-rw-r--r--TODOs.org2
-rw-r--r--secrets/secret-envrc.shbin3582 -> 3585 bytes
-rw-r--r--secrets/terraform/plan-files/2020-08-15T20:13:55-03:00.tfplanbin0 -> 2065 bytes
-rw-r--r--secrets/terraform/plan-files/2020-08-15T20:28:52-03:00.tfplanbin0 -> 2064 bytes
-rw-r--r--secrets/terraform/terraform.tfstatebin3048 -> 3055 bytes
-rw-r--r--secrets/terraform/terraform.tfstate.backupbin180 -> 181 bytes
-rw-r--r--secrets/terraform/tfstate-backups/terraform.tfstate.1597534052.backupbin0 -> 3055 bytes
-rw-r--r--secrets/terraform/tfstate-backups/terraform.tfstate.1597534076.backupbin0 -> 742 bytes
-rw-r--r--vps-configuration.env.nix35
9 files changed, 28 insertions, 9 deletions
diff --git a/TODOs.org b/TODOs.org
index 5708fe0..8e8bdc7 100644
--- a/TODOs.org
+++ b/TODOs.org
@@ -158,4 +158,6 @@ This way we test the DNS A record -> Floating IP -> Droplet IP path. We can't do
We could use the raw Droplet IP instead of the DNS A record, but I prefer calling it later in order to always test the full DNS resolution.
* Questions
** How to best handle IP changes when the server changes? How does this affect the email sending IP reputation?
+** Enable 2FA for Nextcloud?
+Do XMPP support that too?
* Scrath
diff --git a/secrets/secret-envrc.sh b/secrets/secret-envrc.sh
index 905a2d7..e6ae330 100644
--- a/secrets/secret-envrc.sh
+++ b/secrets/secret-envrc.sh
Binary files differ
diff --git a/secrets/terraform/plan-files/2020-08-15T20:13:55-03:00.tfplan b/secrets/terraform/plan-files/2020-08-15T20:13:55-03:00.tfplan
new file mode 100644
index 0000000..810e6f2
--- /dev/null
+++ b/secrets/terraform/plan-files/2020-08-15T20:13:55-03:00.tfplan
Binary files differ
diff --git a/secrets/terraform/plan-files/2020-08-15T20:28:52-03:00.tfplan b/secrets/terraform/plan-files/2020-08-15T20:28:52-03:00.tfplan
new file mode 100644
index 0000000..6c2f3d6
--- /dev/null
+++ b/secrets/terraform/plan-files/2020-08-15T20:28:52-03:00.tfplan
Binary files differ
diff --git a/secrets/terraform/terraform.tfstate b/secrets/terraform/terraform.tfstate
index d90cfa2..67797c8 100644
--- a/secrets/terraform/terraform.tfstate
+++ b/secrets/terraform/terraform.tfstate
Binary files differ
diff --git a/secrets/terraform/terraform.tfstate.backup b/secrets/terraform/terraform.tfstate.backup
index 9db7c42..bddf8b1 100644
--- a/secrets/terraform/terraform.tfstate.backup
+++ b/secrets/terraform/terraform.tfstate.backup
Binary files differ
diff --git a/secrets/terraform/tfstate-backups/terraform.tfstate.1597534052.backup b/secrets/terraform/tfstate-backups/terraform.tfstate.1597534052.backup
new file mode 100644
index 0000000..9e06acc
--- /dev/null
+++ b/secrets/terraform/tfstate-backups/terraform.tfstate.1597534052.backup
Binary files differ
diff --git a/secrets/terraform/tfstate-backups/terraform.tfstate.1597534076.backup b/secrets/terraform/tfstate-backups/terraform.tfstate.1597534076.backup
new file mode 100644
index 0000000..9f94c6a
--- /dev/null
+++ b/secrets/terraform/tfstate-backups/terraform.tfstate.1597534076.backup
Binary files differ
diff --git a/vps-configuration.env.nix b/vps-configuration.env.nix
index a521bc7..d72d7f8 100644
--- a/vps-configuration.env.nix
+++ b/vps-configuration.env.nix
@@ -73,6 +73,17 @@ in {
security.acme = {
acceptTerms = true;
email = envsubstConfiguration.letsencryptEmail;
+ certs = {
+ "${envsubstConfiguration.prosodyTLD}" = {
+ webroot = "/var/lib/acme/.challenges";
+ user = "prosody";
+ group = "prosody";
+ extraDomains = {
+ "${envsubstConfiguration.prosodyMUCTLD}" = null;
+ "${envsubstConfiguration.prosodyHTTPUploadTLD}" = null;
+ };
+ };
+ };
};
services = {
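Review bot: The new `certs` entry lists `prosodyMUCTLD` and `prosodyHTTPUploadTLD` as `extraDomains`, but HTTP-01 validation for each extra name also needs port 80 on that hostname to serve `/var/lib/acme/.challenges`, and the nginx change further down (the `@@ -106` hunk) only adds the acme-challenge location to the `prosodyTLD` vhost. Unless a default server or another vhost outside this diff answers for the MUC and upload names, issuance and renewal of this certificate will fail on those subdomains. Consider a vhost for each extra domain carrying the same `"/.well-known/acme-challenge" = { root = "/var/lib/acme/.challenges"; };` location, or serving the challenge path from the default server. The enclosing `in { … }` attribute set starts and ends outside the hunk.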
@@ -106,8 +117,12 @@ in {
root = boneco;
};
"${envsubstConfiguration.prosodyTLD}" = {
- forceSSL = true;
- enableACME = true;
+ locations = {
+ "/.well-known/acme-challenge" = {
+ root = "/var/lib/acme/.challenges";
+ };
+ "/" = { return = "301 https://${DOLLAR}host${DOLLAR}request_uri"; };
+ };
};
};
};
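Review bot: Dropping `forceSSL = true` without replacing it with `addSSL` or `onlySSL` removes the TLS listener for the `prosodyTLD` vhost, yet the new `"/"` location redirects every request to `https://$host$request_uri`; with no HTTPS server block for that hostname visible in this diff, the redirect lands on whatever nginx's default TLS server is, or on a refused connection, rather than on content for this host. If the intent is that nginx answers plain HTTP only for the ACME challenge while prosody terminates TLS on its own ports, a comment on the vhost saying so, e.g. `# HTTP only: nginx serves the HTTP-01 challenge for prosody's certificate; TLS is handled by prosody`, would make that explicit for the next reader; otherwise the redirect target needs a matching HTTPS vhost. The surrounding `virtualHosts` set starts and ends outside the hunk.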
@@ -142,23 +157,25 @@ in {
};
};
- prosody = {
+ prosody = let
+ fullchainPEM =
+ "/var/lib/acme/${envsubstConfiguration.prosodyTLD}/fullchain.pem";
+ keyPEM = "/var/lib/acme/${envsubstConfiguration.prosodyTLD}/key.pem";
+ in {
enable = true;
admins = [ envsubstConfiguration.prosodyAdminUser ];
allowRegistration = true;
ssl = {
- cert =
- "/var/lib/acme/${envsubstConfiguration.prosodyTLD}/fullchain.pem";
- key = "/var/lib/acme/${envsubstConfiguration.prosodyTLD}/key.pem";
+ cert = fullchainPEM;
+ key = keyPEM;
};
virtualHosts = {
"${envsubstConfiguration.prosodyTLD}" = {
enabled = true;
domain = "${envsubstConfiguration.prosodyTLD}";
ssl = {
- cert =
- "/var/lib/acme/${envsubstConfiguration.prosodyTLD}/fullchain.pem";
- key = "/var/lib/acme/${envsubstConfiguration.prosodyTLD}/key.pem";
+ cert = fullchainPEM;
+ key = keyPEM;
};
};
};