From d79265ddad70adbfde3b171faed21ee94880c1c4 Mon Sep 17 00:00:00 2001
From: Luke Granger-Brown
Date: Tue, 4 Jan 2022 14:00:45 +0000
Subject: [PATCH] ops/nixos: tidy up security.acme
---
 ops/nixos/blade-tuvok/default.nix | 16 +++++----------
 ops/nixos/bvm-matrix/default.nix | 12 +++---------
 ops/nixos/bvm-prosody/default.nix | 6 ------
 ops/nixos/bvm-radius/default.nix | 20 ++++++++-----------
 ops/nixos/clouvider-lon01/default.nix | 13 +++++--------
 ops/nixos/etheroute-lon01/default.nix | 28 +++++++++++----------------
 ops/nixos/lib/as205479-web.nix | 12 ++++--------
 ops/nixos/lib/common.nix | 10 ++++++++++
 ops/nixos/lib/fup.nix | 10 ++--------
 ops/nixos/lib/quotes.bfob.gg.nix | 12 +++---------
 ops/nixos/marukuru/default.nix | 5 -----
 ops/nixos/totoro/default.nix | 6 ------
 12 files changed, 51 insertions(+), 99 deletions(-)
diff --git a/ops/nixos/blade-tuvok/default.nix b/ops/nixos/blade-tuvok/default.nix
index 6f413dbc23..fb3e091529 100644
--- a/ops/nixos/blade-tuvok/default.nix
+++ b/ops/nixos/blade-tuvok/default.nix
@@ -77,17 +77,11 @@ in {
 };
 };
 };
- security.acme = {
- acceptTerms = true;
- email = "letsencrypt@lukegb.com";
- certs."objdump.zxcvbnm.ninja" = {
- group = config.services.nginx.group;
- dnsProvider = "cloudflare";
- credentialsFile = secrets.cloudflareCredentials;
- extraDomainNames = [
- "*.objdump.zxcvbnm.ninja"
- ];
- };
+ security.acme.certs."objdump.zxcvbnm.ninja" = {
+ group = config.services.nginx.group;
+ extraDomainNames = [
+ "*.objdump.zxcvbnm.ninja"
+ ];
 };
 my.fup.listen = [
 "0.0.0.0" "[::]"
diff --git a/ops/nixos/bvm-matrix/default.nix b/ops/nixos/bvm-matrix/default.nix
index 4b52b3cb0a..fb9af4ad4d 100644
--- a/ops/nixos/bvm-matrix/default.nix
+++ b/ops/nixos/bvm-matrix/default.nix
@@ -168,15 +168,9 @@ in {
 members = [ "turnserver" "nginx" ];
 };
- security.acme = {
- acceptTerms = true;
- email = "letsencrypt@lukegb.com";
- certs."matrix.zxcvbnm.ninja" = {
- group = "matrixcert";
- dnsProvider = "cloudflare";
- credentialsFile = secrets.cloudflareCredentials;
- extraDomainNames = [ "element.zxcvbnm.ninja" "zxcvbnm.ninja" ];
- };
+ security.acme.certs."matrix.zxcvbnm.ninja" = {
+ group = "matrixcert";
+ extraDomainNames = [ "element.zxcvbnm.ninja" "zxcvbnm.ninja" ];
 };
 system.stateVersion = "21.05";
diff --git a/ops/nixos/bvm-prosody/default.nix b/ops/nixos/bvm-prosody/default.nix
index cfc11728f5..112bbe51a7 100644
--- a/ops/nixos/bvm-prosody/default.nix
+++ b/ops/nixos/bvm-prosody/default.nix
@@ -87,18 +87,12 @@ in {
 };
 security.acme = {
- acceptTerms = true;
- email = "letsencrypt@lukegb.com";
 certs."xmpp.lukegb.com" = {
 group = "prosody";
- dnsProvider = "cloudflare";
- credentialsFile = secrets.cloudflareCredentials;
 extraDomainNames = [ "*.xmpp.lukegb.com" "lukegb.com" ];
 };
 certs."turn.lukegb.com" = {
 group = "turnserver";
- dnsProvider = "cloudflare";
- credentialsFile = secrets.cloudflareCredentials;
 };
 };
diff --git a/ops/nixos/bvm-radius/default.nix b/ops/nixos/bvm-radius/default.nix
index 17c3f65f03..d58331d260 100644
--- a/ops/nixos/bvm-radius/default.nix
+++ b/ops/nixos/bvm-radius/default.nix
@@ -51,18 +51,14 @@ in {
 };
 my.ip.tailscale = "100.120.98.116";
- security.acme = {
- acceptTerms = true;
- email = "letsencrypt@lukegb.com";
- certs."as205479.net" = {
- extraDomainNames = [ "www.as205479.net" ];
- dnsProvider = "gcloud";
- credentialsFile = secrets.gcpDNSCredentials;
- dnsPropagationCheck = false;
- postRun = ''
- systemctl restart freeradius
- '';
- };
+ security.acme.certs."as205479.net" = {
+ extraDomainNames = [ "www.as205479.net" ];
+ dnsProvider = "gcloud";
+ credentialsFile = secrets.gcpDNSCredentials;
+ dnsPropagationCheck = false;
+ postRun = ''
+ systemctl restart freeradius
+ '';
 };
 users.users.nginx.extraGroups = lib.mkAfter [ "acme" ];
diff --git a/ops/nixos/clouvider-lon01/default.nix b/ops/nixos/clouvider-lon01/default.nix
index 2fc34905c3..7aa6777c30 100644
--- a/ops/nixos/clouvider-lon01/default.nix
+++ b/ops/nixos/clouvider-lon01/default.nix
@@ -193,14 +193,11 @@ in {
 dataDir = "/persist/etc/znc";
 useLegacyConfig = false;
 };
- security.acme = {
- acceptTerms = true;
- email = "letsencrypt@lukegb.com";
- certs."znc.lukegb.com" = {
- webroot = "/var/lib/acme/.challenges";
- group = "znc-acme";
- extraDomainNames = ["akiichiro.lukegb.com"];
- };
+ security.acme.certs."znc.lukegb.com" = {
+ dnsProvider = null;
+ webroot = "/var/lib/acme/.challenges";
+ group = "znc-acme";
+ extraDomainNames = ["akiichiro.lukegb.com"];
 };
 services.nginx = {
 enable = true;
diff --git a/ops/nixos/etheroute-lon01/default.nix b/ops/nixos/etheroute-lon01/default.nix
index 06501650d8..bb735617b0 100644
--- a/ops/nixos/etheroute-lon01/default.nix
+++ b/ops/nixos/etheroute-lon01/default.nix
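Review bot: The explicit `dnsProvider = "gcloud";` / `credentialsFile = secrets.gcpDNSCredentials;` pair kept in the new `certs."as205479.net"` block here, and the `dnsProvider = null;` added to `certs."znc.lukegb.com"` in the clouvider-lon01 hunk of this commit, both exist only to override the Cloudflare DNS-01 default this commit introduces in lib/common.nix, yet neither line says so. A later reader removing them as "redundant" would silently switch the cert to the Cloudflare provider (whose token presumably has no authority over as205479.net) or, for znc, make lego attempt DNS-01 instead of the HTTP-01 webroot challenge the `webroot` line expects. Suggest `# Override the Cloudflare DNS-01 default from lib/common.nix: as205479.net is served by Google Cloud DNS.` above `dnsProvider = "gcloud";` here, and `# Override the Cloudflare default from lib/common.nix; this cert uses the HTTP-01 webroot challenge.` above `dnsProvider = null;` in clouvider-lon01. The same gcloud cert block is also defined in lib/as205479-web.nix, so if bvm-radius imports that module the provider lines here are a duplicate that could be dropped. The enclosing attribute set starts and ends outside the hunk.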
@@ -343,23 +343,17 @@ in {
 wants = lib.mkAfter [ "redis.service" ];
 after = lib.mkAfter [ "redis.service" ];
 };
- security.acme = {
- acceptTerms = true;
- email = "letsencrypt@lukegb.com";
- certs."int.lukegb.com" = {
- domain = "*.int.lukegb.com";
- dnsProvider = "cloudflare";
- credentialsFile = secrets.cloudflareCredentials;
- extraDomainNames = [
- # "int.lukegb.com" # redundant with *.lukegb.com
- "lukegb.com"
- "*.lukegb.com"
- "objdump.zxcvbnm.ninja"
- ];
- postRun = ''
- systemctl restart pomerium
- '';
- };
+ security.acme.certs."int.lukegb.com" = {
+ domain = "*.int.lukegb.com";
+ extraDomainNames = [
+ # "int.lukegb.com" # redundant with *.lukegb.com
+ "lukegb.com"
+ "*.lukegb.com"
+ "objdump.zxcvbnm.ninja"
+ ];
+ postRun = ''
+ systemctl restart pomerium
+ '';
 };
 system.stateVersion = "20.09";
diff --git a/ops/nixos/lib/as205479-web.nix b/ops/nixos/lib/as205479-web.nix
index 9ebd5bb339..930c05d204 100644
--- a/ops/nixos/lib/as205479-web.nix
+++ b/ops/nixos/lib/as205479-web.nix
@@ -1,14 +1,10 @@
 { config, depot, lib, ... }:
 {
- security.acme = {
- acceptTerms = true;
- email = lib.mkDefault "letsencrypt@lukegb.com";
- certs."as205479.net" = {
- dnsProvider = "gcloud";
- credentialsFile = depot.ops.secrets.gcpDNSCredentials;
- dnsPropagationCheck = false;
- };
+ security.acme.certs."as205479.net" = {
+ dnsProvider = "gcloud";
+ credentialsFile = depot.ops.secrets.gcpDNSCredentials;
+ dnsPropagationCheck = false;
 };
 services.nginx = {
 enable = lib.mkDefault true;
diff --git a/ops/nixos/lib/common.nix b/ops/nixos/lib/common.nix
index 8ed75176aa..23b990e719 100644
--- a/ops/nixos/lib/common.nix
+++ b/ops/nixos/lib/common.nix
@@ -5,6 +5,7 @@
 { pkgs, config, depot, lib, rebuilder, ... }@args:
 let
 inherit (lib) mkDefault;
+ inherit (depot.ops) secrets;
 switch-prebuilt = import ./switch-prebuilt.nix args;
 in
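Review bot: After the lib/as205479-web.nix hunk this module no longer sets `security.acme.acceptTerms` or a contact email, so it only evaluates on a host that also imports lib/common.nix; the same holds for the lib/fup.nix and lib/quotes.bfob.gg.nix hunks that follow. If every host unconditionally imports common.nix that is fine, but the diff does not show it, and a host that imports only one of these lib modules would presumably fail the acme module's assertion that the terms are accepted once a cert is defined. Either confirm the import is unconditional, or record the dependency with `# acceptTerms, the contact email and the Cloudflare DNS-01 defaults come from lib/common.nix.` above `security.acme.certs."as205479.net"` (and its counterparts in fup.nix and quotes.bfob.gg.nix). The enclosing attribute set ends outside the hunk.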
@@ -268,5 +269,14 @@ in
 ListenStream = [ "" "${config.my.ip.tailscale}:19531" ];
 FreeBind = true;
 };
+
+ security.acme = {
+ acceptTerms = true;
+ defaults = {
+ email = "letsencrypt@lukegb.com";
+ dnsProvider = "cloudflare";
+ credentialsFile = secrets.cloudflareCredentials;
+ };
+ };
 };
 }
diff --git a/ops/nixos/lib/fup.nix b/ops/nixos/lib/fup.nix
index 44d4fa0b88..0b4ec71f42 100644
--- a/ops/nixos/lib/fup.nix
+++ b/ops/nixos/lib/fup.nix
@@ -27,14 +27,8 @@ in
 ssl = true;
 }) config.my.fup.listen);
 in {
- security.acme = {
- acceptTerms = true;
- email = lib.mkDefault "letsencrypt@lukegb.com";
- certs."p.lukegb.com" = {
- group = config.services.nginx.group;
- dnsProvider = "cloudflare";
- credentialsFile = secrets.cloudflareCredentials;
- };
+ security.acme.certs."p.lukegb.com" = {
+ group = config.services.nginx.group;
 };
 services.nginx = {
 enable = lib.mkDefault true;
diff --git a/ops/nixos/lib/quotes.bfob.gg.nix b/ops/nixos/lib/quotes.bfob.gg.nix
index c89fecf2e4..f13ebed236 100644
--- a/ops/nixos/lib/quotes.bfob.gg.nix
+++ b/ops/nixos/lib/quotes.bfob.gg.nix
@@ -25,15 +25,9 @@ in
 ssl = true;
 }) config.my.quotesdb.listen);
 in {
- security.acme = {
- acceptTerms = true;
- email = lib.mkDefault "letsencrypt@lukegb.com";
- certs."bfob.gg" = {
- group = config.services.nginx.group;
- dnsProvider = "cloudflare";
- credentialsFile = secrets.cloudflareCredentials;
- extraDomainNames = ["*.bfob.gg"];
- };
+ security.acme.certs."bfob.gg" = {
+ group = config.services.nginx.group;
+ extraDomainNames = ["*.bfob.gg"];
 };
 services.nginx = {
 enable = lib.mkDefault true;
diff --git a/ops/nixos/marukuru/default.nix b/ops/nixos/marukuru/default.nix
index 7896d737c7..3d4a37ee6a 100644
--- a/ops/nixos/marukuru/default.nix
+++ b/ops/nixos/marukuru/default.nix
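Review bot: `defaults.email` in the new lib/common.nix block is set unconditionally, whereas the per-module values it replaces in lib/as205479-web.nix, lib/fup.nix and lib/quotes.bfob.gg.nix were `lib.mkDefault`, so a host wanting a different contact address now gets a conflicting-definition error instead of an override; `mkDefault` is already inherited at the top of this file, so `email = mkDefault "letsencrypt@lukegb.com";` keeps the old override point, and the same treatment would let a host replace `dnsProvider`/`credentialsFile` wholesale rather than per cert. Separately, `defaults.credentialsFile = secrets.cloudflareCredentials;` is now evaluated on every host that imports common.nix, including hosts with no certificate at all (marukuru's ACME block is deleted in this commit); whether that actually places the Cloudflare API token on those hosts depends on how `depot.ops.secrets` materialises the file, which this diff does not show, so it is worth confirming the token is only deployed where a cert consumes it. A one-line comment such as `# Per-host certs inherit these defaults; set dnsProvider (null for a webroot challenge) where a cert does not use Cloudflare DNS-01.` would make the contract the other hunks rely on explicit. The enclosing attribute set starts outside the hunk.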
@@ -109,11 +109,6 @@ in {
 selector = "marukuru";
 };
- security.acme = {
- acceptTerms = true;
- email = "letsencrypt@lukegb.com";
- };
-
 virtualisation.docker.extraOptions = "--experimental --ipv6 --ip6tables --fixed-cidr-v6 2402:28c0:4:104e:d000::/68";
 # Container networking.
diff --git a/ops/nixos/totoro/default.nix b/ops/nixos/totoro/default.nix
index cdee4af9b0..106cd2f48f 100644
--- a/ops/nixos/totoro/default.nix
+++ b/ops/nixos/totoro/default.nix
@@ -201,20 +201,14 @@ in {
 };
 security.acme = {
- acceptTerms = true;
- email = "letsencrypt@lukegb.com";
 certs."invoices.lukegb.com" = {
 domain = "invoices.lukegb.com";
- dnsProvider = "cloudflare";
- credentialsFile = secrets.cloudflareCredentials;
 postRun = ''
 systemctl reload nginx
 '';
 };
 certs."trains.lukegb.com" = {
 domain = "trains.lukegb.com";
- dnsProvider = "cloudflare";
- credentialsFile = secrets.cloudflareCredentials;
 };
 };