authorGregor Kleen <gkleen@yggdrasil.li>2019-02-01 22:07:38 +0100
committerGregor Kleen <gkleen@yggdrasil.li>2019-02-01 22:07:38 +0100
commitd7b19ea3e9ad40267ee1962d35a41abe939078f6 (patch)
tree06b96f3c1c766d15e23465a3924f2859c95c9cfe
parent6deef9d0ea097de48b510f4556c57b0fc0796217 (diff)
dhparams
-rw-r--r--custom/ymir-nginx.nix6
-rw-r--r--ymir.nix47
2 files changed, 31 insertions, 22 deletions
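--- a/custom/ymir-nginx.nix
+++ b/custom/ymir-nginx.nix
@@ -86,10 +86,10 @@ in {
 ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
 ssl_prefer_server_ciphers on;
 ssl_session_cache shared:SSL:10m;
-ssl_dhparam /etc/ssl/dhparam.pem;
+ssl_dhparam ${config.security.dhparams.params.nginx.path};
 
-ssl_certificate /var/lib/acme/yggdrasil.li/fullchain.pem;
-ssl_certificate_key /var/lib/acme/yggdrasil.li/key.pem;
+ssl_certificate ${config.security.acme.directory}/yggdrasil.li/fullchain.pem;
+ssl_certificate_key ${config.security.acme.directory}/yggdrasil.li/key.pem;
 
 server {
 listen *:80;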
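Review bot: `ssl_dhparam ${config.security.dhparams.params.nginx.path};` points nginx at a file that only exists once the 3072-bit parameters have been generated, and generating that size can take minutes on first activation; if the nginx unit is not ordered after the generator unit the dhparams module creates (upstream's option docs suggest something like `systemd.services.nginx.after = [ "dhparams-gen-nginx.service" ];` — worth confirming against the module version in use), nginx can fail to start with a missing-file error until the generator finishes. The enclosing `extraConfig` string and the attribute set it lives in begin and end outside this hunk. The ACME path change on the two `ssl_certificate*` lines looks fine as long as `config.security.acme.directory` resolves to the same directory the certificates are actually written to.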
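--- a/ymir.nix
+++ b/ymir.nix
@@ -11,8 +11,11 @@ let
 enabled = true;
 domain = name;
 ssl = {
-key = "/var/lib/acme/yggdrasil.li/key.pem";
-cert = "/var/lib/acme/yggdrasil.li/fullchain.pem";
+key = "${config.security.acme.directory}/yggdrasil.li/key.pem";
+cert = "${config.security.acme.directory}/yggdrasil.li/fullchain.pem";
+extraOptions = {
+dhparam = config.security.dhparams.params.prosody.path;
+};
 };
 };
 myDomains = [ "dirty-haskell.org" "www.dirty-haskell.org" "lists.dirty-haskell.org" "l.dirty-haskell.org"
@@ -402,7 +405,7 @@ in rec {
 
 strict-export=git-daemon-export-ok
 section-from-path=2
-scan-path=/srv/git/repositories
+scan-path=${config.services.gitolite.dataDir}/repositories
 '';
 };
 environment.etc."cgit/git.rheperire.org" = {
@@ -440,7 +443,7 @@ in rec {
 cryptoids.git
 ''}
 section-from-path=2
-scan-path=/srv/git/repositories
+scan-path=${config.services.gitolite.dataDir}/repositories
 '';
 };
 
@@ -492,12 +495,13 @@ in rec {
 /^localhost$/ ACCEPT
 /\.?ymir$/ ACCEPT
 ''}''];
-sslCert = "/var/lib/acme/yggdrasil.li/fullchain.pem";
-sslKey = "/var/lib/acme/yggdrasil.li/key.pem";
+sslCert = "${config.security.acme.directory}/yggdrasil.li/fullchain.pem";
+sslKey = "${config.security.acme.directory}/yggdrasil.li/key.pem";
 config = {
 #the dh params
-smtpd_tls_dh1024_param_file = "/etc/ssl/dhparam.pem";
-smtpd_tls_dh512_param_file = "/etc/ssl/dhparam.pem";
+smtpd_tls_dh2048_param_file = config.security.dhparams.params.postfix-2048.path;
+smtpd_tls_dh1024_param_file = config.security.dhparams.params.postfix-1024.path;
+smtpd_tls_dh512_param_file = config.security.dhparams.params.postfix-512.path;
 #enable ECDH
 smtpd_tls_eecdh_grade = "strong";
 #enabled SSL protocols, don't allow SSLv2 and SSLv3
@@ -728,8 +732,8 @@ in rec {
 enableLmtp = true;
 enablePop3 = false;
 enablePAM = false; # do that manualy
-sslServerCert = "/var/lib/acme/yggdrasil.li/fullchain.pem";
-sslServerKey = "/var/lib/acme/yggdrasil.li/key.pem";
+sslServerCert = "${config.security.acme.directory}/yggdrasil.li/fullchain.pem";
+sslServerKey = "${config.security.acme.directory}/yggdrasil.li/key.pem";
 mailLocation = "maildir:~/mail:LAYOUT=index:UTF-8";
 modules = with pkgs; [ dovecot_pigeonhole ];
 protocols = [ "sieve" ];
@@ -809,11 +813,6 @@ in rec {
 }
 }
 
-service managesieve {
-}
-protocol sieve {
-}
-
 plugin {
 sieve = file:~/sieve;active=~/.dovecot.sieve
 sieve_redirect_envelope_from = orig_recipient
@@ -981,8 +980,8 @@ in rec {
 
 services.infinoted = {
 enable = true;
-keyFile = "/var/lib/acme/yggdrasil.li/key.pem";
-certificateFile = "/var/lib/acme/yggdrasil.li/fullchain.pem";
+keyFile = "${config.security.acme.directory}/yggdrasil.li/key.pem";
+certificateFile = "${config.security.acme.directory}/yggdrasil.li/fullchain.pem";
 plugins = [ "note-text" "note-chat" "logging" "autosave" "certificate-auth" "directory-sync" ];
 extraConfig = ''
 [certificate-auth]
@@ -1053,8 +1052,8 @@ in rec {
 localUsers = true;
 writeEnable = true;
 chrootlocalUser = true;
-rsaKeyFile = "/var/lib/acme/yggdrasil.li/key.pem";
-rsaCertFile = "/var/lib/acme/yggdrasil.li/fullchain.pem";
+rsaKeyFile = "${config.security.acme.directory}/yggdrasil.li/key.pem";
+rsaCertFile = "${config.security.acme.directory}/yggdrasil.li/fullchain.pem";
 extraConfig = ''
 local_umask=022
 
@@ -1090,4 +1089,14 @@ in rec {
 users.extraUsers."vsftpd" = {
 home = mkForce "/srv/ftp";
 };
+
+security.dhparams = {
+enable = true;
+nginx.bits = 3072;
+posfix-512.bits = 512;
+postfix-1024.bits = 1024;
+postfix-2048.bits = 2048;
+dovecot2.bits = 2048;
+prosody.bits = 3072;
+};
 }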
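Review bot: `posfix-512.bits = 512;` in the new `security.dhparams` block (last hunk) is misspelled, while the Postfix hunk reads `config.security.dhparams.params.postfix-512.path`, so evaluation should fail with a missing `postfix-512` attribute; the line should be `postfix-512.bits = 512;`. In that same Postfix hunk, `smtpd_tls_dh2048_param_file` is not a Postfix parameter I know of — Postfix reads its non-export DHE parameters from `smtpd_tls_dh1024_param_file` (the file may hold 2048-bit parameters despite the name) and uses `smtpd_tls_dh512_param_file` only for export-grade ciphers, so the `postfix-2048` set is probably emitted into main.cf and ignored, and generating a dedicated 512-bit group only provides weak parameters that no modern cipher suite should use; pointing `smtpd_tls_dh1024_param_file` at the 2048-bit set and dropping the 512-bit entry would be the cleaner configuration. `dovecot2.bits = 2048` is declared but no hunk in this commit references `params.dovecot2.path`; if the dovecot2 module registers that consumer itself this is just a size override, otherwise it is dead generation work — worth confirming. The cgit `scan-path` and ACME directory substitutions elsewhere in the section look consistent with each other.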