jabber: remove default ssl options, use dhparams
parent
91c1d8623c
commit
808509cece
|
@ -38,17 +38,23 @@ in
|
|||
};
|
||||
};
|
||||
|
||||
security.acme.certs."${domain}" = {
|
||||
extraDomainNames = [
|
||||
"chat.c3d2.de"
|
||||
"*.${domain}"
|
||||
];
|
||||
# DynDNS method
|
||||
dnsProvider = "rfc2136";
|
||||
credentialsFile = config.sops.secrets."acme/credentials-file".path;
|
||||
reloadServices = [ "prosody" ];
|
||||
# Make keys accessible by putting them in prosody's group
|
||||
inherit (config.services.prosody) group;
|
||||
security = {
|
||||
acme.certs."${domain}" = {
|
||||
extraDomainNames = [
|
||||
"chat.c3d2.de"
|
||||
"*.${domain}"
|
||||
];
|
||||
# DynDNS method
|
||||
dnsProvider = "rfc2136";
|
||||
credentialsFile = config.sops.secrets."acme/credentials-file".path;
|
||||
reloadServices = [ "prosody" ];
|
||||
# Make keys accessible by putting them in prosody's group
|
||||
inherit (config.services.prosody) group;
|
||||
};
|
||||
dhparams = {
|
||||
enable = true;
|
||||
params.prosody = { };
|
||||
};
|
||||
};
|
||||
|
||||
services = {
|
||||
|
@ -111,17 +117,7 @@ in
|
|||
ssl = {
|
||||
key = "/var/lib/acme/${domain}/key.pem";
|
||||
cert = "/var/lib/acme/${domain}/fullchain.pem";
|
||||
# Some TLS hardening we've had on the old setup, probably to
|
||||
# defend against downgrading attacks.
|
||||
extraOptions.options = [
|
||||
"no_sslv2"
|
||||
"no_sslv3"
|
||||
"no_ticket"
|
||||
"no_compression"
|
||||
"cipher_server_preference"
|
||||
"single_dh_use"
|
||||
"single_ecdh_use"
|
||||
];
|
||||
dhparam = config.security.dhparams.params.nginx.path;
|
||||
};
|
||||
|
||||
c2sRequireEncryption = true;
|
||||
|
|
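Review bot: The `dhparams.params.prosody = { }` entry added in the first hunk is not consumed by the prosody `ssl` block in the second hunk: the only `dhparam` assignment visible there, `dhparam = config.security.dhparams.params.nginx.path;`, still names the nginx parameter set, and whether that line survives on the new side is not clear from the rendering. If it is kept it should read `dhparam = config.security.dhparams.params.prosody.path;` so the parameter file generated for prosody is the one actually loaded; if it was dropped, `params.prosody` produces a file nothing references and the intended DH configuration silently does not apply. Either way a one-line comment above the `ssl` block, e.g. `# DH parameters come from security.dhparams.params.prosody`, would make the dependency between the two hunks explicit. The hardening options removed here (`no_sslv3`, `no_ticket`, `no_compression`, `cipher_server_preference`, …) are presumably covered by Prosody's built-in defaults, as the commit title implies; recording which Prosody or module version that was checked against in a short comment would spare the next reader re-deriving it. The enclosing `services` / `prosody` attribute set starts before and ends after this hunk.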