From 343b071a70f0e45730666dd5497dc6200606538d Mon Sep 17 00:00:00 2001 From: Gregor Kleen Date: Tue, 26 Apr 2016 15:20:25 +0200 Subject: switched ssl certs to security.acme completely --- custom/simp_le.nix | 32 -------------------------------- custom/ymir-nginx.nix | 15 +++++++++------ ymir.nix | 14 ++------------ 3 files changed, 11 insertions(+), 50 deletions(-) delete mode 100644 custom/simp_le.nix diff --git a/custom/simp_le.nix b/custom/simp_le.nix deleted file mode 100644 index d37fbb8c..00000000 --- a/custom/simp_le.nix +++ /dev/null @@ -1,32 +0,0 @@ -{ stdenv, writeText -, simp_le -, eject -}: -#dir: -domain: - -let - dir = "/etc/ssl/self/${domain}"; - script = writeText "${domain}.sh" '' - backupDir=/root/ssl_archive/$(date +'%Y-%m-%d')-$$-${domain} - mkdir -p ${dir} - cd ${dir} - mkdir -p $backupDir - for f in account_key.json cert.pem fullchain.pem key.pem privkey.pem; do - [[ -e $f ]] && mv -v $f $backupDir - done - ${simp_le}/bin/simp_le -d ${domain}:/srv/www/acme/${domain}/ \ - --email "phikeebaogobaegh@141.li" \ - -f account_key.json \ - -f cert.pem \ - -f fullchain.pem \ - -f key.pem - if [[ $? -ne 0 ]]; then - for f in ./*; do rm -v $f; done - mv -v $backupDir/* . && rmdir $backupDir - else - [[ -e key.pem ]] && ln -s -f key.pem privkey.pem - fi - ''; -in - "bash ${script} 2>&1 | ${eject}/bin/logger -p auth.info" diff --git a/custom/ymir-nginx.nix b/custom/ymir-nginx.nix index 54b0084f..0506b5c7 100644 --- a/custom/ymir-nginx.nix +++ b/custom/ymir-nginx.nix @@ -28,6 +28,11 @@ let root /srv/www/acme/$host/; } ''; + + ssl = builtins.toFile "ssl" '' + ssl_certificate /var/lib/acme/yggdrasil.li/fullchain.pem; + ssl_certificate_key /var/lib/acme/yggdrasil.li/key.pem; + ''; in { services.nginx = { enable = true; 
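Review bot: The new `ssl` snippet points every vhost that later includes it (dirty-haskell.org, www.dirty-haskell.org and git.yggdrasil.li in the remaining hunks of this file) at the single `/var/lib/acme/yggdrasil.li/fullchain.pem`, so unless that security.acme certificate is requested with those hostnames as additional names — its definition is not part of this diff — clients will see a hostname mismatch on those sites. The private key is also no longer produced by the root cron script under `/etc/ssl/self`, so `key.pem` under `/var/lib/acme/yggdrasil.li` must be readable by the user nginx's workers run as, which nothing here shows. A one-line comment on the snippet would make the coupling visible to the next editor, e.g. `# shared cert: every server_name that includes this must be a name on the yggdrasil.li ACME order`.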
@@ -104,8 +109,7 @@ in {
 include ${favicon};
 include ${acme};
- ssl_certificate /etc/ssl/self/dirty-haskell.org/fullchain.pem;
- ssl_certificate_key /etc/ssl/self/dirty-haskell.org/privkey.pem;
+ include ${ssl};
 root /srv/www/dirty-haskell.org;
 }
@@ -118,8 +122,7 @@ in {
 include ${favicon};
 include ${acme};
- ssl_certificate /etc/ssl/self/www.dirty-haskell.org/fullchain.pem;
- ssl_certificate_key /etc/ssl/self/www.dirty-haskell.org/privkey.pem;
+ include ${ssl};
 root /srv/www/dirty-haskell.org;
 }
@@ -129,8 +132,6 @@ in {
 listen *:443 ssl;
 listen [::]:80;
 listen [::]:443 ssl;
- ssl_certificate /etc/ssl/self/git.yggdrasil.li/fullchain.pem;
- ssl_certificate_key /etc/ssl/self/git.yggdrasil.li/key.pem;
 server_name git.yggdrasil.li;
 root ${pkgs.cgit}/cgit;
@@ -140,6 +141,8 @@ in {
 include ${favicon};
 include ${acme};
+ include ${ssl};
+
 location @cgit {
 include ${uwsgi_params};
 uwsgi_pass unix:/tmp/cgit.sock;
diff --git a/ymir.nix b/ymir.nix
index 773b5a71..8a17cfe4 100644
--- a/ymir.nix
+++ b/ymir.nix
@@ -9,11 +9,10 @@ let
 enabled = true;
 domain = name;
 ssl = {
- key = "/etc/ssl/self/${name}/key.pem";
- cert = "/etc/ssl/self/${name}/fullchain.pem";
+ key = "/var/lib/acme/yggdrasil.li/key.pem";
+ cert = "/var/lib/acme/yggdrasil.li/fullchain.pem";
 };
 };
- simp_le = pkgs.callPackage ./custom/simp_le.nix {};
 in rec {
 imports = [
@@ -142,15 +141,6 @@ in rec {
 enable = true;
 systab = ''
 %weekly * * nix-collect-garbage --delete-older-than '7d'
- %monthly * * * ${simp_le "git.yggdrasil.li"}
- %monthly * * * ${simp_le "dirty-haskell.org"}
- %monthly * * * ${simp_le "www.dirty-haskell.org"}
- %monthly * * * ${simp_le "141.li"}
- %monthly * * * ${simp_le "xmpp.li"}
- %monthly * * * ${simp_le "yggdrasil.li"}
- %monthly * * * ${simp_le "praseodym.org"}
- %daily * * systemctl reload nginx.service
- %daily * * prosodyctl reload
 '';
 };
-- 
cgit v1.2.3
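Review bot: With `domain = name;` kept but `ssl.key` and `ssl.cert` now fixed to the yggdrasil.li ACME files, every prosody virtual host built from this attribute set presents the yggdrasil.li certificate regardless of `name`; the cron entries removed further down show that 141.li, xmpp.li and praseodym.org previously had certificates of their own, so peers validating the certificate against those domains will fail the TLS handshake unless those names are also on the yggdrasil.li order, which this diff does not show. The key under `/var/lib/acme` additionally has to be readable by the prosody user, where the old `/etc/ssl/self` files were written by a root cron job. The function of `name` that this block belongs to starts outside the hunk. A short note would record the dependency: `# all XMPP hosts share the yggdrasil.li cert; every host name defined here must be on that ACME order`.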
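Review bot: Dropping the `%daily * * systemctl reload nginx.service` and `%daily * * prosodyctl reload` entries leaves nothing in this diff that reloads either service after an ACME renewal, so both would keep serving the previously loaded certificate from memory until their next restart, eventually past its expiry. Unless the yggdrasil.li certificate definition (outside this diff) already carries a post-renewal hook, the two reload commands should move into the ACME module's per-certificate `postRun = "systemctl reload nginx.service; prosodyctl reload";` so they run exactly when the files change. The service definition enclosing `systab` starts before the hunk.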