Mic92/stockholm
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

k 2 bepasty-dual: use krebs.nginx.ssl + acme

Browse Source
This commit is contained in:
makefu 2016-07-18 15:34:46 +02:00
parent 01ee8749ac
commit 34e628453d
No known key found for this signature in database
GPG Key ID: 36F7711F3FC0F225
1 changed files with 26 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

33
makefu/2configs/bepasty-dual.nix
View File

@ -15,6 +15,9 @@ let
sec = toString <secrets>; sec = toString <secrets>;
# secKey is nothing worth protecting on a local machine # secKey is nothing worth protecting on a local machine
secKey = import <secrets/bepasty-secret.nix>; secKey = import <secrets/bepasty-secret.nix>;
acmepath = "/var/lib/acme/";
acmechall = acmepath + "/challenges/";
ext-dom = "paste.krebsco.de" ;
in { in {
krebs.nginx.enable = mkDefault true; krebs.nginx.enable = mkDefault true;
@ -25,7 +28,7 @@ in {
servers = { servers = {
internal = { internal = {
nginx = { nginx = {
server-names = [ "paste.retiolum" "paste.${config.krebs.build.host.name}" ]; server-names = [ "paste.retiolum" "paste.r" "paste.${config.krebs.build.host.name}" ];
}; };
defaultPermissions = "admin,list,create,read,delete"; defaultPermissions = "admin,list,create,read,delete";
secretKey = secKey; secretKey = secKey;
@ -33,17 +36,25 @@ in {
external = { external = {
nginx = { nginx = {
server-names = [ "paste.krebsco.de" ]; server-names = [ ext-dom ];
ssl = {
enable = true;
certificate = "${acmepath}/${ext-dom}/fullchain.pem";
certificate_key = "${acmepath}/${ext-dom}/key.pem";
# these certs will be needed if acme has not yet created certificates:
#certificate = "${sec}/wildcard.krebsco.de.crt";
#certificate_key = "${sec}/wildcard.krebsco.de.key";
ciphers = "RC4:HIGH:!aNULL:!MD5" ;
};
locations = singleton ( nameValuePair "/.well-known/acme-challenge" ''
root ${acmechall}/${ext-dom}/;
'');
extraConfig = '' extraConfig = ''
ssl_session_cache shared:SSL:1m; ssl_session_cache shared:SSL:1m;
ssl_session_timeout 10m; ssl_session_timeout 10m;
ssl_certificate ${sec}/wildcard.krebsco.de.crt;
ssl_certificate_key ${sec}/wildcard.krebsco.de.key;
ssl_verify_client off; ssl_verify_client off;
proxy_ssl_session_reuse off; proxy_ssl_session_reuse off;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers RC4:HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
if ($scheme = http){ if ($scheme = http){
return 301 https://$server_name$request_uri; return 301 https://$server_name$request_uri;
}''; }'';
@ -53,4 +64,12 @@ in {
}; };
}; };
}; };
security.acme.certs."${ext-dom}" = {
email = "acme@syntax-fehler.de";
webroot = "${acmechall}/${ext-dom}/";
group = "nginx";
allowKeysForGroup = true;
postRun = "systemctl reload nginx.service";
extraDomains."${ext-dom}" = null ;
};
} }