From 3e294aac74745042fedc9032e14e8049e953ec91 Mon Sep 17 00:00:00 2001
From: Yorick van Pelt
Date: Fri, 29 Jul 2016 19:04:28 +0200
Subject: [PATCH] encrypt pub

---
 roles/pub.nix | 42 +++++++++++++++++++++++++++++++++++-------
 1 file changed, 35 insertions(+), 7 deletions(-)

diff --git a/roles/pub.nix b/roles/pub.nix
index 6bf0edb..9b8fe30 100644
--- a/roles/pub.nix
+++ b/roles/pub.nix
@@ -1,6 +1,10 @@
 { config, pkgs, lib, ... }:
+let secrets = import ;
+ acmeWebRoot = "/etc/sslcerts/acmeroot";
+ acmeKeyDir = "${config.security.acme.directory}/pub.yori.cc";
+in
 {
- imports = [../modules/le_nginx.nix];
+ imports = [../modules/nginx.nix];
 config = {
 users.extraUsers.public = {
 home = "/home/public";
@@ -8,11 +12,35 @@
 openssh.authorizedKeys.keys = with (import ../sshkeys.nix); [public];
 createHome = true;
 };
- le_nginx.servers."pub.yori.cc" = ''
- location / {
- root /home/public/public;
- index index.html;
- }
- '';
+ nginxssl.servers."pub.yori.cc" = {
+ key_root = acmeKeyDir;
+ key_webroot = "/etc/sslcerts/acmeroot";
+ contents = ''
+ location / {
+ root /home/public/public;
+ index index.html;
+ }
+ '';
+ };
+ # Let's Encrypt configuration.
+ security.acme.certs."pub.yori.cc" =
+ { email = secrets.email;
+ webroot = config.nginxssl.servers."pub.yori.cc".key_webroot;
+ postRun = "systemctl reload nginx.service";
+ };
+ # Generate a dummy self-signed certificate until we get one from
+ # Let's Encrypt.
+ system.activationScripts.letsEncryptKeys =
+ ''
+ dir=${acmeKeyDir}
+ mkdir -m 0700 -p $dir
+ if ! [[ -e $dir/key.pem ]]; then
+ ${pkgs.openssl}/bin/openssl genrsa -passout pass:foo -des3 -out $dir/key-in.pem 1024
+ ${pkgs.openssl}/bin/openssl req -passin pass:foo -new -key $dir/key-in.pem -out $dir/key.csr \ -subj "/C=NL/CN=www.example.com"
+ ${pkgs.openssl}/bin/openssl rsa -passin pass:foo -in $dir/key-in.pem -out $dir/key.pem
+ ${pkgs.openssl}/bin/openssl x509 -req -days 365 -in $dir/key.csr -signkey $dir/key.pem -out $dir/fullchain.pem
+ fi
+ '';
 };
 }
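Review bot: `acmeWebRoot` is bound in the new `let` block but never referenced; the second hunk hard-codes the same literal `"/etc/sslcerts/acmeroot"` for `key_webroot`, so the ACME webroot can silently drift between the two places. Use the binding there, `key_webroot = acmeWebRoot;`, or drop it from the `let`. `let secrets = import ;` has no argument after `import` as shown here — presumably a lookup path was lost in rendering (an angle-bracket path would be stripped as markup), but as printed it does not evaluate, so this is worth confirming against the repository.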
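Review bot: The placeholder key generated in `system.activationScripts.letsEncryptKeys` is 1024-bit RSA, and the `-des3 -passout pass:foo` step on `key-in.pem` buys nothing: the key is written out unencrypted as `key.pem` on the next line, while `key-in.pem` (protected only by the literal passphrase `foo`) and `key.csr` are left behind in the directory. Since nginx serves this self-signed pair until the ACME certificate replaces it, generate it at a current key size and in one step with no intermediate files: `${pkgs.openssl}/bin/openssl req -x509 -newkey rsa:2048 -nodes -days 365 -keyout $dir/key.pem -out $dir/fullchain.pem -subj "/C=NL/CN=www.example.com"`. Note also that `mkdir -m 0700` only sets the directory mode; the files openssl creates inside it follow the process umask, so a `umask 077` at the top of the script keeps `key.pem` itself private even if the directory mode is later relaxed. The activation script is a complete unit within this hunk.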