diff options
| -rw-r--r-- | custom/simp_le.nix | 3 | ||||
| -rw-r--r-- | custom/ymir-nginx.nix | 3 | ||||
| -rw-r--r-- | ymir.nix | 20 |
3 files changed, 20 insertions, 6 deletions
diff --git a/custom/simp_le.nix b/custom/simp_le.nix index 686533a6..755d8cd6 100644 --- a/custom/simp_le.nix +++ b/custom/simp_le.nix | |||
| @@ -2,10 +2,11 @@ | |||
| 2 | , simp_le | 2 | , simp_le |
| 3 | , eject | 3 | , eject |
| 4 | }: | 4 | }: |
| 5 | dir: | 5 | #dir: |
| 6 | domain: | 6 | domain: |
| 7 | 7 | ||
| 8 | let | 8 | let |
| 9 | dir = "/etc/ssl/self/${domain}"; | ||
| 9 | script = writeText "${domain}.sh" '' | 10 | script = writeText "${domain}.sh" '' |
| 10 | backupDir=/root/ssl_archive/$(date +'%Y-%m-%d')-$$-${domain} | 11 | backupDir=/root/ssl_archive/$(date +'%Y-%m-%d')-$$-${domain} |
| 11 | mkdir -p ${dir} | 12 | mkdir -p ${dir} |
diff --git a/custom/ymir-nginx.nix b/custom/ymir-nginx.nix index fd7d7e94..a130bcd1 100644 --- a/custom/ymir-nginx.nix +++ b/custom/ymir-nginx.nix | |||
| @@ -79,6 +79,9 @@ in { | |||
| 79 | listen [::]:80; | 79 | listen [::]:80; |
| 80 | server_name _; | 80 | server_name _; |
| 81 | 81 | ||
| 82 | include ${favicon}; | ||
| 83 | include ${acme}; | ||
| 84 | |||
| 82 | root /srv/www/praseodym.org; | 85 | root /srv/www/praseodym.org; |
| 83 | } | 86 | } |
| 84 | 87 | ||
| @@ -9,8 +9,8 @@ let | |||
| 9 | enabled = true; | 9 | enabled = true; |
| 10 | domain = name; | 10 | domain = name; |
| 11 | ssl = { | 11 | ssl = { |
| 12 | key = "certs/${name}.key"; | 12 | key = "ssl/${name}/key.pem"; |
| 13 | cert = "certs/${name}.crt"; | 13 | cert = "ssl/${name}/fullchain.pem"; |
| 14 | }; | 14 | }; |
| 15 | }; | 15 | }; |
| 16 | simp_le = pkgs.callPackage ./custom/simp_le.nix {}; | 16 | simp_le = pkgs.callPackage ./custom/simp_le.nix {}; |
| @@ -130,13 +130,23 @@ in rec { | |||
| 130 | enable = true; | 130 | enable = true; |
| 131 | systab = '' | 131 | systab = '' |
| 132 | %weekly * * nix-collect-garbage --delete-older-than '7d' | 132 | %weekly * * nix-collect-garbage --delete-older-than '7d' |
| 133 | %monthly * * * ${simp_le "/etc/nginx/ssl/git.yggdrasil.li" "git.yggdrasil.li"} | 133 | %monthly * * * ${simp_le "git.yggdrasil.li"} |
| 134 | %monthly * * * ${simp_le "/etc/nginx/ssl/dirty-haskell.org" "dirty-haskell.org"} | 134 | %monthly * * * ${simp_le "dirty-haskell.org"} |
| 135 | %monthly * * * ${simp_le "/etc/nginx/ssl/www.dirty-haskell.org" "www.dirty-haskell.org"} | 135 | %monthly * * * ${simp_le "www.dirty-haskell.org"} |
| 136 | %monthly * * * ${simp_le "141.li"} | ||
| 137 | %monthly * * * ${simp_le "xmpp.li"} | ||
| 138 | %monthly * * * ${simp_le "yggdrasil.li"} | ||
| 139 | %monthly * * * ${simp_le "praseodym.org"} | ||
| 136 | %daily * * systemctl reload nginx.service | 140 | %daily * * systemctl reload nginx.service |
| 137 | ''; | 141 | ''; |
| 138 | }; | 142 | }; |
| 139 | 143 | ||
| 144 | users.groups."ssl" = { | ||
| 145 | members = [ "prosody" | ||
| 146 | "nginx" | ||
| 147 | ]; | ||
| 148 | }; | ||
| 149 | |||
| 140 | services.chrony = { | 150 | services.chrony = { |
| 141 | enable = true; | 151 | enable = true; |
| 142 | }; | 152 | }; |