nixbld: remove obsolete ACME workaround

force-ssl-main-website
Sebastien Bourdeauducq 2022-07-04 16:22:40 +08:00
parent 328a85c504
commit 048863593a
1 changed files with 14 additions and 37 deletions


@ -543,29 +543,7 @@ in
security.acme.acceptTerms = true;
security.acme.defaults.email = "sb" + "@m-labs.hk";
security.acme.certs = {
"nixbld.m-labs.hk" = {
group = "nginx";
webroot = "/var/lib/acme/acme-challenge";
extraDomainNames = [
"m-labs.hk"
"www.m-labs.hk"
"conda.m-labs.hk"
"lab.m-labs.hk"
"git.m-labs.hk"
"chat.m-labs.hk"
"hooks.m-labs.hk"
"forum.m-labs.hk"
"perso.m-labs.hk"
"call.m-labs.hk"
"rt.m-labs.hk"
"nmigen.org"
"www.nmigen.org"
"m-labs.science"
"www.m-labs.science"
];
};
};
# https://github.com/NixOS/nixpkgs/issues/106862
systemd.services."acme-fixperms".wants = [ "bind.service" "dnsmasq.service" ];
systemd.services."acme-fixperms".after = [ "bind.service" "dnsmasq.service" ];
@ -576,7 +554,7 @@ in
virtualHosts = let
mainWebsite = {
addSSL = true;
useACMEHost = "nixbld.m-labs.hk";
enableACME = true;
root = "${hydraWwwOutputs}/web";
extraConfig = ''
error_page 404 /404.html;
@ -655,7 +633,7 @@ in
"www.m-labs.science" = mainWebsite;
"lab.m-labs.hk" = {
forceSSL = true;
useACMEHost = "nixbld.m-labs.hk";
enableACME = true;
locations."/munin/".alias = "/var/www/munin/";
locations."/munin".extraConfig = ''
auth_basic "Munin";
@ -670,12 +648,12 @@ in
};
"nixbld.m-labs.hk" = {
forceSSL = true;
useACMEHost = "nixbld.m-labs.hk";
enableACME = true;
locations."/".proxyPass = "http://127.0.0.1:3000";
};
"conda.m-labs.hk" = {
forceSSL = true;
useACMEHost = "nixbld.m-labs.hk";
enableACME = true;
locations."/artiq-beta/" = {
alias = "${hydraWwwOutputs}/artiq-conda-channel-beta/";
extraConfig = ''
@ -707,7 +685,7 @@ in
};
"git.m-labs.hk" = {
forceSSL = true;
useACMEHost = "nixbld.m-labs.hk";
enableACME = true;
locations."/".proxyPass = "http://127.0.0.1:3001";
extraConfig = ''
client_max_body_size 300M;
@ -715,14 +693,14 @@ in
};
"chat.m-labs.hk" = {
forceSSL = true;
useACMEHost = "nixbld.m-labs.hk";
enableACME = true;
locations."/".proxyPass = "http://127.0.0.1:8065";
locations."~ /api/v[0-9]+/(users/)?websocket$".proxyPass = "http://127.0.0.1:8065";
locations."~ /api/v[0-9]+/(users/)?websocket$".proxyWebsockets = true;
};
"hooks.m-labs.hk" = {
forceSSL = true;
useACMEHost = "nixbld.m-labs.hk";
enableACME = true;
locations."/mattermost-github".extraConfig = ''
include ${pkgs.nginx}/conf/uwsgi_params;
uwsgi_pass unix:${config.services.uwsgi.runDir}/uwsgi-mgi.sock;
@ -734,7 +712,7 @@ in
};
"forum.m-labs.hk" = {
forceSSL = true;
useACMEHost = "nixbld.m-labs.hk";
enableACME = true;
root = "/var/www/flarum/public";
locations."~ \.php$".extraConfig = ''
fastcgi_pass unix:${config.services.phpfpm.pools.flarum.socket};
@ -746,18 +724,17 @@ in
'';
};
"call.m-labs.hk" = {
useACMEHost = "nixbld.m-labs.hk";
enableACME = false;
forceSSL = true;
enableACME = true;
};
"perso.m-labs.hk" = {
addSSL = true;
useACMEHost = "nixbld.m-labs.hk";
enableACME = true;
root = "/var/www/perso";
};
"rt.m-labs.hk" = {
forceSSL = true;
useACMEHost = "nixbld.m-labs.hk";
enableACME = true;
locations."/" = {
proxyPass = "http://127.0.0.1:4201";
extraConfig = ''
@ -779,14 +756,14 @@ in
};
"nmigen.org" = {
addSSL = true;
useACMEHost = "nixbld.m-labs.hk";
enableACME = true;
locations."/".extraConfig = ''
return 307 https://m-labs.hk/gateware/nmigen/;
'';
};
"www.nmigen.org" = {
addSSL = true;
useACMEHost = "nixbld.m-labs.hk";
enableACME = true;
locations."/".extraConfig = ''
return 307 https://m-labs.hk/gateware/nmigen/;
'';
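Review bot: `mainWebsite` (hunk at -576) and `"perso.m-labs.hk"` (hunk at -746) still carry `addSSL = true;`, so these hosts keep serving content over plain HTTP with no redirect, even though each now gets its own certificate through `enableACME = true;`. Unless a client genuinely needs cleartext access, change them to `forceSSL = true;`, as the other virtual hosts in this file already do; the NixOS nginx module still answers the HTTP-01 challenge path on port 80 in that mode. `"nmigen.org"` and `"www.nmigen.org"` also use `addSSL`, but they only return a 307 to an https URL, so the cleartext exposure there is limited to the first request. The bodies of `mainWebsite` and several other hosts continue outside the hunks shown, so this is judged only from the visible attributes.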