diff options
Diffstat (limited to 'nixops')
| -rw-r--r-- | nixops/eldiron.nix | 19 | ||||
| -rw-r--r-- | nixops/modules/websites/default.nix | 43 |
2 files changed, 28 insertions, 34 deletions
diff --git a/nixops/eldiron.nix b/nixops/eldiron.nix index 3e346d4..f254a05 100644 --- a/nixops/eldiron.nix +++ b/nixops/eldiron.nix | |||
| @@ -15,14 +15,20 @@ | |||
| 15 | myconfig = { | 15 | myconfig = { |
| 16 | inherit privateFiles; | 16 | inherit privateFiles; |
| 17 | env = import "${privateFiles}/environment.nix"; | 17 | env = import "${privateFiles}/environment.nix"; |
| 18 | ips = { | ||
| 19 | main = "176.9.151.89"; | ||
| 20 | production = "176.9.151.154"; | ||
| 21 | integration = "176.9.151.155"; | ||
| 22 | }; | ||
| 23 | }; | 18 | }; |
| 24 | }; | 19 | }; |
| 25 | 20 | ||
| 21 | networking = { | ||
| 22 | firewall.enable = true; | ||
| 23 | # 176.9.151.89 declared in nixops -> infra / tools | ||
| 24 | interfaces."eth0".ipv4.addresses = pkgs.lib.attrsets.mapAttrsToList | ||
| 25 | (n: ips: { address = ips.ip4; prefixLength = 32; }) | ||
| 26 | (pkgs.lib.attrsets.filterAttrs (n: v: n != "main") myconfig.env.servers.eldiron.ips); | ||
| 27 | interfaces."eth0".ipv6.addresses = pkgs.lib.flatten (pkgs.lib.attrsets.mapAttrsToList | ||
| 28 | (n: ips: map (ip: { address = ip; prefixLength = (if n == "main" && ip == pkgs.lib.head ips.ip6 then 64 else 128); }) (ips.ip6 or [])) | ||
| 29 | myconfig.env.servers.eldiron.ips); | ||
| 30 | }; | ||
| 31 | |||
| 26 | imports = [ | 32 | imports = [ |
| 27 | ./modules/ssh | 33 | ./modules/ssh |
| 28 | ./modules/certificates.nix | 34 | ./modules/certificates.nix |
| @@ -53,14 +59,13 @@ | |||
| 53 | MaxLevelStore="warning" | 59 | MaxLevelStore="warning" |
| 54 | MaxRetentionSec="1year" | 60 | MaxRetentionSec="1year" |
| 55 | ''; | 61 | ''; |
| 56 | networking.firewall.enable = true; | ||
| 57 | 62 | ||
| 58 | deployment = { | 63 | deployment = { |
| 59 | targetEnv = "hetzner"; | 64 | targetEnv = "hetzner"; |
| 60 | hetzner = { | 65 | hetzner = { |
| 61 | robotUser = myconfig.env.hetzner.user; | 66 | robotUser = myconfig.env.hetzner.user; |
| 62 | robotPass = myconfig.env.hetzner.pass; | 67 | robotPass = myconfig.env.hetzner.pass; |
| 63 | mainIPv4 = myconfig.ips.main; | 68 | mainIPv4 = myconfig.env.servers.eldiron.ips.main.ip4; |
| 64 | partitions = '' | 69 | partitions = '' |
| 65 | clearpart --all --initlabel --drives=sda,sdb | 70 | clearpart --all --initlabel --drives=sda,sdb |
| 66 | 71 | ||
diff --git a/nixops/modules/websites/default.nix b/nixops/modules/websites/default.nix index 14f2116..228966f 100644 --- a/nixops/modules/websites/default.nix +++ b/nixops/modules/websites/default.nix | |||
| @@ -10,16 +10,14 @@ let | |||
| 10 | sslServerKey = "/var/lib/acme/${vhostConf.certName}/key.pem"; | 10 | sslServerKey = "/var/lib/acme/${vhostConf.certName}/key.pem"; |
| 11 | sslServerChain = "/var/lib/acme/${vhostConf.certName}/fullchain.pem"; | 11 | sslServerChain = "/var/lib/acme/${vhostConf.certName}/fullchain.pem"; |
| 12 | logFormat = "combinedVhost"; | 12 | logFormat = "combinedVhost"; |
| 13 | listen = [ | 13 | listen = map (ip: { inherit ip; port = 443; }) cfg.ips; |
| 14 | { ip = cfg.ip; port = 443; } | ||
| 15 | ]; | ||
| 16 | hostName = builtins.head vhostConf.hosts; | 14 | hostName = builtins.head vhostConf.hosts; |
| 17 | serverAliases = builtins.tail vhostConf.hosts or []; | 15 | serverAliases = builtins.tail vhostConf.hosts or []; |
| 18 | documentRoot = vhostConf.root; | 16 | documentRoot = vhostConf.root; |
| 19 | extraConfig = builtins.concatStringsSep "\n" vhostConf.extraConfig; | 17 | extraConfig = builtins.concatStringsSep "\n" vhostConf.extraConfig; |
| 20 | }; | 18 | }; |
| 21 | nosslVhost = { | 19 | nosslVhost = { |
| 22 | listen = [ { ip = cfg.ip; port = 80; } ]; | 20 | listen = map (ip: { inherit ip; port = 80; }) cfg.ips; |
| 23 | hostName = "nossl.immae.eu"; | 21 | hostName = "nossl.immae.eu"; |
| 24 | enableSSL = false; | 22 | enableSSL = false; |
| 25 | logFormat = "combinedVhost"; | 23 | logFormat = "combinedVhost"; |
| @@ -36,7 +34,7 @@ let | |||
| 36 | ''; | 34 | ''; |
| 37 | }; | 35 | }; |
| 38 | redirectVhost = { # Should go last, catchall http -> https redirect | 36 | redirectVhost = { # Should go last, catchall http -> https redirect |
| 39 | listen = [ { ip = cfg.ip; port = 80; } ]; | 37 | listen = map (ip: { inherit ip; port = 80; }) cfg.ips; |
| 40 | hostName = "redirectSSL"; | 38 | hostName = "redirectSSL"; |
| 41 | serverAliases = [ "*" ]; | 39 | serverAliases = [ "*" ]; |
| 42 | enableSSL = false; | 40 | enableSSL = false; |
| @@ -59,9 +57,7 @@ let | |||
| 59 | }; | 57 | }; |
| 60 | in rec { | 58 | in rec { |
| 61 | enable = true; | 59 | enable = true; |
| 62 | listen = [ | 60 | listen = map (ip: { inherit ip; port = 443; }) cfg.ips; |
| 63 | { ip = cfg.ip; port = 443; } | ||
| 64 | ]; | ||
| 65 | stateDir = "/run/httpd_${name}"; | 61 | stateDir = "/run/httpd_${name}"; |
| 66 | logPerVirtualHost = true; | 62 | logPerVirtualHost = true; |
| 67 | multiProcessingModule = "worker"; | 63 | multiProcessingModule = "worker"; |
| @@ -74,12 +70,15 @@ let | |||
| 74 | ++ (pkgs.lib.attrsets.mapAttrsToList (n: v: toVhost v) cfg.vhostConfs) | 70 | ++ (pkgs.lib.attrsets.mapAttrsToList (n: v: toVhost v) cfg.vhostConfs) |
| 75 | ++ [ redirectVhost ]; | 71 | ++ [ redirectVhost ]; |
| 76 | }; | 72 | }; |
| 77 | makeServiceOptions = name: ip: { | 73 | makeServiceOptions = name: { |
| 78 | enable = lib.mkEnableOption "enable websites in ${name}"; | 74 | enable = lib.mkEnableOption "enable websites in ${name}"; |
| 79 | ip = lib.mkOption { | 75 | ips = lib.mkOption { |
| 80 | type = lib.types.string; | 76 | type = lib.types.listOf lib.types.string; |
| 81 | default = ip; | 77 | default = let |
| 82 | description = "${name} ip to listen to"; | 78 | ips = myconfig.env.servers.eldiron.ips.${name}; |
| 79 | in | ||
| 80 | [ips.ip4] ++ (ips.ip6 or []); | ||
| 81 | description = "${name} ips to listen to"; | ||
| 83 | }; | 82 | }; |
| 84 | modules = lib.mkOption { | 83 | modules = lib.mkOption { |
| 85 | type = lib.types.listOf (lib.types.str); | 84 | type = lib.types.listOf (lib.types.str); |
| @@ -143,9 +142,9 @@ in | |||
| 143 | ]; | 142 | ]; |
| 144 | 143 | ||
| 145 | options.services.myWebsites = { | 144 | options.services.myWebsites = { |
| 146 | production = makeServiceOptions "production" myconfig.ips.production; | 145 | production = makeServiceOptions "production"; |
| 147 | integration = makeServiceOptions "integration" myconfig.ips.integration; | 146 | integration = makeServiceOptions "integration"; |
| 148 | tools = makeServiceOptions "tools" myconfig.ips.main; | 147 | tools = makeServiceOptions "main"; |
| 149 | 148 | ||
| 150 | apacheConfig = lib.mkOption { | 149 | apacheConfig = lib.mkOption { |
| 151 | type = lib.types.attrsOf (lib.types.submodule { | 150 | type = lib.types.attrsOf (lib.types.submodule { |
| @@ -167,17 +166,7 @@ in | |||
| 167 | }; | 166 | }; |
| 168 | 167 | ||
| 169 | config = { | 168 | config = { |
| 170 | networking = { | 169 | networking.firewall.allowedTCPPorts = [ 80 443 ]; |
| 171 | firewall = { | ||
| 172 | enable = true; | ||
| 173 | allowedTCPPorts = [ 80 443 ]; | ||
| 174 | }; | ||
| 175 | interfaces."eth0".ipv4.addresses = [ | ||
| 176 | # 176.9.151.89 declared in nixops -> infra / tools | ||
| 177 | { address = myconfig.ips.production; prefixLength = 32; } | ||
| 178 | { address = myconfig.ips.integration; prefixLength = 32; } | ||
| 179 | ]; | ||
| 180 | }; | ||
| 181 | 170 | ||
| 182 | nixpkgs.overlays = [ (self: super: rec { | 171 | nixpkgs.overlays = [ (self: super: rec { |
| 183 | php = php72; | 172 | php = php72; |