gebner/nixos-config
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

mastus: switch to letsencrypt certificates

Browse Source
This commit is contained in:
Gabriel Ebner 2015-12-05 14:14:55 +01:00
parent 46ab866076
commit 9276e8acbf
3 changed files with 11 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
mastus/gogs.nix
View File

@ -94,8 +94,8 @@ in
server_name git.gebner.org; server_name git.gebner.org;
ssl on; ssl on;
ssl_certificate_key /etc/sslcerts/mastus.key; ssl_certificate_key /etc/sslcerts/key.pem;
ssl_certificate /etc/sslcerts/git.cert; ssl_certificate /etc/sslcerts/fullchain.pem;
ssl_dhparam /etc/nginx/dhparam.pem; ssl_dhparam /etc/nginx/dhparam.pem;
ssl_protocols TLSv1.1 TLSv1.2; ssl_protocols TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK'; ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';

11
mastus/mail.nix
View File

@ -20,9 +20,8 @@
cutintro: gebner cutintro: gebner
''; '';
hostname = "mastus.gebner.org"; hostname = "mastus.gebner.org";
sslCACert = "/etc/sslcerts/startssl.cert"; sslCert = "/etc/sslcerts/fullchain.pem";
sslCert = "/etc/sslcerts/mail.cert"; sslKey = "/etc/sslcerts/key.pem";
sslKey = "/etc/sslcerts/mail.key";
destination = [ "gebner.org" "gabrielebner.at" "2b7e.org" destination = [ "gebner.org" "gabrielebner.at" "2b7e.org"
"mastus.gebner.org" "localhost" ]; "mastus.gebner.org" "localhost" ];
@ -50,9 +49,9 @@
enable = true; enable = true;
enablePop3 = false; enablePop3 = false;
mailLocation = "maildir:~/mail"; mailLocation = "maildir:~/mail";
sslCACert = "/etc/sslcerts/startssl.cert"; sslCACert = "/etc/sslcerts/fullchain.pem";
sslServerCert = "/etc/sslcerts/mail.cert"; sslServerCert = "/etc/sslcerts/fullchain.pem";
sslServerKey = "/etc/sslcerts/mail-dovecot.key"; sslServerKey = "/etc/sslcerts/key-dovecot.pem";
extraConfig = '' extraConfig = ''
ssl_protocols = !SSLv2 !SSLv3 ssl_protocols = !SSLv2 !SSLv3

12
mastus/vmtest.nix
View File

@ -47,15 +47,11 @@ clean-all
build-dh build-dh
pkitool --initca pkitool --initca
KEY_CN=git.gebner.org pkitool --server git KEY_CN=gebner.org pkitool --server gebner_org
KEY_CN=imap.gebner.org pkitool --server mail
cp keys/ca.crt startssl.cert cat keys/gebner_org.crt keys/ca.crt >fullchain.pem
cp keys/mail.crt mail.cert cp keys/gebner_org.key key.pem
cp keys/mail.key mail.key cp key.pem key-dovecot.pem && chown dovecot2 key-dovecot.pem
cp keys/mail.key mail-dovecot.key && chown dovecot2 mail-dovecot.key
cp keys/git.crt git.cert
cp keys/git.key mastus.key
''; '';
}; };