From e7bb728c00cfbf8f8df3d29d71e07bf40882f977 Mon Sep 17 00:00:00 2001 From: Gabriel Ebner Date: Mon, 18 Apr 2016 11:34:51 +0200 Subject: [PATCH 1/3] update intellij eap --- common.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/common.nix b/common.nix index a40fe4a..c68fef3 100644 --- a/common.nix +++ b/common.nix @@ -110,8 +110,8 @@ name = "idea-community-${version}"; version = "2016.1.eap"; src = pkgs.fetchurl { - url = "https://download.jetbrains.com/idea/ideaIC-145.844.1-no-jdk.tar.gz"; - sha256 = "fff7641713037645b6b287069c9a0cc5d35285d4960f5cb3a45bf93b473fee7e"; + url = "https://download.jetbrains.com/idea/ideaIC-145.969.6-no-jdk.tar.gz"; + sha256 = "b9d0abc4cc7a5e2ee019028335dfd096da2587ed8165d30871cb00a8592148cc"; }; }); From 91bd193c60940ea82547a2bde2dbf1e8bda98610 Mon Sep 17 00:00:00 2001 From: Gabriel Ebner Date: Sun, 24 Apr 2016 16:44:51 +0200 Subject: [PATCH 2/3] mastus/vmtest: update to new easyrsa version --- mastus/vmtest.nix | 42 ++++++++---------------------------------- 1 file changed, 8 insertions(+), 34 deletions(-) diff --git a/mastus/vmtest.nix b/mastus/vmtest.nix index 8b026be..047b5c3 100644 --- a/mastus/vmtest.nix +++ b/mastus/vmtest.nix 
@@ -16,48 +16,22 @@ let }; script = '' rm -rf /etc/sslcerts -mkdir -p /etc/sslcerts/keys +mkdir -p /etc/sslcerts cd /etc/sslcerts -# export PKCS11TOOL="pkcs11-tool" -export KEY_CONFIG=`${pkgs.easyrsa}/share/easy-rsa/whichopensslcnf ${pkgs.easyrsa}/share/easy-rsa/` -export KEY_DIR="$PWD/keys" +easyrsa-init +easyrsa init-pki +easyrsa --batch --req-cn=testing.gebner.org build-ca nopass +easyrsa --req-cn=gebner.org build-server-full gebner_org nopass -# PKCS11 fixes -# export PKCS11_MODULE_PATH="dummy" -# export PKCS11_PIN="dummy" - -export KEY_SIZE=1024 - -export CA_EXPIRE=3650 -export KEY_EXPIRE=3650 - -export KEY_COUNTRY="AT" -export KEY_PROVINCE="AT" -export KEY_CITY="Vienna" -export KEY_ORG="Gabriel" -export KEY_EMAIL="testing@gebner.org" -export KEY_CN=testing.gebner.org -export KEY_NAME=testing.gebner.org -export KEY_OU=testing -# export PKCS11_MODULE_PATH=changeme -# export PKCS11_PIN=1234 - -clean-all -build-dh -pkitool --initca - -KEY_CN=gebner.org pkitool --server gebner_org - -cat keys/gebner_org.crt keys/ca.crt >fullchain.pem -cp keys/gebner_org.key key.pem +cat pki/issued/gebner_org.crt pki/ca.crt >fullchain.pem +cp pki/private/gebner_org.key key.pem cp key.pem key-dovecot.pem && chown dovecot2 key-dovecot.pem - ''; }; systemd.services.setupVM = rec { - wantedBy = [ "gogs.service" "dovecot2.service" ]; + wantedBy = [ "gogs.service" "dovecot2.service" "nginx.service" ]; before = wantedBy; wants = [ "createSSLKeys.service" ]; serviceConfig = { From 146d6a818e5bb329a29ba15a3c11ab0cd6cb783e Mon Sep 17 00:00:00 2001 From: Gabriel Ebner Date: Sun, 24 Apr 2016 16:45:15 +0200 Subject: [PATCH 3/3] mastus: www.gebner.org --- mastus/blog.nix | 46 ++++++++++++++++++++++++++++++++++++++++ mastus/configuration.nix | 1 + 2 files changed, 47 insertions(+) create mode 100644 mastus/blog.nix diff --git a/mastus/blog.nix b/mastus/blog.nix new file mode 100644 index 0000000..8a069ef --- /dev/null +++ b/mastus/blog.nix 
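Review bot: The second call, `easyrsa --req-cn=gebner.org build-server-full gebner_org nopass`, omits the `--batch` flag that the `build-ca` line above it passes. The script runs from a systemd unit with no terminal, so if that subcommand asks for confirmation the unit would fail or stall; `easyrsa --batch --req-cn=gebner.org build-server-full gebner_org nopass` keeps the two calls consistent. It is also worth confirming that the issued certificate really carries CN gebner.org, since some easyrsa 3 releases appear to take the CN for `build-server-full` from the file-name argument, which would give `gebner_org`. Both keys are created with `nopass` and the CA private key stays under /etc/sslcerts/pki, so a comment such as `# throwaway PKI for the VM test only; keys are unencrypted` above the easyrsa calls would keep this from being copied into a real host configuration. The unit definition that contains this script starts above the hunk.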
@@ -0,0 +1,46 @@ +{ config, pkgs, ... }: + +{ + services.nginx.httpConfig = '' + server { + listen [::]:443; + listen 443; + server_name gabrielebner.at www.gabrielebner.at 2b7e.org www.2b7e.org www.gebner.org; + + ssl on; + ssl_certificate_key /etc/sslcerts/key.pem; + ssl_certificate /etc/sslcerts/fullchain.pem; + ssl_dhparam /etc/nginx/dhparam.pem; + ssl_protocols TLSv1.1 TLSv1.2; + ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK'; + ssl_prefer_server_ciphers on; + add_header Strict-Transport-Security max-age=15768000; + ssl_stapling on; + ssl_stapling_verify on; + + location / { + rewrite ^(.*) https://gebner.org$1 permanent; + } + } + + server { + listen [::]:443; + listen 443; + server_name gebner.org; + + ssl on; + ssl_certificate_key /etc/sslcerts/key.pem; + ssl_certificate /etc/sslcerts/fullchain.pem; + ssl_dhparam /etc/nginx/dhparam.pem; + ssl_protocols TLSv1.1 TLSv1.2; + ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK'; + ssl_prefer_server_ciphers on; + add_header 
Strict-Transport-Security max-age=15768000; + ssl_stapling on; + ssl_stapling_verify on; + + root /srv/www.gebner.org; + error_page 404 403 /pages/404.html; + } + ''; +} diff --git a/mastus/configuration.nix b/mastus/configuration.nix index b347fb5..8dfeee0 100644 --- a/mastus/configuration.nix +++ b/mastus/configuration.nix @@ -11,6 +11,7 @@ ./www.nix ./gogs.nix ./letsencrypt.nix + ./blog.nix ]; boot.loader.grub.enable = true;
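Review bot: In mastus/blog.nix the HSTS header is set without `always` in both server blocks, so nginx leaves it off the 403/404 responses that the gebner.org block serves through `error_page`. Writing `add_header Strict-Transport-Security max-age=15768000 always;` covers every status code (the parameter needs nginx 1.7.5 or later). `ssl_stapling_verify on` is enabled, but neither block sets `ssl_trusted_certificate` or a `resolver`. Unless those are defined at http level in another module, stapling will probably not take effect, and it presumably cannot work with the easyrsa test certificate from vmtest.nix, which is unlikely to name an OCSP responder. The TLS settings are also duplicated verbatim in the two blocks; binding them once in a Nix `let` string and interpolating it into each server block would keep later protocol and cipher changes (for example dropping TLSv1.1, the DHE-DSS suites and the SHA-1 CBC suites) from drifting apart.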