From d7b19ea3e9ad40267ee1962d35a41abe939078f6 Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Fri, 1 Feb 2019 22:07:38 +0100
Subject: dhparams

---
 custom/ymir-nginx.nix | 6 +++---
 ymir.nix | 47 ++++++++++++++++++++++++++++-------------------
 2 files changed, 31 insertions(+), 22 deletions(-)

diff --git a/custom/ymir-nginx.nix b/custom/ymir-nginx.nix
index 854dd4d4..975bb344 100644
--- a/custom/ymir-nginx.nix
+++ b/custom/ymir-nginx.nix
@@ -86,10 +86,10 @@ in {
 ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
 ssl_prefer_server_ciphers on;
 ssl_session_cache shared:SSL:10m;
- ssl_dhparam /etc/ssl/dhparam.pem;
+ ssl_dhparam ${config.security.dhparams.params.nginx.path};
 
- ssl_certificate /var/lib/acme/yggdrasil.li/fullchain.pem;
- ssl_certificate_key /var/lib/acme/yggdrasil.li/key.pem;
+ ssl_certificate ${config.security.acme.directory}/yggdrasil.li/fullchain.pem;
+ ssl_certificate_key ${config.security.acme.directory}/yggdrasil.li/key.pem;
 
 server {
 listen *:80;
diff --git a/ymir.nix b/ymir.nix
index 57137333..01e38833 100644
--- a/ymir.nix
+++ b/ymir.nix
@@ -11,8 +11,11 @@ let
 enabled = true;
 domain = name;
 ssl = {
- key = "/var/lib/acme/yggdrasil.li/key.pem";
- cert = "/var/lib/acme/yggdrasil.li/fullchain.pem";
+ key = "${config.security.acme.directory}/yggdrasil.li/key.pem";
+ cert = "${config.security.acme.directory}/yggdrasil.li/fullchain.pem";
+ extraOptions = {
+ dhparam = config.security.dhparams.params.prosody.path;
+ };
 };
 };
 myDomains = [ "dirty-haskell.org" "www.dirty-haskell.org" "lists.dirty-haskell.org" "l.dirty-haskell.org"
@@ -402,7 +405,7 @@ in rec {
 strict-export=git-daemon-export-ok
 section-from-path=2
 
- scan-path=/srv/git/repositories
+ scan-path=${config.services.gitolite.dataDir}/repositories
 '';
 };
 environment.etc."cgit/git.rheperire.org" = {
@@ -440,7 +443,7 @@ in rec {
 cryptoids.git
 ''}
 section-from-path=2
 
- scan-path=/srv/git/repositories
+ scan-path=${config.services.gitolite.dataDir}/repositories
 '';
 };
@@ -492,12 +495,13 @@ in rec {
 /^localhost$/ ACCEPT
 /\.?ymir$/ ACCEPT
 ''}''];
- sslCert = "/var/lib/acme/yggdrasil.li/fullchain.pem";
- sslKey = "/var/lib/acme/yggdrasil.li/key.pem";
+ sslCert = "${config.security.acme.directory}/yggdrasil.li/fullchain.pem";
+ sslKey = "${config.security.acme.directory}/yggdrasil.li/key.pem";
 config = {
 #the dh params
- smtpd_tls_dh1024_param_file = "/etc/ssl/dhparam.pem";
- smtpd_tls_dh512_param_file = "/etc/ssl/dhparam.pem";
+ smtpd_tls_dh2048_param_file = config.security.dhparams.params.postfix-2048.path;
+ smtpd_tls_dh1024_param_file = config.security.dhparams.params.postfix-1024.path;
+ smtpd_tls_dh512_param_file = config.security.dhparams.params.postfix-512.path;
 #enable ECDH
 smtpd_tls_eecdh_grade = "strong";
 #enabled SSL protocols, don't allow SSLv2 and SSLv3
@@ -728,8 +732,8 @@ in rec {
 enableLmtp = true;
 enablePop3 = false;
 enablePAM = false; # do that manualy
- sslServerCert = "/var/lib/acme/yggdrasil.li/fullchain.pem";
- sslServerKey = "/var/lib/acme/yggdrasil.li/key.pem";
+ sslServerCert = "${config.security.acme.directory}/yggdrasil.li/fullchain.pem";
+ sslServerKey = "${config.security.acme.directory}/yggdrasil.li/key.pem";
 mailLocation = "maildir:~/mail:LAYOUT=index:UTF-8";
 modules = with pkgs; [ dovecot_pigeonhole ];
 protocols = [ "sieve" ];
@@ -809,11 +813,6 @@ in rec {
 }
 }
 
- service managesieve {
- }
- protocol sieve {
- }
-
 plugin {
 sieve = file:~/sieve;active=~/.dovecot.sieve
 sieve_redirect_envelope_from = orig_recipient
@@ -981,8 +980,8 @@ in rec {
 
 services.infinoted = {
 enable = true;
- keyFile = "/var/lib/acme/yggdrasil.li/key.pem";
- certificateFile = "/var/lib/acme/yggdrasil.li/fullchain.pem";
+ keyFile = "${config.security.acme.directory}/yggdrasil.li/key.pem";
+ certificateFile = "${config.security.acme.directory}/yggdrasil.li/fullchain.pem";
 plugins = [ "note-text" "note-chat" "logging" "autosave" "certificate-auth" "directory-sync" ];
 extraConfig = ''
 [certificate-auth]
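Review bot: `smtpd_tls_dh2048_param_file` in the new postfix `config` block does not look like a Postfix parameter: as far as I know Postfix only reads `smtpd_tls_dh1024_param_file` (used for every non-export DHE cipher, and it accepts a 2048-bit or larger group despite the name) and `smtpd_tls_dh512_param_file` (export ciphers only), so the 2048-bit group would be ignored with an "unused parameter" warning while the 1024-bit group is the one actually served. Consider `smtpd_tls_dh1024_param_file = config.security.dhparams.params.postfix-2048.path;` and dropping the dh2048 line together with the 1024-bit group. The 512-bit file only matters if export-grade ciphers are offered; the cipher settings that decide that are outside this hunk, and it is worth confirming they are excluded so the weak group is never negotiated.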
@@ -1053,8 +1052,8 @@ in rec {
 localUsers = true;
 writeEnable = true;
 chrootlocalUser = true;
- rsaKeyFile = "/var/lib/acme/yggdrasil.li/key.pem";
- rsaCertFile = "/var/lib/acme/yggdrasil.li/fullchain.pem";
+ rsaKeyFile = "${config.security.acme.directory}/yggdrasil.li/key.pem";
+ rsaCertFile = "${config.security.acme.directory}/yggdrasil.li/fullchain.pem";
 
 extraConfig = ''
 local_umask=022
@@ -1090,4 +1089,14 @@ in rec {
 users.extraUsers."vsftpd" = {
 home = mkForce "/srv/ftp";
 };
+
+ security.dhparams = {
+ enable = true;
+ nginx.bits = 3072;
+ posfix-512.bits = 512;
+ postfix-1024.bits = 1024;
+ postfix-2048.bits = 2048;
+ dovecot2.bits = 2048;
+ prosody.bits = 3072;
+ };
 }
--
cgit v1.2.3
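Review bot: `posfix-512.bits = 512;` in the new `security.dhparams` block is misspelled: the postfix hunk reads `config.security.dhparams.params.postfix-512.path`, which this block never defines, so evaluating that reference fails. The groups are also assigned directly under `security.dhparams` while every consumer in this patch (nginx, prosody, postfix) reads them through `config.security.dhparams.params.<name>.path`; unless the module aliases the short form, they need to sit under `params`, i.e. `security.dhparams = { enable = true; params = { nginx.bits = 3072; postfix-512.bits = 512; /* … */ }; };`. `dovecot2.bits = 2048` is declared here, but no hunk in this patch wires its `.path` into the dovecot2 configuration, so it appears to be generated without being used.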