ops/nixos: tidy up security.acme
This commit is contained in:
parent
de71fd5c9a
commit
d79265ddad
12 changed files with 51 additions and 99 deletions
@ -77,17 +77,11 @@ in {
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
security.acme = {
|
security.acme.certs."objdump.zxcvbnm.ninja" = {
|
||||||
acceptTerms = true;
|
group = config.services.nginx.group;
|
||||||
email = "letsencrypt@lukegb.com";
|
extraDomainNames = [
|
||||||
certs."objdump.zxcvbnm.ninja" = {
|
"*.objdump.zxcvbnm.ninja"
|
||||||
group = config.services.nginx.group;
|
];
|
||||||
dnsProvider = "cloudflare";
|
|
||||||
credentialsFile = secrets.cloudflareCredentials;
|
|
||||||
extraDomainNames = [
|
|
||||||
"*.objdump.zxcvbnm.ninja"
|
|
||||||
];
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
my.fup.listen = [
|
my.fup.listen = [
|
||||||
"0.0.0.0" "[::]"
|
"0.0.0.0" "[::]"
|
||||||
|
|
|
@ -168,15 +168,9 @@ in {
|
||||||
members = [ "turnserver" "nginx" ];
|
members = [ "turnserver" "nginx" ];
|
||||||
};
|
};
|
||||||
|
|
||||||
security.acme = {
|
security.acme.certs."matrix.zxcvbnm.ninja" = {
|
||||||
acceptTerms = true;
|
group = "matrixcert";
|
||||||
email = "letsencrypt@lukegb.com";
|
extraDomainNames = [ "element.zxcvbnm.ninja" "zxcvbnm.ninja" ];
|
||||||
certs."matrix.zxcvbnm.ninja" = {
|
|
||||||
group = "matrixcert";
|
|
||||||
dnsProvider = "cloudflare";
|
|
||||||
credentialsFile = secrets.cloudflareCredentials;
|
|
||||||
extraDomainNames = [ "element.zxcvbnm.ninja" "zxcvbnm.ninja" ];
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
|
|
||||||
system.stateVersion = "21.05";
|
system.stateVersion = "21.05";
|
||||||
|
|
|
@ -87,18 +87,12 @@ in {
|
||||||
};
|
};
|
||||||
|
|
||||||
security.acme = {
|
security.acme = {
|
||||||
acceptTerms = true;
|
|
||||||
email = "letsencrypt@lukegb.com";
|
|
||||||
certs."xmpp.lukegb.com" = {
|
certs."xmpp.lukegb.com" = {
|
||||||
group = "prosody";
|
group = "prosody";
|
||||||
dnsProvider = "cloudflare";
|
|
||||||
credentialsFile = secrets.cloudflareCredentials;
|
|
||||||
extraDomainNames = [ "*.xmpp.lukegb.com" "lukegb.com" ];
|
extraDomainNames = [ "*.xmpp.lukegb.com" "lukegb.com" ];
|
||||||
};
|
};
|
||||||
certs."turn.lukegb.com" = {
|
certs."turn.lukegb.com" = {
|
||||||
group = "turnserver";
|
group = "turnserver";
|
||||||
dnsProvider = "cloudflare";
|
|
||||||
credentialsFile = secrets.cloudflareCredentials;
|
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
|
@ -51,18 +51,14 @@ in {
|
||||||
};
|
};
|
||||||
my.ip.tailscale = "100.120.98.116";
|
my.ip.tailscale = "100.120.98.116";
|
||||||
|
|
||||||
security.acme = {
|
security.acme.certs."as205479.net" = {
|
||||||
acceptTerms = true;
|
extraDomainNames = [ "www.as205479.net" ];
|
||||||
email = "letsencrypt@lukegb.com";
|
dnsProvider = "gcloud";
|
||||||
certs."as205479.net" = {
|
credentialsFile = secrets.gcpDNSCredentials;
|
||||||
extraDomainNames = [ "www.as205479.net" ];
|
dnsPropagationCheck = false;
|
||||||
dnsProvider = "gcloud";
|
postRun = ''
|
||||||
credentialsFile = secrets.gcpDNSCredentials;
|
systemctl restart freeradius
|
||||||
dnsPropagationCheck = false;
|
'';
|
||||||
postRun = ''
|
|
||||||
systemctl restart freeradius
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
users.users.nginx.extraGroups = lib.mkAfter [ "acme" ];
|
users.users.nginx.extraGroups = lib.mkAfter [ "acme" ];
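Review bot: The tidied `security.acme.certs."as205479.net"` block sets no `group`, so the key stays in the default `acme` group and nginx reaches it only through the unchanged `users.users.nginx.extraGroups = lib.mkAfter [ "acme" ];` below, which lets nginx read every certificate and key on this host that keeps the default group, not just this one. The other profiles in this commit scope access per cert (`group = config.services.nginx.group;`, or a dedicated group such as `matrixcert` with an explicit `members` list), and since `postRun` restarts freeradius, which presumably also reads the key, a dedicated group for both consumers would be tighter: `group = "as205479cert";` on the cert plus `users.groups.as205479cert.members = [ "nginx" "freeradius" ];`, replacing the blanket `acme` membership. The user freeradius runs as is not visible in this hunk, so confirm its name before wiring the group.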
|
||||||
|
|
||||||
|
|
|
@ -193,14 +193,11 @@ in {
|
||||||
dataDir = "/persist/etc/znc";
|
dataDir = "/persist/etc/znc";
|
||||||
useLegacyConfig = false;
|
useLegacyConfig = false;
|
||||||
};
|
};
|
||||||
security.acme = {
|
security.acme.certs."znc.lukegb.com" = {
|
||||||
acceptTerms = true;
|
dnsProvider = null;
|
||||||
email = "letsencrypt@lukegb.com";
|
webroot = "/var/lib/acme/.challenges";
|
||||||
certs."znc.lukegb.com" = {
|
group = "znc-acme";
|
||||||
webroot = "/var/lib/acme/.challenges";
|
extraDomainNames = ["akiichiro.lukegb.com"];
|
||||||
group = "znc-acme";
|
|
||||||
extraDomainNames = ["akiichiro.lukegb.com"];
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
services.nginx = {
|
services.nginx = {
|
||||||
enable = true;
|
enable = true;
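Review bot: The new `dnsProvider = null;` line is there only to cancel the `cloudflare` default this commit introduces in the common module, presumably because the NixOS ACME module treats `webroot` and `dnsProvider` as mutually exclusive, but nothing in this file says so and a reader sees a `null` that looks redundant. Suggest `dnsProvider = null; # webroot challenge: override the cloudflare default from security.acme.defaults`. Note that `credentialsFile` is not reset here, so the Cloudflare credentials from the defaults presumably still get attached to this webroot-only cert's renewal service; if that is not intended, `credentialsFile = null;` alongside would keep the token off this cert (confirm the option accepts null).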
|
||||||
|
|
|
@ -343,23 +343,17 @@ in {
|
||||||
wants = lib.mkAfter [ "redis.service" ];
|
wants = lib.mkAfter [ "redis.service" ];
|
||||||
after = lib.mkAfter [ "redis.service" ];
|
after = lib.mkAfter [ "redis.service" ];
|
||||||
};
|
};
|
||||||
security.acme = {
|
security.acme.certs."int.lukegb.com" = {
|
||||||
acceptTerms = true;
|
domain = "*.int.lukegb.com";
|
||||||
email = "letsencrypt@lukegb.com";
|
extraDomainNames = [
|
||||||
certs."int.lukegb.com" = {
|
# "int.lukegb.com" # redundant with *.lukegb.com
|
||||||
domain = "*.int.lukegb.com";
|
"lukegb.com"
|
||||||
dnsProvider = "cloudflare";
|
"*.lukegb.com"
|
||||||
credentialsFile = secrets.cloudflareCredentials;
|
"objdump.zxcvbnm.ninja"
|
||||||
extraDomainNames = [
|
];
|
||||||
# "int.lukegb.com" # redundant with *.lukegb.com
|
postRun = ''
|
||||||
"lukegb.com"
|
systemctl restart pomerium
|
||||||
"*.lukegb.com"
|
'';
|
||||||
"objdump.zxcvbnm.ninja"
|
|
||||||
];
|
|
||||||
postRun = ''
|
|
||||||
systemctl restart pomerium
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
|
|
||||||
system.stateVersion = "20.09";
|
system.stateVersion = "20.09";
|
||||||
|
|
|
@ -1,14 +1,10 @@
|
||||||
{ config, depot, lib, ... }:
|
{ config, depot, lib, ... }:
|
||||||
|
|
||||||
{
|
{
|
||||||
security.acme = {
|
security.acme.certs."as205479.net" = {
|
||||||
acceptTerms = true;
|
dnsProvider = "gcloud";
|
||||||
email = lib.mkDefault "letsencrypt@lukegb.com";
|
credentialsFile = depot.ops.secrets.gcpDNSCredentials;
|
||||||
certs."as205479.net" = {
|
dnsPropagationCheck = false;
|
||||||
dnsProvider = "gcloud";
|
|
||||||
credentialsFile = depot.ops.secrets.gcpDNSCredentials;
|
|
||||||
dnsPropagationCheck = false;
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
services.nginx = {
|
services.nginx = {
|
||||||
enable = lib.mkDefault true;
|
enable = lib.mkDefault true;
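Review bot: With `acceptTerms` and `email` removed, this profile now silently depends on every host that imports it also importing the module where this commit adds `security.acme.defaults`; nothing in the visible top of the file (`{ config, depot, lib, ... }:` with no `imports`) records that, and a host using this profile without the common module would leave `security.acme.acceptTerms` unset, which the NixOS ACME module rejects with an assertion at evaluation. Worth a comment above the cert: `# acceptTerms, email and the DNS defaults come from security.acme.defaults in the common module; this profile only overrides the provider for gcloud.` The per-cert `dnsProvider = "gcloud"` and `credentialsFile = depot.ops.secrets.gcpDNSCredentials` correctly override the cloudflare default, so that part is fine.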
|
||||||
|
|
|
@ -5,6 +5,7 @@
|
||||||
{ pkgs, config, depot, lib, rebuilder, ... }@args:
|
{ pkgs, config, depot, lib, rebuilder, ... }@args:
|
||||||
let
|
let
|
||||||
inherit (lib) mkDefault;
|
inherit (lib) mkDefault;
|
||||||
|
inherit (depot.ops) secrets;
|
||||||
|
|
||||||
switch-prebuilt = import ./switch-prebuilt.nix args;
|
switch-prebuilt = import ./switch-prebuilt.nix args;
|
||||||
in
|
in
|
||||||
|
@ -268,5 +269,14 @@ in
|
||||||
ListenStream = [ "" "${config.my.ip.tailscale}:19531" ];
|
ListenStream = [ "" "${config.my.ip.tailscale}:19531" ];
|
||||||
FreeBind = true;
|
FreeBind = true;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
security.acme = {
|
||||||
|
acceptTerms = true;
|
||||||
|
defaults = {
|
||||||
|
email = "letsencrypt@lukegb.com";
|
||||||
|
dnsProvider = "cloudflare";
|
||||||
|
credentialsFile = secrets.cloudflareCredentials;
|
||||||
|
};
|
||||||
|
};
|
||||||
};
|
};
|
||||||
}
|
}
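Review bot: The new `security.acme.defaults` block sets `email`, `dnsProvider` and `credentialsFile` at normal priority, whereas the per-profile values it replaces were declared with `lib.mkDefault` (the removed `email = lib.mkDefault "letsencrypt@lukegb.com";` lines elsewhere in this commit), so a host that sets any of these at the `defaults` level now gets a conflicting-definition error instead of an override; `mkDefault` is already in scope via `inherit (lib) mkDefault;`, so `email = mkDefault "letsencrypt@lukegb.com";`, `dnsProvider = mkDefault "cloudflare";` and `credentialsFile = mkDefault secrets.cloudflareCredentials;` keep that flexibility. Per-cert overrides are unaffected, as the gcloud certs in this commit rely on. Separately, `secrets.cloudflareCredentials` is now attached by default to every cert on every host importing this module, including webroot-only certs that override `dnsProvider` but not `credentialsFile`, which presumably widens where the Cloudflare token is referenced; confirm that token is scoped to DNS edits on just the required zones, and a one-line comment above `defaults` stating that every cert inherits these credentials unless it overrides them would make the intent explicit.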
|
||||||
|
|
|
@ -27,14 +27,8 @@ in
|
||||||
ssl = true;
|
ssl = true;
|
||||||
}) config.my.fup.listen);
|
}) config.my.fup.listen);
|
||||||
in {
|
in {
|
||||||
security.acme = {
|
security.acme.certs."p.lukegb.com" = {
|
||||||
acceptTerms = true;
|
group = config.services.nginx.group;
|
||||||
email = lib.mkDefault "letsencrypt@lukegb.com";
|
|
||||||
certs."p.lukegb.com" = {
|
|
||||||
group = config.services.nginx.group;
|
|
||||||
dnsProvider = "cloudflare";
|
|
||||||
credentialsFile = secrets.cloudflareCredentials;
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
services.nginx = {
|
services.nginx = {
|
||||||
enable = lib.mkDefault true;
|
enable = lib.mkDefault true;
|
||||||
|
|
|
@ -25,15 +25,9 @@ in
|
||||||
ssl = true;
|
ssl = true;
|
||||||
}) config.my.quotesdb.listen);
|
}) config.my.quotesdb.listen);
|
||||||
in {
|
in {
|
||||||
security.acme = {
|
security.acme.certs."bfob.gg" = {
|
||||||
acceptTerms = true;
|
group = config.services.nginx.group;
|
||||||
email = lib.mkDefault "letsencrypt@lukegb.com";
|
extraDomainNames = ["*.bfob.gg"];
|
||||||
certs."bfob.gg" = {
|
|
||||||
group = config.services.nginx.group;
|
|
||||||
dnsProvider = "cloudflare";
|
|
||||||
credentialsFile = secrets.cloudflareCredentials;
|
|
||||||
extraDomainNames = ["*.bfob.gg"];
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
services.nginx = {
|
services.nginx = {
|
||||||
enable = lib.mkDefault true;
|
enable = lib.mkDefault true;
|
||||||
|
|
|
@ -109,11 +109,6 @@ in {
|
||||||
selector = "marukuru";
|
selector = "marukuru";
|
||||||
};
|
};
|
||||||
|
|
||||||
security.acme = {
|
|
||||||
acceptTerms = true;
|
|
||||||
email = "letsencrypt@lukegb.com";
|
|
||||||
};
|
|
||||||
|
|
||||||
virtualisation.docker.extraOptions = "--experimental --ipv6 --ip6tables --fixed-cidr-v6 2402:28c0:4:104e:d000::/68";
|
virtualisation.docker.extraOptions = "--experimental --ipv6 --ip6tables --fixed-cidr-v6 2402:28c0:4:104e:d000::/68";
|
||||||
|
|
||||||
# Container networking.
|
# Container networking.
|
||||||
|
|
|
@ -201,20 +201,14 @@ in {
|
||||||
};
|
};
|
||||||
|
|
||||||
security.acme = {
|
security.acme = {
|
||||||
acceptTerms = true;
|
|
||||||
email = "letsencrypt@lukegb.com";
|
|
||||||
certs."invoices.lukegb.com" = {
|
certs."invoices.lukegb.com" = {
|
||||||
domain = "invoices.lukegb.com";
|
domain = "invoices.lukegb.com";
|
||||||
dnsProvider = "cloudflare";
|
|
||||||
credentialsFile = secrets.cloudflareCredentials;
|
|
||||||
postRun = ''
|
postRun = ''
|
||||||
systemctl reload nginx
|
systemctl reload nginx
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
certs."trains.lukegb.com" = {
|
certs."trains.lukegb.com" = {
|
||||||
domain = "trains.lukegb.com";
|
domain = "trains.lukegb.com";
|
||||||
dnsProvider = "cloudflare";
|
|
||||||
credentialsFile = secrets.cloudflareCredentials;
|
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|