services: use subdomain for ACME cert
Avoids conflicts now that I have multiple servers sharing the config
This commit is contained in:
parent
baa239dc72
commit
990c035c3b
|
@ -13,7 +13,11 @@
|
||||||
|
|
||||||
cfg = config.my.services.fava;
|
cfg = config.my.services.fava;
|
||||||
my = config.my;
|
my = config.my;
|
||||||
|
|
||||||
domain = config.networking.domain;
|
domain = config.networking.domain;
|
||||||
|
hostname = config.networking.hostName;
|
||||||
|
fqdn = "${hostname}.${domain}";
|
||||||
|
|
||||||
secrets = config.my.secrets;
|
secrets = config.my.secrets;
|
||||||
in {
|
in {
|
||||||
options.my.services.fava = let
|
options.my.services.fava = let
|
||||||
|
@ -65,7 +69,7 @@ in {
|
||||||
services.nginx.virtualHosts = {
|
services.nginx.virtualHosts = {
|
||||||
"fava.${domain}" = {
|
"fava.${domain}" = {
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
useACMEHost = domain;
|
useACMEHost = fqdn;
|
||||||
|
|
||||||
listen = [
|
listen = [
|
||||||
# FIXME: hardcoded tailscale IP
|
# FIXME: hardcoded tailscale IP
|
||||||
|
@ -86,5 +90,7 @@ in {
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
security.acme.certs.${fqdn}.extraDomainNames = ["fava.${domain}"];
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
@ -15,6 +15,8 @@
|
||||||
my = config.my;
|
my = config.my;
|
||||||
|
|
||||||
domain = config.networking.domain;
|
domain = config.networking.domain;
|
||||||
|
hostname = config.networking.hostName;
|
||||||
|
fqdn = "${hostname}.${domain}";
|
||||||
in {
|
in {
|
||||||
options.my.services.gitea = let
|
options.my.services.gitea = let
|
||||||
inherit (lib) types;
|
inherit (lib) types;
|
||||||
|
@ -101,7 +103,7 @@ in {
|
||||||
virtualHosts = {
|
virtualHosts = {
|
||||||
"git.${domain}" = {
|
"git.${domain}" = {
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
useACMEHost = domain;
|
useACMEHost = fqdn;
|
||||||
|
|
||||||
locations."/" = {
|
locations."/" = {
|
||||||
proxyPass = "http://127.0.0.1:${toString cfg.privatePort}";
|
proxyPass = "http://127.0.0.1:${toString cfg.privatePort}";
|
||||||
|
@ -110,6 +112,8 @@ in {
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
security.acme.certs.${fqdn}.extraDomainNames = ["git.${domain}"];
|
||||||
|
|
||||||
systemd.services.gitea.preStart = "${pkgs.coreutils}/bin/ln -sfT ${./templates} ${config.services.gitea.stateDir}/custom/templates";
|
systemd.services.gitea.preStart = "${pkgs.coreutils}/bin/ln -sfT ${./templates} ${config.services.gitea.stateDir}/custom/templates";
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
@ -14,6 +14,8 @@
|
||||||
my = config.my;
|
my = config.my;
|
||||||
|
|
||||||
domain = config.networking.domain;
|
domain = config.networking.domain;
|
||||||
|
hostname = config.networking.hostName;
|
||||||
|
fqdn = "${hostname}.${domain}";
|
||||||
|
|
||||||
# hardcoded in NixOS module :(
|
# hardcoded in NixOS module :(
|
||||||
jellyfinPort = 8096;
|
jellyfinPort = 8096;
|
||||||
|
@ -31,12 +33,14 @@ in {
|
||||||
# Proxy to Jellyfin
|
# Proxy to Jellyfin
|
||||||
services.nginx.virtualHosts."jellyfin.${domain}" = {
|
services.nginx.virtualHosts."jellyfin.${domain}" = {
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
useACMEHost = domain;
|
useACMEHost = fqdn;
|
||||||
|
|
||||||
locations."/" = {
|
locations."/" = {
|
||||||
proxyPass = "http://localhost:${toString jellyfinPort}/";
|
proxyPass = "http://localhost:${toString jellyfinPort}/";
|
||||||
proxyWebsockets = true;
|
proxyWebsockets = true;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
security.acme.certs.${fqdn}.extraDomainNames = ["jellyfin.${domain}"];
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
@ -13,7 +13,11 @@
|
||||||
|
|
||||||
cfg = config.my.services.lohr;
|
cfg = config.my.services.lohr;
|
||||||
my = config.my;
|
my = config.my;
|
||||||
|
|
||||||
domain = config.networking.domain;
|
domain = config.networking.domain;
|
||||||
|
hostname = config.networking.hostName;
|
||||||
|
fqdn = "${hostname}.${domain}";
|
||||||
|
|
||||||
secrets = config.my.secrets;
|
secrets = config.my.secrets;
|
||||||
lohrPkg = let
|
lohrPkg = let
|
||||||
flake = builtins.getFlake "github:alarsyo/lohr?rev=58503cc8b95c8b627f6ae7e56740609e91f323cd";
|
flake = builtins.getFlake "github:alarsyo/lohr?rev=58503cc8b95c8b627f6ae7e56740609e91f323cd";
|
||||||
|
@ -73,12 +77,14 @@ in {
|
||||||
services.nginx.virtualHosts = {
|
services.nginx.virtualHosts = {
|
||||||
"lohr.${domain}" = {
|
"lohr.${domain}" = {
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
useACMEHost = domain;
|
useACMEHost = fqdn;
|
||||||
|
|
||||||
locations."/" = {
|
locations."/" = {
|
||||||
proxyPass = "http://127.0.0.1:${toString cfg.port}";
|
proxyPass = "http://127.0.0.1:${toString cfg.port}";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
security.acme.certs.${fqdn}.extraDomainNames = ["lohr.${domain}"];
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
@ -32,7 +32,10 @@
|
||||||
public = 443;
|
public = 443;
|
||||||
private = 11339;
|
private = 11339;
|
||||||
};
|
};
|
||||||
|
|
||||||
domain = config.networking.domain;
|
domain = config.networking.domain;
|
||||||
|
hostname = config.networking.hostName;
|
||||||
|
fqdn = "${hostname}.${domain}";
|
||||||
in {
|
in {
|
||||||
options.my.services.matrix = let
|
options.my.services.matrix = let
|
||||||
inherit (lib) types;
|
inherit (lib) types;
|
||||||
|
@ -147,7 +150,7 @@ in {
|
||||||
virtualHosts = {
|
virtualHosts = {
|
||||||
"matrix.${domain}" = {
|
"matrix.${domain}" = {
|
||||||
onlySSL = true;
|
onlySSL = true;
|
||||||
useACMEHost = domain;
|
useACMEHost = fqdn;
|
||||||
|
|
||||||
locations = let
|
locations = let
|
||||||
proxyToClientPort = {
|
proxyToClientPort = {
|
||||||
|
@ -181,7 +184,7 @@ in {
|
||||||
"matrix.${domain}_federation" = rec {
|
"matrix.${domain}_federation" = rec {
|
||||||
onlySSL = true;
|
onlySSL = true;
|
||||||
serverName = "matrix.${domain}";
|
serverName = "matrix.${domain}";
|
||||||
useACMEHost = domain;
|
useACMEHost = fqdn;
|
||||||
|
|
||||||
locations."/".return = "404";
|
locations."/".return = "404";
|
||||||
|
|
||||||
|
@ -205,7 +208,7 @@ in {
|
||||||
|
|
||||||
"${domain}" = {
|
"${domain}" = {
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
useACMEHost = domain;
|
useACMEHost = fqdn;
|
||||||
|
|
||||||
locations."= /.well-known/matrix/server".extraConfig = let
|
locations."= /.well-known/matrix/server".extraConfig = let
|
||||||
server = {"m.server" = "matrix.${domain}:${toString federationPort.public}";};
|
server = {"m.server" = "matrix.${domain}:${toString federationPort.public}";};
|
||||||
|
@ -230,7 +233,7 @@ in {
|
||||||
# Element Web app deployment
|
# Element Web app deployment
|
||||||
#
|
#
|
||||||
"chat.${domain}" = {
|
"chat.${domain}" = {
|
||||||
useACMEHost = domain;
|
useACMEHost = fqdn;
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
|
|
||||||
root = pkgs.element-web.override {
|
root = pkgs.element-web.override {
|
||||||
|
@ -259,6 +262,8 @@ in {
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
security.acme.certs.${fqdn}.extraDomainNames = ["chat.${domain}" "matrix.${domain}" domain];
|
||||||
|
|
||||||
# For administration tools.
|
# For administration tools.
|
||||||
environment.systemPackages = [pkgs.matrix-synapse];
|
environment.systemPackages = [pkgs.matrix-synapse];
|
||||||
|
|
||||||
|
|
|
@ -15,6 +15,8 @@
|
||||||
my = config.my;
|
my = config.my;
|
||||||
|
|
||||||
domain = config.networking.domain;
|
domain = config.networking.domain;
|
||||||
|
hostname = config.networking.hostName;
|
||||||
|
fqdn = "${hostname}.${domain}";
|
||||||
in {
|
in {
|
||||||
options.my.services.miniflux = let
|
options.my.services.miniflux = let
|
||||||
inherit (lib) types;
|
inherit (lib) types;
|
||||||
|
@ -60,7 +62,7 @@ in {
|
||||||
virtualHosts = {
|
virtualHosts = {
|
||||||
"reader.${domain}" = {
|
"reader.${domain}" = {
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
useACMEHost = domain;
|
useACMEHost = fqdn;
|
||||||
|
|
||||||
locations."/" = {
|
locations."/" = {
|
||||||
proxyPass = "http://127.0.0.1:${toString cfg.privatePort}";
|
proxyPass = "http://127.0.0.1:${toString cfg.privatePort}";
|
||||||
|
@ -68,5 +70,7 @@ in {
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
security.acme.certs.${fqdn}.extraDomainNames = ["reader.${domain}"];
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
@ -13,6 +13,8 @@
|
||||||
|
|
||||||
cfg = config.my.services.monitoring;
|
cfg = config.my.services.monitoring;
|
||||||
domain = config.networking.domain;
|
domain = config.networking.domain;
|
||||||
|
hostname = config.networking.hostName;
|
||||||
|
fqdn = "${hostname}.${domain}";
|
||||||
in {
|
in {
|
||||||
options.my.services.monitoring = let
|
options.my.services.monitoring = let
|
||||||
inherit (lib) types;
|
inherit (lib) types;
|
||||||
|
@ -103,15 +105,17 @@ in {
|
||||||
};
|
};
|
||||||
|
|
||||||
services.nginx = {
|
services.nginx = {
|
||||||
virtualHosts.${config.services.grafana.domain} = {
|
virtualHosts.${cfg.domain} = {
|
||||||
locations."/" = {
|
locations."/" = {
|
||||||
proxyPass = "http://127.0.0.1:${toString config.services.grafana.port}";
|
proxyPass = "http://127.0.0.1:${toString config.services.grafana.port}";
|
||||||
proxyWebsockets = true;
|
proxyWebsockets = true;
|
||||||
};
|
};
|
||||||
|
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
useACMEHost = domain;
|
useACMEHost = fqdn;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
security.acme.certs.${fqdn}.extraDomainNames = [cfg.domain];
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
@ -14,6 +14,8 @@
|
||||||
|
|
||||||
cfg = config.my.services.navidrome;
|
cfg = config.my.services.navidrome;
|
||||||
domain = config.networking.domain;
|
domain = config.networking.domain;
|
||||||
|
hostname = config.networking.hostName;
|
||||||
|
fqdn = "${hostname}.${domain}";
|
||||||
in {
|
in {
|
||||||
options.my.services.navidrome = let
|
options.my.services.navidrome = let
|
||||||
inherit (lib) types;
|
inherit (lib) types;
|
||||||
|
@ -46,7 +48,7 @@ in {
|
||||||
|
|
||||||
services.nginx.virtualHosts."music.${domain}" = {
|
services.nginx.virtualHosts."music.${domain}" = {
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
useACMEHost = domain;
|
useACMEHost = fqdn;
|
||||||
|
|
||||||
listen = [
|
listen = [
|
||||||
# FIXME: hardcoded tailscale IP
|
# FIXME: hardcoded tailscale IP
|
||||||
|
@ -67,5 +69,7 @@ in {
|
||||||
proxyWebsockets = true;
|
proxyWebsockets = true;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
security.acme.certs.${fqdn}.extraDomainNames = ["music.${domain}"];
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
@ -16,6 +16,8 @@ let
|
||||||
cfg = config.my.services.nextcloud;
|
cfg = config.my.services.nextcloud;
|
||||||
my = config.my;
|
my = config.my;
|
||||||
domain = config.networking.domain;
|
domain = config.networking.domain;
|
||||||
|
hostname = config.networking.hostName;
|
||||||
|
fqdn = "${hostname}.${domain}";
|
||||||
dbName = "nextcloud";
|
dbName = "nextcloud";
|
||||||
in {
|
in {
|
||||||
options.my.services.nextcloud = let
|
options.my.services.nextcloud = let
|
||||||
|
@ -85,11 +87,13 @@ in {
|
||||||
virtualHosts = {
|
virtualHosts = {
|
||||||
"cloud.${domain}" = {
|
"cloud.${domain}" = {
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
useACMEHost = domain;
|
useACMEHost = fqdn;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
security.acme.certs.${fqdn}.extraDomainNames = ["cloud.${domain}"];
|
||||||
|
|
||||||
my.services.restic-backup = let
|
my.services.restic-backup = let
|
||||||
nextcloudHome = config.services.nextcloud.home;
|
nextcloudHome = config.services.nextcloud.home;
|
||||||
in
|
in
|
||||||
|
|
|
@ -54,10 +54,11 @@ in {
|
||||||
|
|
||||||
certs = let
|
certs = let
|
||||||
domain = config.networking.domain;
|
domain = config.networking.domain;
|
||||||
|
hostname = config.networking.hostName;
|
||||||
|
fqdn = "${hostname}.${domain}";
|
||||||
gandiKey = config.my.secrets.gandiKey;
|
gandiKey = config.my.secrets.gandiKey;
|
||||||
in {
|
in {
|
||||||
"${domain}" = {
|
"${fqdn}" = {
|
||||||
extraDomainNames = ["*.${domain}"];
|
|
||||||
dnsProvider = "gandiv5";
|
dnsProvider = "gandiv5";
|
||||||
credentialsFile = config.age.secrets."gandi/api-key".path;
|
credentialsFile = config.age.secrets."gandi/api-key".path;
|
||||||
group = "nginx";
|
group = "nginx";
|
||||||
|
|
|
@ -14,6 +14,8 @@
|
||||||
cfg = config.my.services.paperless;
|
cfg = config.my.services.paperless;
|
||||||
my = config.my;
|
my = config.my;
|
||||||
domain = config.networking.domain;
|
domain = config.networking.domain;
|
||||||
|
hostname = config.networking.hostName;
|
||||||
|
fqdn = "${hostname}.${domain}";
|
||||||
paperlessDomain = "paperless.${domain}";
|
paperlessDomain = "paperless.${domain}";
|
||||||
in {
|
in {
|
||||||
options.my.services.paperless = let
|
options.my.services.paperless = let
|
||||||
|
@ -99,7 +101,7 @@ in {
|
||||||
services.nginx.virtualHosts = {
|
services.nginx.virtualHosts = {
|
||||||
"${paperlessDomain}" = {
|
"${paperlessDomain}" = {
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
useACMEHost = domain;
|
useACMEHost = fqdn;
|
||||||
|
|
||||||
listen = [
|
listen = [
|
||||||
# FIXME: hardcoded tailscale IP
|
# FIXME: hardcoded tailscale IP
|
||||||
|
@ -122,6 +124,8 @@ in {
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
security.acme.certs.${fqdn}.extraDomainNames = [paperlessDomain];
|
||||||
|
|
||||||
my.services.restic-backup = mkIf cfg.enable {
|
my.services.restic-backup = mkIf cfg.enable {
|
||||||
paths = [
|
paths = [
|
||||||
config.services.paperless.dataDir
|
config.services.paperless.dataDir
|
||||||
|
|
|
@ -14,6 +14,8 @@
|
||||||
cfg = config.my.services.transmission;
|
cfg = config.my.services.transmission;
|
||||||
|
|
||||||
domain = config.networking.domain;
|
domain = config.networking.domain;
|
||||||
|
hostname = config.networking.hostName;
|
||||||
|
fqdn = "${hostname}.${domain}";
|
||||||
webuiDomain = "transmission.${domain}";
|
webuiDomain = "transmission.${domain}";
|
||||||
|
|
||||||
transmissionRpcPort = 9091;
|
transmissionRpcPort = 9091;
|
||||||
|
@ -73,7 +75,7 @@ in {
|
||||||
|
|
||||||
services.nginx.virtualHosts."${webuiDomain}" = {
|
services.nginx.virtualHosts."${webuiDomain}" = {
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
useACMEHost = domain;
|
useACMEHost = fqdn;
|
||||||
|
|
||||||
locations."/".proxyPass = "http://127.0.0.1:${toString transmissionRpcPort}";
|
locations."/".proxyPass = "http://127.0.0.1:${toString transmissionRpcPort}";
|
||||||
|
|
||||||
|
@ -91,5 +93,7 @@ in {
|
||||||
}
|
}
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
|
|
||||||
|
security.acme.certs.${fqdn}.extraDomainNames = [webuiDomain];
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
@ -15,6 +15,8 @@
|
||||||
my = config.my;
|
my = config.my;
|
||||||
|
|
||||||
domain = config.networking.domain;
|
domain = config.networking.domain;
|
||||||
|
hostname = config.networking.hostName;
|
||||||
|
fqdn = "${hostname}.${domain}";
|
||||||
in {
|
in {
|
||||||
options.my.services.vaultwarden = let
|
options.my.services.vaultwarden = let
|
||||||
inherit (lib) types;
|
inherit (lib) types;
|
||||||
|
@ -68,7 +70,7 @@ in {
|
||||||
virtualHosts = {
|
virtualHosts = {
|
||||||
"pass.${domain}" = {
|
"pass.${domain}" = {
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
useACMEHost = domain;
|
useACMEHost = fqdn;
|
||||||
|
|
||||||
locations."/" = {
|
locations."/" = {
|
||||||
proxyPass = "http://127.0.0.1:${toString cfg.privatePort}";
|
proxyPass = "http://127.0.0.1:${toString cfg.privatePort}";
|
||||||
|
@ -86,6 +88,8 @@ in {
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
security.acme.certs.${fqdn}.extraDomainNames = ["pass.${domain}"];
|
||||||
|
|
||||||
# FIXME: should be renamed to vaultwarden eventually
|
# FIXME: should be renamed to vaultwarden eventually
|
||||||
my.services.restic-backup = mkIf cfg.enable {
|
my.services.restic-backup = mkIf cfg.enable {
|
||||||
paths = ["/var/lib/bitwarden_rs"];
|
paths = ["/var/lib/bitwarden_rs"];
|
||||||
|
|
Loading…
Reference in a new issue