diff options
-rw-r--r-- | krebs/1systems/hotdog/config.nix | 1 | ||||
-rw-r--r-- | krebs/2configs/acme.nix | 4 | ||||
-rw-r--r-- | krebs/3modules/ssl.nix | 18 | ||||
-rw-r--r-- | krebs/6assets/krebsAcmeCA.crt | 15 |
4 files changed, 20 insertions, 18 deletions
diff --git a/krebs/1systems/hotdog/config.nix b/krebs/1systems/hotdog/config.nix index 9f1ac9134..84eaeaa19 100644 --- a/krebs/1systems/hotdog/config.nix +++ b/krebs/1systems/hotdog/config.nix @@ -10,6 +10,7 @@ <stockholm/krebs/2configs/ircd.nix> <stockholm/krebs/2configs/reaktor2.nix> <stockholm/krebs/2configs/wiki.nix> + <stockholm/krebs/2configs/acme.nix> ## shackie irc bot <stockholm/krebs/2configs/shack/reaktor.nix> diff --git a/krebs/2configs/acme.nix b/krebs/2configs/acme.nix index b5e51a1a2..056aa7ae4 100644 --- a/krebs/2configs/acme.nix +++ b/krebs/2configs/acme.nix @@ -7,15 +7,17 @@ in { email = "spam@krebsco.de"; certs.${domain}.server = "https://${domain}:1443/acme/acme/directory"; # use 1443 here cause bootstrapping loop }; + networking.firewall.allowedTCPPorts = [ 80 443 ]; services.nginx = { enable = true; recommendedProxySettings = true; virtualHosts.${domain} = { - forceSSL = true; + addSSL = true; enableACME = true; locations."/" = { proxyPass = "https://localhost:1443"; }; + locations."= /ca.crt".alias = ../6assets/krebsAcmeCA.crt; }; }; krebs.secret.files.krebsAcme = { diff --git a/krebs/3modules/ssl.nix b/krebs/3modules/ssl.nix index 5d28ac841..3a9b5d329 100644 --- a/krebs/3modules/ssl.nix +++ b/krebs/3modules/ssl.nix @@ -29,23 +29,7 @@ in { intermediateCA = lib.mkOption { type = lib.types.str; readOnly = true; - default = '' - -----BEGIN CERTIFICATE----- - MIICWzCCAcSgAwIBAgIQVavHn7XtM7NJ8bnph6hGoTANBgkqhkiG9w0BAQsFADCB - gTELMAkGA1UEBhMCWloxEjAQBgNVBAgMCXN0YXRlbGVzczEQMA4GA1UECgwHS3Jl - YnNjbzELMAkGA1UECwwCS00xFjAUBgNVBAMMDUtyZWJzIFJvb3QgQ0ExJzAlBgkq - hkiG9w0BCQEWGHJvb3QtY2FAc3ludGF4LWZlaGxlci5kZTAeFw0yMTEyMDgxNTU5 - MDRaFw0yMTEyMDkxNTU5MDRaMBoxGDAWBgNVBAMTD0tyZWJzIEFDTUUgQ0EgMTBZ - MBMGByqGSM49AgEGCCqGSM49AwEHA0IABDOK4g3pJPhOErk49zQgpNKE1cAyoeLp - PqWXkHZVLIVg8CBzPyCYiHS8RtaJ1kwWxwo5OTypCDOLxf1isR5HgZOjgYAwfjAO - BgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBADAdBgNVHQ4EFgQUv758 - A4RPewsRtgjdB6AE1tn632swHwYDVR0jBBgwFoAUinqtNfqwMKe8gF8M5cGQaNxB - lS8wGAYDVR0eAQH/BA4wDKAKMAOCAXIwA4IBdzANBgkqhkiG9w0BAQsFAAOBgQAT - ewOSGWGTCWcJFGSxgnt8/WspMERq1hL1PikwwVMp7wzJmbHcbA0Es4fcrE5Xf8vQ - dGenlvyQjkQNahbsyGBoja7bpWpnw9qofLQkns1AZWp7q7GBqyKm30keM/E/stjH - YkgY4QaxlIL+6N0f4nKL3RSf6GQ1hWJOHf+RrboaMw== - -----END CERTIFICATE----- - ''; + default = builtins.readFile ../6assets/krebsAcmeCA.crt; }; acmeURL = lib.mkOption { type = lib.types.str; diff --git a/krebs/6assets/krebsAcmeCA.crt b/krebs/6assets/krebsAcmeCA.crt new file mode 100644 index 000000000..54729e250 --- /dev/null +++ b/krebs/6assets/krebsAcmeCA.crt @@ -0,0 +1,15 @@ +-----BEGIN CERTIFICATE----- +MIICWzCCAcSgAwIBAgIQVavHn7XtM7NJ8bnph6hGoTANBgkqhkiG9w0BAQsFADCB +gTELMAkGA1UEBhMCWloxEjAQBgNVBAgMCXN0YXRlbGVzczEQMA4GA1UECgwHS3Jl +YnNjbzELMAkGA1UECwwCS00xFjAUBgNVBAMMDUtyZWJzIFJvb3QgQ0ExJzAlBgkq +hkiG9w0BCQEWGHJvb3QtY2FAc3ludGF4LWZlaGxlci5kZTAeFw0yMTEyMDgxNTU5 +MDRaFw0yMTEyMDkxNTU5MDRaMBoxGDAWBgNVBAMTD0tyZWJzIEFDTUUgQ0EgMTBZ +MBMGByqGSM49AgEGCCqGSM49AwEHA0IABDOK4g3pJPhOErk49zQgpNKE1cAyoeLp +PqWXkHZVLIVg8CBzPyCYiHS8RtaJ1kwWxwo5OTypCDOLxf1isR5HgZOjgYAwfjAO +BgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBADAdBgNVHQ4EFgQUv758 +A4RPewsRtgjdB6AE1tn632swHwYDVR0jBBgwFoAUinqtNfqwMKe8gF8M5cGQaNxB +lS8wGAYDVR0eAQH/BA4wDKAKMAOCAXIwA4IBdzANBgkqhkiG9w0BAQsFAAOBgQAT +ewOSGWGTCWcJFGSxgnt8/WspMERq1hL1PikwwVMp7wzJmbHcbA0Es4fcrE5Xf8vQ +dGenlvyQjkQNahbsyGBoja7bpWpnw9qofLQkns1AZWp7q7GBqyKm30keM/E/stjH +YkgY4QaxlIL+6N0f4nKL3RSf6GQ1hWJOHf+RrboaMw== +-----END CERTIFICATE----- |