ops/nixos: tidy up security.acme

This commit is contained in:
Luke Granger-Brown 2022-01-04 14:00:45 +00:00
parent de71fd5c9a
commit d79265ddad
12 changed files with 51 additions and 99 deletions

View file

@ -77,17 +77,11 @@ in {
}; };
}; };
}; };
security.acme = { security.acme.certs."objdump.zxcvbnm.ninja" = {
acceptTerms = true; group = config.services.nginx.group;
email = "letsencrypt@lukegb.com"; extraDomainNames = [
certs."objdump.zxcvbnm.ninja" = { "*.objdump.zxcvbnm.ninja"
group = config.services.nginx.group; ];
dnsProvider = "cloudflare";
credentialsFile = secrets.cloudflareCredentials;
extraDomainNames = [
"*.objdump.zxcvbnm.ninja"
];
};
}; };
my.fup.listen = [ my.fup.listen = [
"0.0.0.0" "[::]" "0.0.0.0" "[::]"

View file

@ -168,15 +168,9 @@ in {
members = [ "turnserver" "nginx" ]; members = [ "turnserver" "nginx" ];
}; };
security.acme = { security.acme.certs."matrix.zxcvbnm.ninja" = {
acceptTerms = true; group = "matrixcert";
email = "letsencrypt@lukegb.com"; extraDomainNames = [ "element.zxcvbnm.ninja" "zxcvbnm.ninja" ];
certs."matrix.zxcvbnm.ninja" = {
group = "matrixcert";
dnsProvider = "cloudflare";
credentialsFile = secrets.cloudflareCredentials;
extraDomainNames = [ "element.zxcvbnm.ninja" "zxcvbnm.ninja" ];
};
}; };
system.stateVersion = "21.05"; system.stateVersion = "21.05";

View file

@ -87,18 +87,12 @@ in {
}; };
security.acme = { security.acme = {
acceptTerms = true;
email = "letsencrypt@lukegb.com";
certs."xmpp.lukegb.com" = { certs."xmpp.lukegb.com" = {
group = "prosody"; group = "prosody";
dnsProvider = "cloudflare";
credentialsFile = secrets.cloudflareCredentials;
extraDomainNames = [ "*.xmpp.lukegb.com" "lukegb.com" ]; extraDomainNames = [ "*.xmpp.lukegb.com" "lukegb.com" ];
}; };
certs."turn.lukegb.com" = { certs."turn.lukegb.com" = {
group = "turnserver"; group = "turnserver";
dnsProvider = "cloudflare";
credentialsFile = secrets.cloudflareCredentials;
}; };
}; };

View file

@ -51,18 +51,14 @@ in {
}; };
my.ip.tailscale = "100.120.98.116"; my.ip.tailscale = "100.120.98.116";
security.acme = { security.acme.certs."as205479.net" = {
acceptTerms = true; extraDomainNames = [ "www.as205479.net" ];
email = "letsencrypt@lukegb.com"; dnsProvider = "gcloud";
certs."as205479.net" = { credentialsFile = secrets.gcpDNSCredentials;
extraDomainNames = [ "www.as205479.net" ]; dnsPropagationCheck = false;
dnsProvider = "gcloud"; postRun = ''
credentialsFile = secrets.gcpDNSCredentials; systemctl restart freeradius
dnsPropagationCheck = false; '';
postRun = ''
systemctl restart freeradius
'';
};
}; };
users.users.nginx.extraGroups = lib.mkAfter [ "acme" ]; users.users.nginx.extraGroups = lib.mkAfter [ "acme" ];

View file

@ -193,14 +193,11 @@ in {
dataDir = "/persist/etc/znc"; dataDir = "/persist/etc/znc";
useLegacyConfig = false; useLegacyConfig = false;
}; };
security.acme = { security.acme.certs."znc.lukegb.com" = {
acceptTerms = true; dnsProvider = null;
email = "letsencrypt@lukegb.com"; webroot = "/var/lib/acme/.challenges";
certs."znc.lukegb.com" = { group = "znc-acme";
webroot = "/var/lib/acme/.challenges"; extraDomainNames = ["akiichiro.lukegb.com"];
group = "znc-acme";
extraDomainNames = ["akiichiro.lukegb.com"];
};
}; };
services.nginx = { services.nginx = {
enable = true; enable = true;

View file

@ -343,23 +343,17 @@ in {
wants = lib.mkAfter [ "redis.service" ]; wants = lib.mkAfter [ "redis.service" ];
after = lib.mkAfter [ "redis.service" ]; after = lib.mkAfter [ "redis.service" ];
}; };
security.acme = { security.acme.certs."int.lukegb.com" = {
acceptTerms = true; domain = "*.int.lukegb.com";
email = "letsencrypt@lukegb.com"; extraDomainNames = [
certs."int.lukegb.com" = { # "int.lukegb.com" # redundant with *.lukegb.com
domain = "*.int.lukegb.com"; "lukegb.com"
dnsProvider = "cloudflare"; "*.lukegb.com"
credentialsFile = secrets.cloudflareCredentials; "objdump.zxcvbnm.ninja"
extraDomainNames = [ ];
# "int.lukegb.com" # redundant with *.lukegb.com postRun = ''
"lukegb.com" systemctl restart pomerium
"*.lukegb.com" '';
"objdump.zxcvbnm.ninja"
];
postRun = ''
systemctl restart pomerium
'';
};
}; };
system.stateVersion = "20.09"; system.stateVersion = "20.09";

View file

@ -1,14 +1,10 @@
{ config, depot, lib, ... }: { config, depot, lib, ... }:
{ {
security.acme = { security.acme.certs."as205479.net" = {
acceptTerms = true; dnsProvider = "gcloud";
email = lib.mkDefault "letsencrypt@lukegb.com"; credentialsFile = depot.ops.secrets.gcpDNSCredentials;
certs."as205479.net" = { dnsPropagationCheck = false;
dnsProvider = "gcloud";
credentialsFile = depot.ops.secrets.gcpDNSCredentials;
dnsPropagationCheck = false;
};
}; };
services.nginx = { services.nginx = {
enable = lib.mkDefault true; enable = lib.mkDefault true;

View file

@ -5,6 +5,7 @@
{ pkgs, config, depot, lib, rebuilder, ... }@args: { pkgs, config, depot, lib, rebuilder, ... }@args:
let let
inherit (lib) mkDefault; inherit (lib) mkDefault;
inherit (depot.ops) secrets;
switch-prebuilt = import ./switch-prebuilt.nix args; switch-prebuilt = import ./switch-prebuilt.nix args;
in in
@ -268,5 +269,14 @@ in
ListenStream = [ "" "${config.my.ip.tailscale}:19531" ]; ListenStream = [ "" "${config.my.ip.tailscale}:19531" ];
FreeBind = true; FreeBind = true;
}; };
security.acme = {
acceptTerms = true;
defaults = {
email = "letsencrypt@lukegb.com";
dnsProvider = "cloudflare";
credentialsFile = secrets.cloudflareCredentials;
};
};
}; };
} }

View file

@ -27,14 +27,8 @@ in
ssl = true; ssl = true;
}) config.my.fup.listen); }) config.my.fup.listen);
in { in {
security.acme = { security.acme.certs."p.lukegb.com" = {
acceptTerms = true; group = config.services.nginx.group;
email = lib.mkDefault "letsencrypt@lukegb.com";
certs."p.lukegb.com" = {
group = config.services.nginx.group;
dnsProvider = "cloudflare";
credentialsFile = secrets.cloudflareCredentials;
};
}; };
services.nginx = { services.nginx = {
enable = lib.mkDefault true; enable = lib.mkDefault true;

View file

@ -25,15 +25,9 @@ in
ssl = true; ssl = true;
}) config.my.quotesdb.listen); }) config.my.quotesdb.listen);
in { in {
security.acme = { security.acme.certs."bfob.gg" = {
acceptTerms = true; group = config.services.nginx.group;
email = lib.mkDefault "letsencrypt@lukegb.com"; extraDomainNames = ["*.bfob.gg"];
certs."bfob.gg" = {
group = config.services.nginx.group;
dnsProvider = "cloudflare";
credentialsFile = secrets.cloudflareCredentials;
extraDomainNames = ["*.bfob.gg"];
};
}; };
services.nginx = { services.nginx = {
enable = lib.mkDefault true; enable = lib.mkDefault true;

View file

@ -109,11 +109,6 @@ in {
selector = "marukuru"; selector = "marukuru";
}; };
security.acme = {
acceptTerms = true;
email = "letsencrypt@lukegb.com";
};
virtualisation.docker.extraOptions = "--experimental --ipv6 --ip6tables --fixed-cidr-v6 2402:28c0:4:104e:d000::/68"; virtualisation.docker.extraOptions = "--experimental --ipv6 --ip6tables --fixed-cidr-v6 2402:28c0:4:104e:d000::/68";
# Container networking. # Container networking.

View file

@ -201,20 +201,14 @@ in {
}; };
security.acme = { security.acme = {
acceptTerms = true;
email = "letsencrypt@lukegb.com";
certs."invoices.lukegb.com" = { certs."invoices.lukegb.com" = {
domain = "invoices.lukegb.com"; domain = "invoices.lukegb.com";
dnsProvider = "cloudflare";
credentialsFile = secrets.cloudflareCredentials;
postRun = '' postRun = ''
systemctl reload nginx systemctl reload nginx
''; '';
}; };
certs."trains.lukegb.com" = { certs."trains.lukegb.com" = {
domain = "trains.lukegb.com"; domain = "trains.lukegb.com";
dnsProvider = "cloudflare";
credentialsFile = secrets.cloudflareCredentials;
}; };
}; };