Gabriel Ebner 2016-04-24 16:57:31 +02:00
commit 4bb542695d
4 changed files with 57 additions and 36 deletions

@ -109,8 +109,8 @@
name = "idea-community-${version}"; name = "idea-community-${version}";
version = "2016.1.eap"; version = "2016.1.eap";
src = pkgs.fetchurl { src = pkgs.fetchurl {
url = "https://download.jetbrains.com/idea/ideaIC-145.844.1-no-jdk.tar.gz"; url = "https://download.jetbrains.com/idea/ideaIC-145.969.6-no-jdk.tar.gz";
sha256 = "fff7641713037645b6b287069c9a0cc5d35285d4960f5cb3a45bf93b473fee7e"; sha256 = "b9d0abc4cc7a5e2ee019028335dfd096da2587ed8165d30871cb00a8592148cc";
}; };
}); });

46
mastus/blog.nix Normal file

@ -0,0 +1,46 @@
{ config, pkgs, ... }:
{
services.nginx.httpConfig = ''
server {
listen [::]:443;
listen 443;
server_name gabrielebner.at www.gabrielebner.at 2b7e.org www.2b7e.org www.gebner.org;
ssl on;
ssl_certificate_key /etc/sslcerts/key.pem;
ssl_certificate /etc/sslcerts/fullchain.pem;
ssl_dhparam /etc/nginx/dhparam.pem;
ssl_protocols TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
ssl_prefer_server_ciphers on;
add_header Strict-Transport-Security max-age=15768000;
ssl_stapling on;
ssl_stapling_verify on;
location / {
rewrite ^(.*) https://gebner.org$1 permanent;
}
}
server {
listen [::]:443;
listen 443;
server_name gebner.org;
ssl on;
ssl_certificate_key /etc/sslcerts/key.pem;
ssl_certificate /etc/sslcerts/fullchain.pem;
ssl_dhparam /etc/nginx/dhparam.pem;
ssl_protocols TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
ssl_prefer_server_ciphers on;
add_header Strict-Transport-Security max-age=15768000;
ssl_stapling on;
ssl_stapling_verify on;
root /srv/www.gebner.org;
error_page 404 403 /pages/404.html;
}
'';
}
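Review bot: The two server blocks carry byte-identical copies of the TLS policy (certificate paths, `ssl_protocols`, the long `ssl_ciphers` list, HSTS, stapling), so any later hardening has to be applied twice and the copies will drift; hoist them into a `let` binding and interpolate it into both blocks, as sketched below. While doing so, drop `TLSv1.1` from `ssl_protocols`: none of the listed suites needs it (the GCM, SHA256 and SHA384 suites are TLS 1.2-only and the remaining CBC suites negotiate over 1.2 as well), and TLS 1.1 has since been formally deprecated by RFC 8996, though whether 1.1-only clients still matter for these hosts is the author's call. `ssl_stapling on` additionally requires a `resolver` directive in the http context to look up the OCSP responder; without one nginx reports "no resolver defined" and sends no staple, so stapling is silently inactive here. It is also worth a comment that `/etc/sslcerts/fullchain.pem` is, per the createSSLKeys change in this commit, issued by a locally generated easyrsa CA that has no OCSP responder, so the stapling directives only become meaningful once letsencrypt.nix (presumably) replaces those files.
```nix
{ config, pkgs, ... }:
let
  # TLS settings shared by every vhost; change the policy here, not per server block.
  tlsConfig = ''
    ssl_certificate_key /etc/sslcerts/key.pem;
    ssl_certificate /etc/sslcerts/fullchain.pem;
    ssl_dhparam /etc/nginx/dhparam.pem;
    ssl_protocols TLSv1.2;
    # … unchanged: ssl_ciphers list …
    ssl_prefer_server_ciphers on;
    add_header Strict-Transport-Security max-age=15768000;
    ssl_stapling on;
    ssl_stapling_verify on;
  '';
in
{
  services.nginx.httpConfig = ''
    server {
      # … unchanged: listen / server_name …
      ssl on;
      ${tlsConfig}
      # … unchanged: redirect location …
    }
    server {
      # … unchanged: listen / server_name …
      ssl on;
      ${tlsConfig}
      # … unchanged: root / error_page …
    }
  '';
}
```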

@ -11,6 +11,7 @@
./www.nix ./www.nix
./gogs.nix ./gogs.nix
./letsencrypt.nix ./letsencrypt.nix
./blog.nix
]; ];
boot.loader.grub.enable = true; boot.loader.grub.enable = true;

@ -16,48 +16,22 @@ let
}; };
script = '' script = ''
rm -rf /etc/sslcerts rm -rf /etc/sslcerts
mkdir -p /etc/sslcerts/keys mkdir -p /etc/sslcerts
cd /etc/sslcerts cd /etc/sslcerts
# export PKCS11TOOL="pkcs11-tool" easyrsa-init
export KEY_CONFIG=`${pkgs.easyrsa}/share/easy-rsa/whichopensslcnf ${pkgs.easyrsa}/share/easy-rsa/` easyrsa init-pki
export KEY_DIR="$PWD/keys" easyrsa --batch --req-cn=testing.gebner.org build-ca nopass
easyrsa --req-cn=gebner.org build-server-full gebner_org nopass
# PKCS11 fixes cat pki/issued/gebner_org.crt pki/ca.crt >fullchain.pem
# export PKCS11_MODULE_PATH="dummy" cp pki/private/gebner_org.key key.pem
# export PKCS11_PIN="dummy"
export KEY_SIZE=1024
export CA_EXPIRE=3650
export KEY_EXPIRE=3650
export KEY_COUNTRY="AT"
export KEY_PROVINCE="AT"
export KEY_CITY="Vienna"
export KEY_ORG="Gabriel"
export KEY_EMAIL="testing@gebner.org"
export KEY_CN=testing.gebner.org
export KEY_NAME=testing.gebner.org
export KEY_OU=testing
# export PKCS11_MODULE_PATH=changeme
# export PKCS11_PIN=1234
clean-all
build-dh
pkitool --initca
KEY_CN=gebner.org pkitool --server gebner_org
cat keys/gebner_org.crt keys/ca.crt >fullchain.pem
cp keys/gebner_org.key key.pem
cp key.pem key-dovecot.pem && chown dovecot2 key-dovecot.pem cp key.pem key-dovecot.pem && chown dovecot2 key-dovecot.pem
''; '';
}; };
systemd.services.setupVM = rec { systemd.services.setupVM = rec {
wantedBy = [ "gogs.service" "dovecot2.service" ]; wantedBy = [ "gogs.service" "dovecot2.service" "nginx.service" ];
before = wantedBy; before = wantedBy;
wants = [ "createSSLKeys.service" ]; wants = [ "createSSLKeys.service" ];
serviceConfig = { serviceConfig = {
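Review bot: `build-server-full` on the new line `easyrsa --req-cn=gebner.org build-server-full gebner_org nopass` is not run with `--batch`, while the preceding `build-ca` call is; unless `easyrsa-init` (defined outside the hunk, presumably in the enclosing `let`) exports `EASYRSA_BATCH`, the sign-req confirmation prompt reads EOF from systemd's stdin and the script aborts before `fullchain.pem` exists, so make both calls consistent: `easyrsa --batch --req-cn=gebner.org build-server-full gebner_org nopass`. The script also leaves the passphrase-less CA key under `/etc/sslcerts/pki/private/` next to the material nginx and dovecot read; once the leaf is issued nothing here needs it, so removing the `pki` directory at the end (`rm -rf pki`) keeps only `fullchain.pem` and `key.pem` on disk. An explicit `chmod 600 key.pem key-dovecot.pem` after the copies would additionally make the intended permissions visible in the file instead of relying on the mode easyrsa gave the source key. The enclosing `systemd.services` attribute set begins before this hunk.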