summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
Diffstat
-rw-r--r--bragi.nix19
-rw-r--r--custom/simp_le.nix26
-rw-r--r--custom/ymir-nginx.nix44
-rw-r--r--ymir.nix9
4 files changed, 86 insertions, 12 deletions
diff --git a/bragi.nix b/bragi.nix
index 21dd9548..f520d05c 100644
--- a/bragi.nix
+++ b/bragi.nix
@@ -189,7 +189,8 @@ in rec {
189 enable = true; 189 enable = true;
190 allowPing = true; 190 allowPing = true;
191 allowedTCPPorts = [ 22 # SSH 191 allowedTCPPorts = [ 22 # SSH
192 8080 # thermoprint 192 # 8080 # thermoprint
193 6600 # MPD
193 ]; 194 ];
194 allowedUDPPortRanges = [ { from = 60000; to = 61000; } # mosh 195 allowedUDPPortRanges = [ { from = 60000; to = 61000; } # mosh
195 ]; 196 ];
@@ -247,14 +248,14 @@ in rec {
247 home = "/var/lib/thermoprint"; 248 home = "/var/lib/thermoprint";
248 }; 249 };
249 250
250 systemd.services."thermoprint" = { 251 # systemd.services."thermoprint" = {
251 serviceConfig = { 252 # serviceConfig = {
252 Type = "simple"; 253 # Type = "simple";
253 ExecStart = ''${thermoprint-servant}/bin/thermoprint --database ${users.extraUsers."thermoprint".home}/database.sqlite /dev/usb/lp0''; 254 # ExecStart = ''${thermoprint-servant}/bin/thermoprint --database ${users.extraUsers."thermoprint".home}/database.sqlite /dev/usb/lp0'';
254 User = users.extraUsers."thermoprint".name; 255 # User = users.extraUsers."thermoprint".name;
255 Group = users.extraUsers."thermoprint".group; 256 # Group = users.extraUsers."thermoprint".group;
256 }; 257 # };
257 }; 258 # };
258 259
259 nix = { 260 nix = {
260 extraOptions = '' 261 extraOptions = ''
diff --git a/custom/simp_le.nix b/custom/simp_le.nix
new file mode 100644
index 00000000..686533a6
--- /dev/null
+++ b/custom/simp_le.nix
@@ -0,0 +1,26 @@
1{ stdenv, writeText
2, simp_le
3, eject
4}:
5dir:
6domain:
7
8let
9 script = writeText "${domain}.sh" ''
10 backupDir=/root/ssl_archive/$(date +'%Y-%m-%d')-$$-${domain}
11 mkdir -p ${dir}
12 cd ${dir}
13 mkdir -p $backupDir
14 for f in account_key.json cert.pem fullchain.pem key.pem privkey.pem; do
15 [[ -e $f ]] && mv $f $backupDir
16 done
17 ${simp_le}/bin/simp_le -d ${domain}:/srv/www/acme/${domain}/ \
18 --email "phikeebaogobaegh@141.li" \
19 -f account_key.json \
20 -f cert.pem \
21 -f fullchain.pem \
22 -f key.pem || { for f in *; do rm $f; done; mv $backupDir/* . && rmdir $backupDir; }
23 [[ -e key.pem ]] && ln -s -f key.pem privkey.pem
24 '';
25in
26 "bash ${script} 2>&1 | ${eject}/bin/logger -p auth.info"
diff --git a/custom/ymir-nginx.nix b/custom/ymir-nginx.nix
index 861b0720..fd7d7e94 100644
--- a/custom/ymir-nginx.nix
+++ b/custom/ymir-nginx.nix
@@ -16,6 +16,18 @@ let
16 uwsgi_param SERVER_PORT $server_port; 16 uwsgi_param SERVER_PORT $server_port;
17 uwsgi_param SERVER_NAME $server_name; 17 uwsgi_param SERVER_NAME $server_name;
18 ''; 18 '';
19
20 favicon = builtins.toFile "favicon" ''
21 location = /favicon.ico {
22 root /srv/www/praseodym.org;
23 }
24 '';
25
26 acme = builtins.toFile "acme" ''
27 location /.well-known/acme-challenge {
28 root /srv/www/acme/$host/;
29 }
30 '';
19in { 31in {
20 services.nginx = { 32 services.nginx = {
21 enable = true; 33 enable = true;
@@ -56,11 +68,28 @@ in {
56 access_log stderr; 68 access_log stderr;
57 error_log stderr; 69 error_log stderr;
58 70
71 ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
72 ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
73 ssl_prefer_server_ciphers on;
74 ssl_session_cache shared:SSL:10m;
75 ssl_dhparam /etc/ssl/dhparam.pem;
76
77 server {
78 listen *:80;
79 listen [::]:80;
80 server_name _;
81
82 root /srv/www/praseodym.org;
83 }
84
59 server { 85 server {
60 listen *:80; 86 listen *:80;
61 listen [::]:80; 87 listen [::]:80;
62 server_name dirty-haskell.org www.dirty-haskell.org; 88 server_name dirty-haskell.org www.dirty-haskell.org;
63 89
90 include ${favicon};
91 include ${acme};
92
64 root /srv/www/dirty-haskell.org; 93 root /srv/www/dirty-haskell.org;
65 } 94 }
66 95
@@ -69,6 +98,9 @@ in {
69 listen [::]:443 ssl; 98 listen [::]:443 ssl;
70 server_name dirty-haskell.org; 99 server_name dirty-haskell.org;
71 100
101 include ${favicon};
102 include ${acme};
103
72 ssl_certificate /etc/nginx/ssl/dirty-haskell.org/fullchain.pem; 104 ssl_certificate /etc/nginx/ssl/dirty-haskell.org/fullchain.pem;
73 ssl_certificate_key /etc/nginx/ssl/dirty-haskell.org/privkey.pem; 105 ssl_certificate_key /etc/nginx/ssl/dirty-haskell.org/privkey.pem;
74 106
@@ -80,6 +112,9 @@ in {
80 listen [::]:443 ssl; 112 listen [::]:443 ssl;
81 server_name www.dirty-haskell.org; 113 server_name www.dirty-haskell.org;
82 114
115 include ${favicon};
116 include ${acme};
117
83 ssl_certificate /etc/nginx/ssl/www.dirty-haskell.org/fullchain.pem; 118 ssl_certificate /etc/nginx/ssl/www.dirty-haskell.org/fullchain.pem;
84 ssl_certificate_key /etc/nginx/ssl/www.dirty-haskell.org/privkey.pem; 119 ssl_certificate_key /etc/nginx/ssl/www.dirty-haskell.org/privkey.pem;
85 120
@@ -88,13 +123,20 @@ in {
88 123
89 server { 124 server {
90 listen *:80; 125 listen *:80;
126 listen *:443 ssl;
91 listen [::]:80; 127 listen [::]:80;
92 server_name git.yggdrasil.li www.git.yggdrasil.li; 128 listen [::]:443 ssl;
129 ssl_certificate /etc/nginx/ssl/git.yggdrasil.li/fullchain.pem;
130 ssl_certificate_key /etc/nginx/ssl/git.yggdrasil.li/key.pem;
131 server_name git.yggdrasil.li;
93 132
94 root ${pkgs.cgit}/cgit; 133 root ${pkgs.cgit}/cgit;
95 134
96 try_files $uri @cgit; 135 try_files $uri @cgit;
97 136
137 include ${favicon};
138 include ${acme};
139
98 location @cgit { 140 location @cgit {
99 include ${uwsgi_params}; 141 include ${uwsgi_params};
100 uwsgi_pass unix:/tmp/cgit.sock; 142 uwsgi_pass unix:/tmp/cgit.sock;
diff --git a/ymir.nix b/ymir.nix
index e668ecfc..42a75439 100644
--- a/ymir.nix
+++ b/ymir.nix
@@ -13,6 +13,7 @@ let
13 cert = "certs/${name}.crt"; 13 cert = "certs/${name}.crt";
14 }; 14 };
15 }; 15 };
16 simp_le = pkgs.callPackage ./custom/simp_le.nix {};
16in rec { 17in rec {
17 imports = 18 imports =
18 [ 19 [
@@ -128,7 +129,11 @@ in rec {
128 services.fcron = { 129 services.fcron = {
129 enable = true; 130 enable = true;
130 systab = '' 131 systab = ''
131 %weekly * * nix-collect-garbage --delete-older-than '7d' 132 %weekly * * nix-collect-garbage --delete-older-than '7d'
133 %monthly,jitter(300) * * * ${simp_le "/etc/nginx/ssl/git.yggdrasil.li" "git.yggdrasil.li"}
134 %monthly,jitter(300) * * * ${simp_le "/etc/nginx/ssl/dirty-haskell.org" "dirty-haskell.org"}
135 %monthly,jitter(300) * * * ${simp_le "/etc/nginx/ssl/www.dirty-haskell.org" "www.dirty-haskell.org"}
136 %daily * * systemctl reload nginx.service
132 ''; 137 '';
133 }; 138 };
134 139
@@ -235,7 +240,7 @@ in rec {
235 readme=:readme.txt 240 readme=:readme.txt
236 readme=:readme 241 readme=:readme
237 242
238 clone-url=git://git.yggdrasil.li/$CGIT_REPO_NAME http://git.yggdrasil.li/$CGIT_REPO_NAME 243 clone-prefix=git://git.yggdrasil.li http://git.yggdrasil.li
239 244
240 strict-export=git-daemon-export-ok 245 strict-export=git-daemon-export-ok
241 project-list=/srv/git/projects.list 246 project-list=/srv/git/projects.list
generated by cgit v1.2.3 (git 2.25.1) at 2024-12-28 02:15:12 +0000