Diffstat (limited to 'custom')
-rw-r--r--custom/simp_le.nix26
-rw-r--r--custom/ymir-nginx.nix44
2 files changed, 69 insertions, 1 deletions
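--- /dev/null
+++ b/custom/simp_le.nix
@@ -0,0 +1,26 @@
+{ stdenv, writeText
+, simp_le
+, eject
+}:
+dir:
+domain:
+
+let
+script = writeText "${domain}.sh" ''
+backupDir=/root/ssl_archive/$(date +'%Y-%m-%d')-$$-${domain}
+mkdir -p ${dir}
+cd ${dir}
+mkdir -p $backupDir
+for f in account_key.json cert.pem fullchain.pem key.pem privkey.pem; do
+[[ -e $f ]] && mv $f $backupDir
+done
+${simp_le}/bin/simp_le -d ${domain}:/srv/www/acme/${domain}/ \
+--email "phikeebaogobaegh@141.li" \
+-f account_key.json \
+-f cert.pem \
+-f fullchain.pem \
+-f key.pem || { for f in *; do rm $f; done; mv $backupDir/* . && rmdir $backupDir; }
+[[ -e key.pem ]] && ln -s -f key.pem privkey.pem
+'';
+in
+"bash ${script} 2>&1 | ${eject}/bin/logger -p auth.info"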
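Review bot: `cd ${dir}` in the generated script is unchecked, and the failure branch of the simp_le call deletes every file in the current directory (`for f in *; do rm $f; done`), so if the cd fails (permission error, ${dir} existing as a file) the wipe and the restore run in whatever directory the caller started in. `cd ${dir} || exit 1` closes that, and the expansions on the neighbouring lines should be quoted (`mkdir -p "$backupDir"`, `mv "$f" "$backupDir"`) since backupDir embeds the domain. The archive under /root/ssl_archive receives the previous private keys but is created with the default umask; `mkdir -p -m 0700 "$backupDir"` would pin its mode. The returned command string pipes the script into logger, so its exit status is logger's and a failed renewal is invisible to whatever schedules it, unless the caller (not in this diff) sets pipefail. The `stdenv` argument is unused.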
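--- a/custom/ymir-nginx.nix
+++ b/custom/ymir-nginx.nix
@@ -16,6 +16,18 @@ let
 uwsgi_param SERVER_PORT $server_port;
 uwsgi_param SERVER_NAME $server_name;
 '';
+
+favicon = builtins.toFile "favicon" ''
+location = /favicon.ico {
+root /srv/www/praseodym.org;
+}
+'';
+
+acme = builtins.toFile "acme" ''
+location /.well-known/acme-challenge {
+root /srv/www/acme/$host/;
+}
+'';
 in {
 services.nginx = {
 enable = true;
@@ -56,11 +68,28 @@ in {
 access_log stderr;
 error_log stderr;
 
+ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
+ssl_prefer_server_ciphers on;
+ssl_session_cache shared:SSL:10m;
+ssl_dhparam /etc/ssl/dhparam.pem;
+
+server {
+listen *:80;
+listen [::]:80;
+server_name _;
+
+root /srv/www/praseodym.org;
+}
+
 server {
 listen *:80;
 listen [::]:80;
 server_name dirty-haskell.org www.dirty-haskell.org;
 
+include ${favicon};
+include ${acme};
+
 root /srv/www/dirty-haskell.org;
 }
 
@@ -69,6 +98,9 @@ in {
 listen [::]:443 ssl;
 server_name dirty-haskell.org;
 
+include ${favicon};
+include ${acme};
+
 ssl_certificate /etc/nginx/ssl/dirty-haskell.org/fullchain.pem;
 ssl_certificate_key /etc/nginx/ssl/dirty-haskell.org/privkey.pem;
 
@@ -80,6 +112,9 @@ in {
 listen [::]:443 ssl;
 server_name www.dirty-haskell.org;
 
+include ${favicon};
+include ${acme};
+
 ssl_certificate /etc/nginx/ssl/www.dirty-haskell.org/fullchain.pem;
 ssl_certificate_key /etc/nginx/ssl/www.dirty-haskell.org/privkey.pem;
 
@@ -88,13 +123,20 @@ in {
 
 server {
 listen *:80;
+listen *:443 ssl;
 listen [::]:80;
-server_name git.yggdrasil.li www.git.yggdrasil.li;
+listen [::]:443 ssl;
+ssl_certificate /etc/nginx/ssl/git.yggdrasil.li/fullchain.pem;
+ssl_certificate_key /etc/nginx/ssl/git.yggdrasil.li/key.pem;
+server_name git.yggdrasil.li;
 
 root ${pkgs.cgit}/cgit;
 
 try_files $uri @cgit;
 
+include ${favicon};
+include ${acme};
+
 location @cgit {
 include ${uwsgi_params};
 uwsgi_pass unix:/tmp/cgit.sock;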
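Review bot: The new catch-all block (`server_name _;` with `root /srv/www/praseodym.org;`) in the second hunk is the default server for port 80 only because it happens to be the first port-80 block in the file; `listen *:80 default_server;` and `listen [::]:80 default_server;` make that explicit and survive reordering. The same hunk references `ssl_dhparam /etc/ssl/dhparam.pem` but nothing in this change provisions the file, and nginx fails its config load when the file is absent — presumably it is generated elsewhere, so a comment naming where would help. `ssl_protocols` keeps TLSv1 and TLSv1.1; if those are needed for old clients a comment saying so would help, otherwise limiting the list to TLSv1.2 is the tighter choice. In the last hunk the new git.yggdrasil.li server points `ssl_certificate_key` at key.pem while the other vhosts use privkey.pem; simp_le.nix in this commit symlinks privkey.pem to key.pem so both resolve, but one spelling would be easier to audit.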