add certbot to cuirass
parent
5c9d155388
commit
e0c62036ce
1 changed files with 97 additions and 62 deletions
|
@ -7,8 +7,10 @@
|
|||
(gnu services avahi)
|
||||
(gnu services mcron)
|
||||
(gnu services web)
|
||||
(gnu services certbot)
|
||||
(gnu services databases)
|
||||
(gnu services networking)
|
||||
(guix modules)
|
||||
(guix gexp)
|
||||
(gnu))
|
||||
|
||||
|
@ -42,6 +44,13 @@
|
|||
#~(job "0 2 * * *"
|
||||
"herd restart cuirass-remote-worker"))
|
||||
|
||||
;; Nginx deploy hook for certbot
|
||||
(define %nginx-deploy-hook
|
||||
(program-file
|
||||
"nginx-deploy-hook"
|
||||
#~(let ((pid (call-with-input-file "/var/run/nginx/pid" read)))
|
||||
(kill pid SIGHUP))))
|
||||
|
||||
;; Curiass module filter
|
||||
(define default-module-filter
|
||||
(match-lambda
|
||||
|
@ -93,7 +102,22 @@
|
|||
-A INPUT -p tcp --dport 8080:8081 ! -s 127.0.0.1 -j REJECT
|
||||
COMMIT
|
||||
"))))
|
||||
; certbot
|
||||
(service certbot-service-type
|
||||
(certbot-configuration
|
||||
(certificates
|
||||
(list
|
||||
(certificate-configuration
|
||||
(deploy-hook %nginx-deploy-hook)
|
||||
(domains '("cuirass.in.freya.cat"
|
||||
"substitutes.in.freya.cat")))))
|
||||
(server "https://ca.in.freya.cat/acme/acme/directory")
|
||||
(email "freya@freyacat.org")
|
||||
(webroot "/srv/http")))
|
||||
; nginx
|
||||
(let* ((certificate "/etc/letsencrypt/live/cuirass.in.freya.cat/fullchain.pem")
|
||||
(certificate-key "/etc/letsencrypt/live/cuirass.in.freya.cat/privkey.pem")
|
||||
(bootstrapping (not (access? certificate F_OK))))
|
||||
(service nginx-service-type
|
||||
(nginx-configuration
|
||||
(upstream-blocks
|
||||
|
@ -108,17 +132,28 @@ COMMIT
|
|||
(list
|
||||
(nginx-server-configuration
|
||||
(server-name '("cuirass.in.freya.cat"))
|
||||
(listen '("80"))
|
||||
(listen (if bootstrapping
|
||||
'("9090") ; allow default 80 server to handle .well-known
|
||||
'("443 ssl")))
|
||||
(ssl-certificate (if bootstrapping #f certificate))
|
||||
(ssl-certificate-key (if bootstrapping #f certificate-key))
|
||||
(locations
|
||||
(list
|
||||
(nginx-location-configuration
|
||||
(uri "~ ^/admin")
|
||||
(body
|
||||
(list "if ($ssl_client_verify != SUCCESS) { return 403; } proxy_pass http://cuirass;")))
|
||||
(nginx-location-configuration
|
||||
(uri "/")
|
||||
(body
|
||||
(list "proxy_pass http://cuirass;"
|
||||
"proxy_set_header X-Forwarded-Proto https;"))))))
|
||||
(list "proxy_pass http://cuirass;"))))))
|
||||
(nginx-server-configuration
|
||||
(server-name '("substitutes.in.freya.cat"))
|
||||
(listen '("80"))
|
||||
(listen (if bootstrapping
|
||||
'("9090") ; allow default 80 server to handle .well-known
|
||||
'("443 ssl")))
|
||||
(ssl-certificate (if bootstrapping #f certificate))
|
||||
(ssl-certificate-key (if bootstrapping #f certificate-key))
|
||||
(raw-content '("rewrite ^//(.*)$ /$1 redirect;"))
|
||||
(index (list "index.html"))
|
||||
(locations
|
||||
|
@ -155,7 +190,7 @@ COMMIT
|
|||
"proxy_read_timeout 2s;"
|
||||
"proxy_send_timeout 2s;"
|
||||
"proxy_pass_header Cache-Control;"
|
||||
"proxy_ignore_client_abort on;"))))))))))
|
||||
"proxy_ignore_client_abort on;")))))))))))
|
||||
%base-freya-services))
|
||||
(swap-devices (list (swap-space
|
||||
(target (uuid
|
||||
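Review bot: The `/admin` gate `if ($ssl_client_verify != SUCCESS) { return 403; }` only means something if the same server block also sets nginx's `ssl_verify_client` and `ssl_client_certificate`, and neither appears in this hunk; unless they are set in the unchanged part of the block, `$ssl_client_verify` is always `NONE` and the location fails closed for every client, which is safe but deserves a comment naming where client-certificate verification is configured. In the `bootstrapping` branch both server blocks listen on plain `9090` and still `proxy_pass http://cuirass`, while the visible iptables rule rejects only `8080:8081` from non-localhost, so the Cuirass UI appears reachable in clear text until the second reconfigure — consider adding 9090 to that REJECT rule or listening on `127.0.0.1:9090` instead. `bootstrapping` is computed with `access?` when the configuration is evaluated, i.e. on the machine running `guix system reconfigure` rather than on the target at boot, so a comment such as `;; evaluated at reconfigure time on the build host; a second reconfigure is needed once certbot has written the certificate` would make the two-step bootstrap explicit. The `proxy_set_header X-Forwarded-Proto https;` added to the cuirass `/` location is also sent in bootstrapping mode, where the client connection is not TLS; guarding it with the same `bootstrapping` test keeps the header truthful.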
|
|