add certbot to cuirass

This commit is contained in:
Murphy 2024-12-09 11:21:09 -05:00
parent 5c9d155388
commit e0c62036ce
Signed by: freya
GPG key ID: 9FBC6FFD6D2DBF17


@ -7,8 +7,10 @@
(gnu services avahi) (gnu services avahi)
(gnu services mcron) (gnu services mcron)
(gnu services web) (gnu services web)
(gnu services certbot)
(gnu services databases) (gnu services databases)
(gnu services networking) (gnu services networking)
(guix modules)
(guix gexp) (guix gexp)
(gnu)) (gnu))
@ -42,6 +44,13 @@
#~(job "0 2 * * *" #~(job "0 2 * * *"
"herd restart cuirass-remote-worker")) "herd restart cuirass-remote-worker"))
;; Nginx deploy hook for certbot
(define %nginx-deploy-hook
(program-file
"nginx-deploy-hook"
#~(let ((pid (call-with-input-file "/var/run/nginx/pid" read)))
(kill pid SIGHUP))))
;; Curiass module filter ;; Curiass module filter
(define default-module-filter (define default-module-filter
(match-lambda (match-lambda
@ -93,69 +102,95 @@
-A INPUT -p tcp --dport 8080:8081 ! -s 127.0.0.1 -j REJECT -A INPUT -p tcp --dport 8080:8081 ! -s 127.0.0.1 -j REJECT
COMMIT COMMIT
")))) "))))
; certbot
(service certbot-service-type
(certbot-configuration
(certificates
(list
(certificate-configuration
(deploy-hook %nginx-deploy-hook)
(domains '("cuirass.in.freya.cat"
"substitutes.in.freya.cat")))))
(server "https://ca.in.freya.cat/acme/acme/directory")
(email "freya@freyacat.org")
(webroot "/srv/http")))
; nginx ; nginx
(service nginx-service-type (let* ((certificate "/etc/letsencrypt/live/cuirass.in.freya.cat/fullchain.pem")
(nginx-configuration (certificate-key "/etc/letsencrypt/live/cuirass.in.freya.cat/privkey.pem")
(upstream-blocks (bootstrapping (not (access? certificate F_OK))))
(list (service nginx-service-type
(nginx-upstream-configuration (nginx-configuration
(name "cuirass") (upstream-blocks
(servers (list "localhost:8081"))) (list
(nginx-upstream-configuration (nginx-upstream-configuration
(name "publish") (name "cuirass")
(servers (list "localhost:8080"))))) (servers (list "localhost:8081")))
(server-blocks (nginx-upstream-configuration
(list (name "publish")
(nginx-server-configuration (servers (list "localhost:8080")))))
(server-name '("cuirass.in.freya.cat")) (server-blocks
(listen '("80")) (list
(locations (nginx-server-configuration
(list (server-name '("cuirass.in.freya.cat"))
(nginx-location-configuration (listen (if bootstrapping
(uri "/") '("9090") ; allow default 80 server to handle .well-known
(body '("443 ssl")))
(list "proxy_pass http://cuirass;" (ssl-certificate (if bootstrapping #f certificate))
"proxy_set_header X-Forwarded-Proto https;")))))) (ssl-certificate-key (if bootstrapping #f certificate-key))
(nginx-server-configuration (locations
(server-name '("substitutes.in.freya.cat")) (list
(listen '("80")) (nginx-location-configuration
(raw-content '("rewrite ^//(.*)$ /$1 redirect;")) (uri "~ ^/admin")
(index (list "index.html")) (body
(locations (list "if ($ssl_client_verify != SUCCESS) { return 403; } proxy_pass http://cuirass;")))
(list (nginx-location-configuration
(nginx-location-configuration (uri "/")
(uri "/signing-key.pub") (body
(body '("proxy_pass http://publish;"))) (list "proxy_pass http://cuirass;"))))))
(nginx-location-configuration (nginx-server-configuration
(uri "/file/") (server-name '("substitutes.in.freya.cat"))
(body '("proxy_pass http://publish;"))) (listen (if bootstrapping
(nginx-location-configuration '("9090") ; allow default 80 server to handle .well-known
(uri "/log/") '("443 ssl")))
(body '("proxy_pass http://publish;"))) (ssl-certificate (if bootstrapping #f certificate))
(nginx-location-configuration (ssl-certificate-key (if bootstrapping #f certificate-key))
(uri "/nix-cache-info") (raw-content '("rewrite ^//(.*)$ /$1 redirect;"))
(body (list (index (list "index.html"))
"proxy_pass http://publish;" (locations
"proxy_hide_header Set-Cookie;"))) (list
(nginx-location-configuration (nginx-location-configuration
(uri "/nar/") (uri "/signing-key.pub")
(body (list (body '("proxy_pass http://publish;")))
"proxy_pass http://publish;" (nginx-location-configuration
"client_body_buffer_size 256k;" (uri "/file/")
;; Nars are already compressed. -> no perf change (body '("proxy_pass http://publish;")))
"gzip off;" (nginx-location-configuration
"proxy_pass_header Cache-Control;"))) (uri "/log/")
(nginx-location-configuration (body '("proxy_pass http://publish;")))
(uri "~ \\.narinfo$") (nginx-location-configuration
(body (uri "/nix-cache-info")
(list (body (list
"proxy_pass http://publish;" "proxy_pass http://publish;"
"client_body_buffer_size 128k;" "proxy_hide_header Set-Cookie;")))
"proxy_connect_timeout 2s;" (nginx-location-configuration
"proxy_read_timeout 2s;" (uri "/nar/")
"proxy_send_timeout 2s;" (body (list
"proxy_pass_header Cache-Control;" "proxy_pass http://publish;"
"proxy_ignore_client_abort on;")))))))))) "client_body_buffer_size 256k;"
;; Nars are already compressed. -> no perf change
"gzip off;"
"proxy_pass_header Cache-Control;")))
(nginx-location-configuration
(uri "~ \\.narinfo$")
(body
(list
"proxy_pass http://publish;"
"client_body_buffer_size 128k;"
"proxy_connect_timeout 2s;"
"proxy_read_timeout 2s;"
"proxy_send_timeout 2s;"
"proxy_pass_header Cache-Control;"
"proxy_ignore_client_abort on;")))))))))))
%base-freya-services)) %base-freya-services))
(swap-devices (list (swap-space (swap-devices (list (swap-space
(target (uuid (target (uuid
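Review bot: The new `~ ^/admin` location on the cuirass.in.freya.cat server block gates on `$ssl_client_verify`, but nothing in this hunk sets `ssl_verify_client` or `ssl_client_certificate` for that server; unless they are configured elsewhere, nginx leaves the variable at `NONE` and `/admin` answers 403 to every client, including ones presenting a valid certificate. If the client-certificate gate is meant to work, the server block needs something like `(raw-content (list "ssl_client_certificate <CLIENT-CA-PEM placeholder>;" "ssl_verify_client optional;"))`, where `optional` keeps `/` reachable without a client certificate while making the `/admin` check meaningful. A one-line comment above the location, such as `;; On the plain-HTTP 9090 bootstrapping listener $ssl_client_verify is empty, so /admin fails closed there`, would record that the bootstrapping path is intentionally blocked rather than broken. The enclosing service list begins before this hunk.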