ops/nixos: migrate everything to vault-agent-acme
This commit is contained in:
parent
0c7f785107
commit
daccfa5717
14 changed files with 126 additions and 123 deletions
|
@ -69,7 +69,6 @@ in {
|
|||
recommendedTlsSettings = true;
|
||||
recommendedGzipSettings = true;
|
||||
virtualHosts."objdump.zxcvbnm.ninja" = {
|
||||
useACMEHost = "objdump.zxcvbnm.ninja";
|
||||
default = true;
|
||||
forceSSL = true;
|
||||
locations."/" = {
|
||||
|
@ -82,11 +81,9 @@ in {
|
|||
};
|
||||
};
|
||||
};
|
||||
security.acme.certs."objdump.zxcvbnm.ninja" = {
|
||||
group = config.services.nginx.group;
|
||||
extraDomainNames = [
|
||||
"*.objdump.zxcvbnm.ninja"
|
||||
];
|
||||
my.vault.acmeCertificates."objdump.zxcvbnm.ninja" = {
|
||||
extraNames = [ "*.objdump.zxcvbnm.ninja" ];
|
||||
nginxVirtualHosts = [ "objdump.zxcvbnm.ninja" ];
|
||||
};
|
||||
my.fup.listen = [
|
||||
"0.0.0.0" "[::]"
|
||||
|
|
|
@ -58,8 +58,8 @@ in {
|
|||
use-auth-secret = true;
|
||||
realm = "matrix.zxcvbnm.ninja";
|
||||
static-auth-secret = machineSecrets.turnSecret;
|
||||
cert = "${config.security.acme.certs."matrix.zxcvbnm.ninja".directory}/fullchain.pem";
|
||||
pkey = "${config.security.acme.certs."matrix.zxcvbnm.ninja".directory}/key.pem";
|
||||
cert = "/var/lib/acme/matrix.zxcvbnm.ninja/fullchain.pem";
|
||||
pkey = "/var/lib/acme/matrix.zxcvbnm.ninja/privkey.pem";
|
||||
};
|
||||
services.nginx = {
|
||||
enable = true;
|
||||
|
@ -71,7 +71,6 @@ in {
|
|||
virtualHosts = {
|
||||
"zxcvbnm.ninja" = {
|
||||
forceSSL = true;
|
||||
useACMEHost = "matrix.zxcvbnm.ninja";
|
||||
locations = let
|
||||
inherit (lib) mapAttrs' nameValuePair;
|
||||
wellKnown = {
|
||||
|
@ -90,13 +89,11 @@ in {
|
|||
};
|
||||
"matrix.zxcvbnm.ninja" = {
|
||||
forceSSL = true;
|
||||
useACMEHost = "matrix.zxcvbnm.ninja";
|
||||
locations."/".return = "301 https://element.zxcvbnm.ninja$request_uri";
|
||||
locations."/_matrix".proxyPass = "http://[::1]:8008";
|
||||
};
|
||||
"element.zxcvbnm.ninja" = {
|
||||
forceSSL = true;
|
||||
useACMEHost = "matrix.zxcvbnm.ninja";
|
||||
extraConfig = ''
|
||||
add_header X-Frame-Options SAMEORIGIN;
|
||||
add_header X-Content-Type-Options nosniff;
|
||||
|
@ -168,9 +165,10 @@ in {
|
|||
members = [ "turnserver" "nginx" ];
|
||||
};
|
||||
|
||||
security.acme.certs."matrix.zxcvbnm.ninja" = {
|
||||
my.vault.acmeCertificates."matrix.zxcvbnm.ninja" = {
|
||||
group = "matrixcert";
|
||||
extraDomainNames = [ "element.zxcvbnm.ninja" "zxcvbnm.ninja" ];
|
||||
extraNames = [ "element.zxcvbnm.ninja" "zxcvbnm.ninja" ];
|
||||
nginxVirtualHosts = [ "zxcvbnm.ninja" "element.zxcvbnm.ninja" "matrix.zxcvbnm.ninja" ];
|
||||
};
|
||||
|
||||
system.stateVersion = "21.05";
|
||||
|
|
|
@ -36,8 +36,8 @@ in {
|
|||
use-auth-secret = true;
|
||||
realm = "turn.lukegb.com";
|
||||
static-auth-secret = machineSecrets.turnSecret;
|
||||
cert = "${config.security.acme.certs."turn.lukegb.com".directory}/fullchain.pem";
|
||||
pkey = "${config.security.acme.certs."turn.lukegb.com".directory}/key.pem";
|
||||
cert = "/var/lib/acme/turn.lukegb.com/fullchain.pem";
|
||||
pkey = "/var/lib/acme/turn.lukegb.com/privkey.pem";
|
||||
};
|
||||
|
||||
services.prosody = {
|
||||
|
@ -50,8 +50,8 @@ in {
|
|||
virtualHosts."lukegb.com" = {
|
||||
enabled = true;
|
||||
domain = "lukegb.com";
|
||||
ssl.cert = "${config.security.acme.certs."xmpp.lukegb.com".directory}/fullchain.pem";
|
||||
ssl.key = "${config.security.acme.certs."xmpp.lukegb.com".directory}/key.pem";
|
||||
ssl.cert = "/var/lib/acme/xmpp.lukegb.com/fullchain.pem";
|
||||
ssl.key = "/var/lib/acme/xmpp.lukegb.com/privkey.pem";
|
||||
};
|
||||
muc = [{
|
||||
domain = "muc.xmpp.lukegb.com";
|
||||
|
@ -86,12 +86,12 @@ in {
|
|||
'';
|
||||
};
|
||||
|
||||
security.acme = {
|
||||
certs."xmpp.lukegb.com" = {
|
||||
my.vault.acmeCertificates = {
|
||||
"xmpp.lukegb.com" = {
|
||||
group = "prosody";
|
||||
extraDomainNames = [ "*.xmpp.lukegb.com" "lukegb.com" ];
|
||||
extraNames = [ "*.xmpp.lukegb.com" "lukegb.com" ];
|
||||
};
|
||||
certs."turn.lukegb.com" = {
|
||||
"turn.lukegb.com" = {
|
||||
group = "turnserver";
|
||||
};
|
||||
};
|
||||
|
|
|
@ -54,14 +54,9 @@ in {
|
|||
};
|
||||
my.ip.tailscale = "100.120.98.116";
|
||||
|
||||
security.acme.certs."as205479.net" = {
|
||||
extraDomainNames = [ "www.as205479.net" ];
|
||||
dnsProvider = "gcloud";
|
||||
credentialsFile = secrets.gcpDNSCredentials;
|
||||
dnsPropagationCheck = false;
|
||||
postRun = ''
|
||||
systemctl restart freeradius
|
||||
'';
|
||||
my.vault.acmeCertificates."as205479.net" = {
|
||||
group = "acme";
|
||||
reloadOrRestartUnits = [ "freeradius.service" ];
|
||||
};
|
||||
users.users.nginx.extraGroups = lib.mkAfter [ "acme" ];
|
||||
|
||||
|
|
|
@ -110,7 +110,7 @@ eap {
|
|||
#
|
||||
tls-config tls-common {
|
||||
#private_key_password = whatever
|
||||
private_key_file = /var/lib/acme/as205479.net/key.pem
|
||||
private_key_file = /var/lib/acme/as205479.net/privkey.pem
|
||||
|
||||
# If Private key & Certificate are located in
|
||||
# the same file, then private_key_file &
|
||||
|
|
|
@ -192,11 +192,9 @@ in {
|
|||
dataDir = "/persist/etc/znc";
|
||||
useLegacyConfig = false;
|
||||
};
|
||||
security.acme.certs."znc.lukegb.com" = {
|
||||
dnsProvider = null;
|
||||
webroot = "/var/lib/acme/.challenges";
|
||||
my.vault.acmeCertificates."znc.lukegb.com" = {
|
||||
extraNames = [ "akiichiro.lukegb.com" ];
|
||||
group = "znc-acme";
|
||||
extraDomainNames = ["akiichiro.lukegb.com"];
|
||||
};
|
||||
services.nginx = {
|
||||
enable = true;
|
||||
|
|
|
@ -251,7 +251,6 @@ in {
|
|||
services.pomerium = {
|
||||
enable = true;
|
||||
secretsFile = machineSecrets.pomeriumSecrets;
|
||||
useACMEHost = "int.lukegb.com";
|
||||
|
||||
settings = {
|
||||
address = ":443";
|
||||
|
@ -280,6 +279,10 @@ in {
|
|||
authenticate_service_url = "https://auth.int.lukegb.com";
|
||||
signout_redirect_url = "https://logged-out.int.lukegb.com";
|
||||
|
||||
certificates = [
|
||||
{ cert = "/var/lib/acme/lukegb.com/fullchain.pem"; key = "/var/lib/acme/lukegb.com/privkey.pem"; }
|
||||
];
|
||||
|
||||
policy = let
|
||||
baseConfig = {
|
||||
allowed_domains = [ "lukegb.com" ];
|
||||
|
@ -344,18 +347,18 @@ in {
|
|||
systemd.services.pomerium = {
|
||||
wants = lib.mkAfter [ "redis.service" ];
|
||||
after = lib.mkAfter [ "redis.service" ];
|
||||
serviceConfig = {
|
||||
SupplementaryGroups = [ "acme" ];
|
||||
ReadOnlyPaths = [ "/var/lib/acme" ];
|
||||
};
|
||||
};
|
||||
security.acme.certs."int.lukegb.com" = {
|
||||
domain = "*.int.lukegb.com";
|
||||
extraDomainNames = [
|
||||
# "int.lukegb.com" # redundant with *.lukegb.com
|
||||
my.vault.acmeCertificates."lukegb.com" = {
|
||||
extraNames = [
|
||||
"lukegb.com"
|
||||
"*.lukegb.com"
|
||||
"objdump.zxcvbnm.ninja"
|
||||
];
|
||||
postRun = ''
|
||||
systemctl restart pomerium
|
||||
'';
|
||||
reloadOrRestartUnits = [ "pomerium.service" ];
|
||||
};
|
||||
|
||||
system.stateVersion = "20.09";
|
||||
|
|
|
@ -1,17 +1,16 @@
|
|||
{ config, depot, lib, ... }:
|
||||
|
||||
{
|
||||
security.acme.certs."as205479.net" = {
|
||||
dnsProvider = "gcloud";
|
||||
credentialsFile = depot.ops.secrets.gcpDNSCredentials;
|
||||
dnsPropagationCheck = false;
|
||||
};
|
||||
services.nginx = {
|
||||
enable = lib.mkDefault true;
|
||||
virtualHosts."as205479.net" = {
|
||||
useACMEHost = "as205479.net";
|
||||
forceSSL = true;
|
||||
locations."/".root = depot.web.as205479 config.networking.hostName;
|
||||
};
|
||||
};
|
||||
my.vault.acmeCertificates."as205479.net" = {
|
||||
role = "letsencrypt-gcloud-as205479";
|
||||
extraNames = [ "www.as205479.net" ];
|
||||
nginxVirtualHosts = [ "as205479.net" ];
|
||||
};
|
||||
}
|
||||
|
|
|
@ -148,7 +148,6 @@ in
|
|||
services.nginx.recommendedTlsSettings = true;
|
||||
services.nginx.virtualHosts = {
|
||||
"baserow.lukegb.com" = {
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
extraConfig = ''
|
||||
proxy_read_timeout 1800s;
|
||||
|
@ -160,7 +159,6 @@ in
|
|||
};
|
||||
};
|
||||
"api.baserow.lukegb.com" = {
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
extraConfig = ''
|
||||
proxy_read_timeout 1800s;
|
||||
|
@ -173,9 +171,7 @@ in
|
|||
};
|
||||
};
|
||||
"baserow-media.zxcvbnm.ninja" = {
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
|
||||
root = "/var/lib/baserow/media";
|
||||
locations."/user_files" = {
|
||||
root = "/var/lib/baserow/media";
|
||||
|
@ -191,6 +187,12 @@ in
|
|||
};
|
||||
};
|
||||
};
|
||||
my.vault.acmeCertificates = {
|
||||
"baserow.lukegb.com" = {
|
||||
extraNames = [ "api.baserow.lukegb.com" "baserow-media.zxcvbnm.ninja" ];
|
||||
nginxVirtualHosts = [ "baserow.lukegb.com" "api.baserow.lukegb.com" "baserow-media.zxcvbnm.ninja" ];
|
||||
};
|
||||
};
|
||||
|
||||
services.postfix = {
|
||||
enable = true;
|
||||
|
|
|
@ -27,14 +27,13 @@ in
|
|||
ssl = true;
|
||||
}) config.my.fup.listen);
|
||||
in {
|
||||
security.acme.certs."p.lukegb.com" = {
|
||||
group = config.services.nginx.group;
|
||||
my.vault.acmeCertificates."p.lukegb.com" = {
|
||||
nginxVirtualHosts = [ "p.lukegb.com" ];
|
||||
};
|
||||
services.nginx = {
|
||||
enable = lib.mkDefault true;
|
||||
virtualHosts."p.lukegb.com" = {
|
||||
listen = nginxListen;
|
||||
useACMEHost = "p.lukegb.com";
|
||||
forceSSL = true;
|
||||
locations."/" = {
|
||||
proxyPass = "http://unix:${sock}";
|
||||
|
|
|
@ -25,21 +25,19 @@ in
|
|||
ssl = true;
|
||||
}) config.my.quotesdb.listen);
|
||||
in {
|
||||
security.acme.certs."bfob.gg" = {
|
||||
group = config.services.nginx.group;
|
||||
extraDomainNames = ["*.bfob.gg"];
|
||||
my.vault.acmeCertificates."bfob.gg" = {
|
||||
extraNames = [ "*.bfob.gg" ];
|
||||
nginxVirtualHosts = [ "qdb.bfob.gg" "quotes.bfob.gg" "dev-quotes.bfob.gg" ];
|
||||
};
|
||||
services.nginx = {
|
||||
enable = lib.mkDefault true;
|
||||
virtualHosts."qdb.bfob.gg" = {
|
||||
listen = nginxListen;
|
||||
useACMEHost = "bfob.gg";
|
||||
globalRedirect = "quotes.bfob.gg";
|
||||
forceSSL = true;
|
||||
};
|
||||
virtualHosts."quotes.bfob.gg" = {
|
||||
listen = nginxListen;
|
||||
useACMEHost = "bfob.gg";
|
||||
forceSSL = true;
|
||||
locations."/static" = {
|
||||
root = "${pkg}/share";
|
||||
|
@ -50,7 +48,6 @@ in
|
|||
};
|
||||
virtualHosts."dev-quotes.bfob.gg" = {
|
||||
listen = nginxListen;
|
||||
useACMEHost = "bfob.gg";
|
||||
forceSSL = true;
|
||||
locations."/" = {
|
||||
proxyPass = "http://127.0.0.1:8000";
|
||||
|
|
|
@ -4,7 +4,9 @@
|
|||
|
||||
{ pkgs, config, depot, lib, ... }:
|
||||
let
|
||||
inherit (lib) mkOption types mkBefore optionalAttrs;
|
||||
inherit (lib) mkOption types mkBefore optionalAttrs mkDefault;
|
||||
|
||||
acmeCertificates = lib.mapAttrsToList (name: cOrig: cOrig // { inherit name; }) config.my.vault.acmeCertificates;
|
||||
|
||||
# Work out where we're being asked to write things, and which groups, so we can correctly get permissions.
|
||||
fullchainPath = c: pathFor c.fullchain c "fullchain.pem";
|
||||
|
@ -12,7 +14,17 @@ let
|
|||
keyPath = c: pathFor c.key c "privkey.pem";
|
||||
pathFor = p: c: suffix: if isNull p.path then "/var/lib/acme/${c.name}/${suffix}" else p.path;
|
||||
|
||||
acmeCertificatesGroups = lib.unique (lib.filter (x: x != "") (builtins.concatMap (c: [ c.fullchain.group c.chain.group c.key.group ]) config.my.vault.acmeCertificates));
|
||||
isNginx = c: builtins.length c.nginxVirtualHosts > 0;
|
||||
defaultGroup = c: if isNull c.group then if isNginx c then "nginx" else "acme" else c.group;
|
||||
groupOrDefault = p: c: if isNull p then defaultGroup c else p;
|
||||
|
||||
reloadOrRestartUnits = c: (lib.optional (isNginx c) "nginx.service") ++ c.reloadOrRestartUnits;
|
||||
|
||||
acmeCertificatesGroups = lib.unique (lib.filter (x: x != "") (builtins.concatMap (c: [
|
||||
(groupOrDefault c.fullchain.group c)
|
||||
(groupOrDefault c.chain.group c)
|
||||
(groupOrDefault c.key.group c)
|
||||
]) acmeCertificates));
|
||||
|
||||
acmeCertificatesTemplate = builtins.concatMap (c: let
|
||||
secretStanza = ''
|
||||
|
@ -27,14 +39,16 @@ let
|
|||
'';
|
||||
destination = fullchainPath c;
|
||||
perms = c.fullchain.mode;
|
||||
command = pkgs.writeShellScript "post-${c.name}-crt" ''
|
||||
command = let
|
||||
grp = groupOrDefault c.fullchain.group c;
|
||||
in pkgs.writeShellScript "post-${c.name}-crt" ''
|
||||
sleep 1s # Cheap hack...
|
||||
${lib.optionalString (c.fullchain.group != "") ''
|
||||
chgrp "${c.fullchain.group}" "${fullchainPath c}"
|
||||
${lib.optionalString (grp != "") ''
|
||||
chgrp "${grp}" "${fullchainPath c}"
|
||||
''}
|
||||
${lib.concatMapStringsSep "\n" (x: ''
|
||||
/run/current-system/sw/bin/systemctl reload-or-restart ${x}
|
||||
'') c.reloadOrRestartUnits}
|
||||
'') (reloadOrRestartUnits c)}
|
||||
${lib.concatMapStringsSep "\n" (x: ''
|
||||
/run/current-system/sw/bin/systemctl restart ${x}
|
||||
'') c.restartUnits}
|
||||
|
@ -48,9 +62,11 @@ let
|
|||
'';
|
||||
destination = chainPath c;
|
||||
perms = c.chain.mode;
|
||||
command = pkgs.writeShellScript "post-${c.name}-chain" ''
|
||||
${lib.optionalString (c.chain.group != "") ''
|
||||
chgrp "${c.chain.group}" "${chainPath c}"
|
||||
command = let
|
||||
grp = groupOrDefault c.chain.group c;
|
||||
in pkgs.writeShellScript "post-${c.name}-chain" ''
|
||||
${lib.optionalString (grp != "") ''
|
||||
chgrp "${grp}" "${chainPath c}"
|
||||
''}
|
||||
'';
|
||||
} {
|
||||
|
@ -61,13 +77,15 @@ let
|
|||
'';
|
||||
destination = keyPath c;
|
||||
perms = c.key.mode;
|
||||
command = pkgs.writeShellScript "post-${c.name}-key" ''
|
||||
${lib.optionalString (c.key.group != "") ''
|
||||
chgrp "${c.key.group}" "${keyPath c}"
|
||||
command = let
|
||||
grp = groupOrDefault c.key.group c;
|
||||
in pkgs.writeShellScript "post-${c.name}-key" ''
|
||||
${lib.optionalString (grp != "") ''
|
||||
chgrp "${grp}" "${keyPath c}"
|
||||
''}
|
||||
'';
|
||||
}
|
||||
]) config.my.vault.acmeCertificates;
|
||||
]) acmeCertificates;
|
||||
|
||||
acmeCertificatesTmpdirs = lib.unique (builtins.concatMap (c:
|
||||
let
|
||||
|
@ -75,21 +93,25 @@ let
|
|||
chainDir = dirOf (chainPath c);
|
||||
keyDir = dirOf (keyPath c);
|
||||
|
||||
dirGroup = if fullchainDir == keyDir && chainDir == keyDir && c.fullchain.makeDir && c.chain.makeDir && c.key.makeDir then if c.fullchain.group == c.key.group && c.fullchain.group == c.chain.group then c.fullchain.group else "-" else null;
|
||||
fullchainGroup = groupOrDefault c.fullchain.group c;
|
||||
chainGroup = groupOrDefault c.chain.group c;
|
||||
keyGroup = groupOrDefault c.key.group c;
|
||||
|
||||
fullchainDirGroup = if isNull dirGroup then c.fullchain.group else dirGroup;
|
||||
chainDirGroup = if isNull dirGroup then c.chain.group else dirGroup;
|
||||
keyDirGroup = if isNull dirGroup then c.key.group else dirGroup;
|
||||
dirGroup = if fullchainDir == keyDir && chainDir == keyDir && c.fullchain.makeDir && c.chain.makeDir && c.key.makeDir then if fullchainGroup == keyGroup && fullchainGroup == chainGroup then fullchainGroup else "-" else null;
|
||||
|
||||
fullchainDirGroup = if isNull dirGroup then fullchainGroup else dirGroup;
|
||||
chainDirGroup = if isNull dirGroup then chainGroup else dirGroup;
|
||||
keyDirGroup = if isNull dirGroup then keyGroup else dirGroup;
|
||||
in lib.optional c.fullchain.makeDir "d ${fullchainDir} 0750 vault-agent ${fullchainDirGroup} - -"
|
||||
++ lib.optional c.chain.makeDir "d ${chainDir} 0750 vault-agent ${chainDirGroup} - -"
|
||||
++ lib.optional c.key.makeDir "d ${keyDir} 0750 vault-agent ${keyDirGroup} - -"
|
||||
) config.my.vault.acmeCertificates);
|
||||
) acmeCertificates);
|
||||
|
||||
allRestartableUnits = lib.unique (builtins.concatMap (c: c.reloadOrRestartUnits ++ c.restartUnits) config.my.vault.acmeCertificates);
|
||||
allRestartableUnits = lib.unique (builtins.concatMap (c: (reloadOrRestartUnits c) ++ c.restartUnits) acmeCertificates);
|
||||
in
|
||||
{
|
||||
options.my.vault.acmeCertificates = mkOption {
|
||||
type = with types; listOf (submodule {
|
||||
type = with types; attrsOf (submodule {
|
||||
options = let
|
||||
fileType = what: defaultMode: submodule {
|
||||
options = {
|
||||
|
@ -105,9 +127,9 @@ in
|
|||
};
|
||||
|
||||
group = mkOption {
|
||||
type = str;
|
||||
default = "acme";
|
||||
description = "Owner group to set for the ${what}.";
|
||||
type = nullOr str;
|
||||
default = null;
|
||||
description = "Owner group to set for the ${what}. If null, taken from parent.";
|
||||
};
|
||||
|
||||
makeDir = mkOption {
|
||||
|
@ -123,10 +145,6 @@ in
|
|||
default = "letsencrypt-cloudflare";
|
||||
description = "Which role to use for certificate issuance.";
|
||||
};
|
||||
name = mkOption {
|
||||
type = str;
|
||||
description = "First hostname for the certificate.";
|
||||
};
|
||||
extraNames = mkOption {
|
||||
type = listOf str;
|
||||
default = [];
|
||||
|
@ -149,6 +167,18 @@ in
|
|||
description = "List of systemd units to restart after obtaining a new certificate.";
|
||||
};
|
||||
|
||||
nginxVirtualHosts = mkOption {
|
||||
type = listOf str;
|
||||
default = [];
|
||||
description = "List of nginx virtual hosts to apply SSL to.";
|
||||
};
|
||||
|
||||
group = mkOption {
|
||||
type = nullOr str;
|
||||
default = null;
|
||||
description = "Owner group to set for the generated files. Defaults to 'acme' unless nginxVirtualHosts is set, in which case it defaults to 'nginx'.";
|
||||
};
|
||||
|
||||
fullchain = mkOption {
|
||||
type = fileType "certificate's full chain" "0644";
|
||||
default = {};
|
||||
|
@ -163,7 +193,7 @@ in
|
|||
};
|
||||
};
|
||||
});
|
||||
default = [];
|
||||
default = {};
|
||||
};
|
||||
|
||||
config = {
|
||||
|
@ -181,6 +211,18 @@ in
|
|||
tmpfiles.rules = acmeCertificatesTmpdirs;
|
||||
};
|
||||
|
||||
services.nginx = optionalAttrs config.my.vault.enable {
|
||||
virtualHosts = builtins.listToAttrs (builtins.concatMap (certData: let
|
||||
fullchain = fullchainPath certData;
|
||||
chain = chainPath certData;
|
||||
key = keyPath certData;
|
||||
in map (hostName: lib.nameValuePair hostName {
|
||||
sslCertificate = mkDefault (fullchainPath certData);
|
||||
sslCertificateKey = mkDefault (keyPath certData);
|
||||
sslTrustedCertificate = mkDefault (chainPath certData);
|
||||
}) certData.nginxVirtualHosts) acmeCertificates);
|
||||
};
|
||||
|
||||
security.polkit.extraConfig = lib.mkAfter ''
|
||||
// NixOS module: depot/lib/vault-agent-acme.nix
|
||||
polkit.addRule(function(action, subject) {
|
||||
|
|
|
@ -186,7 +186,6 @@ in {
|
|||
};
|
||||
in {
|
||||
root = "/srv/pancake/public_html";
|
||||
useACMEHost = "invoices.lukegb.com";
|
||||
forceSSL = true;
|
||||
locations."/" = {
|
||||
tryFiles = "$uri $uri/ @router";
|
||||
|
@ -201,7 +200,6 @@ in {
|
|||
};
|
||||
|
||||
"plex-totoro.lukegb.com" = {
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
locations."/" = {
|
||||
proxyPass = "http://localhost:32400/";
|
||||
|
@ -241,18 +239,6 @@ in {
|
|||
}];
|
||||
};
|
||||
|
||||
security.acme = {
|
||||
certs."invoices.lukegb.com" = {
|
||||
domain = "invoices.lukegb.com";
|
||||
postRun = ''
|
||||
systemctl reload nginx
|
||||
'';
|
||||
};
|
||||
certs."trains.lukegb.com" = {
|
||||
domain = "trains.lukegb.com";
|
||||
};
|
||||
};
|
||||
|
||||
services.prometheus = {
|
||||
enable = true;
|
||||
stateDir = "export/monitoring/prometheus";
|
||||
|
@ -557,17 +543,10 @@ in {
|
|||
};
|
||||
};
|
||||
|
||||
my.vault.acmeCertificates = [
|
||||
{
|
||||
name = "lukegb.com";
|
||||
role = "lukegb.com-staging";
|
||||
extraNames = [ "*.lukegb.com" "*.int.lukegb.com" ];
|
||||
restartUnits = [ "nginx.service" ];
|
||||
#certificate.path = "/tmp/lukegb.com.crt";
|
||||
#key.path = "/tmp/lukegb.com.key";
|
||||
key.group = "acme";
|
||||
}
|
||||
];
|
||||
my.vault.acmeCertificates = {
|
||||
"plex-totoro.lukegb.com" = { nginxVirtualHosts = [ "plex-totoro.lukegb.com" ]; };
|
||||
"invoices.lukegb.com" = { nginxVirtualHosts = [ "invoices.lukegb.com" ]; };
|
||||
};
|
||||
|
||||
system.stateVersion = "20.03";
|
||||
}
|
||||
|
|
|
@ -133,20 +133,14 @@ in {
|
|||
};
|
||||
};
|
||||
|
||||
security.acme.certs."ha.lukegb.com" = {
|
||||
dnsProvider = "cloudflare";
|
||||
credentialsFile = secrets.cloudflareCredentials;
|
||||
domain = "ha.lukegb.com";
|
||||
postRun = ''
|
||||
systemctl reload nginx
|
||||
'';
|
||||
};
|
||||
services.nginx.virtualHosts."ha.lukegb.com" = {
|
||||
forceSSL = true;
|
||||
useACMEHost = "ha.lukegb.com";
|
||||
locations."/" = {
|
||||
proxyPass = "http://localhost:8123/";
|
||||
proxyWebsockets = true;
|
||||
};
|
||||
};
|
||||
my.vault.acmeCertificates."ha.lukegb.com" = {
|
||||
nginxVirtualHosts = [ "ha.lukegb.com" ];
|
||||
};
|
||||
}
|
||||
|
|
Loading…
Reference in a new issue