From 69ead6d8cfb05590079cfe0d6ba4ec66b59fcffb Mon Sep 17 00:00:00 2001
From: tv
Date: Sun, 3 Jul 2016 21:14:07 +0200
Subject: cd nginx: enable https
---
 tv/1systems/cd.nix | 52 +++++++++++++++++++++++++++++++++++++++++-----------
 1 file changed, 41 insertions(+), 11 deletions(-)
(limited to 'tv/1systems/cd.nix')
diff --git a/tv/1systems/cd.nix b/tv/1systems/cd.nix
index a46edb4d..75c19008 100644
--- a/tv/1systems/cd.nix
+++ b/tv/1systems/cd.nix
@@ -44,20 +44,50 @@ with config.krebs.lib;
       "cgit.cd.viljetic.de"
     ];
     # TODO make public_html also available to cd, cd.retiolum (AKA default)
-    krebs.nginx.servers.public_html = {
-      server-names = singleton "cd.viljetic.de";
-      locations = singleton (nameValuePair "~ ^/~(.+?)(/.*)?\$" ''
-        alias /home/$1/public_html$2;
-      '');
+    krebs.nginx.servers."https://viljetic.de" = {
+      server-names = singleton "viljetic.de";
+      listen = mkForce []; # disable default
+      ssl = {
+        enable = true;
+        certificate = "/var/lib/acme/viljetic.de/fullchain.pem";
+        certificate_key = "/var/lib/acme/viljetic.de/key.pem";
+      };
+      locations = [
+        (nameValuePair "/" ''
+          root ${pkgs.viljetic-pages};
+        '')
+        (nameValuePair "~ ^/~(.+?)(/.*)?\$" ''
+          alias /home/$1/public_html$2;
+        '')
+      ];
     };
-    krebs.nginx.servers.viljetic = {
+    krebs.nginx.servers."http://viljetic.de" = {
       server-names = singleton "viljetic.de";
-      # TODO directly set root (instead via location)
-      locations = singleton (nameValuePair "/" ''
-        root ${pkgs.viljetic-pages};
-      '');
+      locations = [
+        (nameValuePair "/.well-known/acme-challenge/" ''
+          root /var/lib/acme/challenges/viljetic.de/;
+        '')
+        (nameValuePair "/" ''
+          return 301 https://viljetic.de$request_uri;
+        '')
+      ];
+    };
+    security.acme = {
+      certs."viljetic.de" = {
+        email = "tomislav@viljetic.de";
+        webroot = "/var/lib/acme/challenges/viljetic.de";
+        plugins = [
+          "account_key.json"
+          "key.pem"
+          "fullchain.pem"
+        ];
+        user = "nginx";
+      };
     };
-    tv.iptables.input-internet-accept-tcp = singleton "http";
+    tv.iptables.input-internet-accept-tcp = [
+      "http"
+      "https"
+    ];
   }
 ];
-- cgit v1.2.3
From 99136e1764d5eb0d2e04252af7097062e6aaaa0b Mon Sep 17 00:00:00 2001
From: tv
Date: Sun, 3 Jul 2016 21:30:46 +0200
Subject: tv: define journald default extraConfig
---
 tv/1systems/cd.nix | 5 -----
 1 file changed, 5 deletions(-)
(limited to 'tv/1systems/cd.nix')
diff --git a/tv/1systems/cd.nix b/tv/1systems/cd.nix
index 75c19008..2120134c 100644
--- a/tv/1systems/cd.nix
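Review bot: The new `https://viljetic.de` server only pins certificate paths in its `ssl` block — no HSTS and no visible protocol/cipher policy — so every visit that starts on the `http://viljetic.de` server depends on the `return 301` redirect and keeps the first-request downgrade exposure that HSTS exists to close; add `add_header Strict-Transport-Security "max-age=31536000";` to the https `/` location (and to the `~ ^/~(.+?)(/.*)?\$` location, or at server scope if the module exposes one). Whether `listen = mkForce []` still yields a 443 listener depends on what krebs.nginx derives from `ssl.enable`, which is not shown here; if it derives nothing, the new "https" entry in `tv.iptables.input-internet-accept-tcp` opens a port that nothing answers on, and an explicit listen entry should be added. `user = "nginx"` hands ownership of `key.pem` to the nginx service account instead of keeping the private key root-only, which is only necessary if that account (not just the root master process) has to read it — worth confirming against the module before accepting the wider exposure. The enclosing attribute set starts before this hunk.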
+++ b/tv/1systems/cd.nix
@@ -112,9 +112,4 @@ with config.krebs.lib;
       rxvt_unicode.terminfo
       tcpdump
     ];
-
-    services.journald.extraConfig = ''
-      SystemMaxUse=1G
-      RuntimeMaxUse=128M
-    '';
   }
-- cgit v1.2.3
From fa14575ce2fbcf0fd7f1df4934b54c19d34401b5 Mon Sep 17 00:00:00 2001
From: tv
Date: Sun, 3 Jul 2016 21:35:34 +0200
Subject: tv: use timesyncd
---
 tv/1systems/cd.nix | 1 -
 1 file changed, 1 deletion(-)
(limited to 'tv/1systems/cd.nix')
diff --git a/tv/1systems/cd.nix b/tv/1systems/cd.nix
index 2120134c..2ad4a150 100644
--- a/tv/1systems/cd.nix
+++ b/tv/1systems/cd.nix
@@ -108,7 +108,6 @@ with config.krebs.lib;
       iotop
       iptables
       nethogs
-      ntp # ntpate
       rxvt_unicode.terminfo
       tcpdump
     ];
-- cgit v1.2.3