From 9276e8acbfd62e187a5029e1b524d85aea7c9678 Mon Sep 17 00:00:00 2001
From: Gabriel Ebner
Date: Sat, 5 Dec 2015 14:14:55 +0100
Subject: [PATCH] mastus: switch to letsencrypt certificates

---
 mastus/gogs.nix | 4 ++--
 mastus/mail.nix | 11 +++++------
 mastus/vmtest.nix | 12 ++++--------
 3 files changed, 11 insertions(+), 16 deletions(-)

diff --git a/mastus/gogs.nix b/mastus/gogs.nix
index 3eccbe1..1281900 100644
--- a/mastus/gogs.nix
+++ b/mastus/gogs.nix
@@ -94,8 +94,8 @@ in
 server_name git.gebner.org;
 ssl on;
- ssl_certificate_key /etc/sslcerts/mastus.key;
- ssl_certificate /etc/sslcerts/git.cert;
+ ssl_certificate_key /etc/sslcerts/key.pem;
+ ssl_certificate /etc/sslcerts/fullchain.pem;
 ssl_dhparam /etc/nginx/dhparam.pem;
 ssl_protocols TLSv1.1 TLSv1.2;
 ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
diff --git a/mastus/mail.nix b/mastus/mail.nix
index f43b937..3764f26 100644
--- a/mastus/mail.nix
+++ b/mastus/mail.nix
@@ -20,9 +20,8 @@ cutintro: gebner
 '';
 hostname = "mastus.gebner.org";
- sslCACert = "/etc/sslcerts/startssl.cert";
- sslCert = "/etc/sslcerts/mail.cert";
- sslKey = "/etc/sslcerts/mail.key";
+ sslCert = "/etc/sslcerts/fullchain.pem";
+ sslKey = "/etc/sslcerts/key.pem";
 destination = [ "gebner.org" "gabrielebner.at" "2b7e.org" "mastus.gebner.org" "localhost" ];
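Review bot: The new `ssl_certificate_key /etc/sslcerts/key.pem;` line points nginx at the same private key that mail.nix now assigns to its first mail service (`sslKey = "/etc/sslcerts/key.pem";`) and, via the `key-dovecot.pem` copy made in vmtest.nix, to dovecot, so one key now backs three network-facing daemons running under different users, and a compromise of any one of them exposes the TLS identity of all. If sharing one certificate is intended, say so next to these paths, e.g. `# key.pem/fullchain.pem are shared with the mail services in mail.nix; rotate all consumers together`. The commit also gives no hint of how fullchain.pem and key.pem reach /etc/sslcerts on the real host (vmtest.nix only fabricates test copies) or whether nginx is reloaded after a renewal, which with short-lived certificates is worth a line here. The enclosing server block starts and ends outside the hunk.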
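Review bot: `sslCACert` is dropped from this service, but the dovecot block in the next hunk (`@@ -50,9 +49,9 @@`) keeps it and points it at `/etc/sslcerts/fullchain.pem`, the same file as its `sslServerCert`; the two blocks should agree on whether a separate CA file is still needed once the intermediate is embedded in fullchain.pem. If that option maps to a CA store used for verifying peer certificates rather than to the served chain, pointing it at the public issuer chain is at best redundant and deserves a comment either way. I would add above the new `sslCert` line `# fullchain.pem already carries the intermediate; no separate CA file needed`. The attribute set these lines belong to starts and ends outside the hunk.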
@@ -50,9 +49,9 @@ enable = true;
 enablePop3 = false;
 mailLocation = "maildir:~/mail";
- sslCACert = "/etc/sslcerts/startssl.cert";
- sslServerCert = "/etc/sslcerts/mail.cert";
- sslServerKey = "/etc/sslcerts/mail-dovecot.key";
+ sslCACert = "/etc/sslcerts/fullchain.pem";
+ sslServerCert = "/etc/sslcerts/fullchain.pem";
+ sslServerKey = "/etc/sslcerts/key-dovecot.pem";
 extraConfig = ''
 ssl_protocols = !SSLv2 !SSLv3
diff --git a/mastus/vmtest.nix b/mastus/vmtest.nix
index df5b61f..8b026be 100644
--- a/mastus/vmtest.nix
+++ b/mastus/vmtest.nix
@@ -47,15 +47,11 @@ clean-all
 build-dh
 pkitool --initca
-KEY_CN=git.gebner.org pkitool --server git
-KEY_CN=imap.gebner.org pkitool --server mail
+KEY_CN=gebner.org pkitool --server gebner_org
-cp keys/ca.crt startssl.cert
-cp keys/mail.crt mail.cert
-cp keys/mail.key mail.key
-cp keys/mail.key mail-dovecot.key && chown dovecot2 mail-dovecot.key
-cp keys/git.crt git.cert
-cp keys/git.key mastus.key
+cat keys/gebner_org.crt keys/ca.crt >fullchain.pem
+cp keys/gebner_org.key key.pem
+cp key.pem key-dovecot.pem && chown dovecot2 key-dovecot.pem
 '';
 };
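Review bot: `sslServerKey = "/etc/sslcerts/key-dovecot.pem";` makes dovecot read a second on-disk copy of the private key (vmtest.nix produces it with `cp key.pem key-dovecot.pem && chown dovecot2 key-dovecot.pem`) while `sslServerCert` reads `fullchain.pem` directly; if a renewal rewrites fullchain.pem and key.pem without also refreshing key-dovecot.pem, dovecot presents a certificate whose key it no longer holds and TLS handshakes fail until the copy is redone. The copy appears to exist only for file ownership, so a group-readable key.pem with dovecot2 in that group, or a renewal hook that refreshes the copy, would remove the split. At minimum record the dependency next to this line: `# key-dovecot.pem is a copy of key.pem owned by dovecot2; refresh it on every renewal`. The dovecot attribute set continues outside the hunk.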
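Review bot: `cp keys/gebner_org.key key.pem` and `cp key.pem key-dovecot.pem` create the private key files with whatever mode the umask gives cp, and the following `chown dovecot2` changes only the owner, so in the test VM both keys may end up readable by every local user; `install -m 0600 keys/gebner_org.key key.pem` and `install -m 0600 -o dovecot2 key.pem key-dovecot.pem` would pin the mode explicitly (the removed `cp keys/mail.key ...` lines had the same gap, so this is not new, but the rewrite is the moment to fix it). The single test certificate now carries `KEY_CN=gebner.org`, whereas gogs.nix serves `git.gebner.org` and mail.nix uses `mastus.gebner.org`; unless pkitool adds those names as subjectAltNames, hostname verification inside the VM test no longer matches what the services present, which may or may not matter for what the test asserts. The `cat keys/gebner_org.crt keys/ca.crt >fullchain.pem` ordering, leaf first then issuer, is the right one. The shell script these lines live in begins outside the hunk.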