration; | 146 | integration = makeServiceOptions "integration"; |
| 148 | tools = makeServiceOptions "tools" myconfig.ips.main; | 147 | tools = makeServiceOptions "main"; |
| 149 | 148 | ||
| 150 | apacheConfig = lib.mkOption { | 149 | apacheConfig = lib.mkOption { |
| 151 | type = lib.types.attrsOf (lib.types.submodule { | 150 | type = lib.types.attrsOf (lib.types.submodule { |
| @@ -167,17 +166,7 @@ in | |||
| 167 | }; | 166 | }; |
| 168 | 167 | ||
| 169 | config = { | 168 | config = { |
| 170 | networking = { | 169 | networking.firewall.allowedTCPPorts = [ 80 443 ]; |
| 171 | firewall = { | ||
| 172 | enable = true; | ||
| 173 | allowedTCPPorts = [ 80 443 ]; | ||
| 174 | }; | ||
| 175 | interfaces."eth0".ipv4.addresses = [ | ||
| 176 | # 176.9.151.89 declared in nixops -> infra / tools | ||
| 177 | { address = myconfig.ips.production; prefixLength = 32; } | ||
| 178 | { address = myconfig.ips.integration; prefixLength = 32; } | ||
| 179 | ]; | ||
| 180 | }; | ||
| 181 | 170 | ||
| 182 | nixpkgs.overlays = [ (self: super: rec { | 171 | nixpkgs.overlays = [ (self: super: rec { |
| 183 | php = php72; | 172 | php = php72; |