4 files changed, 86 insertions, 12 deletions
diff --git a/bragi.nix b/bragi.nix
index 21dd9548..f520d05c 100644
--- a/bragi.nix
+++ b/bragi.nix
@@ -189,7 +189,8 @@ in rec {
    enable = true;
    allowPing = true;
    allowedTCPPorts = [ 22 # SSH
-                        8080 # thermoprint
+                        # 8080 # thermoprint
+                        6600 # MPD
                      ];
    allowedUDPPortRanges = [ { from = 60000; to = 61000; } # mosh
                           ];
@@ -247,14 +248,14 @@ in rec {
    home = "/var/lib/thermoprint";
  };
-  systemd.services."thermoprint" = {
+  # systemd.services."thermoprint" = {
-    serviceConfig = {
+  #   serviceConfig = {
-      Type = "simple";
+  #     Type = "simple";
-      ExecStart = ''${thermoprint-servant}/bin/thermoprint --database ${users.extraUsers."thermoprint".home}/database.sqlite /dev/usb/lp0'';
+  #     ExecStart = ''${thermoprint-servant}/bin/thermoprint --database ${users.extraUsers."thermoprint".home}/database.sqlite /dev/usb/lp0'';
-      User = users.extraUsers."thermoprint".name;
+  #     User = users.extraUsers."thermoprint".name;
-      Group = users.extraUsers."thermoprint".group;
+  #     Group = users.extraUsers."thermoprint".group;
-    };
+  #   };
-  };
+  # };
  nix = {
    extraOptions = ''
diff --git a/custom/simp_le.nix b/custom/simp_le.nix
new file mode 100644
index 00000000..686533a6
--- /dev/null
+++ b/custom/simp_le.nix
@@ -0,0 +1,26 @@
+{ stdenv, writeText
+, simp_le
+, eject
+}:
+dir:
+domain:
+let
+  script = writeText "${domain}.sh" ''
+    backupDir=/root/ssl_archive/$(date +'%Y-%m-%d')-$$-${domain}
+    mkdir -p ${dir}
+    cd ${dir}
+    mkdir -p $backupDir
+    for f in account_key.json cert.pem fullchain.pem key.pem privkey.pem; do
+      [[ -e $f ]] && mv $f $backupDir
+    done
+    ${simp_le}/bin/simp_le -d ${domain}:/srv/www/acme/${domain}/ \
+      --email "phikeebaogobaegh@141.li" \
+      -f account_key.json \
+      -f cert.pem \
+      -f fullchain.pem \
+      -f key.pem || { for f in *; do rm $f; done; mv $backupDir/* . && rmdir $backupDir; }
+    [[ -e key.pem ]] && ln -s -f key.pem privkey.pem
+  '';
+in
+  "bash ${script} 2>&1 | ${eject}/bin/logger -p auth.info"
diff --git a/custom/ymir-nginx.nix b/custom/ymir-nginx.nix
index 861b0720..fd7d7e94 100644
--- a/custom/ymir-nginx.nix
+++ b/custom/ymir-nginx.nix
@@ -16,6 +16,18 @@ let
    uwsgi_param SERVER_PORT $server_port;
    uwsgi_param SERVER_NAME $server_name;
  '';
+  favicon = builtins.toFile "favicon" ''
+    location = /favicon.ico {
+      root /srv/www/praseodym.org;
+    }
+  '';
+  acme = builtins.toFile "acme" ''
+    location /.well-known/acme-challenge {
+      root /srv/www/acme/$host/;
+    }
+  '';
 in {
  services.nginx = {
    enable = true;
@@ -56,11 +68,28 @@ in {
      access_log stderr;
      error_log stderr;
+      ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+      ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
+      ssl_prefer_server_ciphers on;
+      ssl_session_cache shared:SSL:10m;
+      ssl_dhparam /etc/ssl/dhparam.pem;
+      server {
+        listen *:80;
+        listen [::]:80;
+        server_name _;
+        root /srv/www/praseodym.org;
+      }
      server {
        listen *:80;
        listen [::]:80;
        server_name dirty-haskell.org www.dirty-haskell.org;
+        include ${favicon};
+        include ${acme};
        root /srv/www/dirty-haskell.org;
      }
@@ -69,6 +98,9 @@ in {
        listen [::]:443 ssl;
        server_name dirty-haskell.org;
+        include ${favicon};
+        include ${acme};
        ssl_certificate /etc/nginx/ssl/dirty-haskell.org/fullchain.pem;
        ssl_certificate_key /etc/nginx/ssl/dirty-haskell.org/privkey.pem;
@@ -80,6 +112,9 @@ in {
        listen [::]:443 ssl;
        server_name www.dirty-haskell.org;
+        include ${favicon};
+        include ${acme};
        ssl_certificate /etc/nginx/ssl/www.dirty-haskell.org/fullchain.pem;
        ssl_certificate_key /etc/nginx/ssl/www.dirty-haskell.org/privkey.pem;
@@ -88,13 +123,20 @@ in {
      server {
        listen *:80;
+        listen *:443 ssl;
        listen [::]:80;
-        server_name git.yggdrasil.li www.git.yggdrasil.li;
+        listen [::]:443 ssl;
+        ssl_certificate /etc/nginx/ssl/git.yggdrasil.li/fullchain.pem;
+        ssl_certificate_key /etc/nginx/ssl/git.yggdrasil.li/key.pem;
+        server_name git.yggdrasil.li;
        root ${pkgs.cgit}/cgit;
        try_files $uri @cgit;
+        include ${favicon};
+        include ${acme};
        location @cgit {
          include ${uwsgi_params};
          uwsgi_pass unix:/tmp/cgit.sock;
diff --git a/ymir.nix b/ymir.nix
index e668ecfc..42a75439 100644
--- a/ymir.nix
+++ b/ymir.nix
@@ -13,6 +13,7 @@ let
      cert = "certs/${name}.crt";
    };
  };
+  simp_le = pkgs.callPackage ./custom/simp_le.nix {};
 in rec {
  imports =
    [
@@ -128,7 +129,11 @@ in rec {
  services.fcron = {
    enable = true;
    systab = ''
-      %weekly * * nix-collect-garbage --delete-older-than '7d'
+      %weekly  * *   nix-collect-garbage --delete-older-than '7d'
+      %monthly,jitter(300) * * * ${simp_le "/etc/nginx/ssl/git.yggdrasil.li" "git.yggdrasil.li"}
+      %monthly,jitter(300) * * * ${simp_le "/etc/nginx/ssl/dirty-haskell.org" "dirty-haskell.org"}
+      %monthly,jitter(300) * * * ${simp_le "/etc/nginx/ssl/www.dirty-haskell.org" "www.dirty-haskell.org"}
+      %daily   * *   systemctl reload nginx.service
    '';
  };
@@ -235,7 +240,7 @@ in rec {
      readme=:readme.txt
      readme=:readme
-      clone-url=git://git.yggdrasil.li/$CGIT_REPO_NAME http://git.yggdrasil.li/$CGIT_REPO_NAME
+      clone-prefix=git://git.yggdrasil.li http://git.yggdrasil.li
      strict-export=git-daemon-export-ok
      project-list=/srv/git/projects.list