From e8318269d15a5b5f603079fa5ad045087374cb13 Mon Sep 17 00:00:00 2001
From: maddaat
Date: Mon, 13 Apr 2026 18:08:28 +0400
Subject: Configure SSL certificates
---
 README.md | 12 +++++++-----
 etc/acme-client.conf | 21 ++++++++++++++++++++
 etc/httpd.conf | 37 +++++++++++++++++++++++++++++++++--
 etc/httpd/_acme.conf | 4 ++++
 etc/httpd/_listen443.conf | 8 ++++++++
 etc/httpd/_listen80.conf | 1 +
 files.sh | 50 +++++++++++++++++++++++++++--------------------
 var/cron/tabs/root | 24 +++++++++++++++++++++++
 8 files changed, 129 insertions(+), 28 deletions(-)
 create mode 100644 etc/acme-client.conf
 create mode 100644 etc/httpd/_acme.conf
 create mode 100644 etc/httpd/_listen443.conf
 create mode 100644 etc/httpd/_listen80.conf
 create mode 100644 var/cron/tabs/root
diff --git a/README.md b/README.md
index f424437..180eb49 100644
--- a/README.md
+++ b/README.md
@@ -6,11 +6,13 @@
 **Domain**: `maddaat.org`
-| Record | Type | Points to |
-|---------|---------|-----------------|
-| `@` | `A` | `159.65.207.26` |
-| `git` | `CNAME` | `maddaat.org.` |
-| `www` | `CNAME` | `maddaat.org.` |
+| Record | Type | Points to |
+|---------|---------|-----------------------------|
+| `@` | `CAA` | `0 issue "letsencrypt.org"` |
+| `@` | `CAA` | `0 issuewild ";"` |
+| `@` | `A` | `159.65.207.26` |
+| `git` | `CNAME` | `maddaat.org.` |
+| `www` | `CNAME` | `maddaat.org.` |
diff --git a/etc/acme-client.conf b/etc/acme-client.conf
new file mode 100644
index 0000000..f97d12a
--- /dev/null
+++ b/etc/acme-client.conf
@@ -0,0 +1,21 @@
+#
+# $OpenBSD: acme-client.conf,v 1.6 2025/08/18 15:51:57 job Exp $
+#
+authority letsencrypt {
+ api url "https://acme-v02.api.letsencrypt.org/directory"
+ account key "/etc/acme/letsencrypt-privkey.pem"
+}
+
+authority letsencrypt-staging {
+ api url "https://acme-staging-v02.api.letsencrypt.org/directory"
+ account key "/etc/acme/letsencrypt-staging-privkey.pem"
+}
+
+domain maddaat.org {
+ alternative names { www.maddaat.org git.maddaat.org }
+ domain key "/etc/ssl/private/maddaat.org.key"
+ domain full chain certificate "/etc/ssl/maddaat.org.fullchain.pem"
+ # Test with the staging server to avoid aggressive rate-limiting.
+ #sign with letsencrypt-staging
+ sign with letsencrypt
+}
diff --git a/etc/httpd.conf b/etc/httpd.conf
index 3defb8c..a8d1527 100644
--- a/etc/httpd.conf
+++ b/etc/httpd.conf
@@ -3,15 +3,48 @@ types {
 }
 server "maddaat.org" {
- listen on * port 80
+ include "/etc/httpd/_listen80.conf"
+ include "/etc/httpd/_acme.conf"
+
+ location "*" {
+ # HTTP 301 Moved Permanently - enforce HTTPS
+ block return 301 "https://maddaat.org$REQUEST_URI"
+ }
+}
+
+server "maddaat.org" {
+ include "/etc/httpd/_listen443.conf"
+ include "/etc/httpd/_acme.conf"
 location "*" {
 block return 307 "http://git.maddaat.org"
 }
 }
+server "www.maddaat.org" {
+ include "/etc/httpd/_listen80.conf"
+ include "/etc/httpd/_listen443.conf"
+ include "/etc/httpd/_acme.conf"
+
+ location "*" {
+ # HTTP 301 Moved Permanently - enforce non-www site
+ block return 301 "https://maddaat.org$REQUEST_URI"
+ }
+}
+
+server "git.maddaat.org" {
+ include "/etc/httpd/_listen80.conf"
+ include "/etc/httpd/_acme.conf"
+
+ location "*" {
+ # HTTP 301 Moved Permanently - enforce HTTPS
+ block return 301 "https://git.maddaat.org$REQUEST_URI"
+ }
+}
+
 server "git.maddaat.org" {
- listen on * port 80
+ include "/etc/httpd/_listen443.conf"
+ include "/etc/httpd/_acme.conf"
 location "/cgit.*" {
 root "/cgit"
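Review bot: The comment above `#sign with letsencrypt-staging` omits the step that bites when switching back to the production authority: acme-client only reissues a certificate that is close to expiry, so a staging-issued `/etc/ssl/maddaat.org.fullchain.pem` left over from testing would stay in place and httpd would keep serving an untrusted chain until it nears expiry. Extend the comment, e.g. `# Test with the staging server to avoid aggressive rate-limiting. After switching back to "sign with letsencrypt", force a reissue with acme-client -F (or remove the staging-issued fullchain), since an unexpired certificate is otherwise kept.`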
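Review bot: The `server "maddaat.org"` block that now listens on 443 still returns `block return 307 "http://git.maddaat.org"`, so a visitor who arrives over HTTPS is sent back to plaintext and then 301'd to HTTPS again by the new `git.maddaat.org` port-80 block; that extra plaintext hop is exactly what the rest of this commit is removing, and the line should become `block return 307 "https://git.maddaat.org"`. Separately, the position of `include "/etc/httpd/_acme.conf"` above each `location "*"` is load-bearing, because httpd uses the first matching location and the challenge path must not be caught by the redirect; a comment on those include lines, `# keep before the catch-all location: first match wins, or renewals break`, would protect it from a later reordering. The final `server "git.maddaat.org"` block continues past the end of the hunk.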
diff --git a/etc/httpd/_acme.conf b/etc/httpd/_acme.conf
new file mode 100644
index 0000000..3c1a0ec
--- /dev/null
+++ b/etc/httpd/_acme.conf
@@ -0,0 +1,4 @@
+location "/.well-known/acme-challenge/*" {
+ root "/acme"
+ request strip 2
+}
diff --git a/etc/httpd/_listen443.conf b/etc/httpd/_listen443.conf
new file mode 100644
index 0000000..92f270e
--- /dev/null
+++ b/etc/httpd/_listen443.conf
@@ -0,0 +1,8 @@
+listen on * tls port 443
+
+tls {
+ certificate "/etc/ssl/maddaat.org.fullchain.pem"
+ key "/etc/ssl/private/maddaat.org.key"
+}
+
+hsts preload
diff --git a/etc/httpd/_listen80.conf b/etc/httpd/_listen80.conf
new file mode 100644
index 0000000..8e0f854
--- /dev/null
+++ b/etc/httpd/_listen80.conf
@@ -0,0 +1 @@
+listen on * port 80
diff --git a/files.sh b/files.sh
index 8314822..88f080e 100644
--- a/files.sh
+++ b/files.sh
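Review bot: The fragment has no header comment, and neither `root "/acme"` nor `request strip 2` is self-explanatory: the root is resolved inside httpd's chroot (`/var/www` unless configured otherwise), which is where acme-client's default challenge directory lives, and `request strip 2` removes the two leading path components `/.well-known/acme-challenge` so the token file is looked up directly under that root. Suggested header for the file: `# ACME HTTP-01 challenge location. "/acme" is relative to httpd's chroot and must match acme-client's challengedir; "request strip 2" drops /.well-known/acme-challenge so the token is served from the root.` The acme-client.conf in this commit sets no explicit challengedir, so the default is what this has to match — worth stating so the two files are not changed independently.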
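Review bot: `hsts preload` on the last line asks browsers to treat the site as preload-eligible, but the preload list also requires `includeSubDomains`, and the fragment never sets the `subdomains` option, so the header as sent will not be accepted for inclusion while still committing the host to strict transport. Since every name in this commit (`maddaat.org`, `www`, `git`) is served over TLS, add the subdomains option — `hsts subdomains` next to `hsts preload`, or the combined form httpd.conf(5) accepts — or leave `preload` out until the site is actually submitted, as preload inclusion is hard to reverse. httpd's default `max-age` of one year already meets the list's minimum, so no explicit `max-age` is needed.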
@@ -1,23 +1,31 @@
-install_dir 0755 root wheel '/etc'
-install_file 0600 root wheel '/etc/doas.conf'
-install_file 0644 root wheel '/etc/exports'
-install_file 0644 root wheel '/etc/fstab'
-install_file 0644 root wheel '/etc/hosts'
-install_file 0644 root wheel '/etc/httpd.conf'
-install_file 0600 root wheel '/etc/pf.conf'
-install_file 0644 root wheel '/etc/rc.conf.local'
-install_file 0644 root wheel '/etc/shells'
-install_dir 0755 root wheel '/etc/ssh'
-install_file 0644 root wheel '/etc/ssh/sshd_config'
+install_dir 0755 root wheel '/etc'
+install_file 0644 root wheel '/etc/acme-client.conf'
+install_file 0600 root wheel '/etc/doas.conf'
+install_file 0644 root wheel '/etc/exports'
+install_file 0644 root wheel '/etc/fstab'
+install_file 0644 root wheel '/etc/hosts'
+install_file 0644 root wheel '/etc/httpd.conf'
+install_dir 0755 root wheel '/etc/httpd'
+install_file 0644 root wheel '/etc/httpd/_acme.conf'
+install_file 0644 root wheel '/etc/httpd/_listen80.conf'
+install_file 0644 root wheel '/etc/httpd/_listen443.conf'
+install_file 0600 root wheel '/etc/pf.conf'
+install_file 0644 root wheel '/etc/rc.conf.local'
+install_file 0644 root wheel '/etc/shells'
+install_dir 0755 root wheel '/etc/ssh'
+install_file 0644 root wheel '/etc/ssh/sshd_config'
-install_dir 0755 root wheel '/home'
-install_dir 0755 git git '/home/git'
-install_file 0644 git git '/home/git/.gitconfig'
-install_file 0600 git git '/home/git/.gitolite.rc'
+install_dir 0755 root wheel '/home'
+install_dir 0755 git git '/home/git'
+install_file 0644 git git '/home/git/.gitconfig'
+install_file 0600 git git '/home/git/.gitolite.rc'
-install_dir 0755 root daemon '/var'
-install_dir 0755 root daemon '/var/www'
-install_dir 0755 root daemon '/var/www/conf'
-install_file 0644 root wheel '/var/www/conf/cgitrc'
-install_dir 0755 git git '/var/www/git'
-install_dir 0755 git git '/var/www/git/repositories'
+install_dir 0755 root daemon '/var'
+install_dir 0555 root wheel '/var/cron'
+install_dir 1730 root crontab '/var/cron/tabs'
+install_file 0600 root crontab '/var/cron/tabs/root'
+install_dir 0755 root daemon '/var/www'
+install_dir 0755 root daemon '/var/www/conf'
+install_file 0644 root wheel '/var/www/conf/cgitrc'
+install_dir 0755 git git '/var/www/git'
+install_dir 0755 git git '/var/www/git/repositories'
diff --git a/var/cron/tabs/root b/var/cron/tabs/root
new file mode 100644
index 0000000..f26a9bc
--- /dev/null
+++ b/var/cron/tabs/root
@@ -0,0 +1,24 @@
+# $OpenBSD: crontab,v 1.28 2020/04/18 17:22:43 jmc Exp $
+#
+# /var/cron/tabs/root - root's crontab
+#
+SHELL=/bin/sh
+PATH=/bin:/sbin:/usr/bin:/usr/sbin
+HOME=/var/log
+#
+#minute hour mday month wday [flags] command
+#
+# rotate log files every hour, if necessary
+0 * * * * /usr/bin/newsyslog
+# send log file notifications, if necessary
+#1-59 * * * * /usr/bin/newsyslog -m
+#
+# do daily/weekly/monthly maintenance
+30 1 * * * /bin/sh /etc/daily
+30 3 * * 6 /bin/sh /etc/weekly
+30 5 1 * * /bin/sh /etc/monthly
+#~ * * * * /usr/libexec/spamd-setup
+
+#~ * * * * -ns rpki-client -v && bgpctl reload
+
+0 0 * * * (acme-client maddaat.org || true) && rcctl reload httpd
--
cgit v1.2.3
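Review bot: `install_file 0600 root crontab '/var/cron/tabs/root'` writes root's crontab straight into cron's spool rather than going through crontab(1); cron(8) detects spool changes through the spool directory's modification time, which an in-place overwrite of an existing file does not touch, so a later edit to this file can be installed without cron ever loading it (how `install_file` writes is not visible here, so this is inferred from the path alone). Either bump the directory's mtime after the install (`touch /var/cron/tabs`) or restart cron in the same step, and note that in a comment next to the line. The hunk also rewrites all 23 existing entries although only five are new — presumably a column realignment — which hides the real additions; keeping whitespace-only changes in their own commit would make this reviewable.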
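Review bot: The `|| true` in the last line throws away acme-client's exit status, so `rcctl reload httpd` runs every night whether or not a certificate changed, and a failed renewal (exit 1) or a too-early one (exit 2) triggers the same reload as a successful issuance; acme-client(1) exits 0 only when certificates were actually changed, which is precisely the condition a reload should be keyed on. Use the plain form, `0 0 * * * acme-client maddaat.org && rcctl reload httpd`, so httpd is reloaded only on change and a failing renewal does not also cause a needless reload. The minute could additionally be randomized with OpenBSD cron's `~` field, as the commented `#~ * * * *` entries in this same file already do, so the ACME request does not land exactly on midnight.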