mastus: switch to nixos acme service
This commit is contained in:
parent
76b02eb2cd
commit
c7f961c4bc
@ -8,8 +8,8 @@
|
|||||||
server_name gabrielebner.at www.gabrielebner.at 2b7e.org www.2b7e.org www.gebner.org;
|
server_name gabrielebner.at www.gabrielebner.at 2b7e.org www.2b7e.org www.gebner.org;
|
||||||
|
|
||||||
ssl on;
|
ssl on;
|
||||||
ssl_certificate_key /etc/sslcerts/key.pem;
|
ssl_certificate_key /var/lib/acme/gebner.org/key.pem;
|
||||||
ssl_certificate /etc/sslcerts/fullchain.pem;
|
ssl_certificate /var/lib/acme/gebner.org/fullchain.pem;
|
||||||
ssl_dhparam /etc/nginx/dhparam.pem;
|
ssl_dhparam /etc/nginx/dhparam.pem;
|
||||||
ssl_protocols TLSv1.1 TLSv1.2;
|
ssl_protocols TLSv1.1 TLSv1.2;
|
||||||
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
|
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
|
||||||
@ -29,8 +29,8 @@
|
|||||||
server_name gebner.org;
|
server_name gebner.org;
|
||||||
|
|
||||||
ssl on;
|
ssl on;
|
||||||
ssl_certificate_key /etc/sslcerts/key.pem;
|
ssl_certificate_key /var/lib/acme/gebner.org/key.pem;
|
||||||
ssl_certificate /etc/sslcerts/fullchain.pem;
|
ssl_certificate /var/lib/acme/gebner.org/fullchain.pem;
|
||||||
ssl_dhparam /etc/nginx/dhparam.pem;
|
ssl_dhparam /etc/nginx/dhparam.pem;
|
||||||
ssl_protocols TLSv1.1 TLSv1.2;
|
ssl_protocols TLSv1.1 TLSv1.2;
|
||||||
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
|
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
|
||||||
|
@ -52,8 +52,8 @@ in
|
|||||||
server_name git.gebner.org;
|
server_name git.gebner.org;
|
||||||
|
|
||||||
ssl on;
|
ssl on;
|
||||||
ssl_certificate_key /etc/sslcerts/mastus.key;
|
ssl_certificate_key /var/lib/acme/gebner.org/mastus.key;
|
||||||
ssl_certificate /etc/sslcerts/git.cert;
|
ssl_certificate /var/lib/acme/gebner.org/git.cert;
|
||||||
|
|
||||||
location / {
|
location / {
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
|
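Review bot: The `git.gebner.org` block in this hunk now points nginx at `/var/lib/acme/gebner.org/mastus.key` and `/var/lib/acme/gebner.org/git.cert`, but the single `security.acme.certs."gebner.org"` definition added elsewhere in this commit is not shown producing any `mastus.key` or `git.cert`, so the path rewrite looks mechanical and nginx will refuse to start if those files never appear in the ACME directory. The hunk starting at line 94 of the same file serves the same `server_name git.gebner.org` from `key.pem`/`fullchain.pem`, so presumably this block should too: `ssl_certificate_key /var/lib/acme/gebner.org/key.pem;` and `ssl_certificate /var/lib/acme/gebner.org/fullchain.pem;`. If the two blocks are intentionally separate listeners with a separately issued certificate, a comment naming what writes `git.cert` into the ACME directory would save the next reader the same question. The enclosing server block continues outside the hunk.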
@ -80,7 +80,7 @@ in
|
|||||||
|
|
||||||
location /.well-known/acme-challenge {
|
location /.well-known/acme-challenge {
|
||||||
default_type text/plain;
|
default_type text/plain;
|
||||||
alias /etc/sslcerts/acmeroot/.well-known/acme-challenge;
|
alias /var/lib/acme/www/.well-known/acme-challenge;
|
||||||
}
|
}
|
||||||
|
|
||||||
location / {
|
location / {
|
||||||
@ -94,8 +94,8 @@ in
|
|||||||
server_name git.gebner.org;
|
server_name git.gebner.org;
|
||||||
|
|
||||||
ssl on;
|
ssl on;
|
||||||
ssl_certificate_key /etc/sslcerts/key.pem;
|
ssl_certificate_key /var/lib/acme/gebner.org/key.pem;
|
||||||
ssl_certificate /etc/sslcerts/fullchain.pem;
|
ssl_certificate /var/lib/acme/gebner.org/fullchain.pem;
|
||||||
ssl_dhparam /etc/nginx/dhparam.pem;
|
ssl_dhparam /etc/nginx/dhparam.pem;
|
||||||
ssl_protocols TLSv1.1 TLSv1.2;
|
ssl_protocols TLSv1.1 TLSv1.2;
|
||||||
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
|
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
|
||||||
|
@ -1,35 +1,27 @@
|
|||||||
{ config, pkgs, ... }:
|
{ config, pkgs, ... }:
|
||||||
|
|
||||||
{
|
{
|
||||||
systemd.services.letsencrypt = {
|
security.acme.certs = {
|
||||||
path = [ pkgs.simp_le ];
|
"gebner.org" = {
|
||||||
|
webroot = "/var/lib/acme/www";
|
||||||
|
email = "gebner@gebner.org";
|
||||||
|
extraDomains = {
|
||||||
|
"git.gebner.org" = null;
|
||||||
|
"mail.gebner.org" = null;
|
||||||
|
"gebner.org" = null;
|
||||||
|
"www.gebner.org" = null;
|
||||||
|
"gabrielebner.at" = null;
|
||||||
|
"www.gabrielebner.at" = null;
|
||||||
|
"2b7e.org" = null;
|
||||||
|
"www.2b7e.org" = null;
|
||||||
|
};
|
||||||
|
|
||||||
restartIfChanged = false;
|
postRun = ''
|
||||||
serviceConfig = {
|
systemctl reload nginx
|
||||||
Type = "oneshot";
|
systemctl restart dovecotSslKey
|
||||||
|
systemctl reload dovecot2
|
||||||
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
script = ''
|
|
||||||
mkdir -p /etc/sslcerts/acmeroot
|
|
||||||
cd /etc/sslcerts
|
|
||||||
|
|
||||||
simp_le \
|
|
||||||
-d git.gebner.org \
|
|
||||||
-d mail.gebner.org \
|
|
||||||
-d gebner.org \
|
|
||||||
-d www.gebner.org \
|
|
||||||
-d gabrielebner.at \
|
|
||||||
-d www.gabrielebner.at \
|
|
||||||
-d 2b7e.org \
|
|
||||||
-d www.2b7e.org \
|
|
||||||
--default_root $PWD/acmeroot \
|
|
||||||
-f account_key.json -f fullchain.pem -f key.pem \
|
|
||||||
--email gebner@gebner.org
|
|
||||||
|
|
||||||
cp key.pem key-dovecot.pem
|
|
||||||
chown dovecot2 key-dovecot.pem
|
|
||||||
'';
|
|
||||||
|
|
||||||
startAt = "04:00";
|
|
||||||
};
|
};
|
||||||
|
|
||||||
}
|
}
|
||||||
|
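Review bot: `extraDomains` lists `"gebner.org" = null;`, which is also the attribute name of the certificate; if the module uses the attribute name as the primary domain (the `acme-gebner.org.service` unit referenced elsewhere in this commit suggests it does), the entry is redundant and may turn into a duplicate domain argument for the client — confirm and drop it if so. Every name in `extraDomains`, including `mail.gebner.org`, has to answer HTTP-01 challenges out of `webroot = "/var/lib/acme/www"`, and none of the nginx server blocks visible in this commit lists `mail.gebner.org` in a `server_name`, so check that a plain-HTTP vhost covers it, otherwise issuance fails for the whole set. The removed script kept its `account_key.json` under `/etc/sslcerts`, which the new definition does not migrate; a one-line comment on the `"gebner.org"` attribute such as `# new ACME account; the old simp_le account key in /etc/sslcerts is not reused` would make that intentional rather than a surprise.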
@ -20,8 +20,8 @@
|
|||||||
cutintro: gebner
|
cutintro: gebner
|
||||||
'';
|
'';
|
||||||
hostname = "mastus.gebner.org";
|
hostname = "mastus.gebner.org";
|
||||||
sslCert = "/etc/sslcerts/fullchain.pem";
|
sslCert = "/var/lib/acme/gebner.org/fullchain.pem";
|
||||||
sslKey = "/etc/sslcerts/key.pem";
|
sslKey = "/var/lib/acme/gebner.org/key.pem";
|
||||||
|
|
||||||
destination = [ "gebner.org" "gabrielebner.at" "2b7e.org"
|
destination = [ "gebner.org" "gabrielebner.at" "2b7e.org"
|
||||||
"mastus.gebner.org" "localhost" ];
|
"mastus.gebner.org" "localhost" ];
|
||||||
@ -57,9 +57,9 @@
|
|||||||
enable = true;
|
enable = true;
|
||||||
enablePop3 = false;
|
enablePop3 = false;
|
||||||
mailLocation = "maildir:~/mail";
|
mailLocation = "maildir:~/mail";
|
||||||
sslCACert = "/etc/sslcerts/fullchain.pem";
|
sslCACert = "/var/lib/acme/gebner.org/fullchain.pem";
|
||||||
sslServerCert = "/etc/sslcerts/fullchain.pem";
|
sslServerCert = "/var/lib/acme/gebner.org/fullchain.pem";
|
||||||
sslServerKey = "/etc/sslcerts/key-dovecot.pem";
|
sslServerKey = "/var/lib/acme/gebner.org-dovecot/key.pem";
|
||||||
extraConfig = ''
|
extraConfig = ''
|
||||||
ssl_protocols = !SSLv2 !SSLv3
|
ssl_protocols = !SSLv2 !SSLv3
|
||||||
|
|
||||||
@ -72,6 +72,21 @@
|
|||||||
}
|
}
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
systemd.services.dovecotSslKey = rec {
|
||||||
|
wantedBy = [ "dovecot2.service" ];
|
||||||
|
before = wantedBy;
|
||||||
|
after = [ "acme-gebner.org.service" ];
|
||||||
|
serviceConfig = {
|
||||||
|
Type = "oneshot";
|
||||||
|
RemainAfterExit = "yes";
|
||||||
|
};
|
||||||
|
script = ''
|
||||||
|
cd /var/lib/acme
|
||||||
|
mkdir gebner.org-dovecot
|
||||||
|
cp gebner.org/key.pem gebner.org-dovecot/key.pem
|
||||||
|
chown dovecot2 gebner.org-dovecot/key.pem
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
services.spamassassin.enable = true;
|
services.spamassassin.enable = true;
|
||||||
systemd.services.setupSpamassassin = {
|
systemd.services.setupSpamassassin = {
|
||||||
|
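Review bot: `mkdir gebner.org-dovecot` in the new `dovecotSslKey` script has no `-p`, so the second run — which the certificate's `postRun` in this commit triggers with `systemctl restart dovecotSslKey` after every renewal — aborts at the `mkdir` and the copied key is never refreshed; if renewal produces a new `key.pem`, dovecot then serves the renewed `fullchain.pem` with a stale key. The copy also relies on `cp`'s default mode until the `chown` lands, so make the refresh idempotent and the mode explicit: `mkdir -p gebner.org-dovecot` and `install -m 0600 -o dovecot2 gebner.org/key.pem gebner.org-dovecot/key.pem`. `after = [ "acme-gebner.org.service" ]` only orders and does not pull the ACME unit in, so on a fresh host the `cp` can run before the certificate exists and fail without blocking dovecot2; add `wants = [ "acme-gebner.org.service" ];` next to it if that ordering is relied on. The enclosing attribute set starts before the hunk.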
@ -8,32 +8,9 @@ let
|
|||||||
|
|
||||||
boot.enableContainers = true;
|
boot.enableContainers = true;
|
||||||
|
|
||||||
systemd.services.createSSLKeys = {
|
|
||||||
path = [ pkgs.easyrsa ];
|
|
||||||
serviceConfig = {
|
|
||||||
Type = "oneshot";
|
|
||||||
RemainAfterExit = "yes";
|
|
||||||
};
|
|
||||||
script = ''
|
|
||||||
rm -rf /etc/sslcerts
|
|
||||||
mkdir -p /etc/sslcerts
|
|
||||||
cd /etc/sslcerts
|
|
||||||
|
|
||||||
easyrsa-init
|
|
||||||
easyrsa init-pki
|
|
||||||
easyrsa --batch --req-cn=testing.gebner.org build-ca nopass
|
|
||||||
easyrsa --req-cn=gebner.org build-server-full gebner_org nopass
|
|
||||||
|
|
||||||
cat pki/issued/gebner_org.crt pki/ca.crt >fullchain.pem
|
|
||||||
cp pki/private/gebner_org.key key.pem
|
|
||||||
cp key.pem key-dovecot.pem && chown dovecot2 key-dovecot.pem
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
|
|
||||||
systemd.services.setupVM = rec {
|
systemd.services.setupVM = rec {
|
||||||
wantedBy = [ "gogs.service" "dovecot2.service" "nginx.service" ];
|
wantedBy = [ "gogs.service" "dovecot2.service" "nginx.service" ];
|
||||||
before = wantedBy;
|
before = wantedBy;
|
||||||
wants = [ "createSSLKeys.service" ];
|
|
||||||
serviceConfig = {
|
serviceConfig = {
|
||||||
Type = "oneshot";
|
Type = "oneshot";
|
||||||
RemainAfterExit = "yes";
|
RemainAfterExit = "yes";
|
||||||
|
@ -1,10 +1,11 @@
|
|||||||
{ config, pkgs, ... }:
|
{ config, pkgs, ... }:
|
||||||
|
|
||||||
{
|
{
|
||||||
systemd.services.createNginxDH = {
|
systemd.services.createNginxDH = rec {
|
||||||
path = [ pkgs.openssl ];
|
path = [ pkgs.openssl ];
|
||||||
serviceConfig = { Type = "oneshot"; RemainAfterExit = "yes"; };
|
serviceConfig = { Type = "oneshot"; RemainAfterExit = "yes"; };
|
||||||
wantedBy = [ "nginx.service" ];
|
wantedBy = [ "nginx.service" ];
|
||||||
|
before = wantedBy;
|
||||||
script = ''
|
script = ''
|
||||||
if [ ! -f /etc/nginx/dhparam.pem ]; then
|
if [ ! -f /etc/nginx/dhparam.pem ]; then
|
||||||
mkdir -p /etc/nginx/
|
mkdir -p /etc/nginx/
|
||||||
@ -23,7 +24,7 @@
|
|||||||
|
|
||||||
location /.well-known/acme-challenge {
|
location /.well-known/acme-challenge {
|
||||||
default_type text/plain;
|
default_type text/plain;
|
||||||
alias /etc/sslcerts/acmeroot/.well-known/acme-challenge;
|
alias /var/lib/acme/www/.well-known/acme-challenge;
|
||||||
}
|
}
|
||||||
|
|
||||||
location / {
|
location / {
|
||||||
|
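Review bot: The challenge `alias` now points at `/var/lib/acme/www/.well-known/acme-challenge`, which matches the `webroot` in the certificate definition added in this commit, but that directory is created and written by the ACME service while this `location` is served by the nginx worker; unless the module makes the challenge files group- or world-readable, the worker answers 403 and issuance fails — worth verifying once on the host. The two paths are coupled across files with nothing tying them together, so a comment on the `alias` line like `# must match security.acme.certs."gebner.org".webroot` would help whoever changes either side; the same alias change appears in the hunk at -80 of the vhost file. The enclosing server block starts and ends outside the hunk.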