author | Gregor Kleen <gkleen@yggdrasil.li> | 2016-04-26 15:20:25 +0200 |
---|---|---|
committer | Gregor Kleen <gkleen@yggdrasil.li> | 2016-04-26 15:20:25 +0200 |
commit | 343b071a70f0e45730666dd5497dc6200606538d (patch) | |
tree | 93c1778dc7cc8a1daff5c3fabc2663ded9434594 | |
parent | c90d9f101a8c6d8a14fb154c19c2fcbf312e0c4c (diff) | |
switched ssl certs to security.acme completely
-rw-r--r-- | custom/simp_le.nix | 32 | ||||
-rw-r--r-- | custom/ymir-nginx.nix | 15 | ||||
-rw-r--r-- | ymir.nix | 14 |
3 files changed, 11 insertions, 50 deletions
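--- a/custom/simp_le.nix
+++ /dev/null
@@ -1,32 +0,0 @@
-{ stdenv, writeText
-, simp_le
-, eject
-}:
-#dir:
-domain:
-
-let
-  dir = "/etc/ssl/self/${domain}";
-  script = writeText "${domain}.sh" ''
-    backupDir=/root/ssl_archive/$(date +'%Y-%m-%d')-$$-${domain}
-    mkdir -p ${dir}
-    cd ${dir}
-    mkdir -p $backupDir
-    for f in account_key.json cert.pem fullchain.pem key.pem privkey.pem; do
-      [[ -e $f ]] && mv -v $f $backupDir
-    done
-    ${simp_le}/bin/simp_le -d ${domain}:/srv/www/acme/${domain}/ \
-      --email "phikeebaogobaegh@141.li" \
-      -f account_key.json \
-      -f cert.pem \
-      -f fullchain.pem \
-      -f key.pem
-    if [[ $? -ne 0 ]]; then
-      for f in ./*; do rm -v $f; done
-      mv -v $backupDir/* . && rmdir $backupDir
-    else
-      [[ -e key.pem ]] && ln -s -f key.pem privkey.pem
-    fi
-  '';
-in
-"bash ${script} 2>&1 | ${eject}/bin/logger -p auth.info"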
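--- a/custom/ymir-nginx.nix
+++ b/custom/ymir-nginx.nix
@@ -28,6 +28,11 @@ let
       root /srv/www/acme/$host/;
     }
   '';
+
+  ssl = builtins.toFile "ssl" ''
+    ssl_certificate /var/lib/acme/yggdrasil.li/fullchain.pem;
+    ssl_certificate_key /var/lib/acme/yggdrasil.li/key.pem;
+  '';
 in {
   services.nginx = {
     enable = true;
@@ -104,8 +109,7 @@ in {
       include ${favicon};
       include ${acme};
 
-      ssl_certificate /etc/ssl/self/dirty-haskell.org/fullchain.pem;
-      ssl_certificate_key /etc/ssl/self/dirty-haskell.org/privkey.pem;
+      include ${ssl};
 
       root /srv/www/dirty-haskell.org;
     }
@@ -118,8 +122,7 @@ in {
       include ${favicon};
       include ${acme};
 
-      ssl_certificate /etc/ssl/self/www.dirty-haskell.org/fullchain.pem;
-      ssl_certificate_key /etc/ssl/self/www.dirty-haskell.org/privkey.pem;
+      include ${ssl};
 
       root /srv/www/dirty-haskell.org;
     }
@@ -129,8 +132,6 @@ in {
     listen *:443 ssl;
     listen [::]:80;
     listen [::]:443 ssl;
-    ssl_certificate /etc/ssl/self/git.yggdrasil.li/fullchain.pem;
-    ssl_certificate_key /etc/ssl/self/git.yggdrasil.li/key.pem;
     server_name git.yggdrasil.li;
 
     root ${pkgs.cgit}/cgit;
@@ -140,6 +141,8 @@ in {
       include ${favicon};
       include ${acme};
 
+      include ${ssl};
+
       location @cgit {
         include ${uwsgi_params};
         uwsgi_pass unix:/tmp/cgit.sock;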
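Review bot: Every vhost in this file now presents the single `yggdrasil.li` certificate from `/var/lib/acme/yggdrasil.li/`, including dirty-haskell.org, www.dirty-haskell.org and git.yggdrasil.li, so that certificate has to carry those names as SANs (the `security.acme.certs` definition that would list them is not part of this diff) or clients will reject the handshake with a name mismatch. security.acme presumably writes `key.pem` owned by the certificate's configured user with a restrictive mode; if nginx runs as its own unprivileged user here, read access should be granted through the cert's `group`/`allowKeysForGroup` options rather than by loosening the file mode. A comment on the new snippet would make the coupling explicit, e.g. `# shared cert: yggdrasil.li must list every server_name below as a SAN (see security.acme.certs)`. The `let … in { services.nginx … }` attribute set enclosing these hunks starts and ends outside them.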
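--- a/ymir.nix
+++ b/ymir.nix
@@ -9,11 +9,10 @@ let
     enabled = true;
     domain = name;
     ssl = {
-      key = "/etc/ssl/self/${name}/key.pem";
-      cert = "/etc/ssl/self/${name}/fullchain.pem";
+      key = "/var/lib/acme/yggdrasil.li/key.pem";
+      cert = "/var/lib/acme/yggdrasil.li/fullchain.pem";
     };
   };
-  simp_le = pkgs.callPackage ./custom/simp_le.nix {};
 in rec {
   imports =
     [
@@ -142,15 +141,6 @@ in rec {
     enable = true;
     systab = ''
       %weekly * * nix-collect-garbage --delete-older-than '7d'
-      %monthly * * * ${simp_le "git.yggdrasil.li"}
-      %monthly * * * ${simp_le "dirty-haskell.org"}
-      %monthly * * * ${simp_le "www.dirty-haskell.org"}
-      %monthly * * * ${simp_le "141.li"}
-      %monthly * * * ${simp_le "xmpp.li"}
-      %monthly * * * ${simp_le "yggdrasil.li"}
-      %monthly * * * ${simp_le "praseodym.org"}
-      %daily * * systemctl reload nginx.service
-      %daily * * prosodyctl reload
     '';
   };
 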
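Review bot: Dropping `%daily * * systemctl reload nginx.service` and `%daily * * prosodyctl reload` from systab leaves nothing that makes nginx and prosody pick up a renewed certificate; both load key and chain only at start or reload, so once security.acme's renewal rewrites `/var/lib/acme/yggdrasil.li/` they keep serving the previous certificate until it expires. Unless the `security.acme.certs` block (not in this diff) already does so, add `security.acme.certs."yggdrasil.li".postRun = "systemctl reload nginx.service; prosodyctl reload";` so every renewal triggers the reloads. The first hunk hands the same hard-coded yggdrasil.li key and chain to each virtual host built from `domain = name`, so that certificate must cover every such name and its key must be readable by the service's user. The `let` bindings and the `rec` attribute set enclosing these hunks start and end outside them.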