From 34e628453dda4e7aec9f715703eb6c21b05a8a82 Mon Sep 17 00:00:00 2001
From: makefu <github@syntax-fehler.de>
Date: Mon, 18 Jul 2016 15:34:46 +0200
Subject: k 2 bepasty-dual: use krebs.nginx.ssl + acme

---
 makefu/2configs/bepasty-dual.nix | 33 ++++++++++++++++++++++++++-------
 1 file changed, 26 insertions(+), 7 deletions(-)

diff --git a/makefu/2configs/bepasty-dual.nix b/makefu/2configs/bepasty-dual.nix
index 5682f5eb6..f675c4ac8 100644
--- a/makefu/2configs/bepasty-dual.nix
+++ b/makefu/2configs/bepasty-dual.nix
@@ -15,6 +15,9 @@ let
   sec = toString <secrets>;
   # secKey is nothing worth protecting on a local machine
   secKey = import <secrets/bepasty-secret.nix>;
+  acmepath = "/var/lib/acme/";
+  acmechall = acmepath + "/challenges/";
+  ext-dom = "paste.krebsco.de" ;
 in {
 
   krebs.nginx.enable = mkDefault true;
@@ -25,7 +28,7 @@ in {
     servers = {
       internal = {
         nginx = {
-          server-names = [ "paste.retiolum" "paste.${config.krebs.build.host.name}" ];
+          server-names = [ "paste.retiolum" "paste.r" "paste.${config.krebs.build.host.name}" ];
         };
         defaultPermissions = "admin,list,create,read,delete";
         secretKey = secKey;
@@ -33,17 +36,25 @@ in {
 
       external = {
         nginx = {
-          server-names = [ "paste.krebsco.de" ];
+          server-names = [ ext-dom ];
+          ssl = {
+            enable = true;
+            certificate = "${acmepath}/${ext-dom}/fullchain.pem";
+            certificate_key = "${acmepath}/${ext-dom}/key.pem";
+            # these certs will be needed if acme has not yet created certificates:
+            #certificate =   "${sec}/wildcard.krebsco.de.crt";
+            #certificate_key = "${sec}/wildcard.krebsco.de.key";
+            ciphers = "RC4:HIGH:!aNULL:!MD5" ;
+          };
+          locations = singleton ( nameValuePair  "/.well-known/acme-challenge" ''
+            root ${acmechall}/${ext-dom}/;
+          '');
           extraConfig = ''
           ssl_session_cache    shared:SSL:1m;
           ssl_session_timeout  10m;
-          ssl_certificate     ${sec}/wildcard.krebsco.de.crt;
-          ssl_certificate_key ${sec}/wildcard.krebsco.de.key;
           ssl_verify_client off;
           proxy_ssl_session_reuse off;
-          ssl_protocols        TLSv1 TLSv1.1 TLSv1.2;
-          ssl_ciphers RC4:HIGH:!aNULL:!MD5;
-          ssl_prefer_server_ciphers on;
+
           if ($scheme = http){
             return 301 https://$server_name$request_uri;
           }'';
@@ -53,4 +64,12 @@ in {
       };
     };
   };
+  security.acme.certs."${ext-dom}" = {
+    email = "acme@syntax-fehler.de";
+    webroot = "${acmechall}/${ext-dom}/";
+    group = "nginx";
+    allowKeysForGroup = true;
+    postRun = "systemctl reload nginx.service";
+    extraDomains."${ext-dom}" = null ;
+  };
 }
-- 
cgit v1.2.3