services: use wildcard certificate
Should have done this a long time ago
This commit is contained in:
parent
64d479e2ce
commit
f0e5e90c10
@ -108,7 +108,6 @@ in
|
|||
|
||||
monitoring = {
|
||||
enable = true;
|
||||
useACME = true;
|
||||
domain = "monitoring.${config.networking.domain}";
|
||||
};
|
||||
|
||||
|
@ -157,9 +156,6 @@ in
|
|||
};
|
||||
};
|
||||
|
||||
security.acme.acceptTerms = true;
|
||||
security.acme.email = "antoine97.martin@gmail.com";
|
||||
|
||||
# Enable the OpenSSH daemon.
|
||||
services.openssh.enable = true;
|
||||
services.openssh.permitRootLogin = "no";
|
||||
|
|
|
@ -14,6 +14,7 @@ with lib;
|
|||
nextcloud-admin-pass = lib.fileContents ./nextcloud-admin-pass.secret;
|
||||
nextcloud-admin-user = lib.fileContents ./nextcloud-admin-user.secret;
|
||||
lohr-shared-secret = lib.fileContents ./lohr-shared-secret.secret;
|
||||
gandiKey = lib.fileContents ./gandi-api-key.secret;
|
||||
|
||||
borg-backup = import ./borg-backup { inherit lib; };
|
||||
|
||||
|
|
BIN
secrets/gandi-api-key.secret
Normal file
Binary file not shown.
|
@ -60,7 +60,7 @@ in {
|
|||
virtualHosts = {
|
||||
"pass.${domain}" = {
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
useACMEHost = domain;
|
||||
|
||||
locations."/" = {
|
||||
proxyPass = "http://127.0.0.1:${toString cfg.privatePort}";
|
||||
|
|
|
@ -91,7 +91,7 @@ in {
|
|||
virtualHosts = {
|
||||
"git.${domain}" = {
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
useACMEHost = domain;
|
||||
|
||||
locations."/" = {
|
||||
proxyPass = "http://127.0.0.1:${toString cfg.privatePort}";
|
||||
|
|
|
@ -24,7 +24,7 @@ in {
|
|||
# Proxy to Jellyfin
|
||||
services.nginx.virtualHosts."jellyfin.${domain}" = {
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
useACMEHost = domain;
|
||||
|
||||
locations."/" = {
|
||||
proxyPass = "http://localhost:${toString jellyfinPort}/";
|
||||
|
|
|
@ -65,7 +65,7 @@ in
|
|||
services.nginx.virtualHosts = {
|
||||
"lohr.${domain}" = {
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
useACMEHost = domain;
|
||||
|
||||
locations."/" = {
|
||||
proxyPass = "http://127.0.0.1:${toString cfg.port}";
|
||||
|
|
|
@ -171,7 +171,7 @@ in {
|
|||
virtualHosts = {
|
||||
"matrix.${domain}" = {
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
useACMEHost = domain;
|
||||
|
||||
locations =
|
||||
let
|
||||
|
@ -199,7 +199,7 @@ in {
|
|||
"matrix.${domain}_federation" = rec {
|
||||
forceSSL = true;
|
||||
serverName = "matrix.${domain}";
|
||||
useACMEHost = serverName;
|
||||
useACMEHost = domain;
|
||||
|
||||
locations."/".return = "404";
|
||||
|
||||
|
@ -216,7 +216,7 @@ in {
|
|||
|
||||
"${domain}" = {
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
useACMEHost = domain;
|
||||
|
||||
locations."= /.well-known/matrix/server".extraConfig =
|
||||
let
|
||||
|
@ -243,7 +243,7 @@ in {
|
|||
# Element Web app deployment
|
||||
#
|
||||
"chat.${domain}" = {
|
||||
enableACME = true;
|
||||
useACMEHost = domain;
|
||||
forceSSL = true;
|
||||
|
||||
root = pkgs.element-web.override {
|
||||
|
|
|
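Review bot: The federation vhost `"matrix.${domain}_federation" = rec {` keeps `rec` although the only self-reference it served, `useACMEHost = serverName;`, is now `useACMEHost = domain;` on the new side, so the attribute set no longer needs to be recursive and the keyword just invites accidental self-references later; `"matrix.${domain}_federation" = {` reads cleaner. This is inferred from the two `useACMEHost` lines shown in the `@ -199` hunk, which lack side markers, so confirm that `serverName` is not referenced elsewhere in the set. The vhost body continues outside the hunk.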
@ -50,7 +50,7 @@ in {
|
|||
virtualHosts = {
|
||||
"reader.${domain}" = {
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
useACMEHost = domain;
|
||||
|
||||
locations."/" = {
|
||||
proxyPass = "http://127.0.0.1:${toString cfg.privatePort}";
|
||||
|
|
|
@ -2,11 +2,12 @@
|
|||
|
||||
with lib;
|
||||
|
||||
let cfg = config.my.services.monitoring;
|
||||
let
|
||||
cfg = config.my.services.monitoring;
|
||||
domain = config.networking.domain;
|
||||
in {
|
||||
options.my.services.monitoring = {
|
||||
enable = mkEnableOption "Enable monitoring";
|
||||
useACME = mkEnableOption "Get HTTPS certs";
|
||||
|
||||
domain = mkOption {
|
||||
type = types.str;
|
||||
|
@ -76,8 +77,8 @@ in {
|
|||
proxyWebsockets = true;
|
||||
};
|
||||
|
||||
forceSSL = cfg.useACME;
|
||||
enableACME = cfg.useACME;
|
||||
forceSSL = true;
|
||||
useACMEHost = domain;
|
||||
};
|
||||
};
|
||||
};
|
||||
|
|
|
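Review bot: The `useACME = mkEnableOption "Get HTTPS certs";` option is still declared in the `@ -2` hunk while the `@ -76` hunk replaces its only visible reads, `forceSSL = cfg.useACME;` and `enableACME = cfg.useACME;`, with the unconditional `forceSSL = true;` and `useACMEHost = domain;`, so setting `useACME = false` on a host now has no visible effect on the vhost. Either drop the option together with the `useACME = true;` assignment in the host hunk at `@ -108`, or keep it meaningful with `forceSSL = cfg.useACME;` and guard `useACMEHost` the same way. Lines of this module outside the two hunks are not shown, so confirm no other reader of `cfg.useACME` remains before removing it.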
@ -66,7 +66,7 @@ in
|
|||
virtualHosts = {
|
||||
"cloud.${domain}" = {
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
useACMEHost = domain;
|
||||
};
|
||||
};
|
||||
};
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
# Part of config shamelessly stolen from:
|
||||
#
|
||||
# https://github.com/delroth/infra.delroth.net
|
||||
{ config, lib, ... }:
|
||||
{ config, lib, pkgs, ... }:
|
||||
{
|
||||
# Whenever something defines an nginx vhost, ensure that nginx defaults are
|
||||
# properly set.
|
||||
|
@ -17,5 +17,23 @@
|
|||
};
|
||||
|
||||
networking.firewall.allowedTCPPorts = [ 80 443 ];
|
||||
|
||||
security.acme = {
|
||||
acceptTerms = true;
|
||||
email = "antoine97.martin@gmail.com";
|
||||
|
||||
certs =
|
||||
let
|
||||
domain = config.networking.domain;
|
||||
gandiKey = config.my.secrets.gandiKey;
|
||||
in {
|
||||
"${domain}" = {
|
||||
extraDomainNames = [ "*.${domain}" ];
|
||||
dnsProvider = "gandiv5";
|
||||
credentialsFile = pkgs.writeText "gandi-creds.env" gandiKey;
|
||||
group = "nginx";
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
|
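Review bot: `credentialsFile = pkgs.writeText "gandi-creds.env" gandiKey;` writes the Gandi API key into the Nix store, which is world-readable on the host and on any binary cache or remote builder the system closure reaches, so the DNS-01 credential that can issue certificates for the whole `*.${domain}` zone becomes readable by every local user; the key enters the evaluation through `gandiKey = lib.fileContents ./gandi-api-key.secret;` in the secrets hunk at `@ -14`. Point `credentialsFile` at a file deployed outside the store and readable only by the ACME service user instead, e.g. `credentialsFile = "<path-to-deployed-gandi-creds.env>";` (placeholder path), which also lets `pkgs` be dropped again from `{ config, lib, pkgs, ... }:`. This assumes the secret already holds the `GANDIV5_API_KEY=` line the gandiv5 provider expects; if it holds the bare key, the file format needs adjusting either way. The new `secrets/gandi-api-key.secret` is shown only as a binary, presumably encrypted like the other `.secret` files; confirm that before pushing, since a wildcard-capable key in plaintext history would need rotation.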
@ -23,7 +23,7 @@ in
|
|||
services.nginx.virtualHosts = {
|
||||
"paperless.${domain}" = {
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
useACMEHost = domain;
|
||||
|
||||
locations."/" = {
|
||||
proxyPass = "http://127.0.0.1:${toString cfg.port}";
|
||||
|
|
|
@ -56,7 +56,7 @@ in
|
|||
|
||||
services.nginx.virtualHosts."${webuiDomain}" = {
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
useACMEHost = domain;
|
||||
|
||||
locations."/".proxyPass = "http://127.0.0.1:${toString transmissionRpcPort}";
|
||||
};
|
||||
|
|
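Review bot: `useACMEHost = domain;` for `services.nginx.virtualHosts."${webuiDomain}"` relies on the wildcard certificate covering `webuiDomain`, but `webuiDomain` is defined outside the hunk and the certificate only lists `${domain}` and `*.${domain}`, which matches a single label below the domain and not anything deeper. If `webuiDomain` is a direct subdomain this is fine; otherwise nginx will serve a certificate whose names do not match the host, and a comment such as `# webuiDomain must be a direct subdomain of ${domain} to be covered by the wildcard cert` at this line would make the constraint explicit. The vhost's `locations` block continues past the hunk.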