authorGregor Kleen <gkleen@yggdrasil.li>2016-04-26 15:20:25 +0200
committerGregor Kleen <gkleen@yggdrasil.li>2016-04-26 15:20:25 +0200
commit343b071a70f0e45730666dd5497dc6200606538d (patch)
tree93c1778dc7cc8a1daff5c3fabc2663ded9434594
parentc90d9f101a8c6d8a14fb154c19c2fcbf312e0c4c (diff)
switched ssl certs to security.acme completely
-rw-r--r--custom/simp_le.nix32
-rw-r--r--custom/ymir-nginx.nix15
-rw-r--r--ymir.nix14
3 files changed, 11 insertions, 50 deletions
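diff --git a/custom/simp_le.nix b/custom/simp_le.nix
deleted file mode 100644
index d37fbb8c..00000000
--- a/custom/simp_le.nix
+++ /dev/null
@@ -1,32 +0,0 @@
-{ stdenv, writeText
-, simp_le
-, eject
-}:
-#dir:
-domain:
-
-let
- dir = "/etc/ssl/self/${domain}";
- script = writeText "${domain}.sh" ''
- backupDir=/root/ssl_archive/$(date +'%Y-%m-%d')-$$-${domain}
- mkdir -p ${dir}
- cd ${dir}
- mkdir -p $backupDir
- for f in account_key.json cert.pem fullchain.pem key.pem privkey.pem; do
- [[ -e $f ]] && mv -v $f $backupDir
- done
- ${simp_le}/bin/simp_le -d ${domain}:/srv/www/acme/${domain}/ \
- --email "phikeebaogobaegh@141.li" \
- -f account_key.json \
- -f cert.pem \
- -f fullchain.pem \
- -f key.pem
- if [[ $? -ne 0 ]]; then
- for f in ./*; do rm -v $f; done
- mv -v $backupDir/* . && rmdir $backupDir
- else
- [[ -e key.pem ]] && ln -s -f key.pem privkey.pem
- fi
- '';
-in
- "bash ${script} 2>&1 | ${eject}/bin/logger -p auth.info"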
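diff --git a/custom/ymir-nginx.nix b/custom/ymir-nginx.nix
index 54b0084f..0506b5c7 100644
--- a/custom/ymir-nginx.nix
+++ b/custom/ymir-nginx.nix
@@ -28,6 +28,11 @@ let
  root /srv/www/acme/$host/;
  }
  '';
+
+ ssl = builtins.toFile "ssl" ''
+ ssl_certificate /var/lib/acme/yggdrasil.li/fullchain.pem;
+ ssl_certificate_key /var/lib/acme/yggdrasil.li/key.pem;
+ '';
 in {
  services.nginx = {
  enable = true;
@@ -104,8 +109,7 @@ in {
  include ${favicon};
  include ${acme};
 
- ssl_certificate /etc/ssl/self/dirty-haskell.org/fullchain.pem;
- ssl_certificate_key /etc/ssl/self/dirty-haskell.org/privkey.pem;
+ include ${ssl};
 
  root /srv/www/dirty-haskell.org;
  }
@@ -118,8 +122,7 @@ in {
  include ${favicon};
  include ${acme};
 
- ssl_certificate /etc/ssl/self/www.dirty-haskell.org/fullchain.pem;
- ssl_certificate_key /etc/ssl/self/www.dirty-haskell.org/privkey.pem;
+ include ${ssl};
 
  root /srv/www/dirty-haskell.org;
  }
@@ -129,8 +132,6 @@ in {
  listen *:443 ssl;
  listen [::]:80;
  listen [::]:443 ssl;
- ssl_certificate /etc/ssl/self/git.yggdrasil.li/fullchain.pem;
- ssl_certificate_key /etc/ssl/self/git.yggdrasil.li/key.pem;
  server_name git.yggdrasil.li;
 
  root ${pkgs.cgit}/cgit;
@@ -140,6 +141,8 @@ in {
  include ${favicon};
  include ${acme};
 
+ include ${ssl};
+
  location @cgit {
  include ${uwsgi_params};
  uwsgi_pass unix:/tmp/cgit.sock;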
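Review bot: The new `ssl` snippet in the first hunk serves the single yggdrasil.li certificate from every vhost it is included in, so dirty-haskell.org, www.dirty-haskell.org and git.yggdrasil.li (hunks two to five) will only validate if the yggdrasil.li ACME certificate carries each of those names as a SAN — the security.acme configuration that would show this is not part of the diff, so this is inferred. Previously each vhost had its own per-domain certificate, so a mismatch here would be a regression visible to clients as a hostname error rather than a build failure. I would document the coupling next to the snippet, e.g. `# shared by every TLS vhost: the yggdrasil.li ACME cert must list each server_name below as an extra domain`. The same assumption applies to the prosody ssl block in ymir.nix.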
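diff --git a/ymir.nix b/ymir.nix
index 773b5a71..8a17cfe4 100644
--- a/ymir.nix
+++ b/ymir.nix
@@ -9,11 +9,10 @@ let
  enabled = true;
  domain = name;
  ssl = {
- key = "/etc/ssl/self/${name}/key.pem";
- cert = "/etc/ssl/self/${name}/fullchain.pem";
+ key = "/var/lib/acme/yggdrasil.li/key.pem";
+ cert = "/var/lib/acme/yggdrasil.li/fullchain.pem";
  };
  };
- simp_le = pkgs.callPackage ./custom/simp_le.nix {};
 in rec {
  imports =
  [
@@ -142,15 +141,6 @@ in rec {
  enable = true;
  systab = ''
  %weekly * * nix-collect-garbage --delete-older-than '7d'
- %monthly * * * ${simp_le "git.yggdrasil.li"}
- %monthly * * * ${simp_le "dirty-haskell.org"}
- %monthly * * * ${simp_le "www.dirty-haskell.org"}
- %monthly * * * ${simp_le "141.li"}
- %monthly * * * ${simp_le "xmpp.li"}
- %monthly * * * ${simp_le "yggdrasil.li"}
- %monthly * * * ${simp_le "praseodym.org"}
- %daily * * systemctl reload nginx.service
- %daily * * prosodyctl reload
  '';
  };
 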
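Review bot: The second hunk drops the daily `systemctl reload nginx.service` and `prosodyctl reload` cron entries together with the simp_le renewals, but nothing in this diff replaces them, so after the ACME timer renews /var/lib/acme/yggdrasil.li both services keep serving the expired certificate until something else restarts them. If the reload is not configured elsewhere, the per-certificate post-renewal hook of security.acme is the natural place for it, e.g. `postRun = "systemctl reload nginx.service; prosodyctl reload";` on the yggdrasil.li cert. The first hunk also points prosody at the ACME-managed key.pem, which is not readable by the prosody user unless the cert's group/permission options grant it; with the previous /etc/ssl/self files that was presumably handled out of band. The enclosing `let` of the first hunk starts outside the hunk.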