jabber: remove default ssl options, use dhparams

2023-10-11 19:40:44 +02:00 · 2023-10-11 19:40:44 +02:00 · 808509cece
parent 91c1d8623c
commit 808509cece
1 changed files with 18 additions and 22 deletions
--- a/hosts/jabber/default.nix
+++ b/hosts/jabber/default.nix
@ -38,17 +38,23 @@ in
    };
  };

-  security.acme.certs."${domain}" = {
-    extraDomainNames = [
-      "chat.c3d2.de"
-      "*.${domain}"
-    ];
-    # DynDNS method
-    dnsProvider = "rfc2136";
-    credentialsFile = config.sops.secrets."acme/credentials-file".path;
-    reloadServices = [ "prosody" ];
-    # Make keys accessible by putting them in prosody's group
-    inherit (config.services.prosody) group;
+  security = {
+    acme.certs."${domain}" = {
+      extraDomainNames = [
+        "chat.c3d2.de"
+        "*.${domain}"
+      ];
+      # DynDNS method
+      dnsProvider = "rfc2136";
+      credentialsFile = config.sops.secrets."acme/credentials-file".path;
+      reloadServices = [ "prosody" ];
+      # Make keys accessible by putting them in prosody's group
+      inherit (config.services.prosody) group;
+    };
+    dhparams = {
+      enable = true;
+      params.prosody = { };
+    };
  };

  services = {
@ -111,17 +117,7 @@ in
      ssl = {
        key = "/var/lib/acme/${domain}/key.pem";
        cert = "/var/lib/acme/${domain}/fullchain.pem";
-        # Some TLS hardening we've had on the old setup, probably to
-        # defend against downgrading attacks.
-        extraOptions.options = [
-          "no_sslv2"
-          "no_sslv3"
-          "no_ticket"
-          "no_compression"
-          "cipher_server_preference"
-          "single_dh_use"
-          "single_ecdh_use"
-        ];
+        dhparam = config.security.dhparams.params.nginx.path;
      };

      c2sRequireEncryption = true;