New Server Checklist

doas.conf

# see doas.conf(5) for configuration details

# Uncomment to allow group "admin" to become root
# permit :admin
permit nopass :admin
permit nopass deploy cmd apk args upgrade -U
permit nopass deploy cmd service args SERVICE restart
permit nopass acme cmd nginx args -s reload

acme setup

TODO: a package could be made to automate many of these steps

#!/bin/sh -eu
exec >>/var/log/acme.log 2>&1
date

stats() {
	cert="/etc/ssl/uacme/$1/cert.pem"
	if ! [ -e "$cert" ]
	then
		return
	fi
	expiration=$(date -d"$(openssl x509 -enddate -noout -in "$cert" \
		| cut -d= -f2)" -D'%b %d %H:%M:%S %Y GMT' +'%s')
	printf '# TYPE certificate_expiration gauge\n'
	printf '# HELP certificate_expiration Timestamp when SSL certificate will expire\n'
	printf 'certificate_expiration{instance="%s"} %s\n' "$1" "$expiration"
}

acme() {
	site=$1
	shift
	/usr/bin/uacme -v -h /usr/share/uacme/uacme.sh issue $site $* || true
	stats $site | curl --data-binary @- https://push.metrics.sr.ht/metrics/job/$site
}

acme DOMAIN SUBDOMAIN...
doas nginx -s reload

MAILTO=sir@cmpwn.com
0 0 * * * chronic /usr/local/bin/acme-update-certs

nginx config

server {
	listen 80;
	listen [::]:80;
	server_name DOMAIN;

	location / {
		return 302 https://$server_name$request_uri;
	}

	location ^~ /.well-known {
		root /var/www;
	}
}

server {
	listen 443 ssl http2;
	listen [::]:443 ssl http2;
	server_name DOMAIN;
	ssl_certificate /etc/ssl/uacme/DOMAIN/cert.pem;
	ssl_certificate_key /etc/ssl/uacme/private/DOMAIN/key.pem;

	gzip on;
	gzip_types text/css text/html;

	# ...
}