| author | Paul Buetow <paul@buetow.org> | 2022-07-13 13:09:16 +0100 |
|---|---|---|
| committer | Paul Buetow <paul@buetow.org> | 2022-07-13 13:09:16 +0100 |
| commit | 0f841977cfa1f2b934f433ac4239e612b44e5dcf (patch) | |
| tree | 9d2abd0b69275e3fd368da6b3a84049921541caa /frontends/etc | |
| parent | 251e0cb9f2b5442405a87a71e018f50b73a09995 (diff) | |
Use ACME
Diffstat (limited to 'frontends/etc')
| -rw-r--r-- | frontends/etc/acme-client.conf.tpl | 37 | ||||
| -rw-r--r-- | frontends/etc/httpd.conf.tpl (renamed from frontends/etc/httpd.conf) | 158 | ||||
| -rw-r--r-- | frontends/etc/relayd.conf.tpl | 11 |
3 files changed, 108 insertions, 98 deletions
diff --git a/frontends/etc/acme-client.conf.tpl b/frontends/etc/acme-client.conf.tpl
new file mode 100644
index 0000000..681f357
--- /dev/null
+++ b/frontends/etc/acme-client.conf.tpl
@@ -0,0 +1,37 @@
+#
+# $OpenBSD: acme-client.conf,v 1.4 2020/09/17 09:13:06 florian Exp $
+#
+authority letsencrypt {
+ api url "https://acme-v02.api.letsencrypt.org/directory"
+ account key "/etc/acme/letsencrypt-privkey.pem"
+}
+
+authority letsencrypt-staging {
+ api url "https://acme-staging-v02.api.letsencrypt.org/directory"
+ account key "/etc/acme/letsencrypt-staging-privkey.pem"
+}
+
+authority buypass {
+ api url "https://api.buypass.com/acme/directory"
+ account key "/etc/acme/buypass-privkey.pem"
+ contact "mailto:me@example.com"
+}
+
+authority buypass-test {
+ api url "https://api.test4.buypass.no/acme/directory"
+ account key "/etc/acme/buypass-test-privkey.pem"
+ contact "mailto:me@example.com"
+}
+
+<%
+ our $primary = $is_primary->($vio0_ip);
+ our $prefix = $primary ? '' : 'www.';
+%>
+
+<% for my $host (@$acme_hosts) { %>
+domain <%= $prefix.$host %> {
+ domain key "/etc/ssl/private/<%= $prefix.$host %>.key"
+ domain full chain certificate "/etc/ssl/<%= $prefix.$host %>.fullchain.pem"
+ sign with letsencrypt
+}
+<% } %>
diff --git a/frontends/etc/httpd.conf b/frontends/etc/httpd.conf.tpl
index 044849e..c536766 100644
--- a/frontends/etc/httpd.conf
+++ b/frontends/etc/httpd.conf.tpl
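Review bot: In the acme-client.conf.tpl hunk, the `letsencrypt` authority that the generated `domain` blocks actually `sign with` has no `contact`, while the unused `buypass`/`buypass-test` authorities still carry the sample `mailto:me@example.com` from the OpenBSD example file; without a contact on the account no expiry or policy notices reach the operator, so I'd add `contact "mailto:<OPERATOR_EMAIL>"` to `authority letsencrypt` and either drop the three unused authorities or replace their placeholder. The `our $primary` / `our $prefix` prologue is also pasted verbatim into httpd.conf.tpl and relayd.conf.tpl in the two files that follow; if the renderer already passes `$acme_hosts` and `$is_primary` in, computing `$prefix` once on that side and passing it the same way would keep the three templates from drifting. Unless the template engine needs package globals to see the values across `<% %>` blocks, `my` would do instead of `our`, which avoids leaking state between templates rendered in the same package.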
@@ -1,76 +1,94 @@ -server "foo.zone" { +<% + our $primary = $is_primary->($vio0_ip); + our $prefix = $primary ? '' : 'www.'; +%> + +# Plain HTTP for ACME and HTTPS redirect +<% for my $host (@$acme_hosts) { %> +server "<%= $prefix.$host %>" { listen on * port 80 - block return 302 "https://foo.zone" -} - -server "www.foo.zone" { - listen on * port 80 - block return 302 "https://www.foo.zone" + location "/.well-known/acme-challenge/*" { + root "/acme" + request strip 2 + } + location * { + block return 302 "https://$HTTP_HOST$REQUEST_URI" + } } +<% } %> -server "foo.zone" { - alias "www.foo.zone" +# Gemtexter hosts +<% for my $host (qw/foo.zone snonux.land/) { %> +server "<%= $prefix.$host %>" { listen on * tls port 443 tls { - certificate "/etc/ssl/foo.zone.fullchain.pem" - key "/etc/ssl/private/foo.zone.key" + certificate "/etc/ssl/<%= $prefix.$host %>.fullchain.pem" + key "/etc/ssl/private/<%= $prefix.$host %>.key" } - location "/*" { - root "/htdocs/gemtexter/foo.zone" + location * { + root "/htdocs/gemtexter/<%= $host %>" directory auto index } } +<% } %> -server "snonux.land" { - listen on * port 80 - block return 302 "https://snonux.land" -} - -server "www.snonux.land" { - listen on * port 80 - block return 302 "https://www.snonux.land" +# DTail special host +server "<%= $prefix %>dtail.dev" { + listen on * tls port 443 + tls { + certificate "/etc/ssl/<%= $prefix %>dtail.dev.fullchain.pem" + key "/etc/ssl/private/<%= $prefix %>dtail.dev.key" + } + location * { + block return 302 "https://github.dtail.dev$REQUEST_URI" + } } -server "snonux.land" { - alias "www.snonux.land" +# Irregular Ninja special host +server "<%= $prefix %>irregular.ninja" { listen on * tls port 443 tls { - certificate "/etc/ssl/foo.zone.fullchain.pem" - key "/etc/ssl/private/foo.zone.key" + certificate "/etc/ssl/<%= $prefix %>irregular.ninja.fullchain.pem" + key "/etc/ssl/private/<%= $prefix %>irregular.ninja.key" } - location "/*" { - root "/htdocs/gemtexter/foo.zone/notes" + location * 
{ + root "/htdocs/irregular.ninja" directory auto index } } -server "irregular.ninja" { - listen on * port 80 - block return 302 "https://irregular.ninja" -} - -server "www.irregular.ninja" { - listen on * port 80 - block return 302 "https://www.irregular.ninja" -} - -server "irregular.ninja" { - alias "www.irregular.ninja" +# buetow.org special host. +server "<%= $prefix %>buetow.org" { listen on * tls port 443 tls { - certificate "/etc/ssl/irregular.ninja.fullchain.pem" - key "/etc/ssl/private/irregular.ninja.key" + certificate "/etc/ssl/<%= $prefix %>buetow.org.fullchain.pem" + key "/etc/ssl/private/<%= $prefix %>buetow.org.key" } - location "/*" { - root "/htdocs/irregular.ninja" + root "/htdocs/buetow.org" + location match "/tmp/.*" { directory auto index } + location match "/.*" { + block return 302 "https://paul.buetow.org" + } +} + +<% if ($primary) { %> +server "paul.buetow.org" { + listen on * tls port 443 + tls { + certificate "/etc/ssl/paul.buetow.org.fullchain.pem" + key "/etc/ssl/private/paul.buetow.org.key" + } + block return 302 "https://foo.zone/contact-information.html" } +<% } %> +# Legacy hosts server "snonux.de" { alias "www.snonux.de" listen on * port 80 - block return 302 "https://foo.zone$REQUEST_URI" + block return 302 "https://foo.zone$REQUEST_URI" } server "snonux.de" { 
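Review bot: The new port-80 redirect `block return 302 "https://$HTTP_HOST$REQUEST_URI"` reflects the client-supplied Host header into the Location target; httpd has already matched the request to `server "<%= $prefix.$host %>"` by that header, which limits what can be reflected, but the configured name is what the redirect should point at anyway, so `block return 302 "https://$SERVER_NAME$REQUEST_URI"` avoids echoing the header at all. Separately, the `paul.buetow.org` TLS server is only emitted when `$primary` is true, yet its `/etc/ssl/paul.buetow.org.fullchain.pem` has to come from the prefix-applied `@$acme_hosts` loop in acme-client.conf.tpl: if paul.buetow.org is in that list the secondary also requests a `www.paul.buetow.org` certificate that nothing serves, and if it is not, the primary has no certificate for this block — a comment on the `<% if ($primary) { %>` line saying where that certificate is expected to come from would make the dependency visible. Note also that `contact.buetow.org`, formerly an alias of the deleted port-80 `paul.buetow.org` server (next hunk), now falls through to `server "default"` and lands on `https://foo.zone$REQUEST_URI` rather than the contact page.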
@@ -115,57 +133,7 @@ server "sidewalk.ninja" { block return 302 "https://irregular.ninja$REQUEST_URI" } -server "buetow.org" { - alias "www.buetow.org" - listen on * port 80 - block return 302 "https://foo.zone$REQUEST_URI" -} - -server "paul.buetow.org" { - alias "contact.buetow.org" - listen on * port 80 - block return 302 "https://foo.zone/contact-information.html" -} - -server "tmp.buetow.org" { - listen on * port 80 - block return 302 "https://buetow.org/tmp/" -} - -server "buetow.org" { - alias "www.buetow.org" - listen on * tls port 443 - tls { - certificate "/etc/ssl/buetow.org.fullchain.pem" - key "/etc/ssl/private/buetow.org.key" - } - root "/htdocs/buetow.org" - location match "/tmp/.*" { - directory auto index - } - location match "/.*" { - block return 302 "https://foo.zone$REQUEST_URI" - } -} - -server "dtail.dev" { - alias "www.dtail.dev" - listen on * port 80 - block return 302 "https://dail.dev" -} - -server "dtail.dev" { - alias "www.dtail.dev" - listen on * tls port 443 - tls { - certificate "/etc/ssl/dtail.dev.fullchain.pem" - key "/etc/ssl/private/dtail.dev.key" - } - location * { - block return 302 "https://github.dtail.dev" - } -} - +# Defaults server "default" { listen on * port 80 block return 302 "https://foo.zone$REQUEST_URI" diff --git a/frontends/etc/relayd.conf.tpl b/frontends/etc/relayd.conf.tpl index d8553b2..4d702be 100644 --- a/frontends/etc/relayd.conf.tpl +++ b/frontends/etc/relayd.conf.tpl @@ -1,10 +1,15 @@ +<% + our $primary = $is_primary->($vio0_ip); + our $prefix = $primary ? '' : 'www.'; +%> + log connection tcp protocol "gemini" { - tls keypair buetow.org + tls keypair <%= $prefix %>foo.zone + tls keypair <%= $prefix %>buetow.org + tls keypair <%= $prefix %>snonux.land tls keypair snonux.de - tls keypair foo.zone - tls keypair irregular.ninja } relay "gemini4" { |
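Review bot: In the relayd.conf.tpl hunk, `tls keypair <%= $prefix %>foo.zone` and the two lines after it make relayd load the certificate by keypair name from /etc/ssl, and as far as I recall relayd.conf(5) that is `<name>.crt`, whereas the acme-client.conf.tpl added in this commit only writes `<name>.fullchain.pem` there (no `domain certificate` line); unless some other step publishes the fullchain under the name relayd expects, the `gemini` protocol will fail to find the new `www.`-prefixed keypairs on the secondary, so a comment on the first keypair line naming that step (or the file it relies on) would help the next reader. I believe relayd also uses the first listed keypair for clients that send no SNI, in which case the reorder silently moves that default from buetow.org to foo.zone — fine if intended, but worth `# first keypair is the default for clients without SNI` above the list. The `irregular.ninja` keypair is dropped here while the host is still served over HTTPS in httpd.conf.tpl; if that is deliberate, say so in a comment.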
