add certbot to cuirass

This commit is contained in:
Murphy 2024-12-09 11:21:09 -05:00
parent 5c9d155388
commit e0c62036ce
Signed by: freya
GPG key ID: 9FBC6FFD6D2DBF17


@ -7,8 +7,10 @@
(gnu services avahi)
(gnu services mcron)
(gnu services web)
(gnu services certbot)
(gnu services databases)
(gnu services networking)
(guix modules)
(guix gexp)
(gnu))
@ -42,6 +44,13 @@
#~(job "0 2 * * *"
"herd restart cuirass-remote-worker"))
;; Nginx deploy hook for certbot
(define %nginx-deploy-hook
(program-file
"nginx-deploy-hook"
#~(let ((pid (call-with-input-file "/var/run/nginx/pid" read)))
(kill pid SIGHUP))))
;; Curiass module filter
(define default-module-filter
(match-lambda
@ -93,69 +102,95 @@
-A INPUT -p tcp --dport 8080:8081 ! -s 127.0.0.1 -j REJECT
COMMIT
"))))
; certbot
(service certbot-service-type
(certbot-configuration
(certificates
(list
(certificate-configuration
(deploy-hook %nginx-deploy-hook)
(domains '("cuirass.in.freya.cat"
"substitutes.in.freya.cat")))))
(server "https://ca.in.freya.cat/acme/acme/directory")
(email "freya@freyacat.org")
(webroot "/srv/http")))
; nginx
(service nginx-service-type
(nginx-configuration
(upstream-blocks
(list
(nginx-upstream-configuration
(name "cuirass")
(servers (list "localhost:8081")))
(nginx-upstream-configuration
(name "publish")
(servers (list "localhost:8080")))))
(server-blocks
(list
(nginx-server-configuration
(server-name '("cuirass.in.freya.cat"))
(listen '("80"))
(locations
(list
(nginx-location-configuration
(uri "/")
(body
(list "proxy_pass http://cuirass;"
"proxy_set_header X-Forwarded-Proto https;"))))))
(nginx-server-configuration
(server-name '("substitutes.in.freya.cat"))
(listen '("80"))
(raw-content '("rewrite ^//(.*)$ /$1 redirect;"))
(index (list "index.html"))
(locations
(list
(nginx-location-configuration
(uri "/signing-key.pub")
(body '("proxy_pass http://publish;")))
(nginx-location-configuration
(uri "/file/")
(body '("proxy_pass http://publish;")))
(nginx-location-configuration
(uri "/log/")
(body '("proxy_pass http://publish;")))
(nginx-location-configuration
(uri "/nix-cache-info")
(body (list
"proxy_pass http://publish;"
"proxy_hide_header Set-Cookie;")))
(nginx-location-configuration
(uri "/nar/")
(body (list
"proxy_pass http://publish;"
"client_body_buffer_size 256k;"
;; Nars are already compressed. -> no perf change
"gzip off;"
"proxy_pass_header Cache-Control;")))
(nginx-location-configuration
(uri "~ \\.narinfo$")
(body
(list
"proxy_pass http://publish;"
"client_body_buffer_size 128k;"
"proxy_connect_timeout 2s;"
"proxy_read_timeout 2s;"
"proxy_send_timeout 2s;"
"proxy_pass_header Cache-Control;"
"proxy_ignore_client_abort on;"))))))))))
(let* ((certificate "/etc/letsencrypt/live/cuirass.in.freya.cat/fullchain.pem")
(certificate-key "/etc/letsencrypt/live/cuirass.in.freya.cat/privkey.pem")
(bootstrapping (not (access? certificate F_OK))))
(service nginx-service-type
(nginx-configuration
(upstream-blocks
(list
(nginx-upstream-configuration
(name "cuirass")
(servers (list "localhost:8081")))
(nginx-upstream-configuration
(name "publish")
(servers (list "localhost:8080")))))
(server-blocks
(list
(nginx-server-configuration
(server-name '("cuirass.in.freya.cat"))
(listen (if bootstrapping
'("9090") ; allow default 80 server to handle .well-known
'("443 ssl")))
(ssl-certificate (if bootstrapping #f certificate))
(ssl-certificate-key (if bootstrapping #f certificate-key))
(locations
(list
(nginx-location-configuration
(uri "~ ^/admin")
(body
(list "if ($ssl_client_verify != SUCCESS) { return 403; } proxy_pass http://cuirass;")))
(nginx-location-configuration
(uri "/")
(body
(list "proxy_pass http://cuirass;"))))))
(nginx-server-configuration
(server-name '("substitutes.in.freya.cat"))
(listen (if bootstrapping
'("9090") ; allow default 80 server to handle .well-known
'("443 ssl")))
(ssl-certificate (if bootstrapping #f certificate))
(ssl-certificate-key (if bootstrapping #f certificate-key))
(raw-content '("rewrite ^//(.*)$ /$1 redirect;"))
(index (list "index.html"))
(locations
(list
(nginx-location-configuration
(uri "/signing-key.pub")
(body '("proxy_pass http://publish;")))
(nginx-location-configuration
(uri "/file/")
(body '("proxy_pass http://publish;")))
(nginx-location-configuration
(uri "/log/")
(body '("proxy_pass http://publish;")))
(nginx-location-configuration
(uri "/nix-cache-info")
(body (list
"proxy_pass http://publish;"
"proxy_hide_header Set-Cookie;")))
(nginx-location-configuration
(uri "/nar/")
(body (list
"proxy_pass http://publish;"
"client_body_buffer_size 256k;"
;; Nars are already compressed. -> no perf change
"gzip off;"
"proxy_pass_header Cache-Control;")))
(nginx-location-configuration
(uri "~ \\.narinfo$")
(body
(list
"proxy_pass http://publish;"
"client_body_buffer_size 128k;"
"proxy_connect_timeout 2s;"
"proxy_read_timeout 2s;"
"proxy_send_timeout 2s;"
"proxy_pass_header Cache-Control;"
"proxy_ignore_client_abort on;")))))))))))
%base-freya-services))
(swap-devices (list (swap-space
(target (uuid
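Review bot: The `/admin` guard in the new `~ ^/admin` location (`if ($ssl_client_verify != SUCCESS) { return 403; }`) only works if nginx client-certificate verification is enabled for that server, but nothing in the new `cuirass.in.freya.cat` server block sets `ssl_verify_client` or `ssl_client_certificate`; unless those directives come from a part of the file outside this hunk, `$ssl_client_verify` never equals `SUCCESS` and `/admin` answers 403 to every client, administrators included. Adding them to that server block, e.g. `(raw-content '("ssl_client_certificate <path-to-client-ca.pem>;" "ssl_verify_client optional;"))`, makes the check meaningful, with `optional` keeping the other locations reachable without a client certificate; during the plain-HTTP bootstrapping phase on 9090 the variable is empty, so the lock-out is at least fail-closed there. Separately, the new `/` location drops the `proxy_set_header X-Forwarded-Proto https;` that the removed block sent, so Cuirass behind the TLS listener no longer learns the original scheme; restoring that line in the 443 configuration is worth considering if it relies on the header for absolute URLs. Note too that `bootstrapping` is decided by `(access? certificate F_OK)` at the moment the configuration is evaluated, so a second reconfigure is required after certbot has written the certificate before the 443 listeners take effect — a short comment on the `let*` saying so would help the next operator.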