services: use wildcard certificate

Should have done this a long time ago
Antoine Martin 2021-07-13 00:57:33 +02:00
parent 64d479e2ce
commit f0e5e90c10
14 changed files with 37 additions and 21 deletions


@ -108,7 +108,6 @@ in
monitoring = {
enable = true;
useACME = true;
domain = "monitoring.${config.networking.domain}";
};
@ -157,9 +156,6 @@ in
};
};
security.acme.acceptTerms = true;
security.acme.email = "antoine97.martin@gmail.com";
# Enable the OpenSSH daemon.
services.openssh.enable = true;
services.openssh.permitRootLogin = "no";


@ -14,6 +14,7 @@ with lib;
nextcloud-admin-pass = lib.fileContents ./nextcloud-admin-pass.secret;
nextcloud-admin-user = lib.fileContents ./nextcloud-admin-user.secret;
lohr-shared-secret = lib.fileContents ./lohr-shared-secret.secret;
gandiKey = lib.fileContents ./gandi-api-key.secret;
borg-backup = import ./borg-backup { inherit lib; };
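Review bot: `gandiKey` is read with `lib.fileContents`, and the nginx section of this commit hands it to `pkgs.writeText "gandi-creds.env" gandiKey`, which lands the Gandi API key in the Nix store as a world-readable file that every local account can read and that may be copied to any binary cache the host pushes to. Unlike the other values in this attrset, this key controls DNS for the whole zone, so it is worth keeping out of the store. Point the ACME `credentialsFile` at a root-owned file deployed outside the store and readable only by the ACME service user, e.g. `credentialsFile = "/PATH/OUTSIDE/STORE/gandi-creds.env";` (placeholder path), and drop the `lib.fileContents` binding for it. The enclosing let block starts before this hunk.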

Binary file not shown.


@ -60,7 +60,7 @@ in {
virtualHosts = {
"pass.${domain}" = {
forceSSL = true;
enableACME = true;
useACMEHost = domain;
locations."/" = {
proxyPass = "http://127.0.0.1:${toString cfg.privatePort}";


@ -91,7 +91,7 @@ in {
virtualHosts = {
"git.${domain}" = {
forceSSL = true;
enableACME = true;
useACMEHost = domain;
locations."/" = {
proxyPass = "http://127.0.0.1:${toString cfg.privatePort}";


@ -24,7 +24,7 @@ in {
# Proxy to Jellyfin
services.nginx.virtualHosts."jellyfin.${domain}" = {
forceSSL = true;
enableACME = true;
useACMEHost = domain;
locations."/" = {
proxyPass = "http://localhost:${toString jellyfinPort}/";


@ -65,7 +65,7 @@ in
services.nginx.virtualHosts = {
"lohr.${domain}" = {
forceSSL = true;
enableACME = true;
useACMEHost = domain;
locations."/" = {
proxyPass = "http://127.0.0.1:${toString cfg.port}";


@ -171,7 +171,7 @@ in {
virtualHosts = {
"matrix.${domain}" = {
forceSSL = true;
enableACME = true;
useACMEHost = domain;
locations =
let
@ -199,7 +199,7 @@ in {
"matrix.${domain}_federation" = rec {
forceSSL = true;
serverName = "matrix.${domain}";
useACMEHost = serverName;
useACMEHost = domain;
locations."/".return = "404";
@ -216,7 +216,7 @@ in {
"${domain}" = {
forceSSL = true;
enableACME = true;
useACMEHost = domain;
locations."= /.well-known/matrix/server".extraConfig =
let
@ -243,7 +243,7 @@ in {
# Element Web app deployment
#
"chat.${domain}" = {
enableACME = true;
useACMEHost = domain;
forceSSL = true;
root = pkgs.element-web.override {


@ -50,7 +50,7 @@ in {
virtualHosts = {
"reader.${domain}" = {
forceSSL = true;
enableACME = true;
useACMEHost = domain;
locations."/" = {
proxyPass = "http://127.0.0.1:${toString cfg.privatePort}";


@ -2,11 +2,12 @@
with lib;
let cfg = config.my.services.monitoring;
let
cfg = config.my.services.monitoring;
domain = config.networking.domain;
in {
options.my.services.monitoring = {
enable = mkEnableOption "Enable monitoring";
useACME = mkEnableOption "Get HTTPS certs";
domain = mkOption {
type = types.str;
@ -76,8 +77,8 @@ in {
proxyWebsockets = true;
};
forceSSL = cfg.useACME;
enableACME = cfg.useACME;
forceSSL = true;
useACMEHost = domain;
};
};
};
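Review bot: The new let binding `domain = config.networking.domain;` shares its name with the module's own `domain` option declared a few lines below (read as `cfg.domain`, which the first section sets to `monitoring.${config.networking.domain}`), so in the vhost hunk `domain` (the zone whose certificate is reused via `useACMEHost`) and `cfg.domain` (the monitoring host name) are easy to confuse. Naming the binding for what it holds, `baseDomain = config.networking.domain;` and `useACMEHost = baseDomain;`, removes the ambiguity. Dropping the `useACME` option also makes `forceSSL = true;` unconditional, which is consistent with the wildcard certificate now always being present; the vhost attrset continues outside the hunk.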


@ -66,7 +66,7 @@ in
virtualHosts = {
"cloud.${domain}" = {
forceSSL = true;
enableACME = true;
useACMEHost = domain;
};
};
};


@ -1,7 +1,7 @@
# Part of config shamelessly stolen from:
#
# https://github.com/delroth/infra.delroth.net
{ config, lib, ... }:
{ config, lib, pkgs, ... }:
{
# Whenever something defines an nginx vhost, ensure that nginx defaults are
# properly set.
@ -17,5 +17,23 @@
};
networking.firewall.allowedTCPPorts = [ 80 443 ];
security.acme = {
acceptTerms = true;
email = "antoine97.martin@gmail.com";
certs =
let
domain = config.networking.domain;
gandiKey = config.my.secrets.gandiKey;
in {
"${domain}" = {
extraDomainNames = [ "*.${domain}" ];
dnsProvider = "gandiv5";
credentialsFile = pkgs.writeText "gandi-creds.env" gandiKey;
group = "nginx";
};
};
};
};
}
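Review bot: `credentialsFile` is produced from the raw contents of `gandiKey`, but the NixOS ACME module loads `credentialsFile` as an environment file and lego's `gandiv5` provider reads its token from `GANDIV5_API_KEY`; unless `gandi-api-key.secret` already contains a `GANDIV5_API_KEY=...` line, the DNS-01 challenge will fail when the certificate service runs rather than at evaluation time. Whatever file ends up as `credentialsFile`, it must hold `GANDIV5_API_KEY=<key>` and not the bare key, and a one-line comment above `credentialsFile` saying so, `# environment file: lego expects GANDIV5_API_KEY=<key>, not the bare key`, would keep the next edit from breaking renewal. `group = "nginx";` is the right counterpart to the `useACMEHost` switches elsewhere in this commit, since nginx reads the cert files directly.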


@ -23,7 +23,7 @@ in
services.nginx.virtualHosts = {
"paperless.${domain}" = {
forceSSL = true;
enableACME = true;
useACMEHost = domain;
locations."/" = {
proxyPass = "http://127.0.0.1:${toString cfg.port}";


@ -56,7 +56,7 @@ in
services.nginx.virtualHosts."${webuiDomain}" = {
forceSSL = true;
enableACME = true;
useACMEHost = domain;
locations."/".proxyPass = "http://127.0.0.1:${toString transmissionRpcPort}";
};
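Review bot: `"${webuiDomain}"` now relies on the single certificate for `domain`, but `webuiDomain` is bound outside this hunk and a wildcard name `*.${domain}` matches exactly one label; if `webuiDomain` sits two labels below `domain` or in a different zone, nginx will present a certificate that does not cover the name and clients will refuse the connection. The other virtual hosts in this commit are literal `"name.${domain}"` patterns and are covered, so this is the one host where the assumption is not visible. A comment next to the vhost, `# webuiDomain must be a direct subdomain of ${domain}: the shared cert only covers *.${domain}`, documents the constraint, or `useACMEHost` could be applied only when `lib.hasSuffix ".${domain}" webuiDomain` holds.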