services: use subdomain for ACME cert

Avoids conflicts now that multiple servers share the same config
This commit is contained in:
Antoine Martin 2022-06-12 17:18:58 +02:00
parent baa239dc72
commit 990c035c3b
13 changed files with 72 additions and 18 deletions


@ -13,7 +13,11 @@
cfg = config.my.services.fava; cfg = config.my.services.fava;
my = config.my; my = config.my;
domain = config.networking.domain; domain = config.networking.domain;
hostname = config.networking.hostName;
fqdn = "${hostname}.${domain}";
secrets = config.my.secrets; secrets = config.my.secrets;
in { in {
options.my.services.fava = let options.my.services.fava = let
@ -65,7 +69,7 @@ in {
services.nginx.virtualHosts = { services.nginx.virtualHosts = {
"fava.${domain}" = { "fava.${domain}" = {
forceSSL = true; forceSSL = true;
useACMEHost = domain; useACMEHost = fqdn;
listen = [ listen = [
# FIXME: hardcoded tailscale IP # FIXME: hardcoded tailscale IP
@ -86,5 +90,7 @@ in {
}; };
}; };
}; };
security.acme.certs.${fqdn}.extraDomainNames = ["fava.${domain}"];
}; };
} }
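Review bot: `hostname` and `fqdn = "${hostname}.${domain}"` are derived by hand in this `let` block and again, identically, in every other module this commit touches, so the same two-line derivation now lives in a dozen files that will drift the first time one of them is edited. NixOS provides a read-only `config.networking.fqdn` built from `networking.hostName` and `networking.domain`; if the pinned nixpkgs has it, `fqdn = config.networking.fqdn;` replaces both bindings, and if not, a single `my.fqdn` option defined once next to the ACME certificate in the nginx module would serve the same purpose. The `let` block and the module body both extend beyond this hunk.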


@ -15,6 +15,8 @@
my = config.my; my = config.my;
domain = config.networking.domain; domain = config.networking.domain;
hostname = config.networking.hostName;
fqdn = "${hostname}.${domain}";
in { in {
options.my.services.gitea = let options.my.services.gitea = let
inherit (lib) types; inherit (lib) types;
@ -101,7 +103,7 @@ in {
virtualHosts = { virtualHosts = {
"git.${domain}" = { "git.${domain}" = {
forceSSL = true; forceSSL = true;
useACMEHost = domain; useACMEHost = fqdn;
locations."/" = { locations."/" = {
proxyPass = "http://127.0.0.1:${toString cfg.privatePort}"; proxyPass = "http://127.0.0.1:${toString cfg.privatePort}";
@ -110,6 +112,8 @@ in {
}; };
}; };
security.acme.certs.${fqdn}.extraDomainNames = ["git.${domain}"];
systemd.services.gitea.preStart = "${pkgs.coreutils}/bin/ln -sfT ${./templates} ${config.services.gitea.stateDir}/custom/templates"; systemd.services.gitea.preStart = "${pkgs.coreutils}/bin/ln -sfT ${./templates} ${config.services.gitea.stateDir}/custom/templates";
}; };
} }


@ -14,6 +14,8 @@
my = config.my; my = config.my;
domain = config.networking.domain; domain = config.networking.domain;
hostname = config.networking.hostName;
fqdn = "${hostname}.${domain}";
# hardcoded in NixOS module :( # hardcoded in NixOS module :(
jellyfinPort = 8096; jellyfinPort = 8096;
@ -31,12 +33,14 @@ in {
# Proxy to Jellyfin # Proxy to Jellyfin
services.nginx.virtualHosts."jellyfin.${domain}" = { services.nginx.virtualHosts."jellyfin.${domain}" = {
forceSSL = true; forceSSL = true;
useACMEHost = domain; useACMEHost = fqdn;
locations."/" = { locations."/" = {
proxyPass = "http://localhost:${toString jellyfinPort}/"; proxyPass = "http://localhost:${toString jellyfinPort}/";
proxyWebsockets = true; proxyWebsockets = true;
}; };
}; };
security.acme.certs.${fqdn}.extraDomainNames = ["jellyfin.${domain}"];
}; };
} }


@ -13,7 +13,11 @@
cfg = config.my.services.lohr; cfg = config.my.services.lohr;
my = config.my; my = config.my;
domain = config.networking.domain; domain = config.networking.domain;
hostname = config.networking.hostName;
fqdn = "${hostname}.${domain}";
secrets = config.my.secrets; secrets = config.my.secrets;
lohrPkg = let lohrPkg = let
flake = builtins.getFlake "github:alarsyo/lohr?rev=58503cc8b95c8b627f6ae7e56740609e91f323cd"; flake = builtins.getFlake "github:alarsyo/lohr?rev=58503cc8b95c8b627f6ae7e56740609e91f323cd";
@ -73,12 +77,14 @@ in {
services.nginx.virtualHosts = { services.nginx.virtualHosts = {
"lohr.${domain}" = { "lohr.${domain}" = {
forceSSL = true; forceSSL = true;
useACMEHost = domain; useACMEHost = fqdn;
locations."/" = { locations."/" = {
proxyPass = "http://127.0.0.1:${toString cfg.port}"; proxyPass = "http://127.0.0.1:${toString cfg.port}";
}; };
}; };
}; };
security.acme.certs.${fqdn}.extraDomainNames = ["lohr.${domain}"];
}; };
} }


@ -32,7 +32,10 @@
public = 443; public = 443;
private = 11339; private = 11339;
}; };
domain = config.networking.domain; domain = config.networking.domain;
hostname = config.networking.hostName;
fqdn = "${hostname}.${domain}";
in { in {
options.my.services.matrix = let options.my.services.matrix = let
inherit (lib) types; inherit (lib) types;
@ -147,7 +150,7 @@ in {
virtualHosts = { virtualHosts = {
"matrix.${domain}" = { "matrix.${domain}" = {
onlySSL = true; onlySSL = true;
useACMEHost = domain; useACMEHost = fqdn;
locations = let locations = let
proxyToClientPort = { proxyToClientPort = {
@ -181,7 +184,7 @@ in {
"matrix.${domain}_federation" = rec { "matrix.${domain}_federation" = rec {
onlySSL = true; onlySSL = true;
serverName = "matrix.${domain}"; serverName = "matrix.${domain}";
useACMEHost = domain; useACMEHost = fqdn;
locations."/".return = "404"; locations."/".return = "404";
@ -205,7 +208,7 @@ in {
"${domain}" = { "${domain}" = {
forceSSL = true; forceSSL = true;
useACMEHost = domain; useACMEHost = fqdn;
locations."= /.well-known/matrix/server".extraConfig = let locations."= /.well-known/matrix/server".extraConfig = let
server = {"m.server" = "matrix.${domain}:${toString federationPort.public}";}; server = {"m.server" = "matrix.${domain}:${toString federationPort.public}";};
@ -230,7 +233,7 @@ in {
# Element Web app deployment # Element Web app deployment
# #
"chat.${domain}" = { "chat.${domain}" = {
useACMEHost = domain; useACMEHost = fqdn;
forceSSL = true; forceSSL = true;
root = pkgs.element-web.override { root = pkgs.element-web.override {
@ -259,6 +262,8 @@ in {
}; };
}; };
security.acme.certs.${fqdn}.extraDomainNames = ["chat.${domain}" "matrix.${domain}" domain];
# For administration tools. # For administration tools.
environment.systemPackages = [pkgs.matrix-synapse]; environment.systemPackages = [pkgs.matrix-synapse];


@ -15,6 +15,8 @@
my = config.my; my = config.my;
domain = config.networking.domain; domain = config.networking.domain;
hostname = config.networking.hostName;
fqdn = "${hostname}.${domain}";
in { in {
options.my.services.miniflux = let options.my.services.miniflux = let
inherit (lib) types; inherit (lib) types;
@ -60,7 +62,7 @@ in {
virtualHosts = { virtualHosts = {
"reader.${domain}" = { "reader.${domain}" = {
forceSSL = true; forceSSL = true;
useACMEHost = domain; useACMEHost = fqdn;
locations."/" = { locations."/" = {
proxyPass = "http://127.0.0.1:${toString cfg.privatePort}"; proxyPass = "http://127.0.0.1:${toString cfg.privatePort}";
@ -68,5 +70,7 @@ in {
}; };
}; };
}; };
security.acme.certs.${fqdn}.extraDomainNames = ["reader.${domain}"];
}; };
} }


@ -13,6 +13,8 @@
cfg = config.my.services.monitoring; cfg = config.my.services.monitoring;
domain = config.networking.domain; domain = config.networking.domain;
hostname = config.networking.hostName;
fqdn = "${hostname}.${domain}";
in { in {
options.my.services.monitoring = let options.my.services.monitoring = let
inherit (lib) types; inherit (lib) types;
@ -103,15 +105,17 @@ in {
}; };
services.nginx = { services.nginx = {
virtualHosts.${config.services.grafana.domain} = { virtualHosts.${cfg.domain} = {
locations."/" = { locations."/" = {
proxyPass = "http://127.0.0.1:${toString config.services.grafana.port}"; proxyPass = "http://127.0.0.1:${toString config.services.grafana.port}";
proxyWebsockets = true; proxyWebsockets = true;
}; };
forceSSL = true; forceSSL = true;
useACMEHost = domain; useACMEHost = fqdn;
}; };
}; };
security.acme.certs.${fqdn}.extraDomainNames = [cfg.domain];
}; };
} }
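Review bot: The virtual host key and the certificate SAN are now both taken from `cfg.domain`, but nothing in this hunk ties Grafana's own `services.grafana.domain` (which drives its root URL, redirects and cookie scope) to that value; if it is not set from `cfg.domain` elsewhere in this module, the two can diverge and Grafana will redirect to a name the proxy does not serve and the certificate does not cover. Either set `services.grafana.domain = cfg.domain;` in this module or add an assertion that the two agree. The enclosing `config` attrset starts before this hunk.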


@ -14,6 +14,8 @@
cfg = config.my.services.navidrome; cfg = config.my.services.navidrome;
domain = config.networking.domain; domain = config.networking.domain;
hostname = config.networking.hostName;
fqdn = "${hostname}.${domain}";
in { in {
options.my.services.navidrome = let options.my.services.navidrome = let
inherit (lib) types; inherit (lib) types;
@ -46,7 +48,7 @@ in {
services.nginx.virtualHosts."music.${domain}" = { services.nginx.virtualHosts."music.${domain}" = {
forceSSL = true; forceSSL = true;
useACMEHost = domain; useACMEHost = fqdn;
listen = [ listen = [
# FIXME: hardcoded tailscale IP # FIXME: hardcoded tailscale IP
@ -67,5 +69,7 @@ in {
proxyWebsockets = true; proxyWebsockets = true;
}; };
}; };
security.acme.certs.${fqdn}.extraDomainNames = ["music.${domain}"];
}; };
} }


@ -16,6 +16,8 @@ let
cfg = config.my.services.nextcloud; cfg = config.my.services.nextcloud;
my = config.my; my = config.my;
domain = config.networking.domain; domain = config.networking.domain;
hostname = config.networking.hostName;
fqdn = "${hostname}.${domain}";
dbName = "nextcloud"; dbName = "nextcloud";
in { in {
options.my.services.nextcloud = let options.my.services.nextcloud = let
@ -85,11 +87,13 @@ in {
virtualHosts = { virtualHosts = {
"cloud.${domain}" = { "cloud.${domain}" = {
forceSSL = true; forceSSL = true;
useACMEHost = domain; useACMEHost = fqdn;
}; };
}; };
}; };
security.acme.certs.${fqdn}.extraDomainNames = ["cloud.${domain}"];
my.services.restic-backup = let my.services.restic-backup = let
nextcloudHome = config.services.nextcloud.home; nextcloudHome = config.services.nextcloud.home;
in in


@ -54,10 +54,11 @@ in {
certs = let certs = let
domain = config.networking.domain; domain = config.networking.domain;
hostname = config.networking.hostName;
fqdn = "${hostname}.${domain}";
gandiKey = config.my.secrets.gandiKey; gandiKey = config.my.secrets.gandiKey;
in { in {
"${domain}" = { "${fqdn}" = {
extraDomainNames = ["*.${domain}"];
dnsProvider = "gandiv5"; dnsProvider = "gandiv5";
credentialsFile = config.age.secrets."gandi/api-key".path; credentialsFile = config.age.secrets."gandi/api-key".path;
group = "nginx"; group = "nginx";
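Review bot: The per-host `${fqdn}` certificate still carries `*.${domain}` as a SAN (the `extraDomainNames = ["*.${domain}"];` line is printed once here and so appears to be on the new side), so every server importing this module obtains a wildcard for the whole zone, and a private-key compromise on any one host compromises TLS for every subdomain on every server. The service modules in this commit now append the exact names they serve to `security.acme.certs.${fqdn}.extraDomainNames`, which makes the wildcard redundant for them; dropping `extraDomainNames = ["*.${domain}"];` would leave each host with a certificate listing only the names it actually answers for, and any vhost still relying on the wildcard would then fail at issuance instead of silently riding on it. Note the apex `${domain}` is not covered by a wildcard anyway, which is why the matrix module lists it explicitly. The `certs` attrset continues past the end of this hunk.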


@ -14,6 +14,8 @@
cfg = config.my.services.paperless; cfg = config.my.services.paperless;
my = config.my; my = config.my;
domain = config.networking.domain; domain = config.networking.domain;
hostname = config.networking.hostName;
fqdn = "${hostname}.${domain}";
paperlessDomain = "paperless.${domain}"; paperlessDomain = "paperless.${domain}";
in { in {
options.my.services.paperless = let options.my.services.paperless = let
@ -99,7 +101,7 @@ in {
services.nginx.virtualHosts = { services.nginx.virtualHosts = {
"${paperlessDomain}" = { "${paperlessDomain}" = {
forceSSL = true; forceSSL = true;
useACMEHost = domain; useACMEHost = fqdn;
listen = [ listen = [
# FIXME: hardcoded tailscale IP # FIXME: hardcoded tailscale IP
@ -122,6 +124,8 @@ in {
}; };
}; };
security.acme.certs.${fqdn}.extraDomainNames = [paperlessDomain];
my.services.restic-backup = mkIf cfg.enable { my.services.restic-backup = mkIf cfg.enable {
paths = [ paths = [
config.services.paperless.dataDir config.services.paperless.dataDir
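Review bot: `security.acme.certs.${fqdn}.extraDomainNames = [paperlessDomain];` is defined unconditionally, while the neighbouring `my.services.restic-backup = mkIf cfg.enable { ... }` suggests this module's `config` is not wrapped in `mkIf cfg.enable` as a whole. If that reading is right, every host that imports this module requests `paperless.${domain}` in its certificate even where paperless is disabled, which hands the name to a server that does not serve it and reintroduces the cross-server coupling the commit is meant to remove. Guard the definition the same way as the backup: `security.acme.certs.${fqdn}.extraDomainNames = mkIf cfg.enable [paperlessDomain];`. The enclosing `config` attrset starts before this hunk.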


@ -14,6 +14,8 @@
cfg = config.my.services.transmission; cfg = config.my.services.transmission;
domain = config.networking.domain; domain = config.networking.domain;
hostname = config.networking.hostName;
fqdn = "${hostname}.${domain}";
webuiDomain = "transmission.${domain}"; webuiDomain = "transmission.${domain}";
transmissionRpcPort = 9091; transmissionRpcPort = 9091;
@ -73,7 +75,7 @@ in {
services.nginx.virtualHosts."${webuiDomain}" = { services.nginx.virtualHosts."${webuiDomain}" = {
forceSSL = true; forceSSL = true;
useACMEHost = domain; useACMEHost = fqdn;
locations."/".proxyPass = "http://127.0.0.1:${toString transmissionRpcPort}"; locations."/".proxyPass = "http://127.0.0.1:${toString transmissionRpcPort}";
@ -91,5 +93,7 @@ in {
} }
]; ];
}; };
security.acme.certs.${fqdn}.extraDomainNames = [webuiDomain];
}; };
} }


@ -15,6 +15,8 @@
my = config.my; my = config.my;
domain = config.networking.domain; domain = config.networking.domain;
hostname = config.networking.hostName;
fqdn = "${hostname}.${domain}";
in { in {
options.my.services.vaultwarden = let options.my.services.vaultwarden = let
inherit (lib) types; inherit (lib) types;
@ -68,7 +70,7 @@ in {
virtualHosts = { virtualHosts = {
"pass.${domain}" = { "pass.${domain}" = {
forceSSL = true; forceSSL = true;
useACMEHost = domain; useACMEHost = fqdn;
locations."/" = { locations."/" = {
proxyPass = "http://127.0.0.1:${toString cfg.privatePort}"; proxyPass = "http://127.0.0.1:${toString cfg.privatePort}";
@ -86,6 +88,8 @@ in {
}; };
}; };
security.acme.certs.${fqdn}.extraDomainNames = ["pass.${domain}"];
# FIXME: should be renamed to vaultwarden eventually # FIXME: should be renamed to vaultwarden eventually
my.services.restic-backup = mkIf cfg.enable { my.services.restic-backup = mkIf cfg.enable {
paths = ["/var/lib/bitwarden_rs"]; paths = ["/var/lib/bitwarden_rs"];
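Review bot: `security.acme.certs.${fqdn}.extraDomainNames = ["pass.${domain}"];` carries no `mkIf cfg.enable`, yet the `my.services.restic-backup` definition two lines below is guarded by one, which suggests the enclosing `config` is not guarded as a whole. If so, a host with vaultwarden disabled still obtains a certificate valid for `pass.${domain}`, the password-manager name, which is the one SAN you least want sitting on a server that does not run the service. Guard it like the backup: `security.acme.certs.${fqdn}.extraDomainNames = mkIf cfg.enable ["pass.${domain}"];`. The enclosing `config` attrset starts before this hunk.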