diff --git a/mastus/blog.nix b/mastus/blog.nix
index 8a069ef..d13bdf1 100644
--- a/mastus/blog.nix
+++ b/mastus/blog.nix
@@ -8,8 +8,8 @@
 server_name gabrielebner.at www.gabrielebner.at 2b7e.org www.2b7e.org www.gebner.org;
 ssl on;
- ssl_certificate_key /etc/sslcerts/key.pem;
- ssl_certificate /etc/sslcerts/fullchain.pem;
+ ssl_certificate_key /var/lib/acme/gebner.org/key.pem;
+ ssl_certificate /var/lib/acme/gebner.org/fullchain.pem;
 ssl_dhparam /etc/nginx/dhparam.pem;
 ssl_protocols TLSv1.1 TLSv1.2;
 ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
@@ -29,8 +29,8 @@
 server_name gebner.org;
 ssl on;
- ssl_certificate_key /etc/sslcerts/key.pem;
- ssl_certificate /etc/sslcerts/fullchain.pem;
+ ssl_certificate_key /var/lib/acme/gebner.org/key.pem;
+ ssl_certificate /var/lib/acme/gebner.org/fullchain.pem;
 ssl_dhparam /etc/nginx/dhparam.pem;
 ssl_protocols TLSv1.1 TLSv1.2;
 ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
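Review bot: Both server blocks now load `/var/lib/acme/gebner.org/key.pem`, a file that only exists once `acme-gebner.org.service` has completed, and nothing in these hunks orders or gates nginx on that unit, so on a fresh host nginx fails its config check before it can serve the HTTP-01 challenge that the certificate needs. Unless the acme module version in use provides a self-signed placeholder, add one at deploy time (a oneshot that writes a throwaway key/fullchain pair into `/var/lib/acme/gebner.org/` only when the files are missing, with `before = [ "nginx.service" ]`) or keep a plain-HTTP vhost that serves `/.well-known/acme-challenge` without TLS. While touching these blocks, the untouched `ssl_protocols TLSv1.1 TLSv1.2;` still admits TLS 1.1; `ssl_protocols TLSv1.2;` is the practical minimum. Both enclosing server blocks start and end outside the hunks.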
diff --git a/mastus/gitblit.nix b/mastus/gitblit.nix index 50ede1d..9f79c30 100644 --- a/mastus/gitblit.nix +++ b/mastus/gitblit.nix @@ -52,8 +52,8 @@ in server_name git.gebner.org; ssl on; - ssl_certificate_key /etc/sslcerts/mastus.key; - ssl_certificate /etc/sslcerts/git.cert; + ssl_certificate_key /var/lib/acme/gebner.org/mastus.key; + ssl_certificate /var/lib/acme/gebner.org/git.cert; location / { proxy_set_header X-Real-IP $remote_addr; diff --git a/mastus/gogs.nix b/mastus/gogs.nix index 1281900..98b538b 100644 --- a/mastus/gogs.nix +++ b/mastus/gogs.nix @@ -80,7 +80,7 @@ in location /.well-known/acme-challenge { default_type text/plain; - alias /etc/sslcerts/acmeroot/.well-known/acme-challenge; + alias /var/lib/acme/www/.well-known/acme-challenge; } location / { @@ -94,8 +94,8 @@ in server_name git.gebner.org; ssl on; - ssl_certificate_key /etc/sslcerts/key.pem; - ssl_certificate /etc/sslcerts/fullchain.pem; + ssl_certificate_key /var/lib/acme/gebner.org/key.pem; + ssl_certificate /var/lib/acme/gebner.org/fullchain.pem; ssl_dhparam /etc/nginx/dhparam.pem; ssl_protocols TLSv1.1 TLSv1.2; ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK'; diff --git a/mastus/letsencrypt.nix b/mastus/letsencrypt.nix index 778a33d..a25fc02 100644 --- a/mastus/letsencrypt.nix +++ b/mastus/letsencrypt.nix 
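Review bot: The new paths `/var/lib/acme/gebner.org/mastus.key` and `/var/lib/acme/gebner.org/git.cert` are not names the acme certificate directory produces; every other file in this commit, including gogs.nix for the same `server_name git.gebner.org`, uses `key.pem` and `fullchain.pem`, so as written nginx fails to start on a missing file. Change the two lines to `ssl_certificate_key /var/lib/acme/gebner.org/key.pem;` and `ssl_certificate /var/lib/acme/gebner.org/fullchain.pem;`, or drop this vhost if gogs.nix has replaced it — if both modules are imported, nginx warns about a conflicting server name and silently uses whichever is parsed first. This block also shows `ssl on;` without the `ssl_protocols`, `ssl_ciphers` and `ssl_dhparam` lines the other vhosts carry; if those are not just outside the hunk, nginx's defaults apply to git.gebner.org. The server block starts and ends outside the hunk.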
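Review bot: The challenge alias now points into `/var/lib/acme/www`, a directory that letsencrypt.nix hands to the acme module as `webroot` and that the module, not nginx, creates and owns; nothing in the hunk shows that the nginx worker user can traverse it, and if the module creates it with a restrictive mode every HTTP-01 validation returns 403 and renewal fails until the certificate expires. After the first acme run, verify the directory is at least `0755` and the challenge files are world-readable, and if the module version in use exposes a group option, put nginx in that group rather than relying on the default mode. It would also help future readers to add `# webroot must match security.acme.certs."gebner.org".webroot in letsencrypt.nix` above the alias, since the two values have to stay in sync by hand. The enclosing server block starts and ends outside the hunk.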
@@ -1,35 +1,27 @@ { config, pkgs, ... }: { - systemd.services.letsencrypt = { - path = [ pkgs.simp_le ]; + security.acme.certs = { + "gebner.org" = { + webroot = "/var/lib/acme/www"; + email = "gebner@gebner.org"; + extraDomains = { + "git.gebner.org" = null; + "mail.gebner.org" = null; + "gebner.org" = null; + "www.gebner.org" = null; + "gabrielebner.at" = null; + "www.gabrielebner.at" = null; + "2b7e.org" = null; + "www.2b7e.org" = null; + }; - restartIfChanged = false; - serviceConfig = { - Type = "oneshot"; + postRun = '' + systemctl reload nginx + systemctl restart dovecotSslKey + systemctl reload dovecot2 + ''; }; - - script = '' - mkdir -p /etc/sslcerts/acmeroot - cd /etc/sslcerts - - simp_le \ - -d git.gebner.org \ - -d mail.gebner.org \ - -d gebner.org \ - -d www.gebner.org \ - -d gabrielebner.at \ - -d www.gabrielebner.at \ - -d 2b7e.org \ - -d www.2b7e.org \ - --default_root $PWD/acmeroot \ - -f account_key.json -f fullchain.pem -f key.pem \ - --email gebner@gebner.org - - cp key.pem key-dovecot.pem - chown dovecot2 key-dovecot.pem - ''; - - startAt = "04:00"; }; + } diff --git a/mastus/mail.nix b/mastus/mail.nix index 2edd9fc..85ba5a8 100644 --- a/mastus/mail.nix +++ b/mastus/mail.nix @@ -20,8 +20,8 @@ cutintro: gebner ''; hostname = "mastus.gebner.org"; - sslCert = "/etc/sslcerts/fullchain.pem"; - sslKey = "/etc/sslcerts/key.pem"; + sslCert = "/var/lib/acme/gebner.org/fullchain.pem"; + sslKey = "/var/lib/acme/gebner.org/key.pem"; destination = [ "gebner.org" "gabrielebner.at" "2b7e.org" "mastus.gebner.org" "localhost" ]; 
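Review bot: `extraDomains` lists `"gebner.org"`, which is already the certificate's primary name (the attribute name of the cert), so the same domain is requested twice; drop that entry. The `postRun` script restarts `dovecotSslKey` and reloads nginx and dovecot unconditionally, which is what you want after an issuance, but confirm that the module version in use only runs `postRun` when the certificate actually changed — otherwise every scheduled run bounces the key copy and reloads both daemons for nothing. The removed simp_le invocation kept `account_key.json` under `/etc/sslcerts` and nothing migrates it, so the first run registers a fresh ACME account; harmless, but worth a line in the commit message and a cleanup of the old directory, which still holds the previous private key.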
@@ -57,9 +57,9 @@ enable = true; enablePop3 = false; mailLocation = "maildir:~/mail"; - sslCACert = "/etc/sslcerts/fullchain.pem"; - sslServerCert = "/etc/sslcerts/fullchain.pem"; - sslServerKey = "/etc/sslcerts/key-dovecot.pem"; + sslCACert = "/var/lib/acme/gebner.org/fullchain.pem"; + sslServerCert = "/var/lib/acme/gebner.org/fullchain.pem"; + sslServerKey = "/var/lib/acme/gebner.org-dovecot/key.pem"; extraConfig = '' ssl_protocols = !SSLv2 !SSLv3 @@ -72,6 +72,21 @@ } ''; }; + systemd.services.dovecotSslKey = rec { + wantedBy = [ "dovecot2.service" ]; + before = wantedBy; + after = [ "acme-gebner.org.service" ]; + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = "yes"; + }; + script = '' + cd /var/lib/acme + mkdir gebner.org-dovecot + cp gebner.org/key.pem gebner.org-dovecot/key.pem + chown dovecot2 gebner.org-dovecot/key.pem + ''; + }; services.spamassassin.enable = true; systemd.services.setupSpamassassin = { diff --git a/mastus/vmtest.nix b/mastus/vmtest.nix index 75d78d6..bb7f4bd 100644 --- a/mastus/vmtest.nix +++ b/mastus/vmtest.nix @@ -8,32 +8,9 @@ let boot.enableContainers = true; - systemd.services.createSSLKeys = { - path = [ pkgs.easyrsa ]; - serviceConfig = { - Type = "oneshot"; - RemainAfterExit = "yes"; - }; - script = '' -rm -rf /etc/sslcerts -mkdir -p /etc/sslcerts -cd /etc/sslcerts - -easyrsa-init -easyrsa init-pki -easyrsa --batch --req-cn=testing.gebner.org build-ca nopass -easyrsa --req-cn=gebner.org build-server-full gebner_org nopass - -cat pki/issued/gebner_org.crt pki/ca.crt >fullchain.pem -cp pki/private/gebner_org.key key.pem -cp key.pem key-dovecot.pem && chown dovecot2 key-dovecot.pem - ''; - }; - systemd.services.setupVM = rec { wantedBy = [ "gogs.service" "dovecot2.service" "nginx.service" ]; before = wantedBy; - wants = [ "createSSLKeys.service" ]; serviceConfig = { Type = "oneshot"; RemainAfterExit = "yes"; diff --git a/mastus/www.nix b/mastus/www.nix index ceda151..02ed409 100644 --- a/mastus/www.nix +++ b/mastus/www.nix 
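Review bot: `mkdir gebner.org-dovecot` has no `-p`, so the second run of `dovecotSslKey` — the `systemctl restart dovecotSslKey` that `postRun` in letsencrypt.nix issues after each renewal — fails on the existing directory, and because NixOS `script` bodies run under `set -e` the renewed key is never copied and dovecot keeps serving the old one until it expires. `cp` also creates the copy with the umask-derived mode unless the source is already `0600`, so a private key can end up world-readable inside a `0755` directory; `install -m 0600 -o dovecot2` avoids both problems. The unit is `after = [ "acme-gebner.org.service" ]` but neither `wants` nor `requires` it, so the ordering only takes effect when both units happen to be in the same transaction; on a host where the key is absent the copy fails and, via `before = wantedBy`, blocks dovecot2 from starting.
```nix
  systemd.services.dovecotSslKey = rec {
    # … unchanged: wantedBy / before / after / serviceConfig …
    script = ''
      mkdir -p /var/lib/acme/gebner.org-dovecot
      # 0600 so the copied private key is readable by dovecot2 only,
      # regardless of the mode of the acme-owned source file or the umask.
      install -m 0600 -o dovecot2 \
        /var/lib/acme/gebner.org/key.pem \
        /var/lib/acme/gebner.org-dovecot/key.pem
    '';
  };
```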
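Review bot: Removing `createSSLKeys` leaves the test VM with no certificate at all: nginx, dovecot and the mail service in mail.nix are now configured to load `/var/lib/acme/gebner.org/key.pem` and `fullchain.pem`, and a real Let's Encrypt issuance for gebner.org cannot succeed inside a VM or container, so those services will fail to start in the test. Keep a self-signed generator for the VM that writes the key and chain into `/var/lib/acme/gebner.org/` (and the `gebner.org-dovecot` copy) with `before = [ "nginx.service" "dovecot2.service" ]`, and point the dropped `wants = [ "createSSLKeys.service" ]` on `setupVM` at it, so the test keeps exercising the TLS paths. The `setupVM` definition continues outside the hunk.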
@@ -1,10 +1,11 @@ { config, pkgs, ... }: { - systemd.services.createNginxDH = { + systemd.services.createNginxDH = rec { path = [ pkgs.openssl ]; serviceConfig = { Type = "oneshot"; RemainAfterExit = "yes"; }; wantedBy = [ "nginx.service" ]; + before = wantedBy; script = '' if [ ! -f /etc/nginx/dhparam.pem ]; then mkdir -p /etc/nginx/ @@ -23,7 +24,7 @@ location /.well-known/acme-challenge { default_type text/plain; - alias /etc/sslcerts/acmeroot/.well-known/acme-challenge; + alias /var/lib/acme/www/.well-known/acme-challenge; } location / {