author | Gregor Kleen <gkleen@yggdrasil.li> | 2019-02-01 22:07:38 +0100 |
---|---|---|
committer | Gregor Kleen <gkleen@yggdrasil.li> | 2019-02-01 22:07:38 +0100 |
commit | d7b19ea3e9ad40267ee1962d35a41abe939078f6 (patch) | |
tree | 06b96f3c1c766d15e23465a3924f2859c95c9cfe | |
parent | 6deef9d0ea097de48b510f4556c57b0fc0796217 (diff) | |
download | nixos-d7b19ea3e9ad40267ee1962d35a41abe939078f6.tar nixos-d7b19ea3e9ad40267ee1962d35a41abe939078f6.tar.gz nixos-d7b19ea3e9ad40267ee1962d35a41abe939078f6.tar.bz2 nixos-d7b19ea3e9ad40267ee1962d35a41abe939078f6.tar.xz nixos-d7b19ea3e9ad40267ee1962d35a41abe939078f6.zip |
dhparams
-rw-r--r-- | custom/ymir-nginx.nix | 6 | ||||
-rw-r--r-- | ymir.nix | 47 |
2 files changed, 31 insertions, 22 deletions
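diff --git a/custom/ymir-nginx.nix b/custom/ymir-nginx.nix
index 854dd4d4..975bb344 100644
--- a/custom/ymir-nginx.nix
+++ b/custom/ymir-nginx.nix
@@ -86,10 +86,10 @@ in {
 ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
 ssl_prefer_server_ciphers on;
 ssl_session_cache shared:SSL:10m;
-ssl_dhparam /etc/ssl/dhparam.pem;
+ssl_dhparam ${config.security.dhparams.params.nginx.path};
 
-ssl_certificate /var/lib/acme/yggdrasil.li/fullchain.pem;
-ssl_certificate_key /var/lib/acme/yggdrasil.li/key.pem;
+ssl_certificate ${config.security.acme.directory}/yggdrasil.li/fullchain.pem;
+ssl_certificate_key ${config.security.acme.directory}/yggdrasil.li/key.pem;
 
 server {
 listen *:80;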
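--- a/ymir.nix
+++ b/ymir.nix
@@ -11,8 +11,11 @@ let
 enabled = true;
 domain = name;
 ssl = {
-key = "/var/lib/acme/yggdrasil.li/key.pem";
-cert = "/var/lib/acme/yggdrasil.li/fullchain.pem";
+key = "${config.security.acme.directory}/yggdrasil.li/key.pem";
+cert = "${config.security.acme.directory}/yggdrasil.li/fullchain.pem";
+extraOptions = {
+dhparam = config.security.dhparams.params.prosody.path;
+};
 };
 };
 myDomains = [ "dirty-haskell.org" "www.dirty-haskell.org" "lists.dirty-haskell.org" "l.dirty-haskell.org"
@@ -402,7 +405,7 @@ in rec {
 
 strict-export=git-daemon-export-ok
 section-from-path=2
-scan-path=/srv/git/repositories
+scan-path=${config.services.gitolite.dataDir}/repositories
 '';
 };
 environment.etc."cgit/git.rheperire.org" = {
@@ -440,7 +443,7 @@ in rec {
 cryptoids.git
 ''}
 section-from-path=2
-scan-path=/srv/git/repositories
+scan-path=${config.services.gitolite.dataDir}/repositories
 '';
 };
 
@@ -492,12 +495,13 @@ in rec {
 /^localhost$/ ACCEPT
 /\.?ymir$/ ACCEPT
 ''}''];
-sslCert = "/var/lib/acme/yggdrasil.li/fullchain.pem";
-sslKey = "/var/lib/acme/yggdrasil.li/key.pem";
+sslCert = "${config.security.acme.directory}/yggdrasil.li/fullchain.pem";
+sslKey = "${config.security.acme.directory}/yggdrasil.li/key.pem";
 config = {
 #the dh params
-smtpd_tls_dh1024_param_file = "/etc/ssl/dhparam.pem";
-smtpd_tls_dh512_param_file = "/etc/ssl/dhparam.pem";
+smtpd_tls_dh2048_param_file = config.security.dhparams.params.postfix-2048.path;
+smtpd_tls_dh1024_param_file = config.security.dhparams.params.postfix-1024.path;
+smtpd_tls_dh512_param_file = config.security.dhparams.params.postfix-512.path;
 #enable ECDH
 smtpd_tls_eecdh_grade = "strong";
 #enabled SSL protocols, don't allow SSLv2 and SSLv3
@@ -728,8 +732,8 @@ in rec {
 enableLmtp = true;
 enablePop3 = false;
 enablePAM = false; # do that manualy
-sslServerCert = "/var/lib/acme/yggdrasil.li/fullchain.pem";
-sslServerKey = "/var/lib/acme/yggdrasil.li/key.pem";
+sslServerCert = "${config.security.acme.directory}/yggdrasil.li/fullchain.pem";
+sslServerKey = "${config.security.acme.directory}/yggdrasil.li/key.pem";
 mailLocation = "maildir:~/mail:LAYOUT=index:UTF-8";
 modules = with pkgs; [ dovecot_pigeonhole ];
 protocols = [ "sieve" ];
@@ -809,11 +813,6 @@ in rec {
 }
 }
 
-service managesieve {
-}
-protocol sieve {
-}
-
 plugin {
 sieve = file:~/sieve;active=~/.dovecot.sieve
 sieve_redirect_envelope_from = orig_recipient
@@ -981,8 +980,8 @@ in rec {
 
 services.infinoted = {
 enable = true;
-keyFile = "/var/lib/acme/yggdrasil.li/key.pem";
-certificateFile = "/var/lib/acme/yggdrasil.li/fullchain.pem";
+keyFile = "${config.security.acme.directory}/yggdrasil.li/key.pem";
+certificateFile = "${config.security.acme.directory}/yggdrasil.li/fullchain.pem";
 plugins = [ "note-text" "note-chat" "logging" "autosave" "certificate-auth" "directory-sync" ];
 extraConfig = ''
 [certificate-auth]
@@ -1053,8 +1052,8 @@ in rec {
 localUsers = true;
 writeEnable = true;
 chrootlocalUser = true;
-rsaKeyFile = "/var/lib/acme/yggdrasil.li/key.pem";
-rsaCertFile = "/var/lib/acme/yggdrasil.li/fullchain.pem";
+rsaKeyFile = "${config.security.acme.directory}/yggdrasil.li/key.pem";
+rsaCertFile = "${config.security.acme.directory}/yggdrasil.li/fullchain.pem";
 extraConfig = ''
 local_umask=022
 
@@ -1090,4 +1089,14 @@ in rec {
 users.extraUsers."vsftpd" = {
 home = mkForce "/srv/ftp";
 };
+
+security.dhparams = {
+enable = true;
+nginx.bits = 3072;
+posfix-512.bits = 512;
+postfix-1024.bits = 1024;
+postfix-2048.bits = 2048;
+dovecot2.bits = 2048;
+prosody.bits = 3072;
+};
 }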
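Review bot: The `security.dhparams` block added at the end of the file spells the 512-bit entry `posfix-512`, while the Postfix hunk earlier in this section reads `config.security.dhparams.params.postfix-512.path`, so the two names do not match and that reference cannot resolve; the entries are also placed directly under `security.dhparams` rather than under `security.dhparams.params`, which is where every `.path` reference in this commit (and the stock NixOS module) expects them — worth confirming against the module in use before this is deployed. The three Postfix entries look wrong in themselves too: Postfix defines only `smtpd_tls_dh1024_param_file` (used for all non-export EDH suites, whatever the group size) and `smtpd_tls_dh512_param_file` (export suites only), so `smtpd_tls_dh2048_param_file` is presumably ignored as an unknown parameter, the effective DHE group silently becomes the 1024-bit one, and a 512-bit group is generated for nothing. I would collapse them to a single `params.postfix.bits = 2048;` entry consumed as `smtpd_tls_dh1024_param_file = config.security.dhparams.params.postfix.path;` and drop the dh2048 and dh512 lines; naming the entry `postfix` also matches the module's convention of ordering `dhparams-gen-<name>.service` before `<name>.service`, which `postfix-2048` does not satisfy, so Postfix could otherwise start before its parameters exist on first boot.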