fix ACME validation

This commit is contained in:
Michele Guerini Rocco 2023-09-11 15:09:10 +02:00
parent b6818d156c
commit bdbfca3642
Signed by: rnhmjoj
GPG Key ID: BFBAF4C975F76450
4 changed files with 20 additions and 13 deletions


@ -341,6 +341,8 @@
enableSTS = '' enableSTS = ''
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
''; '';
listenTLS = [ { addr = "localhost"; port = 443; ssl = true; } ];
listenPlain = [ { addr = "[::]"; port = 80; } { addr = "0.0.0.0"; port = 80; } ];
in in
rec { rec {
enable = true; enable = true;
@ -356,10 +358,10 @@
# Maxwell # Maxwell
virtualHosts."${hostname}" = { virtualHosts."${hostname}" = {
enableACME = true; enableACME = true;
forceSSL = true; forceSSL = true;
default = true; default = true;
listen = listenTLS ++ listenPlain;
extraConfig = disableLog + enableSTS; extraConfig = disableLog + enableSTS;
# Returns IP address # Returns IP address
@ -402,6 +404,7 @@
# Breve URL shortner # Breve URL shortner
virtualHosts."brve.bit" = with config.secrets; { virtualHosts."brve.bit" = with config.secrets; {
forceSSL = true; forceSSL = true;
listen = listenTLS ++ listenPlain;
sslCertificate = certs.breve.crt; sslCertificate = certs.breve.crt;
sslCertificateKey = certs.breve.key; sslCertificateKey = certs.breve.key;
@ -415,6 +418,7 @@
# The Cactalogue # The Cactalogue
virtualHosts."cacta.bit" = { virtualHosts."cacta.bit" = {
root = "/run/nginx/static/cactalogue"; root = "/run/nginx/static/cactalogue";
listen = listenPlain;
extraConfig = disableLog; extraConfig = disableLog;
}; };
virtualHosts."cacta.eurofusion.eu" = virtualHosts."cacta.bit"; virtualHosts."cacta.eurofusion.eu" = virtualHosts."cacta.bit";
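Review bot: The `listenTLS` and `listenPlain` lists introduced at the top of this section are re-typed verbatim in the mail and riot files below, so a change to the loopback address or the sslh-facing port has to be made in three places, and a drift between them quietly moves one vhost out from behind sslh or off the all-interfaces port-80 listener the ACME HTTP-01 challenge depends on. The repo already keeps shared values under `config.var` (the block removed in the last file is written `with config.var;`), so exposing these two lists there and referencing them from every sslh-fronted vhost would keep them consistent. Because an explicit `listen` replaces whatever the module would otherwise derive, a short comment on the binding would record the intent: `# 443 stays on loopback behind sslh; 80 is bound on every address so the HTTP-01 challenge is reachable`. How the module splits the non-ssl entries between the forceSSL redirect block and the content block depends on the nginx module version in use; worth confirming after a rebuild that the port-80 entries of `${hostname}` and `brve.bit` only redirect and serve the challenge.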


@ -58,6 +58,13 @@
# Keep the key stable across renewals (for DANE) # Keep the key stable across renewals (for DANE)
security.acme.certs.${config.mailserver.fqdn}.extraLegoRenewFlags = [ "--reuse-key" ]; security.acme.certs.${config.mailserver.fqdn}.extraLegoRenewFlags = [ "--reuse-key" ];
# Listen on localhost:443 for sslh
services.nginx.virtualHosts.${config.mailserver.fqdn}.listen =
[ { addr = "localhost"; port = 443; ssl = true; }
{ addr = "[::]"; port = 80; }
{ addr = "0.0.0.0"; port = 80; }
];
# Utilities # Utilities
environment.systemPackages = [ environment.systemPackages = [
# computes the DANE records # computes the DANE records
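Review bot: The comment added above the `listen` assignment says only "Listen on localhost:443 for sslh", but two of the three entries bind port 80 on every address, which is the part that actually fixes ACME validation and widens the vhost's exposure; the comment should say so, e.g. `# 443 on loopback only (sslh fronts it); 80 on all addresses so the ACME HTTP-01 challenge is reachable`. Since HTTPS connections now arrive through sslh on loopback, nginx will see the proxy's loopback address as the client for that traffic unless sslh is run in transparent mode, which this commit does not show; anything keyed on the client address (access logs, fail2ban, rate limits, allow/deny rules) for this vhost is affected, and a note to that effect next to the listener would save the next reader a surprise. The same listen list appears in the riot file and in the first file of this commit.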


@ -58,7 +58,11 @@ in
services.nginx.virtualHosts."riot.${config.var.hostname}" = services.nginx.virtualHosts."riot.${config.var.hostname}" =
{ enableACME = true; { enableACME = true;
forceSSL = true; forceSSL = true;
listen =
[ { addr = "localhost"; port = 443; ssl = true; }
{ addr = "[::]"; port = 80; }
{ addr = "0.0.0.0"; port = 80; }
];
locations."/" = locations."/" =
{ index = "index.html"; { index = "index.html";
alias = (pkgs.element-web.override { inherit conf; }) + "/"; alias = (pkgs.element-web.override { inherit conf; }) + "/";
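Review bot: This `listen` list carries no comment at all, unlike the identical list in the mail file, so a reader cannot tell that the loopback-only 443 entry is deliberate (sslh in front) and that the all-address port-80 entries exist for the ACME HTTP-01 challenge; add `# 443 on loopback behind sslh; 80 on every address for the ACME HTTP-01 challenge` above it. Using the name `localhost` as the listen address also leaves it to nginx's startup resolution which loopback address(es) get bound, and the address sslh forwards to is not visible in this commit; if the two ever disagree, the HTTPS path for this vhost fails closed, so a literal loopback address that matches the sslh target would make the pairing explicit. The enclosing vhost attribute set continues past the end of the hunk.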


@ -46,14 +46,6 @@
]; ];
}; };
# Prevent collision between sslh and nginx
services.nginx.virtualHosts = with config.var;
{ "brve.bit" .listenAddresses = [ "localhost" ];
"mail.eurofusion.eu".listenAddresses = [ "localhost" ];
${hostname} .listenAddresses = [ "localhost" ];
"riot.${hostname}" .listenAddresses = [ "localhost" ];
};
# This is needed for the rotation of DNSCrypt keys # This is needed for the rotation of DNSCrypt keys
security.polkit.enable = true; security.polkit.enable = true;