From 45d7aaa82b0b8577e507cc8769998911bf8ce527 Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Sun, 24 Jan 2016 11:30:55 +0100
Subject: praseodym.org nginx
---
 custom/ymir-nginx.nix | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
diff --git a/custom/ymir-nginx.nix b/custom/ymir-nginx.nix
index 861b0720..7aaa0464 100644
--- a/custom/ymir-nginx.nix
+++ b/custom/ymir-nginx.nix
@@ -16,6 +16,12 @@ let
 uwsgi_param SERVER_PORT $server_port;
 uwsgi_param SERVER_NAME $server_name;
 '';
+
+ favicon = builtins.toFile "favicon" ''
+ location /favicon.ico {
+ root /srv/www/praseodym.org;
+ }
+ '';
 in {
 services.nginx = {
 enable = true;
@@ -101,6 +107,14 @@ in {
 uwsgi_modifier1 9;
 }
 }
+
+ server {
+ listen *:80;
+ listen [::]:80;
+ server_name _;
+
+ root /srv/www/praseodym.org;
+ }
 '';
 };
 }
-- 
cgit v1.2.3
From cbf358b332b2b0909c8726432866aa02affd550b Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Sun, 24 Jan 2016 11:31:44 +0100
Subject: *poke*
---
 custom/ymir-nginx.nix | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/custom/ymir-nginx.nix b/custom/ymir-nginx.nix
index 7aaa0464..e3cc2870 100644
--- a/custom/ymir-nginx.nix
+++ b/custom/ymir-nginx.nix
@@ -62,6 +62,14 @@ in {
 access_log stderr;
 error_log stderr;
+ server {
+ listen *:80;
+ listen [::]:80;
+ server_name _;
+
+ root /srv/www/praseodym.org;
+ }
+
 server {
 listen *:80;
 listen [::]:80;
@@ -107,14 +115,6 @@ in {
 uwsgi_modifier1 9;
 }
 }
-
- server {
- listen *:80;
- listen [::]:80;
- server_name _;
-
- root /srv/www/praseodym.org;
- }
 '';
 };
 }
-- 
cgit v1.2.3
From 7689ce8c7890eda81cae0a2aa2660c6c54c6ae96 Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Sun, 24 Jan 2016 11:33:08 +0100
Subject: Favicons for everything
---
 custom/ymir-nginx.nix | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/custom/ymir-nginx.nix b/custom/ymir-nginx.nix
index e3cc2870..4e13e019 100644
--- a/custom/ymir-nginx.nix
+++ b/custom/ymir-nginx.nix
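Review bot: The `server_name _;` block added at the end of the config in the `@@ -101,6 +107,14 @@` hunk is not actually the catch-all for port 80, because nginx picks the default server for a listen socket by position (the first `server` for that address:port) unless one is marked `default_server`, and this block comes after the dirty-haskell.org and cgit servers. Mark it explicitly, `listen *:80 default_server;` and `listen [::]:80 default_server;`, instead of relying on block order; the following commit (cbf358b) moves the block to the top, which works only as long as nothing is inserted above it. Note also that there is no catch-all on port 443, so a TLS request for an unmatched name lands on whichever `ssl` server is listed first and is answered with that site's certificate.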
@@ -75,6 +75,8 @@ in {
 listen [::]:80;
 server_name dirty-haskell.org www.dirty-haskell.org;
+ include ${favicon};
+
 root /srv/www/dirty-haskell.org;
 }
@@ -83,6 +85,8 @@ in {
 listen [::]:443 ssl;
 server_name dirty-haskell.org;
+ include ${favicon};
+
 ssl_certificate /etc/nginx/ssl/dirty-haskell.org/fullchain.pem;
 ssl_certificate_key /etc/nginx/ssl/dirty-haskell.org/privkey.pem;
@@ -94,6 +98,8 @@ in {
 listen [::]:443 ssl;
 server_name www.dirty-haskell.org;
+ include ${favicon};
+
 ssl_certificate /etc/nginx/ssl/www.dirty-haskell.org/fullchain.pem;
 ssl_certificate_key /etc/nginx/ssl/www.dirty-haskell.org/privkey.pem;
@@ -109,6 +115,8 @@ in {
 try_files $uri @cgit;
+ include ${favicon};
+
 location @cgit {
 include ${uwsgi_params};
 uwsgi_pass unix:/tmp/cgit.sock;
-- 
cgit v1.2.3
From 0a49126bc3e2a2b2ef45f192a5a46c58ff1f01f2 Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Sun, 24 Jan 2016 11:38:32 +0100
Subject: acme-challenge
---
 custom/ymir-nginx.nix | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/custom/ymir-nginx.nix b/custom/ymir-nginx.nix
index 4e13e019..8750ac9f 100644
--- a/custom/ymir-nginx.nix
+++ b/custom/ymir-nginx.nix
@@ -18,10 +18,16 @@ let
 '';
 favicon = builtins.toFile "favicon" ''
- location /favicon.ico {
+ location = /favicon.ico {
 root /srv/www/praseodym.org;
 }
 '';
+
+ acme = builtins.toFile "acme" ''
+ location /.well-known/acme-challenge {
+ root /srv/www/acme/$hostname/.well-known/acme-challenge;
+ }
+ '';
 in {
 services.nginx = {
 enable = true;
@@ -76,6 +82,7 @@ in {
 server_name dirty-haskell.org www.dirty-haskell.org;
 include ${favicon};
+ include ${acme};
 root /srv/www/dirty-haskell.org;
 }
@@ -86,6 +93,7 @@ in {
 server_name dirty-haskell.org;
 include ${favicon};
+ include ${acme};
 ssl_certificate /etc/nginx/ssl/dirty-haskell.org/fullchain.pem;
 ssl_certificate_key /etc/nginx/ssl/dirty-haskell.org/privkey.pem;
@@ -99,6 +107,7 @@ in {
 server_name www.dirty-haskell.org;
 include ${favicon};
+ include ${acme};
 ssl_certificate /etc/nginx/ssl/www.dirty-haskell.org/fullchain.pem;
 ssl_certificate_key /etc/nginx/ssl/www.dirty-haskell.org/privkey.pem;
@@ -116,6 +125,7 @@ in {
 try_files $uri @cgit;
 include ${favicon};
+ include ${acme};
 location @cgit {
 include ${uwsgi_params};
-- 
cgit v1.2.3
From 7e4868c3ec05f70e68bc80db8cc7334efbbfce12 Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Sun, 24 Jan 2016 11:41:13 +0100
Subject: *poke*
---
 custom/ymir-nginx.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/custom/ymir-nginx.nix b/custom/ymir-nginx.nix
index 8750ac9f..c0b7f23b 100644
--- a/custom/ymir-nginx.nix
+++ b/custom/ymir-nginx.nix
@@ -25,7 +25,7 @@ let
 acme = builtins.toFile "acme" ''
 location /.well-known/acme-challenge {
- root /srv/www/acme/$hostname/.well-known/acme-challenge;
+ root /srv/www/acme/$server_name/.well-known/acme-challenge;
 }
 '';
 in {
-- 
cgit v1.2.3
From 7b1c4e0c395f358cb9d4b6850af01cdd3e2a3a80 Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Sun, 24 Jan 2016 11:41:58 +0100
Subject: *poke*
---
 custom/ymir-nginx.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/custom/ymir-nginx.nix b/custom/ymir-nginx.nix
index c0b7f23b..32707ee6 100644
--- a/custom/ymir-nginx.nix
+++ b/custom/ymir-nginx.nix
@@ -25,7 +25,7 @@ let
 acme = builtins.toFile "acme" ''
 location /.well-known/acme-challenge {
- root /srv/www/acme/$server_name/.well-known/acme-challenge;
+ root /srv/www/acme/$server_name/;
 }
 '';
 in {
-- 
cgit v1.2.3
From 0fb62fe4d86f3e140bd989d3a3aca2d76c395549 Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Sun, 24 Jan 2016 12:10:16 +0100
Subject: simp_le test
---
 custom/simp_le.nix | 18 ++++++++++++++++++
 custom/ymir-nginx.nix | 5 +++++
 ymir.nix | 4 +++-
 3 files changed, 26 insertions(+), 1 deletion(-)
 create mode 100644 custom/simp_le.nix
diff --git a/custom/simp_le.nix b/custom/simp_le.nix
new file mode 100644
index 00000000..ed85fc51
--- /dev/null
+++ b/custom/simp_le.nix
@@ -0,0 +1,18 @@
+{ stdenv, simp_le
+, util-linux
+}:
+dir:
+domain:
+
+let
+ script = bulitins.toFile "cert.sh" ''
+ cd $dir
+ ${simp_le}/bin/simp_le -d ${domain}:/srv/www/acme/${domain}/ \
+ --email "phikeebaogobaegh@141.li" \
+ -f account_key.json \
+ -f cert.pem \
+ -f fullchain.pem \
+ -f key.pem
+ '';
+in
+ "${stdenv}/bin/bash ${script} ${dir} ${domain} > ${util-linux}/bin/logger -p auth.info"
diff --git a/custom/ymir-nginx.nix b/custom/ymir-nginx.nix
index 32707ee6..4c3880ce 100644
--- a/custom/ymir-nginx.nix
+++ b/custom/ymir-nginx.nix
@@ -117,9 +117,14 @@ in {
 server {
 listen *:80;
+ listen *:443 ssl;
 listen [::]:80;
+ listen [::]:443 ssl;
 server_name git.yggdrasil.li www.git.yggdrasil.li;
+ ssl_certificate /etc/nginx/ssl/$server_name/fullchain.pem;
+ ssl_certificate_key /etc/nginx/ssl/$server_name/privkey.pem;
+
 root ${pkgs.cgit}/cgit;
 try_files $uri @cgit;
diff --git a/ymir.nix b/ymir.nix
index e668ecfc..bed72276 100644
--- a/ymir.nix
+++ b/ymir.nix
@@ -13,6 +13,7 @@ let
 cert = "certs/${name}.crt";
 };
 };
+ simp_le = pkgs.callPackage ./custom/simp_le.nix {};
 in rec {
 imports = [
@@ -128,7 +129,8 @@ in rec {
 services.fcron = {
 enable = true;
 systab = ''
- %weekly * * nix-collect-garbage --delete-older-than '7d'
+ %weekly * * nix-collect-garbage --delete-older-than '7d'
+ %monthly * * * ${simp_le "/etc/nginx/ssl/git.yggdrasil.li" "git.yggdrasil.li"}
 '';
 };
-- 
cgit v1.2.3
From 94508ad6f57ad38f13cb08629b96179ffc100a19 Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Sun, 24 Jan 2016 12:10:35 +0100
Subject: typo
---
 custom/simp_le.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/custom/simp_le.nix b/custom/simp_le.nix
index ed85fc51..f975bdb2 100644
--- a/custom/simp_le.nix
+++ b/custom/simp_le.nix
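Review bot: The new `cert.sh` script runs as root from fcron and lets simp_le write `key.pem` into `${dir}` without pinning file permissions, so the private key's mode depends on simp_le's own defaults and whatever umask the cron job inherits; add `umask 077` as the first line of the script so anything created under `/etc/nginx/ssl/<domain>` is owner-only. The job line in the same hunk redirects with `> ${util-linux}/bin/logger`, which makes the shell try to open a read-only store path for writing instead of feeding `logger`; it needs a pipe, `| ${util-linux}/bin/logger -p auth.info`. The `ssl_certificate /etc/nginx/ssl/$server_name/...` lines in the ymir-nginx.nix hunk also rely on variable expansion that the `ssl_certificate` directive did not support in nginx releases of this era, so the cgit server is unlikely to load its certificate as written.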
@@ -5,7 +5,7 @@ dir:
 domain:
 let
- script = bulitins.toFile "cert.sh" ''
+ script = bulitin.toFile "cert.sh" ''
 cd $dir
 ${simp_le}/bin/simp_le -d ${domain}:/srv/www/acme/${domain}/ \
 --email "phikeebaogobaegh@141.li" \
-- 
cgit v1.2.3
From 48860df6ff917274a837c8470ff8aa6784c5bcf0 Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Sun, 24 Jan 2016 12:10:49 +0100
Subject: typo
---
 custom/simp_le.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/custom/simp_le.nix b/custom/simp_le.nix
index f975bdb2..537cb915 100644
--- a/custom/simp_le.nix
+++ b/custom/simp_le.nix
@@ -5,7 +5,7 @@ dir:
 domain:
 let
- script = bulitin.toFile "cert.sh" ''
+ script = builtins.toFile "cert.sh" ''
 cd $dir
 ${simp_le}/bin/simp_le -d ${domain}:/srv/www/acme/${domain}/ \
 --email "phikeebaogobaegh@141.li" \
-- 
cgit v1.2.3
From 3600019a6db787978b5996819fc6cad6d1832236 Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Sun, 24 Jan 2016 12:11:23 +0100
Subject: typo
---
 custom/simp_le.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/custom/simp_le.nix b/custom/simp_le.nix
index 537cb915..83582c24 100644
--- a/custom/simp_le.nix
+++ b/custom/simp_le.nix
@@ -1,5 +1,5 @@
 { stdenv, simp_le
-, util-linux
+, eject
 }:
 dir:
 domain:
@@ -15,4 +15,4 @@ let
 -f key.pem
 '';
 in
- "${stdenv}/bin/bash ${script} ${dir} ${domain} > ${util-linux}/bin/logger -p auth.info"
+ "${stdenv}/bin/bash ${script} ${dir} ${domain} > ${eject}/bin/logger -p auth.info"
-- 
cgit v1.2.3
From f6e28e7f6cc4709ed677efd2231c38ed31b71418 Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Sun, 24 Jan 2016 12:14:19 +0100
Subject: writeText instead of toFile
---
 custom/simp_le.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/custom/simp_le.nix b/custom/simp_le.nix
index 83582c24..f5b2232f 100644
--- a/custom/simp_le.nix
+++ b/custom/simp_le.nix
@@ -5,7 +5,7 @@ dir:
 domain:
 let
- script = builtins.toFile "cert.sh" ''
+ script = stdenv.lib.writeText "cert.sh" ''
 cd $dir
 ${simp_le}/bin/simp_le -d ${domain}:/srv/www/acme/${domain}/ \
 --email "phikeebaogobaegh@141.li" \
-- 
cgit v1.2.3
From 49dc2220c842c2f5b0c330a0ae6448087d7e4bce Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Sun, 24 Jan 2016 12:15:00 +0100
Subject: typo
---
 custom/simp_le.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/custom/simp_le.nix b/custom/simp_le.nix
index f5b2232f..590b3cac 100644
--- a/custom/simp_le.nix
+++ b/custom/simp_le.nix
@@ -5,7 +5,7 @@ dir:
 domain:
 let
- script = stdenv.lib.writeText "cert.sh" ''
+ script = stdenv.writeText "cert.sh" ''
 cd $dir
 ${simp_le}/bin/simp_le -d ${domain}:/srv/www/acme/${domain}/ \
 --email "phikeebaogobaegh@141.li" \
-- 
cgit v1.2.3
From 3765ee37aca35d4173f583f039e18486e2eb1b5d Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Sun, 24 Jan 2016 12:15:28 +0100
Subject: wrong namespace
---
 custom/simp_le.nix | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/custom/simp_le.nix b/custom/simp_le.nix
index 590b3cac..2b2de3fa 100644
--- a/custom/simp_le.nix
+++ b/custom/simp_le.nix
@@ -1,11 +1,12 @@
-{ stdenv, simp_le
+{ stdenv, writeText
+, simp_le
 , eject
 }:
 dir:
 domain:
 let
- script = stdenv.writeText "cert.sh" ''
+ script = writeText "cert.sh" ''
 cd $dir
 ${simp_le}/bin/simp_le -d ${domain}:/srv/www/acme/${domain}/ \
 --email "phikeebaogobaegh@141.li" \
-- 
cgit v1.2.3
From ca22017caf8255aa214333468daff387a7e1a048 Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Sun, 24 Jan 2016 12:17:46 +0100
Subject: nginx config
---
 custom/ymir-nginx.nix | 21 ++++++++++++++-------
 1 file changed, 14 insertions(+), 7 deletions(-)
diff --git a/custom/ymir-nginx.nix b/custom/ymir-nginx.nix
index 4c3880ce..3664ad7d 100644
--- a/custom/ymir-nginx.nix
+++ b/custom/ymir-nginx.nix
@@ -116,14 +116,21 @@ in {
 }
 server {
- listen *:80;
- listen *:443 ssl;
- listen [::]:80;
- listen [::]:443 ssl;
- server_name git.yggdrasil.li www.git.yggdrasil.li;
+ http {
+ listen *:80;
+ listen *:443 ssl;
+ listen [::]:80;
+ listen [::]:443 ssl;
+ ssl_certificate /etc/nginx/ssl/git.yggdrasil.li/fullchain.pem;
+ ssl_certificate_key /etc/nginx/ssl/git.yggdrasil.li/privkey.pem;
+ server_name git.yggdrasil.li;
+ }
- ssl_certificate /etc/nginx/ssl/$server_name/fullchain.pem;
- ssl_certificate_key /etc/nginx/ssl/$server_name/privkey.pem;
+ http {
+ listen *:80;
+ listen [::]:80;
+ server_name www.git.yggdrasil.li;
+ }
 root ${pkgs.cgit}/cgit;
-- 
cgit v1.2.3
From 2c2adb123227bac3f63726d3a232a270ebb4174d Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Sun, 24 Jan 2016 12:19:31 +0100
Subject: shell & directory creation
---
 custom/simp_le.nix | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/custom/simp_le.nix b/custom/simp_le.nix
index 2b2de3fa..5d502817 100644
--- a/custom/simp_le.nix
+++ b/custom/simp_le.nix
@@ -1,4 +1,5 @@
 { stdenv, writeText
+, bash
 , simp_le
 , eject
 }:
@@ -7,6 +8,7 @@ domain:
 let
 script = writeText "cert.sh" ''
+ mkdir -p $dir
 cd $dir
 ${simp_le}/bin/simp_le -d ${domain}:/srv/www/acme/${domain}/ \
 --email "phikeebaogobaegh@141.li" \
@@ -16,4 +18,4 @@ let
 -f key.pem
 '';
 in
- "${stdenv}/bin/bash ${script} ${dir} ${domain} > ${eject}/bin/logger -p auth.info"
+ "${bash}/bin/bash ${script} ${dir} ${domain} > ${eject}/bin/logger -p auth.info"
-- 
cgit v1.2.3
From 3deb5a33ee217240ac87bc627007c7aa1c58b007 Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Sun, 24 Jan 2016 12:21:44 +0100
Subject: typos
---
 custom/simp_le.nix | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/custom/simp_le.nix b/custom/simp_le.nix
index 5d502817..4082612e 100644
--- a/custom/simp_le.nix
+++ b/custom/simp_le.nix
@@ -8,8 +8,8 @@ domain:
 let
 script = writeText "cert.sh" ''
- mkdir -p $dir
- cd $dir
+ mkdir -p ${dir}
+ cd ${dir}
 ${simp_le}/bin/simp_le -d ${domain}:/srv/www/acme/${domain}/ \
 --email "phikeebaogobaegh@141.li" \
 -f account_key.json \
@@ -18,4 +18,4 @@ let
 -f key.pem
 '';
 in
- "${bash}/bin/bash ${script} ${dir} ${domain} > ${eject}/bin/logger -p auth.info"
+ "${bash}/bin/bash ${script} > ${eject}/bin/logger -p auth.info"
-- 
cgit v1.2.3
From 94346f25829ba066e571dc951a6621e001d518d8 Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Sun, 24 Jan 2016 12:26:20 +0100
Subject: better nginx conf
---
 custom/simp_le.nix | 2 +-
 custom/ymir-nginx.nix | 22 +++++++--------------
 2 files changed, 8 insertions(+), 16 deletions(-)
diff --git a/custom/simp_le.nix b/custom/simp_le.nix
index 4082612e..2143dfad 100644
--- a/custom/simp_le.nix
+++ b/custom/simp_le.nix
@@ -7,7 +7,7 @@ dir:
 domain:
 let
- script = writeText "cert.sh" ''
+ script = writeText "${domain}.sh" ''
 mkdir -p ${dir}
 cd ${dir}
 ${simp_le}/bin/simp_le -d ${domain}:/srv/www/acme/${domain}/ \
diff --git a/custom/ymir-nginx.nix b/custom/ymir-nginx.nix
index 3664ad7d..ac64cac7 100644
--- a/custom/ymir-nginx.nix
+++ b/custom/ymir-nginx.nix
@@ -116,21 +116,13 @@ in {
 }
 server {
- http {
- listen *:80;
- listen *:443 ssl;
- listen [::]:80;
- listen [::]:443 ssl;
- ssl_certificate /etc/nginx/ssl/git.yggdrasil.li/fullchain.pem;
- ssl_certificate_key /etc/nginx/ssl/git.yggdrasil.li/privkey.pem;
- server_name git.yggdrasil.li;
- }
-
- http {
- listen *:80;
- listen [::]:80;
- server_name www.git.yggdrasil.li;
- }
+ listen *:80;
+ listen *:443 ssl;
+ listen [::]:80;
+ listen [::]:443 ssl;
+ ssl_certificate /etc/nginx/ssl/git.yggdrasil.li/fullchain.pem;
+ ssl_certificate_key /etc/nginx/ssl/git.yggdrasil.li/privkey.pem;
+ server_name git.yggdrasil.li;
 root ${pkgs.cgit}/cgit;
-- 
cgit v1.2.3
From 8136f93fd98515aae456168f2bdb11f6bd8e73fd Mon Sep 17 00:00:00 2001
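Review bot: The rewritten cgit server in the `@@ -116,21 +116,13 @@` hunk drops `www.git.yggdrasil.li` from `server_name` without adding a replacement, so that name now falls through to the port-80 catch-all and, on 443, to whichever `ssl` server block is listed first, which presents another site's certificate. If the www name is still published, add a small `server` for it that issues a `return 301 https://git.yggdrasil.li$request_uri;`, otherwise record the removal with a comment such as `# www.git.yggdrasil.li intentionally unserved`. The surrounding `server { ... }` block ends outside the hunk.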
From: Gregor Kleen
Date: Sun, 24 Jan 2016 12:27:15 +0100
Subject: commenting ssl for now
---
 custom/ymir-nginx.nix | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/custom/ymir-nginx.nix b/custom/ymir-nginx.nix
index ac64cac7..f3b3fecb 100644
--- a/custom/ymir-nginx.nix
+++ b/custom/ymir-nginx.nix
@@ -117,11 +117,11 @@ in {
 server {
 listen *:80;
- listen *:443 ssl;
+ #listen *:443 ssl;
 listen [::]:80;
- listen [::]:443 ssl;
- ssl_certificate /etc/nginx/ssl/git.yggdrasil.li/fullchain.pem;
- ssl_certificate_key /etc/nginx/ssl/git.yggdrasil.li/privkey.pem;
+ #listen [::]:443 ssl;
+ #ssl_certificate /etc/nginx/ssl/git.yggdrasil.li/fullchain.pem;
+ #ssl_certificate_key /etc/nginx/ssl/git.yggdrasil.li/privkey.pem;
 server_name git.yggdrasil.li;
 root ${pkgs.cgit}/cgit;
-- 
cgit v1.2.3
From 46c75cd0b819c724a859d6ed4b65c01d2c12d225 Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Sun, 24 Jan 2016 12:28:41 +0100
Subject: now with ssl
---
 custom/simp_le.nix | 1 +
 custom/ymir-nginx.nix | 8 ++++----
 2 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/custom/simp_le.nix b/custom/simp_le.nix
index 2143dfad..114a6028 100644
--- a/custom/simp_le.nix
+++ b/custom/simp_le.nix
@@ -16,6 +16,7 @@ let
 -f cert.pem \
 -f fullchain.pem \
 -f key.pem
+ [[ -e key.pem ]] && ln -s key.pem privkey.pem
 '';
 in
 "${bash}/bin/bash ${script} > ${eject}/bin/logger -p auth.info"
diff --git a/custom/ymir-nginx.nix b/custom/ymir-nginx.nix
index f3b3fecb..747efb67 100644
--- a/custom/ymir-nginx.nix
+++ b/custom/ymir-nginx.nix
@@ -117,11 +117,11 @@ in {
 server {
 listen *:80;
- #listen *:443 ssl;
+ listen *:443 ssl;
 listen [::]:80;
- #listen [::]:443 ssl;
- #ssl_certificate /etc/nginx/ssl/git.yggdrasil.li/fullchain.pem;
- #ssl_certificate_key /etc/nginx/ssl/git.yggdrasil.li/privkey.pem;
+ listen [::]:443 ssl;
+ ssl_certificate /etc/nginx/ssl/git.yggdrasil.li/fullchain.pem;
+ ssl_certificate_key /etc/nginx/ssl/git.yggdrasil.li/key.pem;
 server_name git.yggdrasil.li;
 root ${pkgs.cgit}/cgit;
-- 
cgit v1.2.3
From edadb8332a43f10520fbfabcaf007717a724a9fd Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Sun, 24 Jan 2016 12:33:43 +0100
Subject: overwrite old privkey.pem files
---
 custom/simp_le.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/custom/simp_le.nix b/custom/simp_le.nix
index 114a6028..9ff98364 100644
--- a/custom/simp_le.nix
+++ b/custom/simp_le.nix
@@ -16,7 +16,7 @@ let
 -f cert.pem \
 -f fullchain.pem \
 -f key.pem
- [[ -e key.pem ]] && ln -s key.pem privkey.pem
+ [[ -e key.pem ]] && ln -s -f key.pem privkey.pem
 '';
 in
 "${bash}/bin/bash ${script} > ${eject}/bin/logger -p auth.info"
-- 
cgit v1.2.3
From 5ee3e5bfbe1b4c76e4e7b73bb8781a225cf71dba Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Sun, 24 Jan 2016 12:34:14 +0100
Subject: actually log everything
---
 custom/simp_le.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/custom/simp_le.nix b/custom/simp_le.nix
index 9ff98364..4caf50ce 100644
--- a/custom/simp_le.nix
+++ b/custom/simp_le.nix
@@ -19,4 +19,4 @@ let
 [[ -e key.pem ]] && ln -s -f key.pem privkey.pem
 '';
 in
- "${bash}/bin/bash ${script} > ${eject}/bin/logger -p auth.info"
+ "${bash}/bin/bash ${script} 2>&1 | ${eject}/bin/logger -p auth.info"
-- 
cgit v1.2.3
From cd2886462a8a079bebf47e25847f8dcdfa157d3e Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Sun, 24 Jan 2016 12:35:39 +0100
Subject: (www.|)dirty-haskell.org
---
 ymir.nix | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/ymir.nix b/ymir.nix
index bed72276..4fc294d2 100644
--- a/ymir.nix
+++ b/ymir.nix
@@ -131,6 +131,8 @@ in rec {
 systab = ''
 %weekly * * nix-collect-garbage --delete-older-than '7d'
 %monthly * * * ${simp_le "/etc/nginx/ssl/git.yggdrasil.li" "git.yggdrasil.li"}
+ %monthly * * * ${simp_le "/etc/nginx/ssl/dirty-haskell.org" "dirty-haskell.org"}
+ %monthly * * * ${simp_le "/etc/nginx/ssl/www.dirty-haskell.org" "www.dirty-haskell.org"}
 '';
 };
-- 
cgit v1.2.3
From a2b53ca94318207687dabc033e6b346088711d25 Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Sun, 24 Jan 2016 12:45:09 +0100
Subject: old cert backups
---
 custom/simp_le.nix | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/custom/simp_le.nix b/custom/simp_le.nix
index 4caf50ce..30341179 100644
--- a/custom/simp_le.nix
+++ b/custom/simp_le.nix
@@ -8,8 +8,14 @@ domain:
 let
 script = writeText "${domain}.sh" ''
+ #!${bash}/bin/bash
+
 mkdir -p ${dir}
 cd ${dir}
+ mkdir -p /root/ssl_archive/$(date +'%Y-%m-%d')-${domain}
+ for f in account_key.json cert.pem fullchain.pem key.pem privkey.pem; do
+ [[ -e $f ]] && mv $f /root/ssl_archive/$(date +'%Y-%m-%d')-${domain}
+ done
 ${simp_le}/bin/simp_le -d ${domain}:/srv/www/acme/${domain}/ \
 --email "phikeebaogobaegh@141.li" \
 -f account_key.json \
@@ -19,4 +25,4 @@ let
 [[ -e key.pem ]] && ln -s -f key.pem privkey.pem
 '';
 in
- "${bash}/bin/bash ${script} 2>&1 | ${eject}/bin/logger -p auth.info"
+ "${script} 2>&1 | ${eject}/bin/logger -p auth.info"
-- 
cgit v1.2.3
From fccd19527d271d8c323860e45f4337abd6398dc8 Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Sun, 24 Jan 2016 12:46:23 +0100
Subject: shebang wont work
---
 custom/simp_le.nix | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/custom/simp_le.nix b/custom/simp_le.nix
index 30341179..45d7a5ca 100644
--- a/custom/simp_le.nix
+++ b/custom/simp_le.nix
@@ -8,8 +8,6 @@ domain:
 let
 script = writeText "${domain}.sh" ''
- #!${bash}/bin/bash
-
 mkdir -p ${dir}
 cd ${dir}
 mkdir -p /root/ssl_archive/$(date +'%Y-%m-%d')-${domain}
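Review bot: In the `@@ -8,8 +8,14 @@` hunk of custom/simp_le.nix every existing file, `account_key.json` included, is moved to `/root/ssl_archive/...` before simp_le runs, so simp_le never sees a current certificate or account key and, as far as its documented behaviour goes, registers a fresh ACME account and issues a new certificate on every monthly run instead of renewing only when the existing one is close to expiry; copying the files into the archive and leaving the originals in place (simp_le reuses the `-f` files it finds in the working directory) would keep its renewal check working. The archive also grows without bound and every directory in it holds a private key, so a pruning step, or at least a comment naming who cleans `/root/ssl_archive`, belongs next to the `mkdir -p`. The `$(date +'%Y-%m-%d')` name also collides when the job runs twice on one day, which a later commit (260d6d4) addresses with `$$`.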
@@ -25,4 +23,4 @@ let
 [[ -e key.pem ]] && ln -s -f key.pem privkey.pem
 '';
 in
- "${script} 2>&1 | ${eject}/bin/logger -p auth.info"
+ "${bash}/bin/bash ${script} 2>&1 | ${eject}/bin/logger -p auth.info"
-- 
cgit v1.2.3
From 8a205da9cf2f89792a468abda275483d8b762b3a Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Sun, 24 Jan 2016 12:47:55 +0100
Subject: better nginx acme conf
---
 custom/ymir-nginx.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/custom/ymir-nginx.nix b/custom/ymir-nginx.nix
index 747efb67..9c98d2ab 100644
--- a/custom/ymir-nginx.nix
+++ b/custom/ymir-nginx.nix
@@ -25,7 +25,7 @@ let
 acme = builtins.toFile "acme" ''
 location /.well-known/acme-challenge {
- root /srv/www/acme/$server_name/;
+ root /srv/www/acme/$host/;
 }
 '';
 in {
-- 
cgit v1.2.3
From 89c7daa75a9e67eaaf36fb17d8498de64e71e359 Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Sun, 24 Jan 2016 12:49:01 +0100
Subject: restore from backup on simp_le fail
---
 custom/simp_le.nix | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/custom/simp_le.nix b/custom/simp_le.nix
index 45d7a5ca..94adb44d 100644
--- a/custom/simp_le.nix
+++ b/custom/simp_le.nix
@@ -8,18 +8,19 @@ domain:
 let
 script = writeText "${domain}.sh" ''
+ backupDir=/root/ssl_archive/$(date +'%Y-%m-%d')-${domain}
 mkdir -p ${dir}
 cd ${dir}
- mkdir -p /root/ssl_archive/$(date +'%Y-%m-%d')-${domain}
+ mkdir -p $backupDir
 for f in account_key.json cert.pem fullchain.pem key.pem privkey.pem; do
- [[ -e $f ]] && mv $f /root/ssl_archive/$(date +'%Y-%m-%d')-${domain}
+ [[ -e $f ]] && mv $f $backupDir
 done
 ${simp_le}/bin/simp_le -d ${domain}:/srv/www/acme/${domain}/ \
 --email "phikeebaogobaegh@141.li" \
 -f account_key.json \
 -f cert.pem \
 -f fullchain.pem \
- -f key.pem
+ -f key.pem || { rm *; mv $backupDir/* . && rmdir $backupDir }
 [[ -e key.pem ]] && ln -s -f key.pem privkey.pem
 '';
 in
-- 
cgit v1.2.3
From 724fa9257742c92bbe5550ece6fd657bc24edf8a Mon Sep 17 00:00:00 2001
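Review bot: `root /srv/www/acme/$host/;` builds a filesystem path from the client-supplied Host header, so on the `server_name _` catch-all any name a client presents becomes a directory lookup under `/srv/www/acme/`. nginx validates the Host value before `$host` is set (it rejects `/`, NUL and consecutive dots and lowercases the name), so this cannot reach outside that tree, but the dependence is worth a comment on the line, `# $host is client-chosen; nginx host validation keeps it to /srv/www/acme/<name>/`. If the per-domain directories are not needed, a single shared webroot (`root /srv/www/acme;` with every simp_le job pointed at the same path) removes request data from the path entirely.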
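Review bot: The failure branch `|| { rm *; mv $backupDir/* . && rmdir $backupDir }` deletes everything in the current directory, but the `cd ${dir}` a few lines above it is unchecked, so if the directory cannot be entered the job would clear whatever directory fcron started it in; guard it with `cd ${dir} || exit 1`. The brace group as written is also missing the `;` before `}`, which bash rejects, and the `rm *` matches nothing on a first run where the directory is empty; the following commits (724fa92, ab39f04) change that line, so the guard on `cd` is the part that remains open.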
From: Gregor Kleen
Date: Sun, 24 Jan 2016 12:50:48 +0100
Subject: typo
---
 custom/simp_le.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/custom/simp_le.nix b/custom/simp_le.nix
index 94adb44d..fb68eb02 100644
--- a/custom/simp_le.nix
+++ b/custom/simp_le.nix
@@ -20,7 +20,7 @@ let
 -f account_key.json \
 -f cert.pem \
 -f fullchain.pem \
- -f key.pem || { rm *; mv $backupDir/* . && rmdir $backupDir }
+ -f key.pem || { rm *; mv $backupDir/* . && rmdir $backupDir; }
 [[ -e key.pem ]] && ln -s -f key.pem privkey.pem
 '';
 in
-- 
cgit v1.2.3
From f281e1d83d49dc467569c74c37fd51c2cbe32838 Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Sun, 24 Jan 2016 12:52:54 +0100
Subject: not hardlinking bash
---
 custom/simp_le.nix | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/custom/simp_le.nix b/custom/simp_le.nix
index fb68eb02..f90abc71 100644
--- a/custom/simp_le.nix
+++ b/custom/simp_le.nix
@@ -1,5 +1,4 @@
 { stdenv, writeText
-, bash
 , simp_le
 , eject
 }:
@@ -24,4 +23,4 @@ let
 [[ -e key.pem ]] && ln -s -f key.pem privkey.pem
 '';
 in
- "${bash}/bin/bash ${script} 2>&1 | ${eject}/bin/logger -p auth.info"
+ "bash ${script} 2>&1 | ${eject}/bin/logger -p auth.info"
-- 
cgit v1.2.3
From ab39f049c6d2467ca8e133493ff6f07775c6dd50 Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Sun, 24 Jan 2016 12:54:56 +0100
Subject: better use of wildcards
---
 custom/simp_le.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/custom/simp_le.nix b/custom/simp_le.nix
index f90abc71..7478bcbf 100644
--- a/custom/simp_le.nix
+++ b/custom/simp_le.nix
@@ -19,7 +19,7 @@ let
 -f account_key.json \
 -f cert.pem \
 -f fullchain.pem \
- -f key.pem || { rm *; mv $backupDir/* . && rmdir $backupDir; }
+ -f key.pem || { for f in *; do rm $f; done; mv $backupDir/* . && rmdir $backupDir; }
 [[ -e key.pem ]] && ln -s -f key.pem privkey.pem
 '';
 in
-- 
cgit v1.2.3
From b948a2688a1a5f570fdb56b44a921194080fed52 Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Sun, 24 Jan 2016 13:02:46 +0100
Subject: daily reload of nginx to get ssl certs into nginx
---
 ymir.nix | 1 +
 1 file changed, 1 insertion(+)
diff --git a/ymir.nix b/ymir.nix
index 4fc294d2..2db35d87 100644
--- a/ymir.nix
+++ b/ymir.nix
@@ -133,6 +133,7 @@ in rec {
 %monthly * * * ${simp_le "/etc/nginx/ssl/git.yggdrasil.li" "git.yggdrasil.li"}
 %monthly * * * ${simp_le "/etc/nginx/ssl/dirty-haskell.org" "dirty-haskell.org"}
 %monthly * * * ${simp_le "/etc/nginx/ssl/www.dirty-haskell.org" "www.dirty-haskell.org"}
+ %daily * * systemctl reload nginx.service
 '';
 };
-- 
cgit v1.2.3
From 260d6d41a7eab55a051a5a8497f7bae2c9538006 Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Sun, 24 Jan 2016 13:06:19 +0100
Subject: better backup dirs
---
 custom/simp_le.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/custom/simp_le.nix b/custom/simp_le.nix
index 7478bcbf..686533a6 100644
--- a/custom/simp_le.nix
+++ b/custom/simp_le.nix
@@ -7,7 +7,7 @@ domain:
 let
 script = writeText "${domain}.sh" ''
- backupDir=/root/ssl_archive/$(date +'%Y-%m-%d')-${domain}
+ backupDir=/root/ssl_archive/$(date +'%Y-%m-%d')-$$-${domain}
 mkdir -p ${dir}
 cd ${dir}
 mkdir -p $backupDir
-- 
cgit v1.2.3
From 60fd55bbeea060640fde6834f7488544a58a6f27 Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Sun, 24 Jan 2016 13:17:48 +0100
Subject: ssl cert renewal jitter
---
 ymir.nix | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/ymir.nix b/ymir.nix
index 2db35d87..b4817508 100644
--- a/ymir.nix
+++ b/ymir.nix
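Review bot: `%daily * * systemctl reload nginx.service` reloads nginx unconditionally, so a certificate issued by one of the monthly jobs above it can sit unused for up to a day while every other day's reload does nothing; reloading from the renewal job itself when simp_le exits 0 (its signal that a certificate was actually issued) is both tighter and quieter, and would live in custom/simp_le.nix rather than in this systab. If the daily reload is kept as a safety net, a comment saying so, `# fallback: pick up certs renewed by the simp_le jobs above`, stops it being removed as redundant. The `systab` string starts outside the hunk.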
@@ -130,9 +130,9 @@ in rec {
 enable = true;
 systab = ''
 %weekly * * nix-collect-garbage --delete-older-than '7d'
- %monthly * * * ${simp_le "/etc/nginx/ssl/git.yggdrasil.li" "git.yggdrasil.li"}
- %monthly * * * ${simp_le "/etc/nginx/ssl/dirty-haskell.org" "dirty-haskell.org"}
- %monthly * * * ${simp_le "/etc/nginx/ssl/www.dirty-haskell.org" "www.dirty-haskell.org"}
+ %monthly,jitter(300) * * * ${simp_le "/etc/nginx/ssl/git.yggdrasil.li" "git.yggdrasil.li"}
+ %monthly,jitter(300) * * * ${simp_le "/etc/nginx/ssl/dirty-haskell.org" "dirty-haskell.org"}
+ %monthly,jitter(300) * * * ${simp_le "/etc/nginx/ssl/www.dirty-haskell.org" "www.dirty-haskell.org"}
 %daily * * systemctl reload nginx.service
 '';
 };
-- 
cgit v1.2.3
From ad3aa5365577c3f25ccc81ae5a0fd94c0d68e71f Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Sun, 24 Jan 2016 14:13:18 +0100
Subject: better tls config
---
 custom/ymir-nginx.nix | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/custom/ymir-nginx.nix b/custom/ymir-nginx.nix
index 9c98d2ab..fd7d7e94 100644
--- a/custom/ymir-nginx.nix
+++ b/custom/ymir-nginx.nix
@@ -68,6 +68,12 @@ in {
 access_log stderr;
 error_log stderr;
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
+ ssl_prefer_server_ciphers on;
+ ssl_session_cache shared:SSL:10m;
+ ssl_dhparam /etc/ssl/dhparam.pem;
+
 server {
 listen *:80;
 listen [::]:80;
-- 
cgit v1.2.3
From e35802125a7322e93602c9a4d827580f488ff9fa Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Wed, 3 Feb 2016 13:08:56 +0100
Subject: Fixed issue with cgit clone urls
---
 ymir.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ymir.nix b/ymir.nix
index b4817508..fe8a2dbf 100644
--- a/ymir.nix
+++ b/ymir.nix
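Review bot: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` in the `@@ -68,6 +68,12 @@` hunk keeps TLS 1.0 and 1.1 enabled, both of which are deprecated (RFC 8996); unless a known client needs them, `ssl_protocols TLSv1.2;` is the safer setting. `ssl_dhparam /etc/ssl/dhparam.pem;` points at a file nothing in this configuration generates, and because the cipher list includes `EDH` suites nginx will fail to load the configuration if the file is missing, so a comment stating where it comes from and that it should be at least 2048 bits belongs on that line, or the file should be produced declaratively. With `ssl_session_cache` set but `ssl_session_tickets` left at its default, tickets stay enabled with an in-memory key that only rotates on restart; `ssl_session_tickets off;` (or a managed ticket key file) alongside these lines closes that gap.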
@@ -240,7 +240,7 @@ in rec {
 readme=:readme.txt
 readme=:readme
- clone-url=git://git.yggdrasil.li/$CGIT_REPO_NAME http://git.yggdrasil.li/$CGIT_REPO_NAME
+ clone-url=git://git.yggdrasil.li/$CGIT_REPO_PATH http://git.yggdrasil.li/$CGIT_REPO_PATH
 strict-export=git-daemon-export-ok
 project-list=/srv/git/projects.list
-- 
cgit v1.2.3
From 2ec3047d3ad63b4030cb4de82b55fdc3c9d2527a Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Wed, 3 Feb 2016 13:14:38 +0100
Subject: *poke*
---
 ymir.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ymir.nix b/ymir.nix
index fe8a2dbf..b115835d 100644
--- a/ymir.nix
+++ b/ymir.nix
@@ -240,7 +240,7 @@ in rec {
 readme=:readme.txt
 readme=:readme
- clone-url=git://git.yggdrasil.li/$CGIT_REPO_PATH http://git.yggdrasil.li/$CGIT_REPO_PATH
+ clone-prefix=git://git.yggdrasil.li/, http://git.yggdrasil.li/
 strict-export=git-daemon-export-ok
 project-list=/srv/git/projects.list
-- 
cgit v1.2.3
From 40c2e71eec07560cbeac25b9a90eae66bc8c3676 Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Wed, 3 Feb 2016 13:15:08 +0100
Subject: typo
---
 ymir.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ymir.nix b/ymir.nix
index b115835d..b64b50bc 100644
--- a/ymir.nix
+++ b/ymir.nix
@@ -240,7 +240,7 @@ in rec {
 readme=:readme.txt
 readme=:readme
- clone-prefix=git://git.yggdrasil.li/, http://git.yggdrasil.li/
+ clone-prefix=git://git.yggdrasil.li/ http://git.yggdrasil.li/
 strict-export=git-daemon-export-ok
 project-list=/srv/git/projects.list
-- 
cgit v1.2.3
From 501ae307c1fecbb7a68454459f61e49e4a595387 Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Wed, 3 Feb 2016 13:15:38 +0100
Subject: *poke*
---
 ymir.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ymir.nix b/ymir.nix
index b64b50bc..42a75439 100644
--- a/ymir.nix
+++ b/ymir.nix
@@ -240,7 +240,7 @@ in rec {
 readme=:readme.txt
 readme=:readme
- clone-prefix=git://git.yggdrasil.li/ http://git.yggdrasil.li/
+ clone-prefix=git://git.yggdrasil.li http://git.yggdrasil.li
 strict-export=git-daemon-export-ok
 project-list=/srv/git/projects.list
-- 
cgit v1.2.3
From af5abbd056dab4c242469a4946be9cfe70a06701 Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Thu, 11 Feb 2016 20:12:47 +0100
Subject: allow mpd connections to bragi
---
 bragi.nix | 1 +
 1 file changed, 1 insertion(+)
diff --git a/bragi.nix b/bragi.nix
index 21dd9548..d9cf6bf3 100644
--- a/bragi.nix
+++ b/bragi.nix
@@ -190,6 +190,7 @@ in rec {
 allowPing = true;
 allowedTCPPorts = [ 22 # SSH
 8080 # thermoprint
+ 6600 # MPD
 ];
 allowedUDPPortRanges = [ { from = 60000; to = 61000; } # mosh
 ];
-- 
cgit v1.2.3
From b848cdd2e63781c4cd01518ebec7e9bf81ce7781 Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Thu, 11 Feb 2016 20:39:57 +0100
Subject: No thermoprint on bragi for now
---
 bragi.nix | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/bragi.nix b/bragi.nix
index d9cf6bf3..f520d05c 100644
--- a/bragi.nix
+++ b/bragi.nix
@@ -189,7 +189,7 @@ in rec {
 enable = true;
 allowPing = true;
 allowedTCPPorts = [ 22 # SSH
- 8080 # thermoprint
+ # 8080 # thermoprint
 6600 # MPD
 ];
 allowedUDPPortRanges = [ { from = 60000; to = 61000; } # mosh
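Review bot: `clone-prefix=git://git.yggdrasil.li http://git.yggdrasil.li` advertises only cleartext, unauthenticated transports, while the cgit server block in custom/ymir-nginx.nix already listens on 443 with a certificate for git.yggdrasil.li; listing `https://git.yggdrasil.li` as the first prefix gives clients a clone URL whose origin is verified, and the `git://` prefix can be dropped if nothing depends on the daemon. The enclosing cgit configuration string starts and ends outside the hunk.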
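Review bot: Adding `6600 # MPD` to `allowedTCPPorts` exposes MPD's control protocol on every interface the firewall covers, and MPD does no client authentication unless a `password` is set in its own configuration, which this page does not show; anyone who can reach the port can then control playback, edit playlists and list the library. If the clients sit on one network, restrict the rule to that interface or source with `networking.firewall.extraCommands` (an `iptables -A nixos-fw -s <trusted-net> -p tcp --dport 6600 -j nixos-fw-accept` rule, `<trusted-net>` to be filled in), or bind MPD to a non-public address and leave the port closed. Whichever is chosen, extend the comment so the exposure is recorded: `6600 # MPD (protocol has no auth; restricted to trusted hosts via extraCommands)`.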
@@ -248,14 +248,14 @@ in rec {
 home = "/var/lib/thermoprint";
 };
- systemd.services."thermoprint" = {
- serviceConfig = {
- Type = "simple";
- ExecStart = ''${thermoprint-servant}/bin/thermoprint --database ${users.extraUsers."thermoprint".home}/database.sqlite /dev/usb/lp0'';
- User = users.extraUsers."thermoprint".name;
- Group = users.extraUsers."thermoprint".group;
- };
- };
+ # systemd.services."thermoprint" = {
+ # serviceConfig = {
+ # Type = "simple";
+ # ExecStart = ''${thermoprint-servant}/bin/thermoprint --database ${users.extraUsers."thermoprint".home}/database.sqlite /dev/usb/lp0'';
+ # User = users.extraUsers."thermoprint".name;
+ # Group = users.extraUsers."thermoprint".group;
+ # };
+ # };
 nix = {
 extraOptions = ''
-- 
cgit v1.2.3