Fixes SSL issues.

Adds nixos configuration.
2023-09-30 13:31:19 -04:00 · 2023-09-30 13:30:54 -04:00
5 changed files with 45 additions and 1 deletions
--- a/flake.nix
+++ b/flake.nix
@ -23,7 +23,8 @@
          devShells.default = import ./shell.nix { inherit pkgs; };
          packages.frontend = pkgs.mmelodies.frontend;
        }
-      ) // {
+        ) // {
+          nixosModules.default = import ./nixos;
          overlay = 
          (final: super: {
            napalm = import inputs.napalm { pkgs = super; };
--- a/nixos/default.nix
+++ b/nixos/default.nix
@ -0,0 +1,13 @@
+{pkgs, config, ...}:
+{
+  services.nginx.enable = true;
+
+  services.nginx.virtualHosts."${config.networking.hostName}" = {
+    addSSL = true;
+    sslCertificate = "/etc/ssl/snakeoil.crt";
+    sslCertificateKey = "/etc/ssl/snakeoil.key";
+    root = pkgs.mmelodies.frontend;
+  };
+
+  networking.firewall.allowedTCPPorts = [ 80 443 ];
+}
--- a/nixos/ssl/README.md
+++ b/nixos/ssl/README.md
@ -0,0 +1,28 @@
+## Using a local CA for a PWA on Android
+
+Generate selfsigned ssl keys with:
+```
+openssl genrsa -out ca.key
+openssl x509 -new -key ca.key -out ca.crt -subj '/CN=Motion Melodies Dummy CA' -extfile ca-options.txt
+
+openssl genrsa -out ssl/melodypond.key
+
+openssl req -new -sha256 -noenc -key melodypond.key -subj '/CN=melodypond' -out melodypond.csr
+openssl x509 -req -in melodypond.csr -CA ca.crt -CAkey ca.key -out melodypond.crt -extfile options.txt 
+
+cat melodypond.crt ca.crt > melodypond.chain.crt
+
+# Then manually copy melodypond.key and melodypond.chain.crt to /etc/ssl on the server.
+#   and onto the Android device used as the controller.
+```
+
+These keys can then be added to the Android device used as the controller by going to
+`Settings >> Security >> Credentials >> Install >> CA` then selecting the certificate
+and rebooting the device.
+
+If you are using a Firefox-based browser on the phone, you will also need to enable third party certificates
+in the Firefox app's developer settings.
+This can be accessed by tapping the logo on the about screen many times, then going to
+`Settings >> Secret Settings >> Use Third Party CAs`
+
+Firefox should now show the site as secure and allow installing the PWA.
--- a/nixos/ssl/ca-options.txt
+++ b/nixos/ssl/ca-options.txt
@ -0,0 +1 @@
+basicConstraints = CA:true
--- a/nixos/ssl/options.txt
+++ b/nixos/ssl/options.txt
@ -0,0 +1 @@
+subjectAltName = DNS:melodypond, DNS:melodypond.lan
Author	SHA1	Message	Date
Bailey Stevens	ac81a158b5	Fixes SSL issues.	2023-09-30 13:31:19 -04:00
Bailey Stevens	0bfad19f08	Adds nixos configuration.	2023-09-30 13:30:54 -04:00
				`@ -0,0 +1 @@`
				`subjectAltName = DNS:melodypond, DNS:melodypond.lan`