From 6d7d4c3d80d0f1b9aa2e05d4983d14b0aa63ed79 Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Wed, 13 Apr 2016 12:43:30 +0200
Subject: letsencrypt for all domains

---
 custom/simp_le.nix | 3 ++-
 custom/ymir-nginx.nix | 3 +++
 ymir.nix | 20 +++++++++++++++-----
 3 files changed, 20 insertions(+), 6 deletions(-)

diff --git a/custom/simp_le.nix b/custom/simp_le.nix
index 686533a6..755d8cd6 100644
--- a/custom/simp_le.nix
+++ b/custom/simp_le.nix
@@ -2,10 +2,11 @@
 , simp_le
 , eject
 }:
-dir:
+#dir:
 domain:
 let
+ dir = "/etc/ssl/self/${domain}";
 script = writeText "${domain}.sh" ''
 backupDir=/root/ssl_archive/$(date +'%Y-%m-%d')-$$-${domain}
 mkdir -p ${dir}
diff --git a/custom/ymir-nginx.nix b/custom/ymir-nginx.nix
index fd7d7e94..a130bcd1 100644
--- a/custom/ymir-nginx.nix
+++ b/custom/ymir-nginx.nix
@@ -79,6 +79,9 @@ in {
 listen [::]:80;
 server_name _;
+ include ${favicon};
+ include ${acme};
+ root /srv/www/praseodym.org;
 }
diff --git a/ymir.nix b/ymir.nix
index 722bbc08..f7308906 100644
--- a/ymir.nix
+++ b/ymir.nix
@@ -9,8 +9,8 @@ let
 enabled = true;
 domain = name;
 ssl = {
- key = "certs/${name}.key";
- cert = "certs/${name}.crt";
+ key = "ssl/${name}/key.pem";
+ cert = "ssl/${name}/fullchain.pem";
 };
 };
 simp_le = pkgs.callPackage ./custom/simp_le.nix {};
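Review bot: `mkdir -p ${dir}` now creates `/etc/ssl/self/${domain}` with whatever mode the cron job's umask yields, and nothing in this hunk sets the directory's group or permissions, even though the same commit adds an `ssl` group (prosody, nginx) in ymir.nix that presumably exists to read the key placed there; pin it explicitly after the mkdir, e.g. `chgrp ssl ${dir} && chmod 750 ${dir}`, and make sure the key file itself is not world-readable. The commented-out `#dir:` line is dead text now that `dir` is computed in the `let`; delete it rather than leaving it as a comment. The shell script body continues past the hunk, so if file modes are already fixed further down, this applies only to the directory.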
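Review bot: `include ${acme};` is added only to the `server_name _;` fallback server, so any domain that has its own port-80 server block elsewhere in this file will never reach this challenge location; if such blocks exist (they are outside the hunk) they need the same include, or the challenge location should live in a snippet shared by every port-80 server. The `${acme}` snippet is defined outside the hunk and this server carries `root /srv/www/praseodym.org;`, so unless the snippet sets its own `root` or `alias`, challenge files for every domain would be looked up under the praseodym.org docroot — worth confirming. A one-line comment on the include, `# http-01 challenges for every name that lands on the fallback server`, would state the intent.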
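Review bot: `key = "ssl/${name}/key.pem"` and `cert = "ssl/${name}/fullchain.pem"` are relative paths, while custom/simp_le.nix in this same commit now writes to the absolute `/etc/ssl/self/${domain}`; the two only meet if whatever consumes this attribute set resolves relative paths against a directory that is, or symlinks to, `/etc/ssl/self` (the `enabled`/`domain`/`ssl` shape looks like a prosody virtual host, which would resolve against prosody's own config directory — confirm). Using the absolute path, `key = "/etc/ssl/self/${name}/key.pem";` and likewise for `cert`, removes the dependency on that resolution rule and keeps a single source of truth for the location. The enclosing `let` binding begins before the hunk.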
@@ -130,13 +130,23 @@ in rec {
 enable = true;
 systab = ''
 %weekly * * nix-collect-garbage --delete-older-than '7d'
- %monthly * * * ${simp_le "/etc/nginx/ssl/git.yggdrasil.li" "git.yggdrasil.li"}
- %monthly * * * ${simp_le "/etc/nginx/ssl/dirty-haskell.org" "dirty-haskell.org"}
- %monthly * * * ${simp_le "/etc/nginx/ssl/www.dirty-haskell.org" "www.dirty-haskell.org"}
+ %monthly * * * ${simp_le "git.yggdrasil.li"}
+ %monthly * * * ${simp_le "dirty-haskell.org"}
+ %monthly * * * ${simp_le "www.dirty-haskell.org"}
+ %monthly * * * ${simp_le "141.li"}
+ %monthly * * * ${simp_le "xmpp.li"}
+ %monthly * * * ${simp_le "yggdrasil.li"}
+ %monthly * * * ${simp_le "praseodym.org"}
 %daily * * systemctl reload nginx.service
 '';
 };
+ users.groups."ssl" = {
+ members = [ "prosody"
+ "nginx"
+ ];
+ };
+
 services.chrony = {
 enable = true;
 };
--
cgit v1.2.3
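Review bot: Only nginx is reloaded (`%daily * * systemctl reload nginx.service`) after the monthly simp_le runs, yet this hunk adds `prosody` to the new `ssl` group so it can read the same keys; prosody will keep serving the previous certificate until it is reloaded, so add a matching daily reload line for the prosody unit, or have the simp_le script trigger it (the script body is outside this hunk). The seven `%monthly` lines repeat a domain list that the nginx and prosody configuration presumably also carries; if `lib` is in scope in this module, generating them from one list with `lib.concatMapStringsSep "\n" (d: "%monthly * * * ${simp_le d}") domains` keeps the two from drifting. Group membership alone grants nothing unless the key files under `/etc/ssl/self` are group-owned by `ssl` and not world-readable; that is handled, if at all, in simp_le.nix rather than here.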