ops/nixos: tidy up security.acme

Luke Granger-Brown 2022-01-04 14:00:45 +00:00
parent de71fd5c9a
commit d79265ddad
12 changed files with 51 additions and 99 deletions


@ -77,18 +77,12 @@ in {
}; };
}; };
}; };
security.acme = { security.acme.certs."objdump.zxcvbnm.ninja" = {
acceptTerms = true;
email = "letsencrypt@lukegb.com";
certs."objdump.zxcvbnm.ninja" = {
group = config.services.nginx.group; group = config.services.nginx.group;
dnsProvider = "cloudflare";
credentialsFile = secrets.cloudflareCredentials;
extraDomainNames = [ extraDomainNames = [
"*.objdump.zxcvbnm.ninja" "*.objdump.zxcvbnm.ninja"
]; ];
}; };
};
my.fup.listen = [ my.fup.listen = [
"0.0.0.0" "[::]" "0.0.0.0" "[::]"
]; ];


@ -168,16 +168,10 @@ in {
members = [ "turnserver" "nginx" ]; members = [ "turnserver" "nginx" ];
}; };
security.acme = { security.acme.certs."matrix.zxcvbnm.ninja" = {
acceptTerms = true;
email = "letsencrypt@lukegb.com";
certs."matrix.zxcvbnm.ninja" = {
group = "matrixcert"; group = "matrixcert";
dnsProvider = "cloudflare";
credentialsFile = secrets.cloudflareCredentials;
extraDomainNames = [ "element.zxcvbnm.ninja" "zxcvbnm.ninja" ]; extraDomainNames = [ "element.zxcvbnm.ninja" "zxcvbnm.ninja" ];
}; };
};
system.stateVersion = "21.05"; system.stateVersion = "21.05";
} }


@ -87,18 +87,12 @@ in {
}; };
security.acme = { security.acme = {
acceptTerms = true;
email = "letsencrypt@lukegb.com";
certs."xmpp.lukegb.com" = { certs."xmpp.lukegb.com" = {
group = "prosody"; group = "prosody";
dnsProvider = "cloudflare";
credentialsFile = secrets.cloudflareCredentials;
extraDomainNames = [ "*.xmpp.lukegb.com" "lukegb.com" ]; extraDomainNames = [ "*.xmpp.lukegb.com" "lukegb.com" ];
}; };
certs."turn.lukegb.com" = { certs."turn.lukegb.com" = {
group = "turnserver"; group = "turnserver";
dnsProvider = "cloudflare";
credentialsFile = secrets.cloudflareCredentials;
}; };
}; };


@ -51,10 +51,7 @@ in {
}; };
my.ip.tailscale = "100.120.98.116"; my.ip.tailscale = "100.120.98.116";
security.acme = { security.acme.certs."as205479.net" = {
acceptTerms = true;
email = "letsencrypt@lukegb.com";
certs."as205479.net" = {
extraDomainNames = [ "www.as205479.net" ]; extraDomainNames = [ "www.as205479.net" ];
dnsProvider = "gcloud"; dnsProvider = "gcloud";
credentialsFile = secrets.gcpDNSCredentials; credentialsFile = secrets.gcpDNSCredentials;
@ -63,7 +60,6 @@ in {
systemctl restart freeradius systemctl restart freeradius
''; '';
}; };
};
users.users.nginx.extraGroups = lib.mkAfter [ "acme" ]; users.users.nginx.extraGroups = lib.mkAfter [ "acme" ];
system.stateVersion = "21.05"; system.stateVersion = "21.05";


@ -193,15 +193,12 @@ in {
dataDir = "/persist/etc/znc"; dataDir = "/persist/etc/znc";
useLegacyConfig = false; useLegacyConfig = false;
}; };
security.acme = { security.acme.certs."znc.lukegb.com" = {
acceptTerms = true; dnsProvider = null;
email = "letsencrypt@lukegb.com";
certs."znc.lukegb.com" = {
webroot = "/var/lib/acme/.challenges"; webroot = "/var/lib/acme/.challenges";
group = "znc-acme"; group = "znc-acme";
extraDomainNames = ["akiichiro.lukegb.com"]; extraDomainNames = ["akiichiro.lukegb.com"];
}; };
};
services.nginx = { services.nginx = {
enable = true; enable = true;
virtualHosts = { virtualHosts = {
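Review bot: `dnsProvider = null;` on the `znc.lukegb.com` cert is a non-obvious override — it exists only to cancel the Cloudflare DNS-01 default that this commit introduces in the base module, so that the `webroot` HTTP-01 validation on the next line is used — and nothing in the hunk says so, so a later reader may drop it as a no-op and turn the cert back into a DNS-01 request with the shared token. Suggest `dnsProvider = null; # HTTP-01 via webroot; overrides the Cloudflare DNS-01 default from the base module`. Note that `credentialsFile` still inherits the Cloudflare default for this cert even though webroot validation does not use it, so the shared token remains referenced from this host's configuration.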


@ -343,13 +343,8 @@ in {
wants = lib.mkAfter [ "redis.service" ]; wants = lib.mkAfter [ "redis.service" ];
after = lib.mkAfter [ "redis.service" ]; after = lib.mkAfter [ "redis.service" ];
}; };
security.acme = { security.acme.certs."int.lukegb.com" = {
acceptTerms = true;
email = "letsencrypt@lukegb.com";
certs."int.lukegb.com" = {
domain = "*.int.lukegb.com"; domain = "*.int.lukegb.com";
dnsProvider = "cloudflare";
credentialsFile = secrets.cloudflareCredentials;
extraDomainNames = [ extraDomainNames = [
# "int.lukegb.com" # redundant with *.lukegb.com # "int.lukegb.com" # redundant with *.lukegb.com
"lukegb.com" "lukegb.com"
@ -360,7 +355,6 @@ in {
systemctl restart pomerium systemctl restart pomerium
''; '';
}; };
};
system.stateVersion = "20.09"; system.stateVersion = "20.09";
} }


@ -1,15 +1,11 @@
{ config, depot, lib, ... }: { config, depot, lib, ... }:
{ {
security.acme = { security.acme.certs."as205479.net" = {
acceptTerms = true;
email = lib.mkDefault "letsencrypt@lukegb.com";
certs."as205479.net" = {
dnsProvider = "gcloud"; dnsProvider = "gcloud";
credentialsFile = depot.ops.secrets.gcpDNSCredentials; credentialsFile = depot.ops.secrets.gcpDNSCredentials;
dnsPropagationCheck = false; dnsPropagationCheck = false;
}; };
};
services.nginx = { services.nginx = {
enable = lib.mkDefault true; enable = lib.mkDefault true;
virtualHosts."as205479.net" = { virtualHosts."as205479.net" = {


@ -5,6 +5,7 @@
{ pkgs, config, depot, lib, rebuilder, ... }@args: { pkgs, config, depot, lib, rebuilder, ... }@args:
let let
inherit (lib) mkDefault; inherit (lib) mkDefault;
inherit (depot.ops) secrets;
switch-prebuilt = import ./switch-prebuilt.nix args; switch-prebuilt = import ./switch-prebuilt.nix args;
in in
@ -268,5 +269,14 @@ in
ListenStream = [ "" "${config.my.ip.tailscale}:19531" ]; ListenStream = [ "" "${config.my.ip.tailscale}:19531" ];
FreeBind = true; FreeBind = true;
}; };
security.acme = {
acceptTerms = true;
defaults = {
email = "letsencrypt@lukegb.com";
dnsProvider = "cloudflare";
credentialsFile = secrets.cloudflareCredentials;
};
};
}; };
} }
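Review bot: The new `security.acme.defaults` block at the end of this section makes the Cloudflare DNS-01 credentials (`credentialsFile = secrets.cloudflareCredentials`) the default for every cert on every host that imports this base module, so any cert that does not explicitly set `dnsProvider` or `webroot` is issued through the shared Cloudflare token — the `dnsProvider = null;` that had to be added on the znc host shows the override is now opt-out. That widens the reach of a single credential beyond the hosts that need it; consider keeping `dnsProvider`/`credentialsFile` out of the base and setting them in a small module imported only by the Cloudflare-backed hosts, or at least document the intent with `# ACME defaults for every host: DNS-01 via Cloudflare. Certs validated over HTTP-01 must set dnsProvider = null.` above the block. Whether `secrets.cloudflareCredentials` is materialised on hosts that never use it depends on how `depot.ops.secrets` is delivered, which is not visible here.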


@ -27,14 +27,8 @@ in
ssl = true; ssl = true;
}) config.my.fup.listen); }) config.my.fup.listen);
in { in {
security.acme = { security.acme.certs."p.lukegb.com" = {
acceptTerms = true;
email = lib.mkDefault "letsencrypt@lukegb.com";
certs."p.lukegb.com" = {
group = config.services.nginx.group; group = config.services.nginx.group;
dnsProvider = "cloudflare";
credentialsFile = secrets.cloudflareCredentials;
};
}; };
services.nginx = { services.nginx = {
enable = lib.mkDefault true; enable = lib.mkDefault true;


@ -25,16 +25,10 @@ in
ssl = true; ssl = true;
}) config.my.quotesdb.listen); }) config.my.quotesdb.listen);
in { in {
security.acme = { security.acme.certs."bfob.gg" = {
acceptTerms = true;
email = lib.mkDefault "letsencrypt@lukegb.com";
certs."bfob.gg" = {
group = config.services.nginx.group; group = config.services.nginx.group;
dnsProvider = "cloudflare";
credentialsFile = secrets.cloudflareCredentials;
extraDomainNames = ["*.bfob.gg"]; extraDomainNames = ["*.bfob.gg"];
}; };
};
services.nginx = { services.nginx = {
enable = lib.mkDefault true; enable = lib.mkDefault true;
virtualHosts."qdb.bfob.gg" = { virtualHosts."qdb.bfob.gg" = {


@ -109,11 +109,6 @@ in {
selector = "marukuru"; selector = "marukuru";
}; };
security.acme = {
acceptTerms = true;
email = "letsencrypt@lukegb.com";
};
virtualisation.docker.extraOptions = "--experimental --ipv6 --ip6tables --fixed-cidr-v6 2402:28c0:4:104e:d000::/68"; virtualisation.docker.extraOptions = "--experimental --ipv6 --ip6tables --fixed-cidr-v6 2402:28c0:4:104e:d000::/68";
# Container networking. # Container networking.


@ -201,20 +201,14 @@ in {
}; };
security.acme = { security.acme = {
acceptTerms = true;
email = "letsencrypt@lukegb.com";
certs."invoices.lukegb.com" = { certs."invoices.lukegb.com" = {
domain = "invoices.lukegb.com"; domain = "invoices.lukegb.com";
dnsProvider = "cloudflare";
credentialsFile = secrets.cloudflareCredentials;
postRun = '' postRun = ''
systemctl reload nginx systemctl reload nginx
''; '';
}; };
certs."trains.lukegb.com" = { certs."trains.lukegb.com" = {
domain = "trains.lukegb.com"; domain = "trains.lukegb.com";
dnsProvider = "cloudflare";
credentialsFile = secrets.cloudflareCredentials;
}; };
}; };