From c26cf3f0dfa9df08201f344f625257daf7cb3a9c Mon Sep 17 00:00:00 2001
From: EuAndreh
Date: Sun, 16 Aug 2020 18:21:03 -0300
Subject: Checkpoint: Working Prosody server

Use NGINX to create TLS certificate and then share it with prosody.
---
 TODOs.org | 5 ++++-
 nixos-switch.sh | 10 ++++++++++
 secrets/secret-envrc.sh | Bin 3585 -> 3617 bytes
 vps-configuration.env.nix | 25 ++++++++++---------------
 4 files changed, 24 insertions(+), 16 deletions(-)

diff --git a/TODOs.org b/TODOs.org
index 8e8bdc7..03d0a22 100644
--- a/TODOs.org
+++ b/TODOs.org
@@ -31,7 +31,8 @@ server {
 }
 #+END_SRC
 Use Prosody as a server itself
-** TODO Prosody TLS
+** DONE Prosody TLS
+CLOSED: [2020-08-16 dim. 18:52]
 ** TODO matterbridge
 #+BEGIN_SRC nix
 matterbridge = {
@@ -40,6 +41,7 @@ matterbridge = {
 '';
 };
 #+END_SRC
+** TODO Converse
 ** DONE cgit
 CLOSED: [2020-08-14 ven. 09:29]
 ** TODO Terraform restore from backup when provisioning
@@ -73,6 +75,7 @@ resource "vultr_block_storage" "vps_storage" {
 live = "yes"
 }
 #+END_SRC
+** TODO Stop doing chmod to share certificates
 * Tasks - v5
 ** TODO Run cgit from nginx instead of using lighttpd
 ** TODO EteSync?
diff --git a/nixos-switch.sh b/nixos-switch.sh
index 6a75a69..c972ea4 100755
--- a/nixos-switch.sh
+++ b/nixos-switch.sh
@@ -7,3 +7,13 @@ cd "$(dirname "${BASH_SOURCE[0]}")"
 envsubst < vps-configuration.env.nix | ssh "$TLD" 'cat > /etc/nixos/configuration.nix'
 echo "${USER_PASSWORD}" | ssh "$TLD" sudo -S nix-channel --add "https://nixos.org/channels/nixos-${SYSTEM_STATE_VERSION}" nixos
 echo "${USER_PASSWORD}" | ssh "$TLD" sudo -S -i nixos-rebuild switch --upgrade
+
+# Ugly hack to change TLS certificates permissions
+echo "${USER_PASSWORD}" | ssh "$TLD" sudo -S "\
+sudo chmod 640 /var/lib/acme/chat.arrobaponto.org/key.pem; \
+sudo chmod 640 /var/lib/acme/chat.arrobaponto.org/fullchain.pem; \
+sudo chmod 770 /var/lib/acme/chat.arrobaponto.org/; \
+sudo chown nginx:prosody /var/lib/acme/chat.arrobaponto.org/fullchain.pem; \
+sudo chown nginx:prosody /var/lib/acme/chat.arrobaponto.org/key.pem; \
+sudo chown nginx:prosody /var/lib/acme/chat.arrobaponto.org/; \
+sudo systemctl restart prosody.service"
diff --git a/secrets/secret-envrc.sh b/secrets/secret-envrc.sh
index e6ae330..c4fcf1c 100644
Binary files a/secrets/secret-envrc.sh and b/secrets/secret-envrc.sh differ
diff --git a/vps-configuration.env.nix b/vps-configuration.env.nix
index d72d7f8..dad3a9c 100644
--- a/vps-configuration.env.nix
+++ b/vps-configuration.env.nix
@@ -22,7 +22,7 @@ let
 prosodyAdminUser = "$PROSODY_ADMIN_USER";
 prosodyMUCTLD = "$PROSODY_MUC_TLD";
 prosodyHTTPUploadTLD = "$PROSODY_HTTP_UPLOAD_TLD";
- prosodyPort = "$PROSODY_PORT";
+ prosodyHTTPPort = "$PROSODY_HTTP_PORT";
 };
 boneco = pkgs.stdenv.mkDerivation {
 name = "boneco";
@@ -73,17 +73,6 @@ in {
 security.acme = {
 acceptTerms = true;
 email = envsubstConfiguration.letsencryptEmail;
- certs = {
- "${envsubstConfiguration.prosodyTLD}" = {
- webroot = "/var/lib/acme/.challenges";
- user = "prosody";
- group = "prosody";
- extraDomains = {
- "${envsubstConfiguration.prosodyMUCTLD}" = null;
- "${envsubstConfiguration.prosodyHTTPUploadTLD}" = null;
- };
- };
- };
 };
 
 services = {
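Review bot: The `chmod 770` on the ACME directory grants more than the sharing needs and the whole fix is not durable: group `prosody` only has to traverse the directory to read the two `640` files, so `750` is sufficient, while `770` lets the prosody account create, rename and delete files next to the private key. The ACME renewal run on the host presumably recreates these files under its own ownership and mode, so the permissions set here last only until the next renewal and prosody then loses its certificate until this script is re-run; expressing the sharing in the Nix configuration (the cert's `group` option, which the removed `security.acme.certs` block already set, together with `users.users.prosody.extraGroups = [ "nginx" ];` or the equivalent for whatever user/group the nginx module assigns to the cert in this release) survives renewals and removes the ssh/chmod step. The hostname `chat.arrobaponto.org` is also hard-coded here while the Nix side takes it from the environment, so the two can drift silently; reading it from the same variable (presumably `${PROSODY_TLD}`, matching the `prosodyTLD` binding) keeps them aligned.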
@@ -117,11 +106,13 @@ in {
 root = boneco;
 };
 "${envsubstConfiguration.prosodyTLD}" = {
+ forceSSL = true;
+ enableACME = true;
 locations = {
- "/.well-known/acme-challenge" = {
- root = "/var/lib/acme/.challenges";
+ "/" = {
+ proxyPass =
+ "http://localhost:${envsubstConfiguration.prosodyHTTPPort}/";
 };
- "/" = { return = "301 https://${DOLLAR}host${DOLLAR}request_uri"; };
 };
 };
 };
@@ -165,6 +156,10 @@ in {
 enable = true;
 admins = [ envsubstConfiguration.prosodyAdminUser ];
 allowRegistration = true;
+ package = pkgs.prosody.override {
+ withCommunityModules = [ "http_upload" "conversejs" "bookmarks" ];
+ };
+ extraModules = [ "http_upload" "conversejs" "bookmarks" ];
 ssl = {
 cert = fullchainPEM;
 key = keyPEM;
-- 
cgit v1.2.3
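Review bot: Switching to `enableACME = true;` on the virtual host drops the two extra hostnames that the removed `extraDomains` block in the earlier hunk of this file covered, so the certificate that prosody is handed now appears to name only `prosodyTLD`, while the MUC and upload components presumably answer on `prosodyMUCTLD` and `prosodyHTTPUploadTLD` and clients will see a name mismatch there. Adding `serverAliases = [ envsubstConfiguration.prosodyMUCTLD envsubstConfiguration.prosodyHTTPUploadTLD ];` next to `enableACME = true;` makes the nginx module request those names on the same certificate again. The enclosing `virtualHosts` attrset starts outside the hunk.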
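Review bot: The community-module list is spelled out twice, in `withCommunityModules` and again in `extraModules`, so the package override and the enabled-module list can drift apart; binding it once in the `let` block (`prosodyCommunityModules = [ "http_upload" "conversejs" "bookmarks" ];`) and referencing it from both places keeps them in step. With `allowRegistration = true;` in the surrounding context, enabling `http_upload` means every self-registered account can store files on the host, so the module's size limit (`http_upload_file_size_limit` in the prosody configuration, settable through `services.prosody.extraConfig`) is worth setting explicitly so uploads are bounded. The `ssl` attrset continues past the end of the hunk.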