letsencrypt

2015-12-05 13:41:20 +01:00 · 2015-12-05 13:41:20 +01:00 · a5bcc5c66b
commit a5bcc5c66b
parent 46e516f178
4 changed files with 41 additions and 0 deletions
--- a/mastus/configuration.nix
+++ b/mastus/configuration.nix
@ -10,6 +10,7 @@
      ./mail.nix
      ./www.nix
      ./gogs.nix
+      ./letsencrypt.nix
    ];

  boot.loader.grub.enable = true;
--- a/mastus/gogs.nix
+++ b/mastus/gogs.nix
@ -78,6 +78,11 @@ in
      listen 80;
      server_name git.gebner.org;

+      location /.well-known/acme-challenge {
+        default_type text/plain;
+        alias /etc/sslcerts/acmeroot/.well-known/acme-challenge;
+      }
+
      rewrite ^(.*) https://$host$1 permanent;
    }

--- a/mastus/letsencrypt.nix
+++ b/mastus/letsencrypt.nix
@ -0,0 +1,21 @@
+{ config, pkgs, ... }:
+
+{
+  systemd.services.letsencrypt = {
+    path = [ pkgs.simp_le ];
+
+    restartIfChanged = false;
+    serviceConfig = {
+      Type = "oneshot";
+    };
+
+    script = ''
+      mkdir -p /etc/sslcerts/acmeroot
+      cd /etc/sslcerts
+
+      simp_le -d git.gebner.org -d mail.gebner.org --default_root $PWD/acmeroot -f fullchain.pem -f key.pem
+    '';
+
+    startAt = "04:00";
+  };
+}
--- a/mastus/www.nix
+++ b/mastus/www.nix
@ -15,5 +15,19 @@

  services.nginx = {
    enable = true;
+    httpConfig = ''
+      server {
+        listen [::]:80;
+        listen 80;
+        server_name _;
+
+        location /.well-known/acme-challenge {
+          default_type text/plain;
+          alias /etc/sslcerts/acmeroot/.well-known/acme-challenge;
+        }
+
+        rewrite ^(.*) https://gebner.org$1 permanent;
+      }
+    '';
  };
 }