author | EuAndreh <eu@euandre.org> | 2020-08-15 20:07:53 -0300 |
---|---|---|
committer | EuAndreh <eu@euandre.org> | 2020-08-16 06:13:21 -0300 |
commit | ceccb9946e2487468135ce673235aa079780a943 (patch) | |
tree | a969c63e7fd0f555a88b13328251602ae9bded72 | |
parent | Use letsencrypt to generate the TLS certificate (diff) | |
Use NGINX to handle the creation of certificates for prosody
After a terraform state rm '...' of the server and domain configuration, and
recreating the instance again while leaving the dettached one running.
I had to do this because I was experimenting too much with the domain and I hit
the Let's Encrypt rate limit[0].
Because of that I'll recreate certificates less often so that doesn't happen in
the new domain during development of the VPS.
I'm not sure if this solution works, but I'll commit just as a checkpoint. I
had to change the custom DNS nameservers from Digital Ocean to Vultr and that
may take a while, so it's worth having this as a checkpoint in time while I'm
off to other things.
[0]: https://letsencrypt.org/docs/rate-limits/
-rw-r--r-- | TODOs.org | 2 | ||||
-rw-r--r-- | secrets/secret-envrc.sh | bin | 3582 -> 3585 bytes | |||
-rw-r--r-- | secrets/terraform/plan-files/2020-08-15T20:13:55-03:00.tfplan | bin | 0 -> 2065 bytes | |||
-rw-r--r-- | secrets/terraform/plan-files/2020-08-15T20:28:52-03:00.tfplan | bin | 0 -> 2064 bytes | |||
-rw-r--r-- | secrets/terraform/terraform.tfstate | bin | 3048 -> 3055 bytes | |||
-rw-r--r-- | secrets/terraform/terraform.tfstate.backup | bin | 180 -> 181 bytes | |||
-rw-r--r-- | secrets/terraform/tfstate-backups/terraform.tfstate.1597534052.backup | bin | 0 -> 3055 bytes | |||
-rw-r--r-- | secrets/terraform/tfstate-backups/terraform.tfstate.1597534076.backup | bin | 0 -> 742 bytes | |||
-rw-r--r-- | vps-configuration.env.nix | 35 |
9 files changed, 28 insertions, 9 deletions
@@ -158,4 +158,6 @@ This way we test the DNS A record -> Floating IP -> Droplet IP path. We can't do
 We could use the raw Droplet IP instead of the DNS A record, but I prefer calling it later in order to always test the full DNS resolution.
 * Questions
 ** How to best handle IP changes when the server changes? How does this affect the email sending IP reputation?
+** Enable 2FA for Nextcloud?
+Do XMPP support that too?
 * Scrath
diff --git a/secrets/secret-envrc.sh b/secrets/secret-envrc.sh
Binary files differ
index 905a2d7..e6ae330 100644
--- a/secrets/secret-envrc.sh
+++ b/secrets/secret-envrc.sh
diff --git a/secrets/terraform/plan-files/2020-08-15T20:13:55-03:00.tfplan b/secrets/terraform/plan-files/2020-08-15T20:13:55-03:00.tfplan
Binary files differ
new file mode 100644
index 0000000..810e6f2
--- /dev/null
+++ b/secrets/terraform/plan-files/2020-08-15T20:13:55-03:00.tfplan
diff --git a/secrets/terraform/plan-files/2020-08-15T20:28:52-03:00.tfplan b/secrets/terraform/plan-files/2020-08-15T20:28:52-03:00.tfplan
Binary files differ
new file mode 100644
index 0000000..6c2f3d6
--- /dev/null
+++ b/secrets/terraform/plan-files/2020-08-15T20:28:52-03:00.tfplan
diff --git a/secrets/terraform/terraform.tfstate b/secrets/terraform/terraform.tfstate
Binary files differ
index d90cfa2..67797c8 100644
--- a/secrets/terraform/terraform.tfstate
+++ b/secrets/terraform/terraform.tfstate
diff --git a/secrets/terraform/terraform.tfstate.backup b/secrets/terraform/terraform.tfstate.backup
Binary files differ
index 9db7c42..bddf8b1 100644
--- a/secrets/terraform/terraform.tfstate.backup
+++ b/secrets/terraform/terraform.tfstate.backup
diff --git a/secrets/terraform/tfstate-backups/terraform.tfstate.1597534052.backup b/secrets/terraform/tfstate-backups/terraform.tfstate.1597534052.backup
Binary files differ
new file mode 100644
index 0000000..9e06acc
--- /dev/null
+++ b/secrets/terraform/tfstate-backups/terraform.tfstate.1597534052.backup
diff --git a/secrets/terraform/tfstate-backups/terraform.tfstate.1597534076.backup b/secrets/terraform/tfstate-backups/terraform.tfstate.1597534076.backup
Binary files differ
new file mode 100644
index 0000000..9f94c6a
--- /dev/null
+++ b/secrets/terraform/tfstate-backups/terraform.tfstate.1597534076.backup
diff --git a/vps-configuration.env.nix b/vps-configuration.env.nix
index a521bc7..d72d7f8 100644
--- a/vps-configuration.env.nix
+++ b/vps-configuration.env.nix
@@ -73,6 +73,17 @@ in {
   security.acme = {
     acceptTerms = true;
     email = envsubstConfiguration.letsencryptEmail;
+    certs = {
+      "${envsubstConfiguration.prosodyTLD}" = {
+        webroot = "/var/lib/acme/.challenges";
+        user = "prosody";
+        group = "prosody";
+        extraDomains = {
+          "${envsubstConfiguration.prosodyMUCTLD}" = null;
+          "${envsubstConfiguration.prosodyHTTPUploadTLD}" = null;
+        };
+      };
+    };
   };
 
   services = {
@@ -106,8 +117,12 @@ in {
         root = boneco;
       };
       "${envsubstConfiguration.prosodyTLD}" = {
-        forceSSL = true;
-        enableACME = true;
+        locations = {
+          "/.well-known/acme-challenge" = {
+            root = "/var/lib/acme/.challenges";
+          };
+          "/" = { return = "301 https://${DOLLAR}host${DOLLAR}request_uri"; };
+        };
       };
     };
   };
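Review bot: The new `certs."${envsubstConfiguration.prosodyTLD}"` entry has no `postRun`, so after a renewal prosody keeps serving the expired certificate: prosody reads `fullchain.pem`/`key.pem` when it starts, and nothing in this file restarts it when the files under /var/lib/acme change (the removed `enableACME` wiring, as far as I can tell, only ever reloaded nginx, never prosody). Add `postRun = "systemctl restart prosody.service";` next to `group = "prosody";`. Since the commit message says the Let's Encrypt rate limit was already hit, consider pointing the module at the staging endpoint while experimenting (`security.acme.server`, or `production = false` on older NixOS releases — check which option your channel has) so further retries do not burn the new domain's quota. The top-level `in {` attrset enclosing `security.acme` starts and ends outside the hunk.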
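Review bot: Only the `prosodyTLD` vhost gets the `/.well-known/acme-challenge` location, but the certificate requested in this same file lists `prosodyMUCTLD` and `prosodyHTTPUploadTLD` as extra domains, and HTTP-01 validation for those names lands on whichever nginx vhost answers for them — unless they carry the same location (not visible in this hunk), issuance fails for the whole certificate, which is also what keeps eating the rate limit. Hoist the location into one binding, `acmeChallenge = { "/.well-known/acme-challenge".root = "/var/lib/acme/.challenges"; };`, and merge it into every vhost whose name appears in `extraDomains`. Separately, dropping `forceSSL` leaves this vhost with no 443 listener, so the new `return = "301 https://…"` sends clients to a port this config no longer serves for that host (the redirect then presumably lands on nginx's default vhost with a mismatched certificate); if the domain is meant to be XMPP-only, a plain `return = "404";` is more honest than the redirect. The `virtualHosts` attrset this hunk edits starts outside the hunk.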
@@ -142,23 +157,25 @@ in {
     };
   };
 
-  prosody = {
+  prosody = let
+    fullchainPEM =
+      "/var/lib/acme/${envsubstConfiguration.prosodyTLD}/fullchain.pem";
+    keyPEM = "/var/lib/acme/${envsubstConfiguration.prosodyTLD}/key.pem";
+  in {
     enable = true;
     admins = [ envsubstConfiguration.prosodyAdminUser ];
     allowRegistration = true;
     ssl = {
-      cert =
-        "/var/lib/acme/${envsubstConfiguration.prosodyTLD}/fullchain.pem";
-      key = "/var/lib/acme/${envsubstConfiguration.prosodyTLD}/key.pem";
+      cert = fullchainPEM;
+      key = keyPEM;
     };
     virtualHosts = {
       "${envsubstConfiguration.prosodyTLD}" = {
         enabled = true;
         domain = "${envsubstConfiguration.prosodyTLD}";
         ssl = {
-          cert =
-            "/var/lib/acme/${envsubstConfiguration.prosodyTLD}/fullchain.pem";
-          key = "/var/lib/acme/${envsubstConfiguration.prosodyTLD}/key.pem";
+          cert = fullchainPEM;
+          key = keyPEM;
         };
       };
     };
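Review bot: Nothing orders `prosody.service` after the ACME job that produces `fullchainPEM`/`keyPEM`, so on a freshly recreated instance — exactly the scenario described in the commit message — prosody can start before /var/lib/acme/<prosodyTLD>/ exists and fail on the missing key; the nginx module's `enableACME` wires that ordering up for nginx, but nothing equivalent is done for prosody here. Add `systemd.services.prosody.after = [ "acme-${envsubstConfiguration.prosodyTLD}.service" ];` (and the matching `wants`) outside `services.prosody`, checking the exact unit name your NixOS release generates, since it changed between rewrites of the ACME module. The `let`-bound paths are a clear improvement over the four duplicated strings; a one-line comment above them, `# Written by security.acme.certs.<prosodyTLD>; keep in sync with that block`, would tell the next reader where they come from. The `services` attrset enclosing `prosody` starts and ends outside the hunk.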