add certbot to cuirass
This commit is contained in:
parent
5c9d155388
commit
e0c62036ce
GPG key ID:
9FBC6FFD6D2DBF17
1 changed files with 97 additions and 62 deletions
|
|
@ -7,8 +7,10 @@
|
||||||
(gnu services avahi)
|
(gnu services avahi)
|
||||||
(gnu services mcron)
|
(gnu services mcron)
|
||||||
(gnu services web)
|
(gnu services web)
|
||||||
|
(gnu services certbot)
|
||||||
(gnu services databases)
|
(gnu services databases)
|
||||||
(gnu services networking)
|
(gnu services networking)
|
||||||
|
(guix modules)
|
||||||
(guix gexp)
|
(guix gexp)
|
||||||
(gnu))
|
(gnu))
|
||||||
|
|
||||||
|
|
@ -42,6 +44,13 @@
|
||||||
#~(job "0 2 * * *"
|
#~(job "0 2 * * *"
|
||||||
"herd restart cuirass-remote-worker"))
|
"herd restart cuirass-remote-worker"))
|
||||||
|
|
||||||
|
;; Nginx deploy hook for certbot
|
||||||
|
(define %nginx-deploy-hook
|
||||||
|
(program-file
|
||||||
|
"nginx-deploy-hook"
|
||||||
|
#~(let ((pid (call-with-input-file "/var/run/nginx/pid" read)))
|
||||||
|
(kill pid SIGHUP))))
|
||||||
|
|
||||||
;; Curiass module filter
|
;; Curiass module filter
|
||||||
(define default-module-filter
|
(define default-module-filter
|
||||||
(match-lambda
|
(match-lambda
|
||||||
|
|
@ -93,7 +102,22 @@
|
||||||
-A INPUT -p tcp --dport 8080:8081 ! -s 127.0.0.1 -j REJECT
|
-A INPUT -p tcp --dport 8080:8081 ! -s 127.0.0.1 -j REJECT
|
||||||
COMMIT
|
COMMIT
|
||||||
"))))
|
"))))
|
||||||
|
; certbot
|
||||||
|
(service certbot-service-type
|
||||||
|
(certbot-configuration
|
||||||
|
(certificates
|
||||||
|
(list
|
||||||
|
(certificate-configuration
|
||||||
|
(deploy-hook %nginx-deploy-hook)
|
||||||
|
(domains '("cuirass.in.freya.cat"
|
||||||
|
"substitutes.in.freya.cat")))))
|
||||||
|
(server "https://ca.in.freya.cat/acme/acme/directory")
|
||||||
|
(email "freya@freyacat.org")
|
||||||
|
(webroot "/srv/http")))
|
||||||
; nginx
|
; nginx
|
||||||
|
(let* ((certificate "/etc/letsencrypt/live/cuirass.in.freya.cat/fullchain.pem")
|
||||||
|
(certificate-key "/etc/letsencrypt/live/cuirass.in.freya.cat/privkey.pem")
|
||||||
|
(bootstrapping (not (access? certificate F_OK))))
|
||||||
(service nginx-service-type
|
(service nginx-service-type
|
||||||
(nginx-configuration
|
(nginx-configuration
|
||||||
(upstream-blocks
|
(upstream-blocks
|
||||||
|
|
@ -108,17 +132,28 @@ COMMIT
|
||||||
(list
|
(list
|
||||||
(nginx-server-configuration
|
(nginx-server-configuration
|
||||||
(server-name '("cuirass.in.freya.cat"))
|
(server-name '("cuirass.in.freya.cat"))
|
||||||
(listen '("80"))
|
(listen (if bootstrapping
|
||||||
|
'("9090") ; allow default 80 server to handle .well-known
|
||||||
|
'("443 ssl")))
|
||||||
|
(ssl-certificate (if bootstrapping #f certificate))
|
||||||
|
(ssl-certificate-key (if bootstrapping #f certificate-key))
|
||||||
(locations
|
(locations
|
||||||
(list
|
(list
|
||||||
|
(nginx-location-configuration
|
||||||
|
(uri "~ ^/admin")
|
||||||
|
(body
|
||||||
|
(list "if ($ssl_client_verify != SUCCESS) { return 403; } proxy_pass http://cuirass;")))
|
||||||
(nginx-location-configuration
|
(nginx-location-configuration
|
||||||
(uri "/")
|
(uri "/")
|
||||||
(body
|
(body
|
||||||
(list "proxy_pass http://cuirass;"
|
(list "proxy_pass http://cuirass;"))))))
|
||||||
"proxy_set_header X-Forwarded-Proto https;"))))))
|
|
||||||
(nginx-server-configuration
|
(nginx-server-configuration
|
||||||
(server-name '("substitutes.in.freya.cat"))
|
(server-name '("substitutes.in.freya.cat"))
|
||||||
(listen '("80"))
|
(listen (if bootstrapping
|
||||||
|
'("9090") ; allow default 80 server to handle .well-known
|
||||||
|
'("443 ssl")))
|
||||||
|
(ssl-certificate (if bootstrapping #f certificate))
|
||||||
|
(ssl-certificate-key (if bootstrapping #f certificate-key))
|
||||||
(raw-content '("rewrite ^//(.*)$ /$1 redirect;"))
|
(raw-content '("rewrite ^//(.*)$ /$1 redirect;"))
|
||||||
(index (list "index.html"))
|
(index (list "index.html"))
|
||||||
(locations
|
(locations
|
||||||
|
|
@ -155,7 +190,7 @@ COMMIT
|
||||||
"proxy_read_timeout 2s;"
|
"proxy_read_timeout 2s;"
|
||||||
"proxy_send_timeout 2s;"
|
"proxy_send_timeout 2s;"
|
||||||
"proxy_pass_header Cache-Control;"
|
"proxy_pass_header Cache-Control;"
|
||||||
"proxy_ignore_client_abort on;"))))))))))
|
"proxy_ignore_client_abort on;")))))))))))
|
||||||
%base-freya-services))
|
%base-freya-services))
|
||||||
(swap-devices (list (swap-space
|
(swap-devices (list (swap-space
|
||||||
(target (uuid
|
(target (uuid
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue