
commit 6338736d20fb121bf03fc4a66fbd674fbdd90182
parent c4bb8be97ba62695bab3097f9ab523ba6f5c72d3
Author: rsiddharth <s@ricketyspace.net>
Date:   Mon, 20 Jan 2020 15:42:24 -0500

Add nginx snafu for nsfw.dingy.space

Diffstat:
config.hs | 66++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 66 insertions(+), 0 deletions(-)

diff --git a/config.hs b/config.hs
@@ -247,6 +247,7 @@ lyra = host "lyra.ricketyspace.net" $props
 & Nginx.siteEnabled "ricketyspace.net" ricketyspaceNetNginx
 & Nginx.siteEnabled "git.ricketyspace.net" ricketyspaceNetGitNginx
 & Nginx.siteEnabled "dingy.space" dingySpaceNginx
+ & Nginx.siteEnabled "nfsw.dingy.space" nfswDingySpaceNginx
 & ricketyspaceNetDhparamPem
 & ricketyspaceNetCert `onChange` Nginx.restarted
 & ricketyspaceNetCertKey
@@ -256,6 +257,8 @@ lyra = host "lyra.ricketyspace.net" $props
 & ricketyspaceNetLyraCertKey
 & dingySpaceCert
 & dingySpaceCertKey
+ & nfswDingySpaceCert
+ & nfswDingySpaceCertKey
 -- git-daemon
 & rsGitDaemonDefaults `onChange` Service.restarted "git-daemon"
 -- opendkim
@@ -549,6 +552,59 @@ dingySpaceNginx = [
 ]
 
 
+nfswDingySpaceNginx :: [String]
+nfswDingySpaceNginx = [
+ "# Adapted from https://gist.github.com/konklone/6532544"
+ , ""
+ , "server {"
+ , " listen 80;"
+ , " listen [::]:80;"
+ , " server_name dingy.space;"
+ , " return 301 https://$host$request_uri;"
+ , "}"
+ , ""
+ , "server {"
+ , " listen 443 ssl http2;"
+ , " listen [::]:443 ssl http2;"
+ , " server_name nfsw.dingy.space;"
+ , ""
+ , " access_log /var/log/nginx/nfsw.dingy.space.log;"
+ , " error_log /var/log/nginx/nfsw.dingy.space.log;"
+ , ""
+ , ""
+ , " root /var/www/nfsw.dingy.space;"
+ , " error_page 404 /404.html;"
+ , " error_page 403 /403.html;"
+ , " default_type text/plain;"
+ , ""
+ , " # Path to certificate and private key."
+ , " # The .crt may omit the root CA cert, if it's a standard CA that ships with clients."
+ , " ssl_certificate /etc/ssl/certs/nfsw.ds.chained.le.pem;"
+ , " ssl_certificate_key /etc/ssl/private/nfsw.ds.d.le.key;"
+ , ""
+ , " add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload';"
+ , ""
+ , " ssl_prefer_server_ciphers on;"
+ , " ssl_ciphers 'kEECDH+ECDSA+AES128 kEECDH+ECDSA+AES256 kEECDH+AES128 kEECDH+AES256 kEDH+AES128 kEDH+AES256 DES-CBC3-SHA +SHA !aNULL !eNULL !LOW !MD5 !EXP !DSS !PSK !SRP !kECDH !CAMELLIA !RC4 !SEED';"
+ , ""
+ , " ssl_protocols TLSv1.2 TLSv1.1 TLSv1;"
+ , ""
+ , " # as recommended by http://nginx.org/en/docs/http/configuring_https_servers.html"
+ , " ssl_session_cache shared:SSL:10m;"
+ , " ssl_session_timeout 10m;"
+ , " keepalive_timeout 70;"
+ , ""
+ , " # nginx 1.5.9+ ONLY"
+ , " ssl_buffer_size 1400;"
+ , ""
+ , " #"
+ , " # Generated by OpenSSL with the following command:"
+ , " # openssl dhparam -outform pem -out dhparam2048.pem 2048"
+ , " ssl_dhparam /etc/ssl/certs/dhparam4096.pem;"
+ , "}"
+ ]
+
+
 --- certs
 ricketyspaceNetDhparamPem :: Property (HasInfo + UnixLike)
 ricketyspaceNetDhparamPem = File.hasPrivContent
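Review bot: The port-80 redirect block added in this hunk declares `server_name dingy.space;` while the TLS block beneath it serves `nfsw.dingy.space`, so plain-HTTP requests for the new host never match this block, and because the same host already enables `dingySpaceNginx` for "dingy.space" (presumably with its own port-80 server) nginx is likely to report a conflicting server name and ignore one of the two; the line should read `, " server_name nfsw.dingy.space;"`. Separately, `ssl_protocols TLSv1.2 TLSv1.1 TLSv1;` together with `DES-CBC3-SHA` in `ssl_ciphers` leaves deprecated protocol versions and a 3DES suite enabled on a brand-new site that also sends an HSTS preload header; `ssl_protocols TLSv1.2;` with the 3DES entry removed from the cipher string would avoid that. The dhparam comment names `dhparam2048.pem` but the directive loads `/etc/ssl/certs/dhparam4096.pem`, so the comment should say 4096 or be dropped. Finally, the commit title spells the host nsfw.dingy.space while every identifier, path and server_name in the hunk spells it nfsw; this may be intentional, but it is worth confirming before certificates are requested for the name.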
@@ -592,6 +648,16 @@ dingySpaceCertKey :: Property (HasInfo + UnixLike)
 dingySpaceCertKey = File.hasPrivContent
 "/etc/ssl/private/ds.d.le.key" (Context "dingy.space")
 
+nfswDingySpaceCert :: Property (HasInfo + UnixLike)
+nfswDingySpaceCert = File.hasPrivContent
+ cert (Context "nfsw.dingy.space")
+ `onChange` File.mode cert 0O0644
+ where cert = "/etc/ssl/certs/nfsw.ds.chained.le.pem"
+
+nfswDingySpaceCertKey :: Property (HasInfo + UnixLike)
+nfswDingySpaceCertKey = File.hasPrivContent
+ "/etc/ssl/private/nfsw.ds.d.le.key" (Context "nfsw.dingy.space")
+
 --- dkim
 ricketyspaceNetOpenDkimConf :: [File.Line]