nixbld: remove obsolete ACME workaround

force-ssl-main-website
Sebastien Bourdeauducq 2022-07-04 16:22:40 +08:00
parent 328a85c504
commit 048863593a
1 changed files with 14 additions and 37 deletions


@ -543,29 +543,7 @@ in
security.acme.acceptTerms = true; security.acme.acceptTerms = true;
security.acme.defaults.email = "sb" + "@m-labs.hk"; security.acme.defaults.email = "sb" + "@m-labs.hk";
security.acme.certs = {
"nixbld.m-labs.hk" = {
group = "nginx";
webroot = "/var/lib/acme/acme-challenge";
extraDomainNames = [
"m-labs.hk"
"www.m-labs.hk"
"conda.m-labs.hk"
"lab.m-labs.hk"
"git.m-labs.hk"
"chat.m-labs.hk"
"hooks.m-labs.hk"
"forum.m-labs.hk"
"perso.m-labs.hk"
"call.m-labs.hk"
"rt.m-labs.hk"
"nmigen.org"
"www.nmigen.org"
"m-labs.science"
"www.m-labs.science"
];
};
};
# https://github.com/NixOS/nixpkgs/issues/106862 # https://github.com/NixOS/nixpkgs/issues/106862
systemd.services."acme-fixperms".wants = [ "bind.service" "dnsmasq.service" ]; systemd.services."acme-fixperms".wants = [ "bind.service" "dnsmasq.service" ];
systemd.services."acme-fixperms".after = [ "bind.service" "dnsmasq.service" ]; systemd.services."acme-fixperms".after = [ "bind.service" "dnsmasq.service" ];
@ -576,7 +554,7 @@ in
virtualHosts = let virtualHosts = let
mainWebsite = { mainWebsite = {
addSSL = true; addSSL = true;
useACMEHost = "nixbld.m-labs.hk"; enableACME = true;
root = "${hydraWwwOutputs}/web"; root = "${hydraWwwOutputs}/web";
extraConfig = '' extraConfig = ''
error_page 404 /404.html; error_page 404 /404.html;
@ -655,7 +633,7 @@ in
"www.m-labs.science" = mainWebsite; "www.m-labs.science" = mainWebsite;
"lab.m-labs.hk" = { "lab.m-labs.hk" = {
forceSSL = true; forceSSL = true;
useACMEHost = "nixbld.m-labs.hk"; enableACME = true;
locations."/munin/".alias = "/var/www/munin/"; locations."/munin/".alias = "/var/www/munin/";
locations."/munin".extraConfig = '' locations."/munin".extraConfig = ''
auth_basic "Munin"; auth_basic "Munin";
@ -670,12 +648,12 @@ in
}; };
"nixbld.m-labs.hk" = { "nixbld.m-labs.hk" = {
forceSSL = true; forceSSL = true;
useACMEHost = "nixbld.m-labs.hk"; enableACME = true;
locations."/".proxyPass = "http://127.0.0.1:3000"; locations."/".proxyPass = "http://127.0.0.1:3000";
}; };
"conda.m-labs.hk" = { "conda.m-labs.hk" = {
forceSSL = true; forceSSL = true;
useACMEHost = "nixbld.m-labs.hk"; enableACME = true;
locations."/artiq-beta/" = { locations."/artiq-beta/" = {
alias = "${hydraWwwOutputs}/artiq-conda-channel-beta/"; alias = "${hydraWwwOutputs}/artiq-conda-channel-beta/";
extraConfig = '' extraConfig = ''
@ -707,7 +685,7 @@ in
}; };
"git.m-labs.hk" = { "git.m-labs.hk" = {
forceSSL = true; forceSSL = true;
useACMEHost = "nixbld.m-labs.hk"; enableACME = true;
locations."/".proxyPass = "http://127.0.0.1:3001"; locations."/".proxyPass = "http://127.0.0.1:3001";
extraConfig = '' extraConfig = ''
client_max_body_size 300M; client_max_body_size 300M;
@ -715,14 +693,14 @@ in
}; };
"chat.m-labs.hk" = { "chat.m-labs.hk" = {
forceSSL = true; forceSSL = true;
useACMEHost = "nixbld.m-labs.hk"; enableACME = true;
locations."/".proxyPass = "http://127.0.0.1:8065"; locations."/".proxyPass = "http://127.0.0.1:8065";
locations."~ /api/v[0-9]+/(users/)?websocket$".proxyPass = "http://127.0.0.1:8065"; locations."~ /api/v[0-9]+/(users/)?websocket$".proxyPass = "http://127.0.0.1:8065";
locations."~ /api/v[0-9]+/(users/)?websocket$".proxyWebsockets = true; locations."~ /api/v[0-9]+/(users/)?websocket$".proxyWebsockets = true;
}; };
"hooks.m-labs.hk" = { "hooks.m-labs.hk" = {
forceSSL = true; forceSSL = true;
useACMEHost = "nixbld.m-labs.hk"; enableACME = true;
locations."/mattermost-github".extraConfig = '' locations."/mattermost-github".extraConfig = ''
include ${pkgs.nginx}/conf/uwsgi_params; include ${pkgs.nginx}/conf/uwsgi_params;
uwsgi_pass unix:${config.services.uwsgi.runDir}/uwsgi-mgi.sock; uwsgi_pass unix:${config.services.uwsgi.runDir}/uwsgi-mgi.sock;
@ -734,7 +712,7 @@ in
}; };
"forum.m-labs.hk" = { "forum.m-labs.hk" = {
forceSSL = true; forceSSL = true;
useACMEHost = "nixbld.m-labs.hk"; enableACME = true;
root = "/var/www/flarum/public"; root = "/var/www/flarum/public";
locations."~ \.php$".extraConfig = '' locations."~ \.php$".extraConfig = ''
fastcgi_pass unix:${config.services.phpfpm.pools.flarum.socket}; fastcgi_pass unix:${config.services.phpfpm.pools.flarum.socket};
@ -746,18 +724,17 @@ in
''; '';
}; };
"call.m-labs.hk" = { "call.m-labs.hk" = {
useACMEHost = "nixbld.m-labs.hk";
enableACME = false;
forceSSL = true; forceSSL = true;
enableACME = true;
}; };
"perso.m-labs.hk" = { "perso.m-labs.hk" = {
addSSL = true; addSSL = true;
useACMEHost = "nixbld.m-labs.hk"; enableACME = true;
root = "/var/www/perso"; root = "/var/www/perso";
}; };
"rt.m-labs.hk" = { "rt.m-labs.hk" = {
forceSSL = true; forceSSL = true;
useACMEHost = "nixbld.m-labs.hk"; enableACME = true;
locations."/" = { locations."/" = {
proxyPass = "http://127.0.0.1:4201"; proxyPass = "http://127.0.0.1:4201";
extraConfig = '' extraConfig = ''
@ -779,14 +756,14 @@ in
}; };
"nmigen.org" = { "nmigen.org" = {
addSSL = true; addSSL = true;
useACMEHost = "nixbld.m-labs.hk"; enableACME = true;
locations."/".extraConfig = '' locations."/".extraConfig = ''
return 307 https://m-labs.hk/gateware/nmigen/; return 307 https://m-labs.hk/gateware/nmigen/;
''; '';
}; };
"www.nmigen.org" = { "www.nmigen.org" = {
addSSL = true; addSSL = true;
useACMEHost = "nixbld.m-labs.hk"; enableACME = true;
locations."/".extraConfig = '' locations."/".extraConfig = ''
return 307 https://m-labs.hk/gateware/nmigen/; return 307 https://m-labs.hk/gateware/nmigen/;
''; '';
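Review bot: Once the first hunk drops `extraDomainNames`, the certificate called `nixbld.m-labs.hk` still exists (the vhost of that name now sets `enableACME = true;`) but presumably covers only that one host. Anything outside these nginx vhosts that reads `config.security.acme.certs."nixbld.m-labs.hk".directory` for another name would then present a certificate whose names no longer match. No such consumer is visible in these hunks, so the rest of the file should be checked for references to that certificate before deploying. Separately, `mainWebsite`, `perso.m-labs.hk`, `nmigen.org` and `www.nmigen.org` keep `addSSL = true;`, which continues to serve plain HTTP alongside HTTPS; if that is not deliberate, `forceSSL = true;` would bring them in line with the other vhosts. Several of the attribute sets shown open or close outside the hunks, so this is based only on the visible lines.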