diff --git a/hosts/poseidon/default.nix b/hosts/poseidon/default.nix
index 059126c..40d6562 100644
--- a/hosts/poseidon/default.nix
+++ b/hosts/poseidon/default.nix
@@ -108,7 +108,6 @@ in
 monitoring = {
 enable = true;
- useACME = true;
 domain = "monitoring.${config.networking.domain}";
 };
@@ -157,9 +156,6 @@ in
 };
 };
- security.acme.acceptTerms = true;
- security.acme.email = "antoine97.martin@gmail.com";
-
 # Enable the OpenSSH daemon.
 services.openssh.enable = true;
 services.openssh.permitRootLogin = "no";
diff --git a/secrets/default.nix b/secrets/default.nix
index 6a0a042..9df6f72 100644
--- a/secrets/default.nix
+++ b/secrets/default.nix
@@ -14,6 +14,7 @@ with lib;
 nextcloud-admin-pass = lib.fileContents ./nextcloud-admin-pass.secret;
 nextcloud-admin-user = lib.fileContents ./nextcloud-admin-user.secret;
 lohr-shared-secret = lib.fileContents ./lohr-shared-secret.secret;
+ gandiKey = lib.fileContents ./gandi-api-key.secret;
 borg-backup = import ./borg-backup { inherit lib; };
diff --git a/secrets/gandi-api-key.secret b/secrets/gandi-api-key.secret
new file mode 100644
index 0000000..06a9eda
Binary files /dev/null and b/secrets/gandi-api-key.secret differ
diff --git a/services/bitwarden_rs.nix b/services/bitwarden_rs.nix
index 0dd8eff..65e3025 100644
--- a/services/bitwarden_rs.nix
+++ b/services/bitwarden_rs.nix
@@ -60,7 +60,7 @@ in {
 virtualHosts = {
 "pass.${domain}" = {
 forceSSL = true;
- enableACME = true;
+ useACMEHost = domain;
 locations."/" = {
 proxyPass = "http://127.0.0.1:${toString cfg.privatePort}";
diff --git a/services/gitea/default.nix b/services/gitea/default.nix
index 641c85c..8997664 100644
--- a/services/gitea/default.nix
+++ b/services/gitea/default.nix
@@ -91,7 +91,7 @@ in {
 virtualHosts = {
 "git.${domain}" = {
 forceSSL = true;
- enableACME = true;
+ useACMEHost = domain;
 locations."/" = {
 proxyPass = "http://127.0.0.1:${toString cfg.privatePort}";
diff --git a/services/jellyfin.nix b/services/jellyfin.nix
index 09382ee..8a4df98 100644
--- a/services/jellyfin.nix
+++ b/services/jellyfin.nix
@@ -24,7 +24,7 @@ in {
 # Proxy to Jellyfin
 services.nginx.virtualHosts."jellyfin.${domain}" = {
 forceSSL = true;
- enableACME = true;
+ useACMEHost = domain;
 locations."/" = {
 proxyPass = "http://localhost:${toString jellyfinPort}/";
diff --git a/services/lohr.nix b/services/lohr.nix
index 03d1d53..45b9ecb 100644
--- a/services/lohr.nix
+++ b/services/lohr.nix
@@ -65,7 +65,7 @@ in
 services.nginx.virtualHosts = {
 "lohr.${domain}" = {
 forceSSL = true;
- enableACME = true;
+ useACMEHost = domain;
 locations."/" = {
 proxyPass = "http://127.0.0.1:${toString cfg.port}";
diff --git a/services/matrix.nix b/services/matrix.nix
index 05dc395..7cf1807 100644
--- a/services/matrix.nix
+++ b/services/matrix.nix
@@ -171,7 +171,7 @@ in {
 virtualHosts = {
 "matrix.${domain}" = {
 forceSSL = true;
- enableACME = true;
+ useACMEHost = domain;
 locations = let
@@ -199,7 +199,7 @@ in {
 "matrix.${domain}_federation" = rec {
 forceSSL = true;
 serverName = "matrix.${domain}";
- useACMEHost = serverName;
+ useACMEHost = domain;
 locations."/".return = "404";
@@ -216,7 +216,7 @@ in {
 "${domain}" = {
 forceSSL = true;
- enableACME = true;
+ useACMEHost = domain;
 locations."= /.well-known/matrix/server".extraConfig = let
@@ -243,7 +243,7 @@ in {
 # Element Web app deployment
 #
 "chat.${domain}" = {
- enableACME = true;
+ useACMEHost = domain;
 forceSSL = true;
 root = pkgs.element-web.override {
diff --git a/services/miniflux.nix b/services/miniflux.nix
index 297eba7..43e51ca 100644
--- a/services/miniflux.nix
+++ b/services/miniflux.nix
@@ -50,7 +50,7 @@ in {
 virtualHosts = {
 "reader.${domain}" = {
 forceSSL = true;
- enableACME = true;
+ useACMEHost = domain;
 locations."/" = {
 proxyPass = "http://127.0.0.1:${toString cfg.privatePort}";
diff --git a/services/monitoring.nix b/services/monitoring.nix
index 2aa66a5..23b1309 100644
--- a/services/monitoring.nix
+++ b/services/monitoring.nix
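Review bot: `rec` on the `"matrix.${domain}_federation"` attribute set in the second matrix.nix hunk is now unused, because the only self-reference was `useACMEHost = serverName;`, which this hunk replaces with `useACMEHost = domain;`. `domain` is bound by the enclosing `let`, not by the set, so the line can simply become `"matrix.${domain}_federation" = {`. Leaving `rec` in place sends a reader looking for a self-reference that no longer exists. The vhost definition continues outside the hunk.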
@@ -2,11 +2,12 @@ with lib;
-let cfg = config.my.services.monitoring;
+let
+ cfg = config.my.services.monitoring;
+ domain = config.networking.domain;
 in {
 options.my.services.monitoring = {
 enable = mkEnableOption "Enable monitoring";
- useACME = mkEnableOption "Get HTTPS certs";
 domain = mkOption {
 type = types.str;
@@ -76,8 +77,8 @@ in {
 proxyWebsockets = true;
 };
- forceSSL = cfg.useACME;
- enableACME = cfg.useACME;
+ forceSSL = true;
+ useACMEHost = domain;
 };
 };
 };
diff --git a/services/nextcloud.nix b/services/nextcloud.nix
index bf85aef..8cbd3cd 100644
--- a/services/nextcloud.nix
+++ b/services/nextcloud.nix
@@ -66,7 +66,7 @@ in
 virtualHosts = {
 "cloud.${domain}" = {
 forceSSL = true;
- enableACME = true;
+ useACMEHost = domain;
 };
 };
 };
diff --git a/services/nginx.nix b/services/nginx.nix
index a9f092f..134615e 100644
--- a/services/nginx.nix
+++ b/services/nginx.nix
@@ -1,7 +1,7 @@
 # Part of config shamelessly stolen from:
 #
 # https://github.com/delroth/infra.delroth.net
-{ config, lib, ... }:
+{ config, lib, pkgs, ... }:
 {
 # Whenever something defines an nginx vhost, ensure that nginx defaults are
 # properly set.
@@ -17,5 +17,23 @@
 };
 networking.firewall.allowedTCPPorts = [ 80 443 ];
+
+ security.acme = {
+ acceptTerms = true;
+ email = "antoine97.martin@gmail.com";
+
+ certs = let domain = config.networking.domain; gandiKey = config.my.secrets.gandiKey; in {
+ "${domain}" = {
+ extraDomainNames = [ "*.${domain}" ];
+ dnsProvider = "gandiv5";
+ credentialsFile = pkgs.writeText "gandi-creds.env" gandiKey;
+ group = "nginx";
+ };
+ };
+ };
 };
 }
diff --git a/services/paperless.nix b/services/paperless.nix
index a315251..132a617 100644
--- a/services/paperless.nix
+++ b/services/paperless.nix
@@ -23,7 +23,7 @@ in
 services.nginx.virtualHosts = {
 "paperless.${domain}" = {
 forceSSL = true;
- enableACME = true;
+ useACMEHost = domain;
 locations."/" = {
 proxyPass = "http://127.0.0.1:${toString cfg.port}";
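Review bot: `credentialsFile = pkgs.writeText "gandi-creds.env" gandiKey;` in the second services/nginx.nix hunk writes the Gandi API key into the Nix store, which is world-readable on the host and is copied to any cache or substituter the system closure is pushed to, so the DNS-provider credential that can issue certificates for `*.${domain}` becomes readable by every local user. The `credentialsFile` option should instead point at a file provisioned outside the store with restrictive permissions, e.g. `credentialsFile = "<path-outside-nix-store>"; # provisioned at 0600, readable by the acme user` (placeholder path), and the matching `gandiKey = lib.fileContents ./gandi-api-key.secret;` line in the secrets/default.nix hunk then becomes unnecessary, which also keeps the key out of the evaluated configuration. Separately, the gandiv5 lego provider reads its token from the `GANDIV5_API_KEY` environment variable, and `credentialsFile` is loaded as an env file; if gandi-api-key.secret holds the bare token rather than a `GANDIV5_API_KEY=…` line the DNS challenge will fail, which cannot be confirmed from the binary secret in this diff. The surrounding module set continues outside the hunk.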
diff --git a/services/transmission.nix b/services/transmission.nix
index b642c56..b55e0b8 100644
--- a/services/transmission.nix
+++ b/services/transmission.nix
@@ -56,7 +56,7 @@ in
 services.nginx.virtualHosts."${webuiDomain}" = {
 forceSSL = true;
- enableACME = true;
+ useACMEHost = domain;
 locations."/".proxyPass = "http://127.0.0.1:${toString transmissionRpcPort}";
 };
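Review bot: `useACMEHost = domain;` on the `"${webuiDomain}"` vhost assumes `webuiDomain` is a single label below `domain`, since the shared certificate defined in services/nginx.nix covers only `${domain}` and `*.${domain}` and a wildcard does not match a second level; `webuiDomain` is defined outside this hunk, so that cannot be confirmed here. A comment on the line, such as `# served from the shared *.${domain} wildcard cert; webuiDomain must be exactly one label below domain`, would record the constraint for the other vhosts switched to `useACMEHost` in this commit as well. The per-vhost ACME challenge location that `enableACME` used to add is no longer configured, which is intended with a DNS-01 wildcard but is worth stating in the commit message.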