mastus: switch to nixos acme service

Gabriel Ebner 2016-06-17 07:48:07 +02:00
parent 76b02eb2cd
commit c7f961c4bc
7 changed files with 52 additions and 67 deletions

@ -8,8 +8,8 @@
server_name gabrielebner.at www.gabrielebner.at 2b7e.org www.2b7e.org www.gebner.org; server_name gabrielebner.at www.gabrielebner.at 2b7e.org www.2b7e.org www.gebner.org;
ssl on; ssl on;
ssl_certificate_key /etc/sslcerts/key.pem; ssl_certificate_key /var/lib/acme/gebner.org/key.pem;
ssl_certificate /etc/sslcerts/fullchain.pem; ssl_certificate /var/lib/acme/gebner.org/fullchain.pem;
ssl_dhparam /etc/nginx/dhparam.pem; ssl_dhparam /etc/nginx/dhparam.pem;
ssl_protocols TLSv1.1 TLSv1.2; ssl_protocols TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK'; ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
@ -29,8 +29,8 @@
server_name gebner.org; server_name gebner.org;
ssl on; ssl on;
ssl_certificate_key /etc/sslcerts/key.pem; ssl_certificate_key /var/lib/acme/gebner.org/key.pem;
ssl_certificate /etc/sslcerts/fullchain.pem; ssl_certificate /var/lib/acme/gebner.org/fullchain.pem;
ssl_dhparam /etc/nginx/dhparam.pem; ssl_dhparam /etc/nginx/dhparam.pem;
ssl_protocols TLSv1.1 TLSv1.2; ssl_protocols TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK'; ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';

@ -52,8 +52,8 @@ in
server_name git.gebner.org; server_name git.gebner.org;
ssl on; ssl on;
ssl_certificate_key /etc/sslcerts/mastus.key; ssl_certificate_key /var/lib/acme/gebner.org/mastus.key;
ssl_certificate /etc/sslcerts/git.cert; ssl_certificate /var/lib/acme/gebner.org/git.cert;
location / { location / {
proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Real-IP $remote_addr;

@ -80,7 +80,7 @@ in
location /.well-known/acme-challenge { location /.well-known/acme-challenge {
default_type text/plain; default_type text/plain;
alias /etc/sslcerts/acmeroot/.well-known/acme-challenge; alias /var/lib/acme/www/.well-known/acme-challenge;
} }
location / { location / {
@ -94,8 +94,8 @@ in
server_name git.gebner.org; server_name git.gebner.org;
ssl on; ssl on;
ssl_certificate_key /etc/sslcerts/key.pem; ssl_certificate_key /var/lib/acme/gebner.org/key.pem;
ssl_certificate /etc/sslcerts/fullchain.pem; ssl_certificate /var/lib/acme/gebner.org/fullchain.pem;
ssl_dhparam /etc/nginx/dhparam.pem; ssl_dhparam /etc/nginx/dhparam.pem;
ssl_protocols TLSv1.1 TLSv1.2; ssl_protocols TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK'; ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
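Review bot: In the `@ -52,8 +52,8` hunk the `git.gebner.org` block now points at `/var/lib/acme/gebner.org/mastus.key` and `/var/lib/acme/gebner.org/git.cert`, but those are not names the acme service writes — every other server block on this page reads `key.pem` and `fullchain.pem` from that directory, and nothing in this commit creates `mastus.key` or `git.cert` there. Unless they are placed by hand this looks like a mechanical path rewrite, and nginx will either fail to load the block or keep serving a manually copied pair that the acme module does not know about. I would change the two lines to `ssl_certificate_key /var/lib/acme/gebner.org/key.pem;` and `ssl_certificate /var/lib/acme/gebner.org/fullchain.pem;` to match the other blocks, or keep a hand-managed pair outside the acme-managed directory. Unchanged context in the same blocks: `ssl_protocols TLSv1.1 TLSv1.2;` still allows TLS 1.1, which can be dropped when convenient.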

@ -1,35 +1,27 @@
{ config, pkgs, ... }: { config, pkgs, ... }:
{ {
systemd.services.letsencrypt = { security.acme.certs = {
path = [ pkgs.simp_le ]; "gebner.org" = {
webroot = "/var/lib/acme/www";
email = "gebner@gebner.org";
extraDomains = {
"git.gebner.org" = null;
"mail.gebner.org" = null;
"gebner.org" = null;
"www.gebner.org" = null;
"gabrielebner.at" = null;
"www.gabrielebner.at" = null;
"2b7e.org" = null;
"www.2b7e.org" = null;
};
restartIfChanged = false; postRun = ''
serviceConfig = { systemctl reload nginx
Type = "oneshot"; systemctl restart dovecotSslKey
systemctl reload dovecot2
'';
}; };
script = ''
mkdir -p /etc/sslcerts/acmeroot
cd /etc/sslcerts
simp_le \
-d git.gebner.org \
-d mail.gebner.org \
-d gebner.org \
-d www.gebner.org \
-d gabrielebner.at \
-d www.gabrielebner.at \
-d 2b7e.org \
-d www.2b7e.org \
--default_root $PWD/acmeroot \
-f account_key.json -f fullchain.pem -f key.pem \
--email gebner@gebner.org
cp key.pem key-dovecot.pem
chown dovecot2 key-dovecot.pem
'';
startAt = "04:00";
}; };
} }
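Review bot: The migration leaves the previous key material in place: the removed script kept `key.pem`, `key-dovecot.pem` and the ACME `account_key.json` in `/etc/sslcerts`, and nothing on the new side removes them, so a private key and an account key stay on disk after they are no longer referenced; I would add a one-off cleanup (or a tmpfiles rule) removing `/etc/sslcerts` once the switch is verified. `extraDomains` also repeats `"gebner.org"`, which is already the certificate's name and can be dropped. `webroot = "/var/lib/acme/www"` is served by nginx through the `.well-known/acme-challenge` alias on this page, so the directory the acme module creates must be readable by the nginx worker — worth confirming its owner and mode, since a 403 on the challenge would presumably make every renewal fail.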

@ -20,8 +20,8 @@
cutintro: gebner cutintro: gebner
''; '';
hostname = "mastus.gebner.org"; hostname = "mastus.gebner.org";
sslCert = "/etc/sslcerts/fullchain.pem"; sslCert = "/var/lib/acme/gebner.org/fullchain.pem";
sslKey = "/etc/sslcerts/key.pem"; sslKey = "/var/lib/acme/gebner.org/key.pem";
destination = [ "gebner.org" "gabrielebner.at" "2b7e.org" destination = [ "gebner.org" "gabrielebner.at" "2b7e.org"
"mastus.gebner.org" "localhost" ]; "mastus.gebner.org" "localhost" ];
@ -57,9 +57,9 @@
enable = true; enable = true;
enablePop3 = false; enablePop3 = false;
mailLocation = "maildir:~/mail"; mailLocation = "maildir:~/mail";
sslCACert = "/etc/sslcerts/fullchain.pem"; sslCACert = "/var/lib/acme/gebner.org/fullchain.pem";
sslServerCert = "/etc/sslcerts/fullchain.pem"; sslServerCert = "/var/lib/acme/gebner.org/fullchain.pem";
sslServerKey = "/etc/sslcerts/key-dovecot.pem"; sslServerKey = "/var/lib/acme/gebner.org-dovecot/key.pem";
extraConfig = '' extraConfig = ''
ssl_protocols = !SSLv2 !SSLv3 ssl_protocols = !SSLv2 !SSLv3
@ -72,6 +72,21 @@
} }
''; '';
}; };
systemd.services.dovecotSslKey = rec {
wantedBy = [ "dovecot2.service" ];
before = wantedBy;
after = [ "acme-gebner.org.service" ];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = "yes";
};
script = ''
cd /var/lib/acme
mkdir gebner.org-dovecot
cp gebner.org/key.pem gebner.org-dovecot/key.pem
chown dovecot2 gebner.org-dovecot/key.pem
'';
};
services.spamassassin.enable = true; services.spamassassin.enable = true;
systemd.services.setupSpamassassin = { systemd.services.setupSpamassassin = {
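Review bot: `dovecotSslKey` is not re-runnable: `mkdir gebner.org-dovecot` has no `-p`, so on every run after the first it fails, and because NixOS service scripts presumably run with `set -e` the copy never happens; the acme `postRun` on this page calls `systemctl restart dovecotSslKey` after each renewal, so dovecot would keep the old key while `fullchain.pem` holds the renewed certificate (key/cert mismatch on reload). I would replace the `mkdir`/`cp`/`chown` lines with `mkdir -p gebner.org-dovecot` and `install -o dovecot2 -m 0600 gebner.org/key.pem gebner.org-dovecot/key.pem`, which also makes the copy's mode explicit instead of inheriting it from the source through `cp`. The unit only has `after = [ "acme-gebner.org.service" ]` with no `wants`, so on a fresh host where the certificate has not been issued yet the copy fails and dovecot starts without a key; if the acme module in use offers a `group`/`allowKeysForGroup` option, granting the dovecot group read access to the original key would remove this copy entirely.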

@ -8,32 +8,9 @@ let
boot.enableContainers = true; boot.enableContainers = true;
systemd.services.createSSLKeys = {
path = [ pkgs.easyrsa ];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = "yes";
};
script = ''
rm -rf /etc/sslcerts
mkdir -p /etc/sslcerts
cd /etc/sslcerts
easyrsa-init
easyrsa init-pki
easyrsa --batch --req-cn=testing.gebner.org build-ca nopass
easyrsa --req-cn=gebner.org build-server-full gebner_org nopass
cat pki/issued/gebner_org.crt pki/ca.crt >fullchain.pem
cp pki/private/gebner_org.key key.pem
cp key.pem key-dovecot.pem && chown dovecot2 key-dovecot.pem
'';
};
systemd.services.setupVM = rec { systemd.services.setupVM = rec {
wantedBy = [ "gogs.service" "dovecot2.service" "nginx.service" ]; wantedBy = [ "gogs.service" "dovecot2.service" "nginx.service" ];
before = wantedBy; before = wantedBy;
wants = [ "createSSLKeys.service" ];
serviceConfig = { serviceConfig = {
Type = "oneshot"; Type = "oneshot";
RemainAfterExit = "yes"; RemainAfterExit = "yes";

@ -1,10 +1,11 @@
{ config, pkgs, ... }: { config, pkgs, ... }:
{ {
systemd.services.createNginxDH = { systemd.services.createNginxDH = rec {
path = [ pkgs.openssl ]; path = [ pkgs.openssl ];
serviceConfig = { Type = "oneshot"; RemainAfterExit = "yes"; }; serviceConfig = { Type = "oneshot"; RemainAfterExit = "yes"; };
wantedBy = [ "nginx.service" ]; wantedBy = [ "nginx.service" ];
before = wantedBy;
script = '' script = ''
if [ ! -f /etc/nginx/dhparam.pem ]; then if [ ! -f /etc/nginx/dhparam.pem ]; then
mkdir -p /etc/nginx/ mkdir -p /etc/nginx/
@ -23,7 +24,7 @@
location /.well-known/acme-challenge { location /.well-known/acme-challenge {
default_type text/plain; default_type text/plain;
alias /etc/sslcerts/acmeroot/.well-known/acme-challenge; alias /var/lib/acme/www/.well-known/acme-challenge;
} }
location / { location / {