From d68bb46bc6d04b450bb0bd995b4286f3d46b2557 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Isma=C3=ABl=20Bouya?= <ismael.bouya@normalesup.org>
Date: Sun, 7 Apr 2019 12:58:10 +0200
Subject: Add ipv6 to websites

This adds ipv6 to websites, and moves the ip address handling to
environment.

Fixes https://git.immae.eu/mantisbt/view.php?id=103
---
 nixops/modules/websites/default.nix | 43 ++++++++++++++-----------------------
 1 file changed, 16 insertions(+), 27 deletions(-)

(limited to 'nixops/modules/websites')

diff --git a/nixops/modules/websites/default.nix b/nixops/modules/websites/default.nix
index 14f2116..228966f 100644
--- a/nixops/modules/websites/default.nix
+++ b/nixops/modules/websites/default.nix
@@ -10,16 +10,14 @@ let
       sslServerKey = "/var/lib/acme/${vhostConf.certName}/key.pem";
       sslServerChain = "/var/lib/acme/${vhostConf.certName}/fullchain.pem";
       logFormat = "combinedVhost";
-      listen = [
-        { ip = cfg.ip;  port = 443; }
-      ];
+      listen = map (ip: { inherit ip; port = 443; }) cfg.ips;
       hostName = builtins.head vhostConf.hosts;
       serverAliases = builtins.tail vhostConf.hosts or [];
       documentRoot = vhostConf.root;
       extraConfig = builtins.concatStringsSep "\n" vhostConf.extraConfig;
     };
     nosslVhost = {
-      listen = [ { ip = cfg.ip; port = 80; } ];
+      listen = map (ip: { inherit ip; port = 80; }) cfg.ips;
       hostName = "nossl.immae.eu";
       enableSSL = false;
       logFormat = "combinedVhost";
@@ -36,7 +34,7 @@ let
         '';
     };
     redirectVhost = { # Should go last, catchall http -> https redirect
-      listen = [ { ip = cfg.ip; port = 80; } ];
+      listen = map (ip: { inherit ip; port = 80; }) cfg.ips;
       hostName = "redirectSSL";
       serverAliases = [ "*" ];
       enableSSL = false;
@@ -59,9 +57,7 @@ let
     };
   in rec {
     enable = true;
-    listen = [
-      { ip = cfg.ip;  port = 443; }
-    ];
+    listen = map (ip: { inherit ip; port = 443; }) cfg.ips;
     stateDir = "/run/httpd_${name}";
     logPerVirtualHost = true;
     multiProcessingModule = "worker";
@@ -74,12 +70,15 @@ let
       ++ (pkgs.lib.attrsets.mapAttrsToList (n: v: toVhost v) cfg.vhostConfs)
       ++ [ redirectVhost ];
   };
-  makeServiceOptions = name: ip: {
+  makeServiceOptions = name: {
     enable = lib.mkEnableOption "enable websites in ${name}";
-    ip = lib.mkOption {
-      type = lib.types.string;
-      default = ip;
-      description = "${name} ip to listen to";
+    ips = lib.mkOption {
+      type = lib.types.listOf lib.types.string;
+      default = let
+        ips = myconfig.env.servers.eldiron.ips.${name};
+      in
+        [ips.ip4] ++ (ips.ip6 or []);
+      description = "${name} ips to listen to";
     };
     modules = lib.mkOption {
       type = lib.types.listOf (lib.types.str);
@@ -143,9 +142,9 @@ in
   ];
 
   options.services.myWebsites = {
-    production = makeServiceOptions "production" myconfig.ips.production;
-    integration = makeServiceOptions "integration" myconfig.ips.integration;
-    tools = makeServiceOptions "tools" myconfig.ips.main;
+    production = makeServiceOptions "production";
+    integration = makeServiceOptions "integration";
+    tools = makeServiceOptions "main";
 
     apacheConfig = lib.mkOption {
       type = lib.types.attrsOf (lib.types.submodule {
@@ -167,17 +166,7 @@ in
   };
 
   config = {
-    networking = {
-      firewall = {
-        enable = true;
-        allowedTCPPorts = [ 80 443 ];
-      };
-      interfaces."eth0".ipv4.addresses = [
-        # 176.9.151.89 declared in nixops -> infra / tools
-        { address = myconfig.ips.production; prefixLength = 32; }
-        { address = myconfig.ips.integration; prefixLength = 32; }
-      ];
-    };
+    networking.firewall.allowedTCPPorts = [ 80 443 ];
 
     nixpkgs.overlays = [ (self: super: rec {
       php = php72;
-- 
cgit v1.2.3