-rw-r--r--TODOs.org5
-rwxr-xr-xnixos-switch.sh10
-rw-r--r--secrets/secret-envrc.shbin3585 -> 3617 bytes
-rw-r--r--vps-configuration.env.nix25
4 files changed, 24 insertions, 16 deletions
diff --git a/TODOs.org b/TODOs.org
index 8e8bdc7..03d0a22 100644
--- a/TODOs.org
+++ b/TODOs.org
@@ -31,7 +31,8 @@ server {
}
#+END_SRC
Use Prosody as a server itself
-** TODO Prosody TLS
+** DONE Prosody TLS
+CLOSED: [2020-08-16 dim. 18:52]
** TODO matterbridge
#+BEGIN_SRC nix
matterbridge = {
@@ -40,6 +41,7 @@ matterbridge = {
'';
};
#+END_SRC
+** TODO Converse
** DONE cgit
CLOSED: [2020-08-14 ven. 09:29]
** TODO Terraform restore from backup when provisioning
@@ -73,6 +75,7 @@ resource "vultr_block_storage" "vps_storage" {
live = "yes"
}
#+END_SRC
+** TODO Stop doing chmod to share certificates
* Tasks - v5
** TODO Run cgit from nginx instead of using lighttpd
** TODO EteSync?
diff --git a/nixos-switch.sh b/nixos-switch.sh
index 6a75a69..c972ea4 100755
--- a/nixos-switch.sh
+++ b/nixos-switch.sh
@@ -7,3 +7,13 @@ cd "$(dirname "${BASH_SOURCE[0]}")"
envsubst < vps-configuration.env.nix | ssh "$TLD" 'cat > /etc/nixos/configuration.nix'
echo "${USER_PASSWORD}" | ssh "$TLD" sudo -S nix-channel --add "https://nixos.org/channels/nixos-${SYSTEM_STATE_VERSION}" nixos
echo "${USER_PASSWORD}" | ssh "$TLD" sudo -S -i nixos-rebuild switch --upgrade
+
+# Ugly hack to change TLS certificates permissions
+echo "${USER_PASSWORD}" | ssh "$TLD" sudo -S "\
+sudo chmod 640 /var/lib/acme/chat.arrobaponto.org/key.pem; \
+sudo chmod 640 /var/lib/acme/chat.arrobaponto.org/fullchain.pem; \
+sudo chmod 770 /var/lib/acme/chat.arrobaponto.org/; \
+sudo chown nginx:prosody /var/lib/acme/chat.arrobaponto.org/fullchain.pem; \
+sudo chown nginx:prosody /var/lib/acme/chat.arrobaponto.org/key.pem; \
+sudo chown nginx:prosody /var/lib/acme/chat.arrobaponto.org/; \
+sudo systemctl restart prosody.service"
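Review bot: The added block hands ownership of /var/lib/acme/chat.arrobaponto.org and both PEM files to nginx:prosody and opens the directory to 770, which gives nginx write access to the private key and will presumably be undone (or make the renewal fail) the next time the acme service rewrites that directory; the `TODO Stop doing chmod to share certificates` added to TODOs.org in this same commit acknowledges it as a hack. The sharing can be expressed declaratively instead: keep `group = "prosody"` on `security.acme.certs."<prosody TLD>"` as the removed vps-configuration.env.nix block did, give nginx read access with `users.users.nginx.extraGroups = [ "prosody" ];`, and drop every chmod/chown line here, moving the restart into that certificate's `postRun` so it also happens on renewal. If the hack is kept for now, the inner `sudo` on each line is redundant because the whole quoted string already runs under `sudo -S`, and 750 on the directory (traverse plus read) is all a reader needs; 770 is wider than necessary for key material.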
diff --git a/secrets/secret-envrc.sh b/secrets/secret-envrc.sh
index e6ae330..c4fcf1c 100644
--- a/secrets/secret-envrc.sh
+++ b/secrets/secret-envrc.sh
Binary files differ
diff --git a/vps-configuration.env.nix b/vps-configuration.env.nix
index d72d7f8..dad3a9c 100644
--- a/vps-configuration.env.nix
+++ b/vps-configuration.env.nix
@@ -22,7 +22,7 @@ let
prosodyAdminUser = "$PROSODY_ADMIN_USER";
prosodyMUCTLD = "$PROSODY_MUC_TLD";
prosodyHTTPUploadTLD = "$PROSODY_HTTP_UPLOAD_TLD";
- prosodyPort = "$PROSODY_PORT";
+ prosodyHTTPPort = "$PROSODY_HTTP_PORT";
};
boneco = pkgs.stdenv.mkDerivation {
name = "boneco";
@@ -73,17 +73,6 @@ in {
security.acme = {
acceptTerms = true;
email = envsubstConfiguration.letsencryptEmail;
- certs = {
- "${envsubstConfiguration.prosodyTLD}" = {
- webroot = "/var/lib/acme/.challenges";
- user = "prosody";
- group = "prosody";
- extraDomains = {
- "${envsubstConfiguration.prosodyMUCTLD}" = null;
- "${envsubstConfiguration.prosodyHTTPUploadTLD}" = null;
- };
- };
- };
};
services = {
@@ -117,11 +106,13 @@ in {
root = boneco;
};
"${envsubstConfiguration.prosodyTLD}" = {
+ forceSSL = true;
+ enableACME = true;
locations = {
- "/.well-known/acme-challenge" = {
- root = "/var/lib/acme/.challenges";
+ "/" = {
+ proxyPass =
+ "http://localhost:${envsubstConfiguration.prosodyHTTPPort}/";
};
- "/" = { return = "301 https://${DOLLAR}host${DOLLAR}request_uri"; };
};
};
};
@@ -165,6 +156,10 @@ in {
enable = true;
admins = [ envsubstConfiguration.prosodyAdminUser ];
allowRegistration = true;
+ package = pkgs.prosody.override {
+ withCommunityModules = [ "http_upload" "conversejs" "bookmarks" ];
+ };
+ extraModules = [ "http_upload" "conversejs" "bookmarks" ];
ssl = {
cert = fullchainPEM;
key = keyPEM;
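Review bot: Removing the `security.acme.certs` block drops the `extraDomains` entries for `prosodyMUCTLD` and `prosodyHTTPUploadTLD`, and the replacement `enableACME = true` on the nginx virtualHost (third hunk) only requests a certificate for `prosodyTLD`; unless those two names are enabled somewhere outside these hunks, the MUC and http_upload hosts Prosody serves will present a certificate that does not cover them. Listing them as `serverAliases` on that virtualHost, or re-adding `security.acme.certs."${envsubstConfiguration.prosodyTLD}".extraDomains`, restores the coverage. The same removal also discards `group = "prosody"`, which is why Prosody can no longer read the certificate and the chmod hack appeared in nixos-switch.sh; setting the group on the cert and adding nginx to it with `users.users.nginx.extraGroups = [ "prosody" ];` keeps the sharing declarative and survives renewal. The `ssl = { cert = fullchainPEM; key = keyPEM; … }` block in the last hunk continues past the end of this diff.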