| author | makefu <github@syntax-fehler.de> | 2015-10-21 18:49:20 +0200 | 
|---|---|---|
| committer | makefu <github@syntax-fehler.de> | 2015-10-21 18:49:20 +0200 | 
| commit | 6eb195b0bc1b2ecd1a39c842da4d14d4837d98cc (patch) | |
| tree | 4c93b735d949659488cb022ef98fcbed984b0d91 | |
| parent | 34fd2ceb299d55b5edff124f86adf0883101197c (diff) | |
wry: is the new provider for paste.krebsco.de
| -rw-r--r-- | krebs/3modules/makefu/default.nix | 15 | ||||
| -rw-r--r-- | makefu/1systems/wry.nix | 73 | ||||
| -rw-r--r-- | makefu/2configs/bepasty-dual.nix | 52 | 
3 files changed, 104 insertions, 36 deletions
diff --git a/krebs/3modules/makefu/default.nix b/krebs/3modules/makefu/default.nix
index acc5d7dd2..6b3781b49 100644
--- a/krebs/3modules/makefu/default.nix
+++ b/krebs/3modules/makefu/default.nix
@@ -163,10 +163,11 @@ with import ../../4lib { inherit lib; };
       dc = "makefu"; #dc = "cac";
       extraZones = {
         "krebsco.de" = ''
-          wry            IN A ${head nets.internet.addrs4}
-          io             IN NS     wry.krebsco.de.
-          graphs         IN A ${head nets.internet.addrs4}
-          tinc           IN A ${head nets.internet.addrs4}
+          wry            IN A  ${head nets.internet.addrs4}
+          io             IN NS wry.krebsco.de.
+          graphs         IN A  ${head nets.internet.addrs4}
+          paste       60 IN A  ${head nets.internet.addrs4}
+          tinc           IN A  ${head nets.internet.addrs4}
           '';
       };
       nets = rec {
@@ -174,6 +175,7 @@ with import ../../4lib { inherit lib; };
           addrs4 = ["104.233.87.86"];
           aliases = [
             "wry.internet"
+            "paste.internet"
           ];
         };
         retiolum = {
@@ -182,6 +184,8 @@ with import ../../4lib { inherit lib; };
           addrs6 = ["42:6e1e:cc8a:7cef:827:f938:8c64:baad"];
           aliases = [
             "graphs.wry.retiolum"
+            "paste.wry.retiolum"
+            "paste.retiolum"
             "wry.retiolum"
           ];
           tinc.pubkey = ''
@@ -210,8 +214,7 @@ with import ../../4lib { inherit lib; };
         "krebsco.de" = ''
           omo               IN A      ${head nets.internet.addrs4}
           euer              IN A      ${head nets.internet.addrs4}
-          gum               IN A      ${head nets.internet.addrs4}
-          paste             IN A      ${head nets.internet.addrs4}'';
+          gum               IN A      ${head nets.internet.addrs4} '';
       };
       nets = {
         internet = {
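Review bot: The new `paste       60 IN A` record in the first hunk is the only record in this zone with an explicit TTL, and nothing says why 60 seconds was chosen (presumably so the name can be repointed quickly); a comment on the line above, such as `# paste: short TTL so the record can be moved without waiting on caches — raise once stable`, would keep the next editor from "aligning" it away. The last hunk removes `paste` from the second host's zone entry, so the name is now defined in exactly one place, which is the right direction; the space introduced before `'';` there looks accidental. Both `extraZones` blocks continue outside the hunks.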
diff --git a/makefu/1systems/wry.nix b/makefu/1systems/wry.nix
index a7ed93c43..63b1f47f7 100644
--- a/makefu/1systems/wry.nix
+++ b/makefu/1systems/wry.nix
@@ -1,59 +1,72 @@
 { config, lib, pkgs, ... }:
+with lib;
 let
-  ip = (lib.head config.krebs.build.host.nets.internet.addrs4);
+  external-ip = head config.krebs.build.host.nets.internet.addrs4;
+  internal-ip = head config.krebs.build.host.nets.retiolum.addrs4;
 in {
   imports = [
       # TODO: copy this config or move to krebs
       ../../tv/2configs/CAC-CentOS-7-64bit.nix
       ../2configs/base.nix
-      ../2configs/base-sources.nix
+      ../2configs/unstable-sources.nix
       ../2configs/tinc-basic-retiolum.nix
+      ../2configs/bepasty-dual.nix
+
       ../2configs/iodined.nix
       # Reaktor
       ../2configs/Reaktor/simpleExtend.nix
   ];
-  krebs.Reaktor.enable = true;
+  krebs.build = {
+    user = config.krebs.users.makefu;
+    target = "root@wry";
+    host = config.krebs.hosts.wry;
+  };
-  networking.firewall.allowPing = true;
-  networking.interfaces.enp2s1.ip4 = [
-  {
-    address = ip;
-    prefixLength = 24;
-  }
-  ];
-  networking.defaultGateway = "104.233.87.1";
-  networking.nameservers = [
-    "8.8.8.8"
-  ];
-  # based on ../../tv/2configs/CAC-Developer-2.nix
-  sound.enable = false;
-  # prepare graphs
-  nixpkgs.config.packageOverrides = pkgs: { tinc = pkgs.tinc_pre; };
+  krebs.Reaktor.enable = true;
+
+  # bepasty to listen only on the correct interfaces
+  krebs.bepasty.servers.internal.nginx.listen  = [ "${internal-ip}:80" ];
+  krebs.bepasty.servers.external.nginx.listen  = [ "${external-ip}:80" "${external-ip}:443 ssl" ];
+  # prepare graphs
   krebs.nginx.enable = true;
   krebs.retiolum-bootstrap.enable = true;
-  makefu.tinc_graphs.enable = true;
-  makefu.tinc_graphs.krebsNginx = {
+  nixpkgs.config.packageOverrides = pkgs: { tinc = pkgs.tinc_pre; };
+  makefu.tinc_graphs = {
     enable = true;
-    # TODO: remove hard-coded hostname
-    hostnames_complete  = [ "graphs.wry" ];
-    hostnames_anonymous = [ "graphs.krebsco.de" ];
+    nginx = {
+      enable = true;
+      # TODO: remove hard-coded hostname
+      complete = {
+        listen = [ "${internal-ip}:80" ];
+        server-names = [ "graphs.wry" ];
+      };
+      anonymous = {
+        listen = [ "${external-ip}:80" ] ;
+        server-names = [ "graphs.krebsco.de" ];
+      };
+    };
   };
-
-  networking.firewall.allowedTCPPorts = [ 53 80 443 ];
-
-  krebs.build = {
-    user = config.krebs.users.makefu;
-    target = "root@${ip}";
-    host = config.krebs.hosts.wry;
+  networking = {
+    firewall.allowPing = true;
+    firewall.allowedTCPPorts = [ 53 80 443 ];
+    interfaces.enp2s1.ip4 = [{
+      address = external-ip;
+      prefixLength = 24;
+    }];
+    defaultGateway = "104.233.87.1";
+    nameservers = [ "8.8.8.8" ];
   };
+
+  # based on ../../tv/2configs/CAC-Developer-2.nix
+  sound.enable = false;
 }
diff --git a/makefu/2configs/bepasty-dual.nix b/makefu/2configs/bepasty-dual.nix
new file mode 100644
index 000000000..fb170957a
--- /dev/null
+++ b/makefu/2configs/bepasty-dual.nix
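Review bot: The `# TODO: remove hard-coded hostname` comment survives the restructuring, yet `complete.server-names = [ "graphs.wry" ]` still hard-codes the name even though this same commit derives the internal paste name from `config.krebs.build.host.name` in bepasty-dual.nix; `server-names = [ "graphs.${config.krebs.build.host.name}" ];` would close the TODO and keep the two configs consistent. Replacing the `base-sources.nix` import with `unstable-sources.nix` changes which nixpkgs the whole host is built from, and nothing in the hunk records why; if it is needed for the bepasty module (presumed — confirm), a comment beside the import such as `# unstable: required for krebs.bepasty` documents that dependency. `listen = [ "${external-ip}:80" ] ;` carries a stray space before the semicolon.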
@@ -0,0 +1,52 @@
+{ config, lib, pkgs, ... }:
+
+# 1systems should configure itself:
+#   krebs.bepasty.servers.internal.nginx.listen  = [ "80" ]
+#   krebs.bepasty.servers.external.nginx.listen  = [ "80" "443 ssl" ]
+#     80 is redirected to 443 ssl
+
+# secrets used:
+#   wildcard.krebsco.de.crt
+#   wildcard.krebsco.de.key
+#   bepasty-secret.nix     <- contains single string
+
+with lib;
+{
+
+  krebs.nginx.enable = mkDefault true;
+  krebs.bepasty = {
+    enable = true;
+    serveNginx= true;
+
+    servers = {
+      internal = {
+        nginx = {
+          server-names = [ "paste.retiolum" "paste.${config.krebs.build.host.name}" ];
+        };
+        defaultPermissions = "admin,list,create,read,delete";
+        secretKey = import <secrets/bepasty-secret.nix>;
+      };
+
+      external = {
+        nginx = {
+          server-names = [ "paste.krebsco.de" ];
+          extraConfig = ''
+          ssl_session_cache    shared:SSL:1m;
+          ssl_session_timeout  10m;
+          ssl_certificate     /root/secrets/wildcard.krebsco.de.crt;
+          ssl_certificate_key /root/secrets/wildcard.krebsco.de.key;
+          ssl_verify_client off;
+          proxy_ssl_session_reuse off;
+          ssl_protocols        TLSv1 TLSv1.1 TLSv1.2;
+          ssl_ciphers RC4:HIGH:!aNULL:!MD5;
+          ssl_prefer_server_ciphers on;
+          if ($scheme = http){
+            return 301 https://$server_name$request_uri;
+          }'';
+        };
+        defaultPermissions = "read";
+        secretKey = import <secrets/bepasty-secret.nix>;
+      };
+    };
+  };
+}
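Review bot: `ssl_ciphers RC4:HIGH:!aNULL:!MD5;` in the external server's `extraConfig` lists RC4 first, and with `ssl_prefer_server_ciphers on` the server will pick it for every client that still offers it; RC4 is a broken stream cipher that RFC 7465 prohibits in TLS, so it belongs in the exclusion list rather than at the head of the preference list: `ssl_ciphers HIGH:!aNULL:!MD5:!RC4;`. Dropping `TLSv1` from `ssl_protocols` is worth considering at the same time, since nothing on the page shows a client that needs it. Both servers take `secretKey = import <secrets/bepasty-secret.nix>` at evaluation time; whether the `krebs.bepasty` module keeps that string out of the world-readable Nix store is not visible here and should be confirmed, and the `# secrets used:` header is the natural place to note the answer. The internal server grants `admin,list,create,read,delete` to every unauthenticated retiolum client, which looks intentional for a VPN-only listener; one line in the header comment stating that trust assumption would make it explicit for the next reader.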
