From 990c035c3b4cdf115aa2cf0873906354346a32e9 Mon Sep 17 00:00:00 2001 From: Antoine Martin Date: Sun, 12 Jun 2022 17:18:58 +0200 Subject: [PATCH] services: use subdomain for ACME cert Avoids conflicts now that I have multiple servers sharing the config --- services/fava.nix | 8 +++++++- services/gitea/default.nix | 6 +++++- services/jellyfin.nix | 6 +++++- services/lohr.nix | 8 +++++++- services/matrix.nix | 13 +++++++++---- services/miniflux.nix | 6 +++++- services/monitoring.nix | 8 ++++++-- services/navidrome.nix | 6 +++++- services/nextcloud.nix | 6 +++++- services/nginx.nix | 5 +++-- services/paperless.nix | 6 +++++- services/transmission.nix | 6 +++++- services/vaultwarden.nix | 6 +++++- 13 files changed, 72 insertions(+), 18 deletions(-) diff --git a/services/fava.nix b/services/fava.nix index 59494ad..8e796f5 100644 --- a/services/fava.nix +++ b/services/fava.nix @@ -13,7 +13,11 @@ cfg = config.my.services.fava; my = config.my; + domain = config.networking.domain; + hostname = config.networking.hostName; + fqdn = "${hostname}.${domain}"; + secrets = config.my.secrets; in { options.my.services.fava = let @@ -65,7 +69,7 @@ in { services.nginx.virtualHosts = { "fava.${domain}" = { forceSSL = true; - useACMEHost = domain; + useACMEHost = fqdn; listen = [ # FIXME: hardcoded tailscale IP @@ -86,5 +90,7 @@ in { }; }; }; + + security.acme.certs.${fqdn}.extraDomainNames = ["fava.${domain}"]; }; } diff --git a/services/gitea/default.nix b/services/gitea/default.nix index 6796d88..c6472fb 100644 --- a/services/gitea/default.nix +++ b/services/gitea/default.nix @@ -15,6 +15,8 @@ my = config.my; domain = config.networking.domain; + hostname = config.networking.hostName; + fqdn = "${hostname}.${domain}"; in { options.my.services.gitea = let inherit (lib) types; @@ -101,7 +103,7 @@ in { virtualHosts = { "git.${domain}" = { forceSSL = true; - useACMEHost = domain; + useACMEHost = fqdn; locations."/" = { proxyPass = "http://127.0.0.1:${toString cfg.privatePort}"; 
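Review bot: The three bindings added to fava.nix in this hunk, `hostname = config.networking.hostName;` and `fqdn = "${hostname}.${domain}";` on top of `domain`, are copied verbatim into every other module in the patch (gitea, jellyfin, lohr, matrix, miniflux, monitoring, navidrome, nextcloud, nginx, paperless, transmission, vaultwarden), and each copy must stay byte-identical for the `useACMEHost = fqdn;` lookups to hit the certificate that nginx.nix declares. NixOS already exposes the same concatenation as `config.networking.fqdn`, so `fqdn = config.networking.fqdn;` would give a single definition of the certificate name instead of thirteen. If a local binding is preferred, defining it once in nginx.nix next to the cert and reusing it from the service modules would at least keep the key and its consumers in one place. The surrounding `let` block starts before the hunk.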
@@ -110,6 +112,8 @@ in { }; }; + security.acme.certs.${fqdn}.extraDomainNames = ["git.${domain}"]; + systemd.services.gitea.preStart = "${pkgs.coreutils}/bin/ln -sfT ${./templates} ${config.services.gitea.stateDir}/custom/templates"; }; } diff --git a/services/jellyfin.nix b/services/jellyfin.nix index 4a4ceea..3160770 100644 --- a/services/jellyfin.nix +++ b/services/jellyfin.nix @@ -14,6 +14,8 @@ my = config.my; domain = config.networking.domain; + hostname = config.networking.hostName; + fqdn = "${hostname}.${domain}"; # hardcoded in NixOS module :( jellyfinPort = 8096; @@ -31,12 +33,14 @@ in { # Proxy to Jellyfin services.nginx.virtualHosts."jellyfin.${domain}" = { forceSSL = true; - useACMEHost = domain; + useACMEHost = fqdn; locations."/" = { proxyPass = "http://localhost:${toString jellyfinPort}/"; proxyWebsockets = true; }; }; + + security.acme.certs.${fqdn}.extraDomainNames = ["jellyfin.${domain}"]; }; } diff --git a/services/lohr.nix b/services/lohr.nix index c7a5acf..a86a0b3 100644 --- a/services/lohr.nix +++ b/services/lohr.nix @@ -13,7 +13,11 @@ cfg = config.my.services.lohr; my = config.my; + domain = config.networking.domain; + hostname = config.networking.hostName; + fqdn = "${hostname}.${domain}"; + secrets = config.my.secrets; lohrPkg = let flake = builtins.getFlake "github:alarsyo/lohr?rev=58503cc8b95c8b627f6ae7e56740609e91f323cd"; @@ -73,12 +77,14 @@ in { services.nginx.virtualHosts = { "lohr.${domain}" = { forceSSL = true; - useACMEHost = domain; + useACMEHost = fqdn; locations."/" = { proxyPass = "http://127.0.0.1:${toString cfg.port}"; }; }; }; + + security.acme.certs.${fqdn}.extraDomainNames = ["lohr.${domain}"]; }; } diff --git a/services/matrix.nix b/services/matrix.nix index 82cfb88..eab7e37 100644 --- a/services/matrix.nix +++ b/services/matrix.nix 
@@ -32,7 +32,10 @@ public = 443; private = 11339; }; + domain = config.networking.domain; + hostname = config.networking.hostName; + fqdn = "${hostname}.${domain}"; in { options.my.services.matrix = let inherit (lib) types; @@ -147,7 +150,7 @@ in { virtualHosts = { "matrix.${domain}" = { onlySSL = true; - useACMEHost = domain; + useACMEHost = fqdn; locations = let proxyToClientPort = { @@ -181,7 +184,7 @@ in { "matrix.${domain}_federation" = rec { onlySSL = true; serverName = "matrix.${domain}"; - useACMEHost = domain; + useACMEHost = fqdn; locations."/".return = "404"; @@ -205,7 +208,7 @@ in { "${domain}" = { forceSSL = true; - useACMEHost = domain; + useACMEHost = fqdn; locations."= /.well-known/matrix/server".extraConfig = let server = {"m.server" = "matrix.${domain}:${toString federationPort.public}";}; @@ -230,7 +233,7 @@ in { # Element Web app deployment # "chat.${domain}" = { - useACMEHost = domain; + useACMEHost = fqdn; forceSSL = true; root = pkgs.element-web.override { @@ -259,6 +262,8 @@ in { }; }; + security.acme.certs.${fqdn}.extraDomainNames = ["chat.${domain}" "matrix.${domain}" domain]; + # For administration tools. environment.systemPackages = [pkgs.matrix-synapse]; diff --git a/services/miniflux.nix b/services/miniflux.nix index 5738d8e..b4cf78e 100644 --- a/services/miniflux.nix +++ b/services/miniflux.nix @@ -15,6 +15,8 @@ my = config.my; domain = config.networking.domain; + hostname = config.networking.hostName; + fqdn = "${hostname}.${domain}"; in { options.my.services.miniflux = let inherit (lib) types; @@ -60,7 +62,7 @@ in { virtualHosts = { "reader.${domain}" = { forceSSL = true; - useACMEHost = domain; + useACMEHost = fqdn; locations."/" = { proxyPass = "http://127.0.0.1:${toString cfg.privatePort}"; @@ -68,5 +70,7 @@ in { }; }; }; + + security.acme.certs.${fqdn}.extraDomainNames = ["reader.${domain}"]; }; } diff --git a/services/monitoring.nix b/services/monitoring.nix index 57731ff..a648578 100644 --- a/services/monitoring.nix 
+++ b/services/monitoring.nix @@ -13,6 +13,8 @@ cfg = config.my.services.monitoring; domain = config.networking.domain; + hostname = config.networking.hostName; + fqdn = "${hostname}.${domain}"; in { options.my.services.monitoring = let inherit (lib) types; @@ -103,15 +105,17 @@ in { }; services.nginx = { - virtualHosts.${config.services.grafana.domain} = { + virtualHosts.${cfg.domain} = { locations."/" = { proxyPass = "http://127.0.0.1:${toString config.services.grafana.port}"; proxyWebsockets = true; }; forceSSL = true; - useACMEHost = domain; + useACMEHost = fqdn; }; }; + + security.acme.certs.${fqdn}.extraDomainNames = [cfg.domain]; }; } diff --git a/services/navidrome.nix b/services/navidrome.nix index 75e6d53..c901495 100644 --- a/services/navidrome.nix +++ b/services/navidrome.nix @@ -14,6 +14,8 @@ cfg = config.my.services.navidrome; domain = config.networking.domain; + hostname = config.networking.hostName; + fqdn = "${hostname}.${domain}"; in { options.my.services.navidrome = let inherit (lib) types; @@ -46,7 +48,7 @@ in { services.nginx.virtualHosts."music.${domain}" = { forceSSL = true; - useACMEHost = domain; + useACMEHost = fqdn; listen = [ # FIXME: hardcoded tailscale IP @@ -67,5 +69,7 @@ in { proxyWebsockets = true; }; }; + + security.acme.certs.${fqdn}.extraDomainNames = ["music.${domain}"]; }; } diff --git a/services/nextcloud.nix b/services/nextcloud.nix index 330548e..7349970 100644 --- a/services/nextcloud.nix +++ b/services/nextcloud.nix @@ -16,6 +16,8 @@ let cfg = config.my.services.nextcloud; my = config.my; domain = config.networking.domain; + hostname = config.networking.hostName; + fqdn = "${hostname}.${domain}"; dbName = "nextcloud"; in { options.my.services.nextcloud = let 
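Review bot: In the monitoring hunk the virtual host is now keyed on `cfg.domain` instead of `config.services.grafana.domain`, and the new SAN entry `[cfg.domain]` follows it, but nothing in the hunk shows that `my.services.monitoring.domain` is declared or that Grafana's own `domain` is set from it; both live outside the hunk. If the two values ever differ, nginx serves one name while Grafana builds its root URL and redirects for another, and the certificate covers only the nginx one. A comment at the vhost, `# keep in sync with services.grafana.domain`, or deriving both from one `let` binding, would make the coupling visible. The enclosing `config` attrset starts and ends outside the hunk.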
@@ -85,11 +87,13 @@ in { virtualHosts = { "cloud.${domain}" = { forceSSL = true; - useACMEHost = domain; + useACMEHost = fqdn; }; }; }; + security.acme.certs.${fqdn}.extraDomainNames = ["cloud.${domain}"]; + my.services.restic-backup = let nextcloudHome = config.services.nextcloud.home; in diff --git a/services/nginx.nix b/services/nginx.nix index a69d1ac..d84425c 100644 --- a/services/nginx.nix +++ b/services/nginx.nix @@ -54,10 +54,11 @@ in { certs = let domain = config.networking.domain; + hostname = config.networking.hostName; + fqdn = "${hostname}.${domain}"; gandiKey = config.my.secrets.gandiKey; in { - "${domain}" = { - extraDomainNames = ["*.${domain}"]; + "${fqdn}" = { dnsProvider = "gandiv5"; credentialsFile = config.age.secrets."gandi/api-key".path; group = "nginx"; diff --git a/services/paperless.nix b/services/paperless.nix index 3c1aee7..415d35e 100644 --- a/services/paperless.nix +++ b/services/paperless.nix @@ -14,6 +14,8 @@ cfg = config.my.services.paperless; my = config.my; domain = config.networking.domain; + hostname = config.networking.hostName; + fqdn = "${hostname}.${domain}"; paperlessDomain = "paperless.${domain}"; in { options.my.services.paperless = let @@ -99,7 +101,7 @@ in { services.nginx.virtualHosts = { "${paperlessDomain}" = { forceSSL = true; - useACMEHost = domain; + useACMEHost = fqdn; listen = [ # FIXME: hardcoded tailscale IP @@ -122,6 +124,8 @@ in { }; }; + security.acme.certs.${fqdn}.extraDomainNames = [paperlessDomain]; + my.services.restic-backup = mkIf cfg.enable { paths = [ config.services.paperless.dataDir diff --git a/services/transmission.nix b/services/transmission.nix index 822070c..c2f4944 100644 --- a/services/transmission.nix +++ b/services/transmission.nix @@ -14,6 +14,8 @@ cfg = config.my.services.transmission; domain = config.networking.domain; + hostname = config.networking.hostName; + fqdn = "${hostname}.${domain}"; webuiDomain = "transmission.${domain}"; transmissionRpcPort = 9091; 
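Review bot: In the nginx.nix hunk, dropping `extraDomainNames = ["*.${domain}"];` changes what the certificate discloses: the wildcard hid individual hostnames, whereas the per-host certificate now enumerates every name merged into `security.acme.certs.${fqdn}.extraDomainNames` (fava, git, jellyfin, lohr, chat/matrix/apex, reader, music, cloud, paperless, transmission, pass), and with a public CA those SANs land in Certificate Transparency logs; the fava, navidrome and paperless vhosts listen on a Tailscale address per their `# FIXME` comments, so names meant to stay internal become publicly enumerable. The hunk also deletes `security.acme.certs."${domain}"` outright, so any vhost not touched by this patch that still says `useACMEHost = domain;` now points at a certificate that no longer exists. Keeping the wildcard on the per-host certificate, `"${fqdn}" = { extraDomainNames = ["*.${domain}" domain]; ...`, would give each server its own certificate (the conflict the commit message describes) without any module appending SANs and without listing hostnames in the public log; the apex entry is needed because matrix.nix serves `"${domain}"` from this certificate. The `certs` attrset starts before the hunk.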
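Review bot: In the paperless hunk, `security.acme.certs.${fqdn}.extraDomainNames = [paperlessDomain];` sits directly beside `my.services.restic-backup = mkIf cfg.enable {`, which suggests the enclosing attrset is not itself guarded by `cfg.enable`; if that is so, every host sharing this config requests the paperless SAN even where paperless is disabled, and the vaultwarden hunk below (`["pass.${domain}"]`) has the same shape. Whether an outer `config = mkIf cfg.enable { ... }` wrapper exists is outside the hunk, so this only matters if it does not; in that case `security.acme.certs.${fqdn}.extraDomainNames = mkIf cfg.enable [paperlessDomain];` keeps each host's certificate limited to the services it actually serves. The enclosing `config` attrset starts and ends outside the hunk.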
@@ -73,7 +75,7 @@ in { services.nginx.virtualHosts."${webuiDomain}" = { forceSSL = true; - useACMEHost = domain; + useACMEHost = fqdn; locations."/".proxyPass = "http://127.0.0.1:${toString transmissionRpcPort}"; @@ -91,5 +93,7 @@ in { } ]; }; + + security.acme.certs.${fqdn}.extraDomainNames = [webuiDomain]; }; } diff --git a/services/vaultwarden.nix b/services/vaultwarden.nix index 2d8d370..43ffc85 100644 --- a/services/vaultwarden.nix +++ b/services/vaultwarden.nix @@ -15,6 +15,8 @@ my = config.my; domain = config.networking.domain; + hostname = config.networking.hostName; + fqdn = "${hostname}.${domain}"; in { options.my.services.vaultwarden = let inherit (lib) types; @@ -68,7 +70,7 @@ in { virtualHosts = { "pass.${domain}" = { forceSSL = true; - useACMEHost = domain; + useACMEHost = fqdn; locations."/" = { proxyPass = "http://127.0.0.1:${toString cfg.privatePort}"; @@ -86,6 +88,8 @@ in { }; }; + security.acme.certs.${fqdn}.extraDomainNames = ["pass.${domain}"]; + # FIXME: should be renamed to vaultwarden eventually my.services.restic-backup = mkIf cfg.enable { paths = ["/var/lib/bitwarden_rs"];