From 25738be7c4b9b60af86efe4543a1ab1321d1a72e Mon Sep 17 00:00:00 2001 From: Magic_RB Date: Fri, 14 May 2021 00:04:14 +0200 Subject: [PATCH] SSL-ify ingress Signed-off-by: Magic_RB --- containers/ingress.nix | 31 +++++- flake.lock | 8 +- .../ingress/ingress-letsencrypt.hcl | 15 +++ infrastructure/ingress/nomad.hcl | 98 +++++++++++++++---- 4 files changed, 126 insertions(+), 26 deletions(-) create mode 100644 infrastructure/ingress/ingress-letsencrypt.hcl
diff --git a/containers/ingress.nix b/containers/ingress.nix
index 788cb80..65b504b 100644
--- a/containers/ingress.nix
+++ b/containers/ingress.nix
@@ -2,7 +2,7 @@ nglib:
 (nglib "x86_64-linux").makeSystem {
 system = "x86_64-linux";
 name = "nixng-ingress";
- config = ({ pkgs, config, ... }:
+ config = ({ pkgs, config, nglib, ... }:
 let
 ids = config.ids;
 in
@@ -43,6 +43,24 @@ nglib:
 init.services.nginx = {
 shutdownOnExit = true;
 };
+ services.certbot = {
+ enable = true;
+
+ acceptTerms = true;
+
+ domains = {
+ "redalder.org" = {
+ extraDomains = [
+ "hydra.redalder.org"
+ "gitea.redalder.org"
+ "nixng.org"
+ ];
+ webroot = "/var/www/certbot";
+ email = "admin@redalder.org";
+ extraOptions = "--expand --keep-until-expiring --renew-with-new-domains";
+ };
+ };
+ };
 services.nginx = {
 enable = true;
 envsubst = true;
@@ -58,7 +76,6 @@ nglib:
 };
 error_log = [ "/dev/stderr" "warn" ];
- access_log = [ "/dev/stdout" "combined" ];
 pid = "/nginx.pid";
@@ -69,6 +86,16 @@ nglib:
 [ "/local/upstreams.conf" ]
 ];
 charset = "utf-8";
+ access_log = [ "/dev/stdout" "combined" ];
+
+ server."" = {
+ listen = "80";
+ server_name = "_";
+
+ location."/" = {
+ return = [ "301" "https://$host$request_uri" ];
+ };
+ };
 };
 }
 ];
diff --git a/flake.lock b/flake.lock
index 47ea0a8..e3a6a9d 100644
--- a/flake.lock
+++ b/flake.lock
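Review bot: The new catch-all `server.""` on port 80 redirects every path, including `/.well-known/acme-challenge/`, yet certbot is configured in webroot mode with `webroot = "/var/www/certbot"` and nothing in this diff serves that directory over plain HTTP. Let's Encrypt does follow a 301 to HTTPS, but that only works once a certificate already exists and the 443 server (not visible here, presumably in the Nomad template) serves the same webroot; first issuance and any outage of the TLS listener would then break validation. I would add an ACME location ahead of the redirect, `location."/.well-known/acme-challenge/" = { root = "/var/www/certbot"; };`, and note above the server block that the redirect must never swallow the challenge path. Also worth a short comment that `$host` in the redirect target is taken from the client's Host header, which is acceptable for a same-host redirect but is the usual reason a catch-all `server_name = "_"` gets paired with `$host` rather than a fixed name.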
@@ -21,11 +21,11 @@ "nixpkgs": "nixpkgs" }, "locked": { - "lastModified": 1620819154, - "narHash": "sha256-4XjEBhhgMSv1yCWNdiv1Uz0F4QEVbBFKiXM0PRhuJYM=", + "lastModified": 1620941842, + "narHash": "sha256-y8Y9LE7GkAVwtYNdf8kcosHXeD4qNA0AFWGsgMztjx8=", "ref": "master", - "rev": "e96649fd984f0b7b3bdb3d797ff9ca56448f1521", - "revCount": 76, + "rev": "d5146db73cfd31712950608560a387ad71243cee", + "revCount": 82, "type": "git", "url": "https://gitea.redalder.org/Magic_RB/NixNG" },
diff --git a/infrastructure/ingress/ingress-letsencrypt.hcl b/infrastructure/ingress/ingress-letsencrypt.hcl
new file mode 100644
index 0000000..7bf1df2
--- /dev/null
+++ b/infrastructure/ingress/ingress-letsencrypt.hcl
@@ -0,0 +1,15 @@
+type = "csi"
+id = "ingress-letsencrypt"
+name = "ingress-letsencrypt"
+plugin_id = "nfs"
+access_mode = "single-node-writer"
+attachment_mode = "file-system"
+
+context {
+ server = "blowhole.in.redalder.org"
+ share = "/ingress-letsencrypt"
+}
+
+mount_options {
+ fs_type = "nfs"
+}
diff --git a/infrastructure/ingress/nomad.hcl b/infrastructure/ingress/nomad.hcl
index 6acfdbd..bbebf42 100644
--- a/infrastructure/ingress/nomad.hcl
+++ b/infrastructure/ingress/nomad.hcl
@@ -10,11 +10,24 @@ job "ingress" {
 group "ingress" {
 count = 1
+ volume "ingress-letsencrypt" {
+ type = "csi"
+ source = "ingress-letsencrypt"
+ read_only = false
+ }
+
 network {
 port "http" {
 static = "8080"
+ host_network = "wg"
 to = "80"
 }
+
+ port "https" {
+ static = "8443"
+ host_network = "wg"
+ to = "443"
+ }
 }
 service {
@@ -25,9 +38,56 @@ job "ingress" {
 task "nginx" {
 driver = "docker"
+ volume_mount {
+ volume = "ingress-letsencrypt"
+ destination = "/etc/letsencrypt"
+ read_only = false
+ }
+
 config {
 image = "nixng-ingress:local"
- ports = ["http"]
+ ports = ["http", "https"]
+ }
+
+ template {
+ data = <
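Review bot: This volume will hold `/etc/letsencrypt`, i.e. the ACME account key and every issued domain private key, and `mount_options` pins only `fs_type = "nfs"` with no version or security flags; plain NFS carries that material in cleartext over the network and gates access on the export list and client UID rather than any credential. The share on `blowhole.in.redalder.org` should therefore be exported only to the ingress node(s) and, if the plugin honours them, the mount should pin a version and hard mount via `mount_flags`; whether the `nfs` CSI plugin accepts those flags is not visible here and needs checking. At minimum I would put a comment at the top of the file, `# backs /etc/letsencrypt: ACME account + domain private keys; keep the export restricted to the ingress host`, so the next person does not widen the export casually.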
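Review bot: The existing `http` port gains `host_network = "wg"` in the first nomad.hcl hunk, which moves the current 8080 listener off the default host network rather than merely adding HTTPS; if anything reaches the ingress over a non-wg interface today, this is a breaking change the commit message ("SSL-ify ingress") does not call out. The nginx side redirects to `https://$host$request_uri` on the default port 443, so presumably some edge in front of the `wg` network forwards 80->8080 and 443->8443, but nothing here documents that dependency. A comment on the `network` block such as `# both listeners are wg-only; the public edge must forward 80->8080 and 443->8443` would capture the intent, and the message should state that http is no longer bound on the default host network.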