diff options
| author | Gregor Kleen <gkleen@yggdrasil.li> | 2016-04-26 15:20:25 +0200 |
|---|---|---|
| committer | Gregor Kleen <gkleen@yggdrasil.li> | 2016-04-26 15:20:25 +0200 |
| commit | 343b071a70f0e45730666dd5497dc6200606538d (patch) | |
| tree | 93c1778dc7cc8a1daff5c3fabc2663ded9434594 | |
| parent | c90d9f101a8c6d8a14fb154c19c2fcbf312e0c4c (diff) | |
| download | nixos-343b071a70f0e45730666dd5497dc6200606538d.tar nixos-343b071a70f0e45730666dd5497dc6200606538d.tar.gz nixos-343b071a70f0e45730666dd5497dc6200606538d.tar.bz2 nixos-343b071a70f0e45730666dd5497dc6200606538d.tar.xz nixos-343b071a70f0e45730666dd5497dc6200606538d.zip | |
switched ssl certs to security.acme completely
| -rw-r--r-- | custom/simp_le.nix | 32 | ||||
| -rw-r--r-- | custom/ymir-nginx.nix | 15 | ||||
| -rw-r--r-- | ymir.nix | 14 |
3 files changed, 11 insertions, 50 deletions
diff --git a/custom/simp_le.nix b/custom/simp_le.nix deleted file mode 100644 index d37fbb8c..00000000 --- a/custom/simp_le.nix +++ /dev/null | |||
| @@ -1,32 +0,0 @@ | |||
| 1 | { stdenv, writeText | ||
| 2 | , simp_le | ||
| 3 | , eject | ||
| 4 | }: | ||
| 5 | #dir: | ||
| 6 | domain: | ||
| 7 | |||
| 8 | let | ||
| 9 | dir = "/etc/ssl/self/${domain}"; | ||
| 10 | script = writeText "${domain}.sh" '' | ||
| 11 | backupDir=/root/ssl_archive/$(date +'%Y-%m-%d')-$$-${domain} | ||
| 12 | mkdir -p ${dir} | ||
| 13 | cd ${dir} | ||
| 14 | mkdir -p $backupDir | ||
| 15 | for f in account_key.json cert.pem fullchain.pem key.pem privkey.pem; do | ||
| 16 | [[ -e $f ]] && mv -v $f $backupDir | ||
| 17 | done | ||
| 18 | ${simp_le}/bin/simp_le -d ${domain}:/srv/www/acme/${domain}/ \ | ||
| 19 | --email "phikeebaogobaegh@141.li" \ | ||
| 20 | -f account_key.json \ | ||
| 21 | -f cert.pem \ | ||
| 22 | -f fullchain.pem \ | ||
| 23 | -f key.pem | ||
| 24 | if [[ $? -ne 0 ]]; then | ||
| 25 | for f in ./*; do rm -v $f; done | ||
| 26 | mv -v $backupDir/* . && rmdir $backupDir | ||
| 27 | else | ||
| 28 | [[ -e key.pem ]] && ln -s -f key.pem privkey.pem | ||
| 29 | fi | ||
| 30 | ''; | ||
| 31 | in | ||
| 32 | "bash ${script} 2>&1 | ${eject}/bin/logger -p auth.info" | ||
diff --git a/custom/ymir-nginx.nix b/custom/ymir-nginx.nix index 54b0084f..0506b5c7 100644 --- a/custom/ymir-nginx.nix +++ b/custom/ymir-nginx.nix | |||
| @@ -28,6 +28,11 @@ let | |||
| 28 | root /srv/www/acme/$host/; | 28 | root /srv/www/acme/$host/; |
| 29 | } | 29 | } |
| 30 | ''; | 30 | ''; |
| 31 | |||
| 32 | ssl = builtins.toFile "ssl" '' | ||
| 33 | ssl_certificate /var/lib/acme/yggdrasil.li/fullchain.pem; | ||
| 34 | ssl_certificate_key /var/lib/acme/yggdrasil.li/key.pem; | ||
| 35 | ''; | ||
| 31 | in { | 36 | in { |
| 32 | services.nginx = { | 37 | services.nginx = { |
| 33 | enable = true; | 38 | enable = true; |
| @@ -104,8 +109,7 @@ in { | |||
| 104 | include ${favicon}; | 109 | include ${favicon}; |
| 105 | include ${acme}; | 110 | include ${acme}; |
| 106 | 111 | ||
| 107 | ssl_certificate /etc/ssl/self/dirty-haskell.org/fullchain.pem; | 112 | include ${ssl}; |
| 108 | ssl_certificate_key /etc/ssl/self/dirty-haskell.org/privkey.pem; | ||
| 109 | 113 | ||
| 110 | root /srv/www/dirty-haskell.org; | 114 | root /srv/www/dirty-haskell.org; |
| 111 | } | 115 | } |
| @@ -118,8 +122,7 @@ in { | |||
| 118 | include ${favicon}; | 122 | include ${favicon}; |
| 119 | include ${acme}; | 123 | include ${acme}; |
| 120 | 124 | ||
| 121 | ssl_certificate /etc/ssl/self/www.dirty-haskell.org/fullchain.pem; | 125 | include ${ssl}; |
| 122 | ssl_certificate_key /etc/ssl/self/www.dirty-haskell.org/privkey.pem; | ||
| 123 | 126 | ||
| 124 | root /srv/www/dirty-haskell.org; | 127 | root /srv/www/dirty-haskell.org; |
| 125 | } | 128 | } |
| @@ -129,8 +132,6 @@ in { | |||
| 129 | listen *:443 ssl; | 132 | listen *:443 ssl; |
| 130 | listen [::]:80; | 133 | listen [::]:80; |
| 131 | listen [::]:443 ssl; | 134 | listen [::]:443 ssl; |
| 132 | ssl_certificate /etc/ssl/self/git.yggdrasil.li/fullchain.pem; | ||
| 133 | ssl_certificate_key /etc/ssl/self/git.yggdrasil.li/key.pem; | ||
| 134 | server_name git.yggdrasil.li; | 135 | server_name git.yggdrasil.li; |
| 135 | 136 | ||
| 136 | root ${pkgs.cgit}/cgit; | 137 | root ${pkgs.cgit}/cgit; |
| @@ -140,6 +141,8 @@ in { | |||
| 140 | include ${favicon}; | 141 | include ${favicon}; |
| 141 | include ${acme}; | 142 | include ${acme}; |
| 142 | 143 | ||
| 144 | include ${ssl}; | ||
| 145 | |||
| 143 | location @cgit { | 146 | location @cgit { |
| 144 | include ${uwsgi_params}; | 147 | include ${uwsgi_params}; |
| 145 | uwsgi_pass unix:/tmp/cgit.sock; | 148 | uwsgi_pass unix:/tmp/cgit.sock; |
| @@ -9,11 +9,10 @@ let | |||
| 9 | enabled = true; | 9 | enabled = true; |
| 10 | domain = name; | 10 | domain = name; |
| 11 | ssl = { | 11 | ssl = { |
| 12 | key = "/etc/ssl/self/${name}/key.pem"; | 12 | key = "/var/lib/acme/yggdrasil.li/key.pem"; |
| 13 | cert = "/etc/ssl/self/${name}/fullchain.pem"; | 13 | cert = "/var/lib/acme/yggdrasil.li/fullchain.pem"; |
| 14 | }; | 14 | }; |
| 15 | }; | 15 | }; |
| 16 | simp_le = pkgs.callPackage ./custom/simp_le.nix {}; | ||
| 17 | in rec { | 16 | in rec { |
| 18 | imports = | 17 | imports = |
| 19 | [ | 18 | [ |
| @@ -142,15 +141,6 @@ in rec { | |||
| 142 | enable = true; | 141 | enable = true; |
| 143 | systab = '' | 142 | systab = '' |
| 144 | %weekly * * nix-collect-garbage --delete-older-than '7d' | 143 | %weekly * * nix-collect-garbage --delete-older-than '7d' |
| 145 | %monthly * * * ${simp_le "git.yggdrasil.li"} | ||
| 146 | %monthly * * * ${simp_le "dirty-haskell.org"} | ||
| 147 | %monthly * * * ${simp_le "www.dirty-haskell.org"} | ||
| 148 | %monthly * * * ${simp_le "141.li"} | ||
| 149 | %monthly * * * ${simp_le "xmpp.li"} | ||
| 150 | %monthly * * * ${simp_le "yggdrasil.li"} | ||
| 151 | %monthly * * * ${simp_le "praseodym.org"} | ||
| 152 | %daily * * systemctl reload nginx.service | ||
| 153 | %daily * * prosodyctl reload | ||
| 154 | ''; | 144 | ''; |
| 155 | }; | 145 | }; |
| 156 | 146 | ||