SSL-ify ingress

Signed-off-by: Magic_RB <magic_rb@redalder.org>
Magic_RB 2021-05-14 00:04:14 +02:00
parent 2de30a1e88
commit 25738be7c4
No known key found for this signature in database
GPG key ID: 08D5287CC5DDCA0E
4 changed files with 126 additions and 26 deletions


@ -2,7 +2,7 @@ nglib:
(nglib "x86_64-linux").makeSystem {
system = "x86_64-linux";
name = "nixng-ingress";
config = ({ pkgs, config, ... }:
config = ({ pkgs, config, nglib, ... }:
let
ids = config.ids;
in
@ -43,6 +43,24 @@ nglib:
init.services.nginx = {
shutdownOnExit = true;
};
services.certbot = {
enable = true;
acceptTerms = true;
domains = {
"redalder.org" = {
extraDomains = [
"hydra.redalder.org"
"gitea.redalder.org"
"nixng.org"
];
webroot = "/var/www/certbot";
email = "admin@redalder.org";
extraOptions = "--expand --keep-until-expiring --renew-with-new-domains";
};
};
};
services.nginx = {
enable = true;
envsubst = true;
@ -58,7 +76,6 @@ nglib:
};
error_log = [ "/dev/stderr" "warn" ];
access_log = [ "/dev/stdout" "combined" ];
pid = "/nginx.pid";
@ -69,6 +86,16 @@ nglib:
[ "/local/upstreams.conf" ]
];
charset = "utf-8";
access_log = [ "/dev/stdout" "combined" ];
server."" = {
listen = "80";
server_name = "_";
location."/" = {
return = [ "301" "https://$host$request_uri" ];
};
};
};
}
];
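Review bot: The catch-all `server.""` added in the second hunk answers every plain-HTTP request with a 301 to https, but nothing visible serves the certbot `webroot = "/var/www/certbot"`, so http-01 validation for `redalder.org` and its extraDomains depends on the redirect target handing the challenge file back. If the nginx module maps attribute names to directives the way it does for `return`, a location placed ahead of the redirect such as `location."/.well-known/acme-challenge/" = { root = "/var/www/certbot"; };` keeps validation on port 80 and independent of the TLS listener, which matters on first issuance when no certificate exists yet. Note also that the named servers in the job's upstreams template still carry `listen 80;`, and nginx matches those hostnames before the `_` default, so the redirect is presumably never reached for gitea.redalder.org, hydra.redalder.org or redalder.org; this is inferred, since the generated config is not shown. The services.nginx block continues outside the hunk.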


@ -21,11 +21,11 @@
"nixpkgs": "nixpkgs"
},
"locked": {
"lastModified": 1620819154,
"narHash": "sha256-4XjEBhhgMSv1yCWNdiv1Uz0F4QEVbBFKiXM0PRhuJYM=",
"lastModified": 1620941842,
"narHash": "sha256-y8Y9LE7GkAVwtYNdf8kcosHXeD4qNA0AFWGsgMztjx8=",
"ref": "master",
"rev": "e96649fd984f0b7b3bdb3d797ff9ca56448f1521",
"revCount": 76,
"rev": "d5146db73cfd31712950608560a387ad71243cee",
"revCount": 82,
"type": "git",
"url": "https://gitea.redalder.org/Magic_RB/NixNG"
},


@ -0,0 +1,15 @@
type = "csi"
id = "ingress-letsencrypt"
name = "ingress-letsencrypt"
plugin_id = "nfs"
access_mode = "single-node-writer"
attachment_mode = "file-system"
context {
server = "blowhole.in.redalder.org"
share = "/ingress-letsencrypt"
}
mount_options {
fs_type = "nfs"
}
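Review bot: This volume is mounted by the job at `/etc/letsencrypt` with `read_only = false`, so the ACME account key and `privkey.pem` for redalder.org will live on the NFS export `blowhole.in.redalder.org:/ingress-letsencrypt`; with only `fs_type = "nfs"` in `mount_options`, the mount presumably falls back to the default `sec=sys` flavour, where the server trusts client address and uid rather than any credential, and the key crosses the network in clear on every read. Worth confirming the export is restricted server-side to the ingress host and, if the server supports it, adding `mount_flags = ["sec=krb5p"]` under `mount_options`. A short comment above `context` naming what the share holds would help the next reader, e.g. `# backs /etc/letsencrypt for the ingress job: ACME account + TLS private keys`.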


@ -10,11 +10,24 @@ job "ingress" {
group "ingress" {
count = 1
volume "ingress-letsencrypt" {
type = "csi"
source = "ingress-letsencrypt"
read_only = false
}
network {
port "http" {
static = "8080"
host_network = "wg"
to = "80"
}
port "https" {
static = "8443"
host_network = "wg"
to = "443"
}
}
service {
@ -25,9 +38,56 @@ job "ingress" {
task "nginx" {
driver = "docker"
volume_mount {
volume = "ingress-letsencrypt"
destination = "/etc/letsencrypt"
read_only = false
}
config {
image = "nixng-ingress:local"
ports = ["http"]
ports = ["http", "https"]
}
template {
data = <<EOF
ssl_certificate_key /etc/letsencrypt/live/redalder.org/privkey.pem;
ssl_certificate /etc/letsencrypt/live/redalder.org/fullchain.pem;
ssl_session_cache shared:le_nginx_SSL:10m;
ssl_session_timeout 1440m;
ssl_session_tickets off;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;
ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
EOF
destination = "local/ssl.conf"
change_mode = "signal"
change_signal = "SIGHUP"
}
template {
data = <<EOF
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
EOF
destination = "local/headers.conf"
change_mode = "signal"
change_signal = "SIGHUP"
}
template {
data = <<EOF
add_header X-Frame-Options "SAMEORIGIN";
add_header Content-Security-Policy "default-src 'self' http: https: data: blob: 'unsafe-inline'" always;
EOF
destination = "local/security.conf"
change_mode = "signal"
change_signal = "SIGHUP"
}
template {
@ -61,60 +121,58 @@ upstream website {
}
server {
listen 80;
listen 443 ssl;
server_name _;
include /local/ssl.conf;
return 404;
}
server {
listen 80;
listen 443 ssl;
server_name gitea.redalder.org;
add_header X-Frame-Options "SAMEORIGIN";
add_header Content-Security-Policy "default-src 'self' http: https: data: blob: 'unsafe-inline'" always;
include /local/security.conf;
include /local/ssl.conf;
location / {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
include /local/headers.conf;
proxy_pass http://gitea;
}
}
server {
listen 80;
listen 443 ssl;
server_name hydra.redalder.org;
add_header X-Frame-Options "SAMEORIGIN";
add_header Content-Security-Policy "default-src 'self' http: https: data: blob: 'unsafe-inline'" always;
include /local/security.conf;
include /local/ssl.conf;
location / {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
include /local/headers.conf;
proxy_pass http://hydra;
}
}
server {
listen 80;
listen 443 ssl;
server_name redalder.org;
server_name redalder.org nixng.org;
add_header X-Frame-Options "SAMEORIGIN";
add_header Content-Security-Policy "default-src 'self' http: https: data: blob: 'unsafe-inline'" always;
include /local/security.conf;
include /local/ssl.conf;
location /nextcloud/ {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
include /local/headers.conf;
proxy_pass http://nextcloud/;
}
location / {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
include /local/headers.conf;
proxy_pass http://website;
}
}