aymericb/cron-update.sh

## cron-update.sh
#!/bin/sh
/srv/letsencrypt/letsencrypt-auto certonly --webroot -w /srv/blog.barthe.ph/www -d blog.barthe.ph --renew-by-default  --agree-tos
service nginx reload

## nginx-site-blog.barthe.ph
# Redirect other domains to blog.barthe.ph
server {
	server_name www.blog.barthe.ph barthe.ph www.barthe.ph;
	return 302 https://blog.barthe.ph;
}

# Redirect HTTP -> HTTPS
server {
	server_name blog.barthe.ph;
	listen 80;
	# Exception needed for ACME / Let's Encrypt certificate update
	location /.well-known/ {
		root /srv/blog.barthe.ph/www;
		try_files $uri $uri/ =404;
	}
	location / {
		return 301 https://$server_name$request_uri;
	}
}

# Serve HTTPS
server {
	server_name blog.barthe.ph;
	listen 443 ssl;

	# Basic TLS setup
	ssl_certificate /etc/letsencrypt/live/blog.barthe.ph/fullchain.pem;
	ssl_certificate_key /etc/letsencrypt/live/blog.barthe.ph/privkey.pem;
	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

	# Stronger Diffie-Hellman key for forward secrecy
	ssl_dhparam /etc/ssl/private/dhparams_4096.pem;

	# Optimizations
	ssl_session_cache shared:SSL:10m;
	ssl_session_timeout 20m;

	# Cipher suite
	ssl_prefer_server_ciphers on;
	ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA384:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:AES256-SHA256:AES128-GCM-SHA256:AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:SRP-DSS-AES-256-CBC-SHA:SRP-RSA-AES-256-CBC-SHA:SRP-AES-256-CBC-SHA:SRP-DSS-AES-128-CBC-SHA:SRP-RSA-AES-128-CBC-SHA:SRP-AES-128-CBC-SHA:ECDH-ECDSA-AES256-SHA:ECDH-RSA-AES256-SHA:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES256-SHA:AES128-SHA';

	# OCSP Stapling
	ssl_stapling on;
	ssl_stapling_verify on;
	ssl_trusted_certificate /etc/letsencrypt/live/blog.barthe.ph/fullchain.pem;

	# HSTS (1 yr)
	add_header Strict-Transport-Security max-age=31536000;

        # Static file setup
	root /srv/blog.barthe.ph/www;
	index index.html index.htm;

	location / {
		# First attempt to serve request as file, then
		# as directory, then fall back to index.html
		try_files $uri $uri/ /index.html;
	}

}
	#!/bin/sh
	/srv/letsencrypt/letsencrypt-auto certonly --webroot -w /srv/blog.barthe.ph/www -d blog.barthe.ph --renew-by-default --agree-tos
	service nginx reload
	# Redirect other domains to blog.barthe.ph
	server {
	server_name www.blog.barthe.ph barthe.ph www.barthe.ph;
	return 302 https://blog.barthe.ph;
	}

	# Redirect HTTP -> HTTPS
	server {
	server_name blog.barthe.ph;
	listen 80;
	# Exception needed for ACME / Let's Encrypt certificate update
	location /.well-known/ {
	root /srv/blog.barthe.ph/www;
	try_files $uri $uri/ =404;
	}
	location / {
	return 301 https://$server_name$request_uri;
	}
	}

	# Serve HTTPS
	server {
	server_name blog.barthe.ph;
	listen 443 ssl;

	# Basic TLS setup
	ssl_certificate /etc/letsencrypt/live/blog.barthe.ph/fullchain.pem;
	ssl_certificate_key /etc/letsencrypt/live/blog.barthe.ph/privkey.pem;
	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

	# Stronger Diffie-Hellman key for forward secrecy
	ssl_dhparam /etc/ssl/private/dhparams_4096.pem;

	# Optimizations
	ssl_session_cache shared:SSL:10m;
	ssl_session_timeout 20m;

	# Cipher suite
	ssl_prefer_server_ciphers on;
	ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA384:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:AES256-SHA256:AES128-GCM-SHA256:AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:SRP-DSS-AES-256-CBC-SHA:SRP-RSA-AES-256-CBC-SHA:SRP-AES-256-CBC-SHA:SRP-DSS-AES-128-CBC-SHA:SRP-RSA-AES-128-CBC-SHA:SRP-AES-128-CBC-SHA:ECDH-ECDSA-AES256-SHA:ECDH-RSA-AES256-SHA:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES256-SHA:AES128-SHA';

	# OCSP Stapling
	ssl_stapling on;
	ssl_stapling_verify on;
	ssl_trusted_certificate /etc/letsencrypt/live/blog.barthe.ph/fullchain.pem;

	# HSTS (1 yr)
	add_header Strict-Transport-Security max-age=31536000;

	# Static file setup
	root /srv/blog.barthe.ph/www;
	index index.html index.htm;

	location / {
	# First attempt to serve request as file, then
	# as directory, then fall back to index.html
	try_files $uri $uri/ /index.html;
	}

	}