author | EuAndreh <eu@euandre.org> | 2020-08-23 21:27:02 -0300 |
---|---|---|
committer | EuAndreh <eu@euandre.org> | 2020-08-23 21:27:02 -0300 |
commit | d733066fc6cc09f10c6c456bf2d3e1705c40307d (patch) | |
tree | 9f6b83485d14a7906e6cffe8177293412de9021f | |
parent | Chage DNS record of prosody (diff) | |
WIP Fix Converse.js setup
-rwxr-xr-x | nixos-switch.sh | 24 | ||||
-rw-r--r-- | secrets/secret-envrc.sh | bin | 4365 -> 4407 bytes | |||
-rw-r--r-- | vps-configuration.env.nix | 41 |
3 files changed, 46 insertions, 19 deletions
diff --git a/nixos-switch.sh b/nixos-switch.sh
index 404cba4..cd05c5b 100755
--- a/nixos-switch.sh
+++ b/nixos-switch.sh
@@ -9,14 +9,20 @@ echo "${USER_PASSWORD}" | ssh "$TLD" sudo -S nix-channel --add "https://nixos.or
 echo "${USER_PASSWORD}" | ssh "$TLD" sudo -S -i nixos-rebuild switch --upgrade
 rsync -avzP favicons/ "${TLD}:${DATA_ROOT}/favicons/"
-# Ugly hack to change TLS certificates permissions
+echo Ugly hack to change TLS certificates permissions
 echo "${USER_PASSWORD}" | ssh "$TLD" sudo -S "\
-sudo chown -R nginx:prosody /var/lib/acme/; \
-sudo chmod 755 /var/lib/acme/; \
-sudo chmod 640 /var/lib/acme/${PROSODY_TLD}/key.pem; \
-sudo chmod 640 /var/lib/acme/${PROSODY_TLD}/fullchain.pem; \
-sudo chmod 770 /var/lib/acme/${PROSODY_TLD}/; \
-sudo chown nginx:prosody /var/lib/acme/${PROSODY_TLD}/fullchain.pem; \
-sudo chown nginx:prosody /var/lib/acme/${PROSODY_TLD}/key.pem; \
-sudo chown nginx:prosody /var/lib/acme/${PROSODY_TLD}/; \
+sudo chown -R nginx:prosody /var/lib/acme/; \
+sudo chmod 755 /var/lib/acme/; \
+sudo chmod 640 /var/lib/acme/${PROSODY_TLD}/key.pem; \
+sudo chmod 640 /var/lib/acme/${PROSODY_TLD}/fullchain.pem; \
+sudo chmod 770 /var/lib/acme/${PROSODY_TLD}/; \
+sudo chmod 640 /var/lib/acme/${PROSODY_CONVERSE_TLD}/key.pem; \
+sudo chmod 640 /var/lib/acme/${PROSODY_CONVERSE_TLD}/fullchain.pem; \
+sudo chmod 770 /var/lib/acme/${PROSODY_CONVERSE_TLD}/; \
+sudo chown nginx:prosody /var/lib/acme/${PROSODY_TLD}/fullchain.pem; \
+sudo chown nginx:prosody /var/lib/acme/${PROSODY_TLD}/key.pem; \
+sudo chown nginx:prosody /var/lib/acme/${PROSODY_TLD}/; \
+sudo chown nginx:prosody /var/lib/acme/${PROSODY_CONVERSE_TLD}/fullchain.pem; \
+sudo chown nginx:prosody /var/lib/acme/${PROSODY_CONVERSE_TLD}/key.pem; \
+sudo chown nginx:prosody /var/lib/acme/${PROSODY_CONVERSE_TLD}/; \
 sudo systemctl restart prosody.service"
diff --git a/secrets/secret-envrc.sh b/secrets/secret-envrc.sh
Binary files differ
index d46dc54..b0288e9 100644
--- a/secrets/secret-envrc.sh
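Review bot: The new ConverseJS lines grant the prosody group write access to the certificate directory (`chmod 770 /var/lib/acme/${PROSODY_CONVERSE_TLD}/`), and write permission on a directory is enough to delete or replace `key.pem` and `fullchain.pem` regardless of their `640` mode; Prosody only needs to read them, so `chmod 750` is sufficient for both certificate directories. The leading `chown -R nginx:prosody /var/lib/acme/` also re-owns everything under the ACME state directory rather than just the two certificate directories, which is wider than the comment's stated intent. Because these permissions are applied by hand after each switch rather than declared in the NixOS configuration, I would expect the acme service to reset ownership on the next renewal and leave Prosody unable to read its key until the script is rerun — worth confirming; if the NixOS release in use supports it, `security.acme.certs.<domain>.group = "prosody"` plus a `postRun` restart would express the same intent declaratively and retire this hack. Presumably `PROSODY_CONVERSE_TLD` is exported by the (binary) secrets env alongside `PROSODY_TLD`; if it is ever unset, the new paths silently collapse to `/var/lib/acme//…`, so a `set -u` or an explicit `: "${PROSODY_CONVERSE_TLD:?}"` guard would make that failure loud.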
+++ b/secrets/secret-envrc.sh
diff --git a/vps-configuration.env.nix b/vps-configuration.env.nix
index 1ef5eb2..4a4e743 100644
--- a/vps-configuration.env.nix
+++ b/vps-configuration.env.nix
@@ -24,6 +24,7 @@ let
 gitPort = "$GIT_PORT";
 gitRoot = "$GIT_ROOT";
 systemStateVersion = "$SYSTEM_STATE_VERSION";
+ prosodyConverseTLD = "$PROSODY_CONVERSE_TLD";
 prosodyAdminUser = "$PROSODY_ADMIN_USER";
 prosodyMUCTLD = "$PROSODY_MUC_TLD";
 prosodyPort = "$PROSODY_PORT";
@@ -143,15 +144,24 @@ in {
 root ${envsubstConfiguration.staticRoot}/songbooks/;
 '';
 };
+ # Generate and maintain TLS certificate with NGINX
+ # to be used by Prosody
 "${envsubstConfiguration.prosodyTLD}" = {
 forceSSL = true;
 enableACME = true;
+ };
+ "${envsubstConfiguration.prosodyConverseTLD}" = {
+ forceSSL = true;
+ enableACME = true;
 extraConfig = ''
 location = /favicon.ico {
 alias ${envsubstConfiguration.dataRoot}/favicons/conversejs.ico;
 }
+ location = / {
+ return 301 conversejs;
+ }
 location / {
- proxy_pass http://localhost:${envsubstConfiguration.prosodyHTTPPort}/conversejs;
+ proxy_pass http://localhost:${envsubstConfiguration.prosodyHTTPPort}/;
 }
 '';
 };
@@ -189,9 +199,16 @@ in {
 };
 prosody = let
- fullchainPEM = "/var/lib/acme/${envsubstConfiguration.prosodyTLD}/fullchain.pem";
- keyPEM = "/var/lib/acme/${envsubstConfiguration.prosodyTLD}/key.pem";
+ XMPP = {
+ fullchainPEM = "/var/lib/acme/${envsubstConfiguration.prosodyTLD}/fullchain.pem";
+ keyPEM = "/var/lib/acme/${envsubstConfiguration.prosodyTLD}/key.pem";
+ };
+ ConverseJS = {
+ fullchainPEM = "/var/lib/acme/${envsubstConfiguration.prosodyConverseTLD}/fullchain.pem";
+ keyPEM = "/var/lib/acme/${envsubstConfiguration.prosodyConverseTLD}/key.pem";
+ };
 in {
 enable = true;
 admins = [ envsubstConfiguration.prosodyAdminUser ];
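Review bot: `return 301 conversejs;` in the new `location = /` block emits a relative `Location` header; browsers resolve it against `/` so it happens to land on `/conversejs`, but the rooted form is the robust one: `return 301 /conversejs;`. The `location /` change now forwards every path on the ConverseJS host to Prosody's HTTP listener instead of only `/conversejs`, so anything else that listener serves (the module list in the next hunk enables `http_upload`, for instance) becomes reachable under this hostname — confirm that is intended, or restrict the proxied locations to the endpoints Converse.js actually uses. Nothing sets `proxy_set_header Host`/`X-Forwarded-*`, so Prosody sees `localhost:<port>` as the requested host; if its HTTP module derives external URLs from the request host, that header needs to be forwarded. The enclosing `virtualHosts` attribute set starts and ends outside this hunk.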
@@ -201,17 +218,21 @@ in {
 withCommunityModules = [ "http_upload" "conversejs" "bookmarks" ];
 };
 extraModules = [ "http_upload" "conversejs" "bookmarks" ];
- ssl = {
- cert = fullchainPEM;
- key = keyPEM;
- };
 virtualHosts = {
 "${envsubstConfiguration.prosodyTLD}" = {
 enabled = true;
 domain = "${envsubstConfiguration.prosodyTLD}";
 ssl = {
- cert = fullchainPEM;
- key = keyPEM;
+ cert = XMPP.fullchainPEM;
+ key = XMPP.keyPEM;
+ };
+ };
+ "${envsubstConfiguration.prosodyConverseTLD}" = {
+ enabled = true;
+ domain = "${envsubstConfiguration.prosodyConverseTLD}";
+ ssl = {
+ cert = ConverseJS.fullchainPEM;
+ key = ConverseJS.keyPEM;
 };
 };
 };
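Review bot: The new `"${envsubstConfiguration.prosodyConverseTLD}"` entry registers the web hostname as a second, fully `enabled` XMPP VirtualHost, which as far as I can tell makes it a valid account and s2s domain in its own right rather than just a certificate holder. Since nginx in this same commit terminates TLS and proxies to `http://localhost:${prosodyHTTPPort}` over plain HTTP, Prosody appears never to need the ConverseJS certificate at all, so the `ConverseJS` key pair and this VirtualHost look unnecessary — please confirm the Prosody HTTP listener is not also exposed directly, and if the host must stay, add a comment such as `# web-only host: TLS is terminated by nginx; no XMPP accounts should live here`. Removing the top-level `ssl` block also drops the default certificate for anything not bound to one of these two VirtualHosts; if a MUC component is configured for `prosodyMUCTLD`, check it still has a certificate after this change. The enclosing `prosody = let … in { … }` attribute set starts outside this hunk.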