Deprecate tlsv1.1 protocol for apache
index 6ba0d687d2069c38b08a8df81c0b087914a1edb4..767a7b2324a1bf45acec546b23c5544e974f76a5 100644 (file)
@@ -149,7 +149,7 @@ in
       serverAliases = [ "*" ];
       enableSSL = false;
       logFormat = "combinedVhost";
-      documentRoot = "${config.security.acme.directory}/acme-challenge";
+      documentRoot = "/var/lib/acme/acme-challenge";
       extraConfig = ''
         RewriteEngine on
         RewriteCond "%{REQUEST_URI}"   "!^/\.well-known"
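Review bot: The new documentRoot on line 10 hard-codes `/var/lib/acme/acme-challenge`, while the other hunks of this commit derive certificate paths from `config.security.acme2.certs.<name>.directory`; if the acme2 challenge webroot is ever configured somewhere other than `/var/lib/acme`, HTTP-01 responses would be served from the wrong directory and renewals would fail without any evaluation-time error. If the acme2 module exposes its challenge directory as an option, consider referencing it here the way lines 21–23 reference the per-cert directory; otherwise add a comment tying the two together, e.g. `# must match the webroot the acme2 module writes challenge tokens to`. The vhost definition containing this attribute starts before the hunk.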
@@ -178,9 +178,9 @@ in
     };
     toVhost = ips: vhostConf: {
       enableSSL = true;
-      sslServerCert = "${config.security.acme.directory}/${vhostConf.certName}/cert.pem";
-      sslServerKey = "${config.security.acme.directory}/${vhostConf.certName}/key.pem";
-      sslServerChain = "${config.security.acme.directory}/${vhostConf.certName}/chain.pem";
+      sslServerCert = "${config.security.acme2.certs."${vhostConf.certName}".directory}/cert.pem";
+      sslServerKey = "${config.security.acme2.certs."${vhostConf.certName}".directory}/key.pem";
+      sslServerChain = "${config.security.acme2.certs."${vhostConf.certName}".directory}/chain.pem";
       logFormat = "combinedVhost";
       listen = map (ip: { inherit ip; port = 443; }) ips;
       hostName = builtins.head vhostConf.hosts;
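Review bot: The attribute path `config.security.acme2.certs."${vhostConf.certName}".directory` is spelled out three times on lines 21–23; binding it once, `toVhost = ips: vhostConf: let certDir = config.security.acme2.certs."${vhostConf.certName}".directory; in {`, and then writing `sslServerCert = "${certDir}/cert.pem";` (likewise for key.pem and chain.pem) keeps the three paths from drifting apart and makes the dependency on acme2 visible in one place. Note that, unlike the old string concatenation, a certName that is not declared under acme2.certs now fails at evaluation with a missing-attribute error rather than producing a path to a nonexistent file, which is presumably the desired behaviour but worth a short comment. The toVhost attribute set continues past the end of the hunk.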
@@ -204,6 +204,14 @@ in
       stateDir = "/run/httpd_${name}";
       logPerVirtualHost = true;
       multiProcessingModule = "worker";
+      # https://ssl-config.mozilla.org/#server=apache&version=2.4.41&config=intermediate&openssl=1.0.2t&guideline=5.4
+      sslProtocols = "all -SSLv3 -TLSv1 -TLSv1.1";
+      sslCiphers = builtins.concatStringsSep ":" [
+        "ECDHE-ECDSA-AES128-GCM-SHA256" "ECDHE-RSA-AES128-GCM-SHA256"
+        "ECDHE-ECDSA-AES256-GCM-SHA384" "ECDHE-RSA-AES256-GCM-SHA384"
+        "ECDHE-ECDSA-CHACHA20-POLY1305" "ECDHE-RSA-CHACHA20-POLY1305"
+        "DHE-RSA-AES128-GCM-SHA256" "DHE-RSA-AES256-GCM-SHA384"
+      ];
       inherit (icfg) adminAddr;
       logFormat = "combinedVhost";
       extraModules = lists.unique icfg.modules;
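Review bot: The Mozilla intermediate profile linked in the comment on line 31 also prescribes `SSLHonorCipherOrder off`, `SSLSessionTickets off`, OCSP stapling and an HSTS header, but lines 32–38 carry over only the protocol and cipher lists, so a reader following the URL will expect settings that are not there. Either add the remaining directives through extraConfig, or extend the comment so the scope is explicit: `# Only the protocol and cipher lists are taken from this profile; SSLHonorCipherOrder, SSLSessionTickets, stapling and HSTS are not set here`. The URL also pins openssl=1.0.2t; with a newer OpenSSL, `all` additionally enables TLSv1.3, whose suites are not governed by this cipher list — harmless, but worth stating next to the link so the list is not mistaken for the complete policy. The enclosing httpd attribute set continues outside the hunk.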
@@ -223,7 +231,7 @@ in
     }
   ) cfg.env;
 
-  config.security.acme.certs = let
+  config.security.acme2.certs = let
     typesToManage = attrsets.filterAttrs (k: v: v.enable) cfg.env;
     flatVhosts = lists.flatten (attrsets.mapAttrsToList (k: v:
       attrValues v.vhostConfs