mastus: switch to nixos acme service

mastus/blog.nix

@@ -8,8 +8,8 @@
       server_name gabrielebner.at www.gabrielebner.at 2b7e.org www.2b7e.org www.gebner.org;
 
       ssl on;
-      ssl_certificate_key /etc/sslcerts/key.pem;
-      ssl_certificate /etc/sslcerts/fullchain.pem;
+      ssl_certificate_key /var/lib/acme/gebner.org/key.pem;
+      ssl_certificate /var/lib/acme/gebner.org/fullchain.pem;
       ssl_dhparam /etc/nginx/dhparam.pem;
       ssl_protocols TLSv1.1 TLSv1.2;
       ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
@@ -29,8 +29,8 @@
       server_name gebner.org;
 
       ssl on;
-      ssl_certificate_key /etc/sslcerts/key.pem;
-      ssl_certificate /etc/sslcerts/fullchain.pem;
+      ssl_certificate_key /var/lib/acme/gebner.org/key.pem;
+      ssl_certificate /var/lib/acme/gebner.org/fullchain.pem;
       ssl_dhparam /etc/nginx/dhparam.pem;
       ssl_protocols TLSv1.1 TLSv1.2;
       ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';

mastus/gitblit.nix

@@ -52,8 +52,8 @@ in
       server_name git.gebner.org;
 
       ssl on;
-      ssl_certificate_key /etc/sslcerts/mastus.key;
-      ssl_certificate /etc/sslcerts/git.cert;
+      ssl_certificate_key /var/lib/acme/gebner.org/mastus.key;
+      ssl_certificate /var/lib/acme/gebner.org/git.cert;
 
       location / {
         proxy_set_header X-Real-IP $remote_addr;

mastus/gogs.nix

@@ -80,7 +80,7 @@ in
 
       location /.well-known/acme-challenge {
         default_type text/plain;
-        alias /etc/sslcerts/acmeroot/.well-known/acme-challenge;
+        alias /var/lib/acme/www/.well-known/acme-challenge;
       }
 
       location / {
@@ -94,8 +94,8 @@ in
       server_name git.gebner.org;
 
       ssl on;
-      ssl_certificate_key /etc/sslcerts/key.pem;
-      ssl_certificate /etc/sslcerts/fullchain.pem;
+      ssl_certificate_key /var/lib/acme/gebner.org/key.pem;
+      ssl_certificate /var/lib/acme/gebner.org/fullchain.pem;
       ssl_dhparam /etc/nginx/dhparam.pem;
       ssl_protocols TLSv1.1 TLSv1.2;
       ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';

mastus/letsencrypt.nix

@@ -1,35 +1,27 @@
 { config, pkgs, ... }:
 
 {
-  systemd.services.letsencrypt = {
-    path = [ pkgs.simp_le ];
+  security.acme.certs = {
+    "gebner.org" = {
+      webroot = "/var/lib/acme/www";
+      email = "gebner@gebner.org";
+      extraDomains = {
+        "git.gebner.org" = null;
+        "mail.gebner.org" = null;
+        "gebner.org" = null;
+        "www.gebner.org" = null;
+        "gabrielebner.at" = null;
+        "www.gabrielebner.at" = null;
+        "2b7e.org" = null;
+        "www.2b7e.org" = null;
+      };
 
-    restartIfChanged = false;
-    serviceConfig = {
-      Type = "oneshot";
+      postRun = ''
+        systemctl reload nginx
+        systemctl restart dovecotSslKey
+        systemctl reload dovecot2
+      '';
     };
-
-    script = ''
-      mkdir -p /etc/sslcerts/acmeroot
-      cd /etc/sslcerts
-
-      simp_le \
-        -d git.gebner.org \
-        -d mail.gebner.org \
-        -d gebner.org \
-        -d www.gebner.org \
-        -d gabrielebner.at \
-        -d www.gabrielebner.at \
-        -d 2b7e.org \
-        -d www.2b7e.org \
-        --default_root $PWD/acmeroot \
-        -f account_key.json -f fullchain.pem -f key.pem \
-        --email gebner@gebner.org
-
-      cp key.pem key-dovecot.pem
-      chown dovecot2 key-dovecot.pem
-    '';
-
-    startAt = "04:00";
   };
+
 }

mastus/mail.nix

@@ -20,8 +20,8 @@
       cutintro: gebner
     '';
     hostname = "mastus.gebner.org";
-    sslCert = "/etc/sslcerts/fullchain.pem";
-    sslKey = "/etc/sslcerts/key.pem";
+    sslCert = "/var/lib/acme/gebner.org/fullchain.pem";
+    sslKey = "/var/lib/acme/gebner.org/key.pem";
 
     destination = [ "gebner.org" "gabrielebner.at" "2b7e.org"
       "mastus.gebner.org" "localhost" ];
@@ -57,9 +57,9 @@
     enable = true;
     enablePop3 = false;
     mailLocation = "maildir:~/mail";
-    sslCACert = "/etc/sslcerts/fullchain.pem";
-    sslServerCert = "/etc/sslcerts/fullchain.pem";
-    sslServerKey = "/etc/sslcerts/key-dovecot.pem";
+    sslCACert = "/var/lib/acme/gebner.org/fullchain.pem";
+    sslServerCert = "/var/lib/acme/gebner.org/fullchain.pem";
+    sslServerKey = "/var/lib/acme/gebner.org-dovecot/key.pem";
     extraConfig = ''
       ssl_protocols = !SSLv2 !SSLv3
 
@@ -72,6 +72,21 @@
       }
     '';
   };
+  systemd.services.dovecotSslKey = rec {
+    wantedBy = [ "dovecot2.service" ];
+    before = wantedBy;
+    after = [ "acme-gebner.org.service" ];
+    serviceConfig = {
+      Type = "oneshot";
+      RemainAfterExit = "yes";
+    };
+    script = ''
+      cd /var/lib/acme
+      mkdir gebner.org-dovecot
+      cp gebner.org/key.pem gebner.org-dovecot/key.pem
+      chown dovecot2 gebner.org-dovecot/key.pem
+    '';
+  };
 
   services.spamassassin.enable = true;
   systemd.services.setupSpamassassin = {

mastus/vmtest.nix

@@ -8,32 +8,9 @@ let
 
     boot.enableContainers = true;
 
-    systemd.services.createSSLKeys = {
-      path = [ pkgs.easyrsa ];
-      serviceConfig = {
-        Type = "oneshot";
-        RemainAfterExit = "yes";
-      };
-      script = ''
-rm -rf /etc/sslcerts
-mkdir -p /etc/sslcerts
-cd /etc/sslcerts
-
-easyrsa-init
-easyrsa init-pki
-easyrsa --batch --req-cn=testing.gebner.org build-ca nopass
-easyrsa --req-cn=gebner.org build-server-full gebner_org nopass
-
-cat pki/issued/gebner_org.crt pki/ca.crt >fullchain.pem
-cp pki/private/gebner_org.key key.pem
-cp key.pem key-dovecot.pem && chown dovecot2 key-dovecot.pem
-      '';
-    };
-
     systemd.services.setupVM = rec {
       wantedBy = [ "gogs.service" "dovecot2.service" "nginx.service" ];
       before = wantedBy;
-      wants = [ "createSSLKeys.service" ];
       serviceConfig = {
         Type = "oneshot";
         RemainAfterExit = "yes";

mastus/www.nix

@@ -1,10 +1,11 @@
 { config, pkgs, ... }:
 
 {
-  systemd.services.createNginxDH = {
+  systemd.services.createNginxDH = rec {
     path = [ pkgs.openssl ];
     serviceConfig = { Type = "oneshot"; RemainAfterExit = "yes"; };
     wantedBy = [ "nginx.service" ];
+    before = wantedBy;
     script = ''
       if [ ! -f /etc/nginx/dhparam.pem ]; then
         mkdir -p /etc/nginx/
@@ -23,7 +24,7 @@
 
         location /.well-known/acme-challenge {
           default_type text/plain;
-          alias /etc/sslcerts/acmeroot/.well-known/acme-challenge;
+          alias /var/lib/acme/www/.well-known/acme-challenge;
         }
 
         location / {