Diffstat (limited to 'lass/1systems/prism.nix')
-rw-r--r--lass/1systems/prism.nix36
1 files changed, 36 insertions, 0 deletions
diff --git a/lass/1systems/prism.nix b/lass/1systems/prism.nix
index e69fc545f..406acda5b 100644
--- a/lass/1systems/prism.nix
+++ b/lass/1systems/prism.nix
@@ -2,6 +2,10 @@
let
ip = config.krebs.build.host.nets.internet.ip4.addr;
+
+ inherit (import ../../4lib { inherit lib pkgs; })
+ manageCerts;
+
in {
imports = [
../.
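Review bot: `manageCerts` is bound in the new `let` block but nothing in this commit's visible hunks references it, so unless a use exists elsewhere in prism.nix it is a dead binding that still forces an import of `../../4lib` on every evaluation. If the ACME configuration added further down replaces what `manageCerts` used to produce, the binding should be dropped together with the `inherit` rather than left behind. The `let` block continues outside this hunk, so I may be missing a later use.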
@@ -159,6 +163,38 @@ in {
enable = true;
};
}
+ {
+ security.acme = {
+ certs."lassul.us" = {
+ email = "lass@lassul.us";
+ webroot = "/var/lib/acme/challenges/lassul.us";
+ plugins = [
+ "account_key.json"
+ "key.pem"
+ "fullchain.pem"
+ "full.pem"
+ ];
+ user = "ejabberd";
+ };
+ };
+ krebs.nginx.servers."lassul.us" = {
+ server-names = [ "lassul.us" ];
+ locations = [
+ (lib.nameValuePair "/.well-known/acme-challenge" ''
+ root /var/lib/acme/challenges/lassul.us/;
+ '')
+ ];
+ };
+ lass.ejabberd = {
+ enable = true;
+ hosts = [ "lassul.us" ];
+ certfile = "/var/lib/acme/lassul.us/full.pem";
+ };
+ krebs.iptables.tables.filter.INPUT.rules = [
+ { predicate = "-p tcp --dport xmpp-client"; target = "ACCEPT"; }
+ { predicate = "-p tcp --dport xmpp-server"; target = "ACCEPT"; }
+ ];
+ }
];
krebs.build.host = config.krebs.hosts.prism;
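Review bot: The ACME cert is registered with `user = "ejabberd"` while the challenge directory under `/var/lib/acme/challenges/lassul.us` is served by nginx, so the webroot (and the files the client writes under `.well-known/acme-challenge`) must be readable by the nginx user or renewals will fail with 403/404 on the HTTP-01 check; please confirm the acme module creates that directory with world-readable permissions when `user` is not root. The same `user` setting is what makes `full.pem` (which bundles the private key) readable by ejabberd, so it should stay limited to that service account rather than a shared group. The iptables rules only accept `xmpp-client` and `xmpp-server`; HTTP-01 validation additionally needs port 80 reachable, which I assume is already accepted in the nginx configuration outside this hunk. A short comment such as `# cert is issued as the ejabberd user so full.pem (key + chain) is readable by the XMPP daemon; challenge dir must stay readable by nginx` above `security.acme` would make the coupling explicit. The enclosing `imports` list starts before this hunk.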