New Server Checklist

doas.conf

	# see doas.conf(5) for configuration details

	# Uncomment to allow group "admin" to become root
	# permit :admin
	# Members of group "admin" may run any command as root with no password
	# prompt (nopass), so a compromised admin account is equivalent to root.
	# The commented "permit :admin" form above keeps the password check.
	permit nopass :admin
	# deploy may run only "apk upgrade -U" without a password: "args" requires
	# the supplied arguments to match exactly. doas.conf(5) advises absolute
	# paths for "cmd"; a relative name is looked up in a restricted PATH.
	permit nopass deploy cmd apk args upgrade -U
	# SERVICE is presumably a placeholder for the one service deploy may
	# restart; use one rule per service rather than leaving "args" open.
	permit nopass deploy cmd service args SERVICE restart
	# The acme user may run only "nginx -s reload" as root (presumably so a
	# renewed certificate is picked up); no other rule here names acme.
	permit nopass acme cmd nginx args -s reload
	

acme setup

TODO: a package could be made to automate many of these steps

nginx config

	# Plain-HTTP listener: redirects to HTTPS and serves /.well-known.
	server {
		listen 80;
		listen [::]:80;
		server_name DOMAIN;

		# The redirect target is built from the configured server_name, not
		# from the client-supplied Host header.
		location / {
			return 302 https://$server_name$request_uri;
		}

		# Serves files from /var/www/.well-known over plain HTTP (presumably
		# for ACME HTTP-01 challenges). The prefix has no trailing slash, so
		# it also matches any URI that merely starts with "/.well-known".
		# NOTE(review): if only ACME is needed, consider narrowing this to
		# /.well-known/acme-challenge/ and keep the directory writable only
		# by the ACME client user.
		location ^~ /.well-known {
			root /var/www;
		}
	}

	# HTTPS listener for DOMAIN using the certificate and key under /etc/ssl/uacme.
	server {
		# On nginx 1.25.1 and later the "http2" listen parameter is deprecated
		# in favour of the separate "http2 on;" directive.
		listen 443 ssl http2;
		listen [::]:443 ssl http2;
		server_name DOMAIN;
		ssl_certificate /etc/ssl/uacme/DOMAIN/cert.pem;
		# NOTE(review): confirm the private/ directory and key.pem are readable
		# only by root and the ACME client user, not by the nginx worker user.
		ssl_certificate_key /etc/ssl/uacme/private/DOMAIN/key.pem;

		# text/html is always compressed when gzip is on, so listing it in
		# gzip_types is redundant (nginx logs a duplicate MIME type warning).
		# NOTE(review): compressing TLS responses that mix secrets (session or
		# CSRF tokens) with request-controlled data exposes them to BREACH-style
		# length side channels; limit gzip to static assets where that applies.
		gzip on;
		gzip_types text/css text/html;

		# NOTE(review): ssl_protocols, ciphers and HSTS are not shown here;
		# confirm they are set in the elided part or in the http block.
		# ...
	}