-rw-r--r-- | TODOs.org | 5 | ||||
-rwxr-xr-x | nixos-switch.sh | 10 | ||||
-rw-r--r-- | secrets/secret-envrc.sh | bin | 3585 -> 3617 bytes | |||
-rw-r--r-- | vps-configuration.env.nix | 25 |
4 files changed, 24 insertions, 16 deletions
@@ -31,7 +31,8 @@ server {
 }
 #+END_SRC
 Use Prosody as a server itself
-** TODO Prosody TLS
+** DONE Prosody TLS
+CLOSED: [2020-08-16 dim. 18:52]
 ** TODO matterbridge
 #+BEGIN_SRC nix
 matterbridge = {
@@ -40,6 +41,7 @@ matterbridge = {
 '';
 };
 #+END_SRC
+** TODO Converse
 ** DONE cgit
 CLOSED: [2020-08-14 ven. 09:29]
 ** TODO Terraform restore from backup when provisioning
@@ -73,6 +75,7 @@ resource "vultr_block_storage" "vps_storage" {
 live = "yes"
 }
 #+END_SRC
+** TODO Stop doing chmod to share certificates
 * Tasks - v5
 ** TODO Run cgit from nginx instead of using lighttpd
 ** TODO EteSync?
diff --git a/nixos-switch.sh b/nixos-switch.sh
index 6a75a69..c972ea4 100755
--- a/nixos-switch.sh
+++ b/nixos-switch.sh
@@ -7,3 +7,13 @@ cd "$(dirname "${BASH_SOURCE[0]}")"
 envsubst < vps-configuration.env.nix | ssh "$TLD" 'cat > /etc/nixos/configuration.nix'
 echo "${USER_PASSWORD}" | ssh "$TLD" sudo -S nix-channel --add "https://nixos.org/channels/nixos-${SYSTEM_STATE_VERSION}" nixos
 echo "${USER_PASSWORD}" | ssh "$TLD" sudo -S -i nixos-rebuild switch --upgrade
+
+# Ugly hack to change TLS certificates permissions
+echo "${USER_PASSWORD}" | ssh "$TLD" sudo -S "\
+sudo chmod 640 /var/lib/acme/chat.arrobaponto.org/key.pem; \
+sudo chmod 640 /var/lib/acme/chat.arrobaponto.org/fullchain.pem; \
+sudo chmod 770 /var/lib/acme/chat.arrobaponto.org/; \
+sudo chown nginx:prosody /var/lib/acme/chat.arrobaponto.org/fullchain.pem; \
+sudo chown nginx:prosody /var/lib/acme/chat.arrobaponto.org/key.pem; \
+sudo chown nginx:prosody /var/lib/acme/chat.arrobaponto.org/; \
+sudo systemctl restart prosody.service"
diff --git a/secrets/secret-envrc.sh b/secrets/secret-envrc.sh
Binary files differ
index e6ae330..c4fcf1c 100644
--- a/secrets/secret-envrc.sh
+++ b/secrets/secret-envrc.sh
diff --git a/vps-configuration.env.nix b/vps-configuration.env.nix
index d72d7f8..dad3a9c 100644
--- a/vps-configuration.env.nix
+++ b/vps-configuration.env.nix
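Review bot: The new chown lines make the `nginx` user the owner of `key.pem`, `fullchain.pem` and the whole `/var/lib/acme/chat.arrobaponto.org/` directory, with the directory at mode 770, so the network-facing web server (and, through the group, prosody) can replace or delete the private key instead of merely reading it; read-sharing needs no more than a common group with `chmod 640` on the files and `750` on the directory, leaving ownership with the ACME service. The fix-up is also undone by the next renewal or rebuild, which the "Stop doing chmod to share certificates" TODO added in the same commit already admits; on NixOS the same sharing is expressed declaratively with the certificate's `group` under `security.acme.certs` (plus a reload hook for prosody), which would remove this block and the `systemctl restart` from the script. Two smaller points: every inner `sudo` is redundant because the outer `sudo -S` already runs the quoted string as root, and the host name is hard-coded here while the surrounding lines take `$TLD` from the environment and the nix file takes the prosody names from `$PROSODY_*` envsubst variables.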
@@ -22,7 +22,7 @@ let
 prosodyAdminUser = "$PROSODY_ADMIN_USER";
 prosodyMUCTLD = "$PROSODY_MUC_TLD";
 prosodyHTTPUploadTLD = "$PROSODY_HTTP_UPLOAD_TLD";
- prosodyPort = "$PROSODY_PORT";
+ prosodyHTTPPort = "$PROSODY_HTTP_PORT";
 };
 boneco = pkgs.stdenv.mkDerivation {
 name = "boneco";
@@ -73,17 +73,6 @@ in {
 security.acme = {
 acceptTerms = true;
 email = envsubstConfiguration.letsencryptEmail;
- certs = {
- "${envsubstConfiguration.prosodyTLD}" = {
- webroot = "/var/lib/acme/.challenges";
- user = "prosody";
- group = "prosody";
- extraDomains = {
- "${envsubstConfiguration.prosodyMUCTLD}" = null;
- "${envsubstConfiguration.prosodyHTTPUploadTLD}" = null;
- };
- };
- };
 };
 
 services = {
@@ -117,11 +106,13 @@ in {
 root = boneco;
 };
 "${envsubstConfiguration.prosodyTLD}" = {
+ forceSSL = true;
+ enableACME = true;
 locations = {
- "/.well-known/acme-challenge" = {
- root = "/var/lib/acme/.challenges";
+ "/" = {
+ proxyPass =
+ "http://localhost:${envsubstConfiguration.prosodyHTTPPort}/";
 };
- "/" = { return = "301 https://${DOLLAR}host${DOLLAR}request_uri"; };
 };
 };
 };
@@ -165,6 +156,10 @@ in {
 enable = true;
 admins = [ envsubstConfiguration.prosodyAdminUser ];
 allowRegistration = true;
+ package = pkgs.prosody.override {
+ withCommunityModules = [ "http_upload" "conversejs" "bookmarks" ];
+ };
+ extraModules = [ "http_upload" "conversejs" "bookmarks" ];
 ssl = {
 cert = fullchainPEM;
 key = keyPEM;
|
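Review bot: Deleting the `certs` block drops the `extraDomains` entries for `prosodyMUCTLD` and `prosodyHTTPUploadTLD`, and the `enableACME = true` that replaces it on the `prosodyTLD` virtual host (third hunk) requests a certificate for that single name only; prosody still serves its `ssl` block (last hunk) from that certificate, so the MUC and HTTP-upload hosts will present a certificate whose name does not match theirs unless they are covered somewhere outside these hunks. Add the two names as aliases on that virtual host so the ACME request includes them, `serverAliases = [ envsubstConfiguration.prosodyMUCTLD envsubstConfiguration.prosodyHTTPUploadTLD ];`, or keep an explicit `security.acme.certs` entry that lists them. The certificate is also now issued for nginx rather than with `user = "prosody"` / `group = "prosody"` as before, which is what the chmod/chown block in `nixos-switch.sh` compensates for; setting the certificate's group here declaratively would keep the key readable by both services without that script step.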
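Review bot: The module list `[ "http_upload" "conversejs" "bookmarks" ]` is written twice in the last hunk, once in the `package` override and once in `extraModules`, and the two copies have to be kept in sync by hand. Bind it once in the module's `let` block, e.g. `prosodyModules = [ "http_upload" "conversejs" "bookmarks" ];`, and write `withCommunityModules = prosodyModules;` and `extraModules = prosodyModules;`. The enclosing `prosody` attribute set starts and ends outside the hunk.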