From 2725d6664647604ddb65edbd25a3b9ceea2e32a5 Mon Sep 17 00:00:00 2001 From: Antoine Martin Date: Sun, 12 Jun 2022 17:18:58 +0200 Subject: [PATCH 1/6] services: use subdomain for ACME cert Avoids conflicts now that I have multiple servers sharing the config --- services/fava.nix | 8 +++++++- services/gitea/default.nix | 6 +++++- services/jellyfin.nix | 6 +++++- services/lohr.nix | 8 +++++++- services/matrix.nix | 13 +++++++++---- services/miniflux.nix | 6 +++++- services/monitoring.nix | 8 ++++++-- services/navidrome.nix | 6 +++++- services/nextcloud.nix | 6 +++++- services/nginx.nix | 5 +++-- services/paperless.nix | 6 +++++- services/transmission.nix | 7 ++++++- services/vaultwarden.nix | 6 +++++- 13 files changed, 73 insertions(+), 18 deletions(-) diff --git a/services/fava.nix b/services/fava.nix index 59494ad..8e796f5 100644 --- a/services/fava.nix +++ b/services/fava.nix @@ -13,7 +13,11 @@ cfg = config.my.services.fava; my = config.my; + domain = config.networking.domain; + hostname = config.networking.hostName; + fqdn = "${hostname}.${domain}"; + secrets = config.my.secrets; in { options.my.services.fava = let @@ -65,7 +69,7 @@ in { services.nginx.virtualHosts = { "fava.${domain}" = { forceSSL = true; - useACMEHost = domain; + useACMEHost = fqdn; listen = [ # FIXME: hardcoded tailscale IP @@ -86,5 +90,7 @@ in { }; }; }; + + security.acme.certs.${fqdn}.extraDomainNames = ["fava.${domain}"]; }; } diff --git a/services/gitea/default.nix b/services/gitea/default.nix index 6796d88..c6472fb 100644 --- a/services/gitea/default.nix +++ b/services/gitea/default.nix @@ -15,6 +15,8 @@ my = config.my; domain = config.networking.domain; + hostname = config.networking.hostName; + fqdn = "${hostname}.${domain}"; in { options.my.services.gitea = let inherit (lib) types; @@ -101,7 +103,7 @@ in { virtualHosts = { "git.${domain}" = { forceSSL = true; - useACMEHost = domain; + useACMEHost = fqdn; locations."/" = { proxyPass = "http://127.0.0.1:${toString cfg.privatePort}"; 
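Review bot: The `hostname = config.networking.hostName;` / `fqdn = "${hostname}.${domain}";` pair added in the first fava.nix hunk is copied verbatim into all thirteen touched files (fava, gitea, jellyfin, lohr, matrix, miniflux, monitoring, navidrome, nextcloud, nginx, paperless, transmission, vaultwarden); if the pinned nixpkgs provides `config.networking.fqdn`, the pair reduces to `fqdn = config.networking.fqdn;`, and otherwise a single binding exported from nginx.nix (or a `my.fqdn` option) would keep the certificate name defined in one place instead of thirteen. Each service module's `security.acme.certs.${fqdn}.extraDomainNames = [...]` relies on NixOS list merging to assemble the SAN set, which is only correct if the enclosing `config` block is gated on `cfg.enable`; that gate lies outside every hunk here, and without it a disabled service would still have its name requested on every host's certificate. Patches 4/6–6/6 re-issue 1/6–3/6 with identical content (only a stray trailing `+` blank line in transmission.nix is dropped), so the notes on this series apply to both copies.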
@@ -110,6 +112,8 @@ in { }; }; + security.acme.certs.${fqdn}.extraDomainNames = ["git.${domain}"]; + systemd.services.gitea.preStart = "${pkgs.coreutils}/bin/ln -sfT ${./templates} ${config.services.gitea.stateDir}/custom/templates"; }; } diff --git a/services/jellyfin.nix b/services/jellyfin.nix index 4a4ceea..3160770 100644 --- a/services/jellyfin.nix +++ b/services/jellyfin.nix @@ -14,6 +14,8 @@ my = config.my; domain = config.networking.domain; + hostname = config.networking.hostName; + fqdn = "${hostname}.${domain}"; # hardcoded in NixOS module :( jellyfinPort = 8096; @@ -31,12 +33,14 @@ in { # Proxy to Jellyfin services.nginx.virtualHosts."jellyfin.${domain}" = { forceSSL = true; - useACMEHost = domain; + useACMEHost = fqdn; locations."/" = { proxyPass = "http://localhost:${toString jellyfinPort}/"; proxyWebsockets = true; }; }; + + security.acme.certs.${fqdn}.extraDomainNames = ["jellyfin.${domain}"]; }; } diff --git a/services/lohr.nix b/services/lohr.nix index c7a5acf..a86a0b3 100644 --- a/services/lohr.nix +++ b/services/lohr.nix @@ -13,7 +13,11 @@ cfg = config.my.services.lohr; my = config.my; + domain = config.networking.domain; + hostname = config.networking.hostName; + fqdn = "${hostname}.${domain}"; + secrets = config.my.secrets; lohrPkg = let flake = builtins.getFlake "github:alarsyo/lohr?rev=58503cc8b95c8b627f6ae7e56740609e91f323cd"; @@ -73,12 +77,14 @@ in { services.nginx.virtualHosts = { "lohr.${domain}" = { forceSSL = true; - useACMEHost = domain; + useACMEHost = fqdn; locations."/" = { proxyPass = "http://127.0.0.1:${toString cfg.port}"; }; }; }; + + security.acme.certs.${fqdn}.extraDomainNames = ["lohr.${domain}"]; }; } diff --git a/services/matrix.nix b/services/matrix.nix index 82cfb88..eab7e37 100644 --- a/services/matrix.nix +++ b/services/matrix.nix 
@@ -32,7 +32,10 @@ public = 443; private = 11339; }; + domain = config.networking.domain; + hostname = config.networking.hostName; + fqdn = "${hostname}.${domain}"; in { options.my.services.matrix = let inherit (lib) types; @@ -147,7 +150,7 @@ in { virtualHosts = { "matrix.${domain}" = { onlySSL = true; - useACMEHost = domain; + useACMEHost = fqdn; locations = let proxyToClientPort = { @@ -181,7 +184,7 @@ in { "matrix.${domain}_federation" = rec { onlySSL = true; serverName = "matrix.${domain}"; - useACMEHost = domain; + useACMEHost = fqdn; locations."/".return = "404"; @@ -205,7 +208,7 @@ in { "${domain}" = { forceSSL = true; - useACMEHost = domain; + useACMEHost = fqdn; locations."= /.well-known/matrix/server".extraConfig = let server = {"m.server" = "matrix.${domain}:${toString federationPort.public}";}; @@ -230,7 +233,7 @@ in { # Element Web app deployment # "chat.${domain}" = { - useACMEHost = domain; + useACMEHost = fqdn; forceSSL = true; root = pkgs.element-web.override { @@ -259,6 +262,8 @@ in { }; }; + security.acme.certs.${fqdn}.extraDomainNames = ["chat.${domain}" "matrix.${domain}" domain]; + # For administration tools. environment.systemPackages = [pkgs.matrix-synapse]; diff --git a/services/miniflux.nix b/services/miniflux.nix index 5738d8e..b4cf78e 100644 --- a/services/miniflux.nix +++ b/services/miniflux.nix @@ -15,6 +15,8 @@ my = config.my; domain = config.networking.domain; + hostname = config.networking.hostName; + fqdn = "${hostname}.${domain}"; in { options.my.services.miniflux = let inherit (lib) types; @@ -60,7 +62,7 @@ in { virtualHosts = { "reader.${domain}" = { forceSSL = true; - useACMEHost = domain; + useACMEHost = fqdn; locations."/" = { proxyPass = "http://127.0.0.1:${toString cfg.privatePort}"; @@ -68,5 +70,7 @@ in { }; }; }; + + security.acme.certs.${fqdn}.extraDomainNames = ["reader.${domain}"]; }; } diff --git a/services/monitoring.nix b/services/monitoring.nix index 57731ff..a648578 100644 --- a/services/monitoring.nix 
+++ b/services/monitoring.nix @@ -13,6 +13,8 @@ cfg = config.my.services.monitoring; domain = config.networking.domain; + hostname = config.networking.hostName; + fqdn = "${hostname}.${domain}"; in { options.my.services.monitoring = let inherit (lib) types; @@ -103,15 +105,17 @@ in { }; services.nginx = { - virtualHosts.${config.services.grafana.domain} = { + virtualHosts.${cfg.domain} = { locations."/" = { proxyPass = "http://127.0.0.1:${toString config.services.grafana.port}"; proxyWebsockets = true; }; forceSSL = true; - useACMEHost = domain; + useACMEHost = fqdn; }; }; + + security.acme.certs.${fqdn}.extraDomainNames = [cfg.domain]; }; } diff --git a/services/navidrome.nix b/services/navidrome.nix index 75e6d53..c901495 100644 --- a/services/navidrome.nix +++ b/services/navidrome.nix @@ -14,6 +14,8 @@ cfg = config.my.services.navidrome; domain = config.networking.domain; + hostname = config.networking.hostName; + fqdn = "${hostname}.${domain}"; in { options.my.services.navidrome = let inherit (lib) types; @@ -46,7 +48,7 @@ in { services.nginx.virtualHosts."music.${domain}" = { forceSSL = true; - useACMEHost = domain; + useACMEHost = fqdn; listen = [ # FIXME: hardcoded tailscale IP @@ -67,5 +69,7 @@ in { proxyWebsockets = true; }; }; + + security.acme.certs.${fqdn}.extraDomainNames = ["music.${domain}"]; }; } diff --git a/services/nextcloud.nix b/services/nextcloud.nix index 330548e..7349970 100644 --- a/services/nextcloud.nix +++ b/services/nextcloud.nix @@ -16,6 +16,8 @@ let cfg = config.my.services.nextcloud; my = config.my; domain = config.networking.domain; + hostname = config.networking.hostName; + fqdn = "${hostname}.${domain}"; dbName = "nextcloud"; in { options.my.services.nextcloud = let 
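Review bot: The second monitoring.nix hunk changes the vhost key from `virtualHosts.${config.services.grafana.domain}` to `virtualHosts.${cfg.domain}`, which the commit message ("use subdomain for ACME cert") does not mention; unless `services.grafana.domain` is set from `cfg.domain` elsewhere in the module, outside this hunk, nginx and Grafana's own root URL now disagree, login redirects go to a name nginx does not serve, and the new SAN entry `[cfg.domain]` covers a name Grafana does not expect. Keeping both derived from one binding, or a comment on the vhost line such as `# cfg.domain is also the value given to services.grafana.domain`, would make the coupling visible to the next reader.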
@@ -85,11 +87,13 @@ in { virtualHosts = { "cloud.${domain}" = { forceSSL = true; - useACMEHost = domain; + useACMEHost = fqdn; }; }; }; + security.acme.certs.${fqdn}.extraDomainNames = ["cloud.${domain}"]; + my.services.restic-backup = let nextcloudHome = config.services.nextcloud.home; in diff --git a/services/nginx.nix b/services/nginx.nix index a69d1ac..d84425c 100644 --- a/services/nginx.nix +++ b/services/nginx.nix @@ -54,10 +54,11 @@ in { certs = let domain = config.networking.domain; + hostname = config.networking.hostName; + fqdn = "${hostname}.${domain}"; gandiKey = config.my.secrets.gandiKey; in { - "${domain}" = { - extraDomainNames = ["*.${domain}"]; + "${fqdn}" = { dnsProvider = "gandiv5"; credentialsFile = config.age.secrets."gandi/api-key".path; group = "nginx"; diff --git a/services/paperless.nix b/services/paperless.nix index 3c1aee7..415d35e 100644 --- a/services/paperless.nix +++ b/services/paperless.nix @@ -14,6 +14,8 @@ cfg = config.my.services.paperless; my = config.my; domain = config.networking.domain; + hostname = config.networking.hostName; + fqdn = "${hostname}.${domain}"; paperlessDomain = "paperless.${domain}"; in { options.my.services.paperless = let @@ -99,7 +101,7 @@ in { services.nginx.virtualHosts = { "${paperlessDomain}" = { forceSSL = true; - useACMEHost = domain; + useACMEHost = fqdn; listen = [ # FIXME: hardcoded tailscale IP @@ -122,6 +124,8 @@ in { }; }; + security.acme.certs.${fqdn}.extraDomainNames = [paperlessDomain]; + my.services.restic-backup = mkIf cfg.enable { paths = [ config.services.paperless.dataDir diff --git a/services/transmission.nix b/services/transmission.nix index 822070c..13ad6fa 100644 --- a/services/transmission.nix +++ b/services/transmission.nix @@ -14,6 +14,8 @@ cfg = config.my.services.transmission; domain = config.networking.domain; + hostname = config.networking.hostName; + fqdn = "${hostname}.${domain}"; webuiDomain = "transmission.${domain}"; transmissionRpcPort = 9091; 
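Review bot: Removing `extraDomainNames = ["*.${domain}"]` from the nginx.nix cert turns one wildcard certificate into a per-host certificate whose SAN list is assembled by the service modules, so any `useACMEHost = domain;` remaining in a file this commit does not touch now references a certificate that no longer exists and fails at evaluation or activation; checking for the old key before merging is cheap. The enumerated SAN set also publishes every service hostname in Certificate Transparency logs, where the wildcard kept them out of view, and each change to the set causes a fresh issuance that counts against the CA's per-domain issuance limits. With DNS-01 via `dnsProvider = "gandiv5"` now run on every host rather than one, each server holds a credential able to alter the whole zone; a comment on the `credentialsFile` line recording that the key is zone-wide, and a per-host scoped key where the provider offers one, would bound what a single compromised server can change.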
@@ -73,7 +75,7 @@ in { services.nginx.virtualHosts."${webuiDomain}" = { forceSSL = true; - useACMEHost = domain; + useACMEHost = fqdn; locations."/".proxyPass = "http://127.0.0.1:${toString transmissionRpcPort}"; @@ -91,5 +93,8 @@ in { } ]; }; + + security.acme.certs.${fqdn}.extraDomainNames = [webuiDomain]; + }; } diff --git a/services/vaultwarden.nix b/services/vaultwarden.nix index 2d8d370..43ffc85 100644 --- a/services/vaultwarden.nix +++ b/services/vaultwarden.nix @@ -15,6 +15,8 @@ my = config.my; domain = config.networking.domain; + hostname = config.networking.hostName; + fqdn = "${hostname}.${domain}"; in { options.my.services.vaultwarden = let inherit (lib) types; @@ -68,7 +70,7 @@ in { virtualHosts = { "pass.${domain}" = { forceSSL = true; - useACMEHost = domain; + useACMEHost = fqdn; locations."/" = { proxyPass = "http://127.0.0.1:${toString cfg.privatePort}"; @@ -86,6 +88,8 @@ in { }; }; + security.acme.certs.${fqdn}.extraDomainNames = ["pass.${domain}"]; + # FIXME: should be renamed to vaultwarden eventually my.services.restic-backup = mkIf cfg.enable { paths = ["/var/lib/bitwarden_rs"]; From e635fec1f97e276d491a7bdd9e9826f3368f7850 Mon Sep 17 00:00:00 2001 From: Antoine Martin Date: Sun, 12 Jun 2022 17:20:12 +0200 Subject: [PATCH 2/6] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/e0169d7a9d324afebf5679551407756c77af8930' (2022-06-08) → 'github:NixOS/nixpkgs/90cd5459a1fd707819b9a3fb9c852beaaac3b79a' (2022-06-11) • Updated input 'nixpkgs-unstable-small': 'github:NixOS/nixpkgs/a58de450c514aa1bc5a4999f92656ab6b600dc59' (2022-06-10) → 'github:NixOS/nixpkgs/d64abb978cc2fa4b88b074a64d1b456183c8db17' (2022-06-12) --- flake.lock | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/flake.lock b/flake.lock index f5e8575..6529b81 100644 --- a/flake.lock +++ b/flake.lock 
@@ -109,11 +109,11 @@ }, "nixpkgs-unstable-small": { "locked": { - "lastModified": 1654819923, - "narHash": "sha256-s3m3dbCVWw7XAFbkIJyPKtlqgbcDD+2BrBOGTRn0fIw=", + "lastModified": 1655000332, + "narHash": "sha256-G4rs6nRox0146D6uI+zLxl8PwKXEO4PngyNXtY82DJI=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "a58de450c514aa1bc5a4999f92656ab6b600dc59", + "rev": "d64abb978cc2fa4b88b074a64d1b456183c8db17", "type": "github" }, "original": { @@ -125,11 +125,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1654682581, - "narHash": "sha256-Jb1PQCwKgwdNAp907eR5zPzuxV+kRroA3UIxUxCMJ9s=", + "lastModified": 1654953433, + "narHash": "sha256-TwEeh4r50NdWHFAHQSyjCk2cZxgwUfcCCAJOhPdXB28=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "e0169d7a9d324afebf5679551407756c77af8930", + "rev": "90cd5459a1fd707819b9a3fb9c852beaaac3b79a", "type": "github" }, "original": { From 4f96a73d49be1153978d2cbe1cbe3d680e409437 Mon Sep 17 00:00:00 2001 From: Antoine Martin Date: Sun, 12 Jun 2022 17:59:41 +0200 Subject: [PATCH 3/6] hosts: move miniflux from poseidon to hades --- hosts/hades/default.nix | 6 ++++++ hosts/hades/secrets.nix | 2 ++ hosts/poseidon/default.nix | 6 ------ hosts/poseidon/secrets.nix | 2 -- modules/secrets/miniflux/admin-credentials.age | Bin 597 -> 558 bytes modules/secrets/secrets.nix | 2 +- 6 files changed, 9 insertions(+), 9 deletions(-) diff --git a/hosts/hades/default.nix b/hosts/hades/default.nix index cb47d27..4fd34ee 100644 --- a/hosts/hades/default.nix +++ b/hosts/hades/default.nix @@ -57,6 +57,12 @@ in { my.services = { fail2ban.enable = true; + miniflux = { + enable = true; + adminCredentialsFile = config.age.secrets."miniflux/admin-credentials".path; + privatePort = 8080; + }; + restic-backup = { enable = true; repo = "b2:hades-backup-alarsyo"; diff --git a/hosts/hades/secrets.nix b/hosts/hades/secrets.nix index f562d22..464bcc1 100644 --- a/hosts/hades/secrets.nix +++ b/hosts/hades/secrets.nix 
@@ -13,6 +13,8 @@ // attrs; in lib.mapAttrs toSecret { + "miniflux/admin-credentials" = {}; + "restic-backup/hades-credentials" = {}; "restic-backup/hades-password" = {}; diff --git a/hosts/poseidon/default.nix b/hosts/poseidon/default.nix index 7c3bd67..b05967f 100644 --- a/hosts/poseidon/default.nix +++ b/hosts/poseidon/default.nix @@ -96,12 +96,6 @@ in { port = 8083; }; - miniflux = { - enable = true; - adminCredentialsFile = config.age.secrets."miniflux/admin-credentials".path; - privatePort = 8080; - }; - matrix = { enable = true; secretConfigFile = config.age.secrets."matrix-synapse/secret-config".path; diff --git a/hosts/poseidon/secrets.nix b/hosts/poseidon/secrets.nix index 66f6673..719d569 100644 --- a/hosts/poseidon/secrets.nix +++ b/hosts/poseidon/secrets.nix @@ -21,8 +21,6 @@ owner = "matrix-synapse"; }; - "miniflux/admin-credentials" = {}; - "nextcloud/admin-pass" = { owner = "nextcloud"; }; 
diff --git a/modules/secrets/miniflux/admin-credentials.age b/modules/secrets/miniflux/admin-credentials.age index ee534fb684f738e45a223e393e7f14bed881e097..11c576f36bbbd3c601e6e95c5b89e0947be9a194 100644 GIT binary patch delta 525 zcmcc0vW{hfPJM{0rM7E$YPLmMZfKNWfK!Tpx_*?YNr;g}c70Pj-@%cAklLc1mzbfki+`xMf6Aj+05Tg+ZdFi@8a1T6$zbRz_Z;374*&LUD11 zZfc5=si~o*LP3N@rBS+qnRiBEv3YT7icy+be!hRXQ+=VCb4iv-PN=_6PNYkTrE8F% ziDj9kk&j_ES87PPp^34VL4|>KzOz@NrHNsBaY>F#T2xrBp=WYwqN$&ezF%&nn_*Qt z$U3FsNC(~YqSVCVR0T65B}*5sfV_g>#N-H(YFK7My%90|BP_qzI$B42J6UP$6(kv(QWUj0bpQ;MaDql~N%A6=S!=l0{ zW4EvfkAmFPps?U96K|J@$aIt3FypX_g50R$ykst2U0sFb(vpyTzo_KIa{W|`yi^lE zvw$o&XM@mCr;vPYr_}TypK`OnP{;fTKVPo;@1H+5} delta 564 zcmZ3-a+PI*PJL-^P?BM~X?CD~K)z9sepN<(d48^GPL`K`p?Pplm}zlAPDOY|Mv;$W zB$t<=cVb?7NSTRgRjx_7Sy;NWM^2DMxM`4qesQ{cenF{aNI{xKexhSqIhU@TLUD11 zZfc5=si~o*LY0|osYRfIXOgQ|u(p9mVnCLAd8KPaTD?cHNkwINNV<``zO%EpsZnZB zadNU#uD7cJmt|pINMcn|scE)rad25+K}cpwl#54Ycv7N%u~Aa4kzt@?j$4*#fN7B< z$hzdBJneiH-Snc=#Nt$iBC7&(qg;gy3)>{kT$eh9=y(@}h$59Jw>pywE_ZM9AXAGZ zQ}g`#&`i^kppY;VpX78$_oOI`LRU|-aKk{ya94L@ms}S&_dq9?+{%J{1Lr~`)6@c! zi~=WpUw^LTd{YDGNV6*ce9KI8pNeFY$OsotOYKOn6myS2^F)I{(-JeY@Z>}@?GW=y zvqfvg+8ifSql=2NxU0@!qPiSTJqz z^?gzb)0d0(U-*0W%sqj3uU|I2FDr}domO%6<}5`?Crz1Ltr^@x4b7h2%v-(wY;-a3 zdbmhN*Uv2BBy;XmzB6y@JNGuPe0DeYPx;+BU&EexRxAzEj_-+BSb3>)>X~PIUG~jO F0090>%)bBt diff --git a/modules/secrets/secrets.nix b/modules/secrets/secrets.nix index 455f7b0..58082b8 100644 --- a/modules/secrets/secrets.nix +++ b/modules/secrets/secrets.nix @@ -17,7 +17,7 @@ in { "matrix-synapse/secret-config.age".publicKeys = [alarsyo poseidon]; - "miniflux/admin-credentials.age".publicKeys = [alarsyo poseidon]; + "miniflux/admin-credentials.age".publicKeys = [alarsyo hades]; "nextcloud/admin-pass.age".publicKeys = [alarsyo poseidon]; From 990c035c3b4cdf115aa2cf0873906354346a32e9 Mon Sep 17 00:00:00 2001 
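Review bot: `miniflux/admin-credentials.age` is re-keyed from poseidon to hades in the modules/secrets/secrets.nix hunk, but the previous ciphertext remains in git history and poseidon's host key can still decrypt it, so the moved credential should be treated as still known to the old host; rotating the Miniflux admin password as part of the move closes that gap (the 597→558 byte change in the binary delta may indicate the plaintext already changed, which the diff cannot show). A short line in the commit message stating whether the secret was rotated or only re-encrypted would let a later reader tell the two apart. The matching `"miniflux/admin-credentials" = {};` entry in hosts/hades/secrets.nix keeps the default owner and mode, as the removed poseidon entry did, so the decrypted file's readability on hades depends on how the miniflux module consumes `adminCredentialsFile`.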
From: Antoine Martin Date: Sun, 12 Jun 2022 17:18:58 +0200 Subject: [PATCH 4/6] services: use subdomain for ACME cert Avoids conflicts now that I have multiple servers sharing the config --- services/fava.nix | 8 +++++++- services/gitea/default.nix | 6 +++++- services/jellyfin.nix | 6 +++++- services/lohr.nix | 8 +++++++- services/matrix.nix | 13 +++++++++---- services/miniflux.nix | 6 +++++- services/monitoring.nix | 8 ++++++-- services/navidrome.nix | 6 +++++- services/nextcloud.nix | 6 +++++- services/nginx.nix | 5 +++-- services/paperless.nix | 6 +++++- services/transmission.nix | 6 +++++- services/vaultwarden.nix | 6 +++++- 13 files changed, 72 insertions(+), 18 deletions(-) diff --git a/services/fava.nix b/services/fava.nix index 59494ad..8e796f5 100644 --- a/services/fava.nix +++ b/services/fava.nix @@ -13,7 +13,11 @@ cfg = config.my.services.fava; my = config.my; + domain = config.networking.domain; + hostname = config.networking.hostName; + fqdn = "${hostname}.${domain}"; + secrets = config.my.secrets; in { options.my.services.fava = let @@ -65,7 +69,7 @@ in { services.nginx.virtualHosts = { "fava.${domain}" = { forceSSL = true; - useACMEHost = domain; + useACMEHost = fqdn; listen = [ # FIXME: hardcoded tailscale IP @@ -86,5 +90,7 @@ in { }; }; }; + + security.acme.certs.${fqdn}.extraDomainNames = ["fava.${domain}"]; }; } diff --git a/services/gitea/default.nix b/services/gitea/default.nix index 6796d88..c6472fb 100644 --- a/services/gitea/default.nix +++ b/services/gitea/default.nix @@ -15,6 +15,8 @@ my = config.my; domain = config.networking.domain; + hostname = config.networking.hostName; + fqdn = "${hostname}.${domain}"; in { options.my.services.gitea = let inherit (lib) types; @@ -101,7 +103,7 @@ in { virtualHosts = { "git.${domain}" = { forceSSL = true; - useACMEHost = domain; + useACMEHost = fqdn; locations."/" = { proxyPass = "http://127.0.0.1:${toString cfg.privatePort}"; 
@@ -110,6 +112,8 @@ in { }; }; + security.acme.certs.${fqdn}.extraDomainNames = ["git.${domain}"]; + systemd.services.gitea.preStart = "${pkgs.coreutils}/bin/ln -sfT ${./templates} ${config.services.gitea.stateDir}/custom/templates"; }; } diff --git a/services/jellyfin.nix b/services/jellyfin.nix index 4a4ceea..3160770 100644 --- a/services/jellyfin.nix +++ b/services/jellyfin.nix @@ -14,6 +14,8 @@ my = config.my; domain = config.networking.domain; + hostname = config.networking.hostName; + fqdn = "${hostname}.${domain}"; # hardcoded in NixOS module :( jellyfinPort = 8096; @@ -31,12 +33,14 @@ in { # Proxy to Jellyfin services.nginx.virtualHosts."jellyfin.${domain}" = { forceSSL = true; - useACMEHost = domain; + useACMEHost = fqdn; locations."/" = { proxyPass = "http://localhost:${toString jellyfinPort}/"; proxyWebsockets = true; }; }; + + security.acme.certs.${fqdn}.extraDomainNames = ["jellyfin.${domain}"]; }; } diff --git a/services/lohr.nix b/services/lohr.nix index c7a5acf..a86a0b3 100644 --- a/services/lohr.nix +++ b/services/lohr.nix @@ -13,7 +13,11 @@ cfg = config.my.services.lohr; my = config.my; + domain = config.networking.domain; + hostname = config.networking.hostName; + fqdn = "${hostname}.${domain}"; + secrets = config.my.secrets; lohrPkg = let flake = builtins.getFlake "github:alarsyo/lohr?rev=58503cc8b95c8b627f6ae7e56740609e91f323cd"; @@ -73,12 +77,14 @@ in { services.nginx.virtualHosts = { "lohr.${domain}" = { forceSSL = true; - useACMEHost = domain; + useACMEHost = fqdn; locations."/" = { proxyPass = "http://127.0.0.1:${toString cfg.port}"; }; }; }; + + security.acme.certs.${fqdn}.extraDomainNames = ["lohr.${domain}"]; }; } diff --git a/services/matrix.nix b/services/matrix.nix index 82cfb88..eab7e37 100644 --- a/services/matrix.nix +++ b/services/matrix.nix 
@@ -32,7 +32,10 @@ public = 443; private = 11339; }; + domain = config.networking.domain; + hostname = config.networking.hostName; + fqdn = "${hostname}.${domain}"; in { options.my.services.matrix = let inherit (lib) types; @@ -147,7 +150,7 @@ in { virtualHosts = { "matrix.${domain}" = { onlySSL = true; - useACMEHost = domain; + useACMEHost = fqdn; locations = let proxyToClientPort = { @@ -181,7 +184,7 @@ in { "matrix.${domain}_federation" = rec { onlySSL = true; serverName = "matrix.${domain}"; - useACMEHost = domain; + useACMEHost = fqdn; locations."/".return = "404"; @@ -205,7 +208,7 @@ in { "${domain}" = { forceSSL = true; - useACMEHost = domain; + useACMEHost = fqdn; locations."= /.well-known/matrix/server".extraConfig = let server = {"m.server" = "matrix.${domain}:${toString federationPort.public}";}; @@ -230,7 +233,7 @@ in { # Element Web app deployment # "chat.${domain}" = { - useACMEHost = domain; + useACMEHost = fqdn; forceSSL = true; root = pkgs.element-web.override { @@ -259,6 +262,8 @@ in { }; }; + security.acme.certs.${fqdn}.extraDomainNames = ["chat.${domain}" "matrix.${domain}" domain]; + # For administration tools. environment.systemPackages = [pkgs.matrix-synapse]; diff --git a/services/miniflux.nix b/services/miniflux.nix index 5738d8e..b4cf78e 100644 --- a/services/miniflux.nix +++ b/services/miniflux.nix @@ -15,6 +15,8 @@ my = config.my; domain = config.networking.domain; + hostname = config.networking.hostName; + fqdn = "${hostname}.${domain}"; in { options.my.services.miniflux = let inherit (lib) types; @@ -60,7 +62,7 @@ in { virtualHosts = { "reader.${domain}" = { forceSSL = true; - useACMEHost = domain; + useACMEHost = fqdn; locations."/" = { proxyPass = "http://127.0.0.1:${toString cfg.privatePort}"; @@ -68,5 +70,7 @@ in { }; }; }; + + security.acme.certs.${fqdn}.extraDomainNames = ["reader.${domain}"]; }; } diff --git a/services/monitoring.nix b/services/monitoring.nix index 57731ff..a648578 100644 --- a/services/monitoring.nix 
+++ b/services/monitoring.nix @@ -13,6 +13,8 @@ cfg = config.my.services.monitoring; domain = config.networking.domain; + hostname = config.networking.hostName; + fqdn = "${hostname}.${domain}"; in { options.my.services.monitoring = let inherit (lib) types; @@ -103,15 +105,17 @@ in { }; services.nginx = { - virtualHosts.${config.services.grafana.domain} = { + virtualHosts.${cfg.domain} = { locations."/" = { proxyPass = "http://127.0.0.1:${toString config.services.grafana.port}"; proxyWebsockets = true; }; forceSSL = true; - useACMEHost = domain; + useACMEHost = fqdn; }; }; + + security.acme.certs.${fqdn}.extraDomainNames = [cfg.domain]; }; } diff --git a/services/navidrome.nix b/services/navidrome.nix index 75e6d53..c901495 100644 --- a/services/navidrome.nix +++ b/services/navidrome.nix @@ -14,6 +14,8 @@ cfg = config.my.services.navidrome; domain = config.networking.domain; + hostname = config.networking.hostName; + fqdn = "${hostname}.${domain}"; in { options.my.services.navidrome = let inherit (lib) types; @@ -46,7 +48,7 @@ in { services.nginx.virtualHosts."music.${domain}" = { forceSSL = true; - useACMEHost = domain; + useACMEHost = fqdn; listen = [ # FIXME: hardcoded tailscale IP @@ -67,5 +69,7 @@ in { proxyWebsockets = true; }; }; + + security.acme.certs.${fqdn}.extraDomainNames = ["music.${domain}"]; }; } diff --git a/services/nextcloud.nix b/services/nextcloud.nix index 330548e..7349970 100644 --- a/services/nextcloud.nix +++ b/services/nextcloud.nix @@ -16,6 +16,8 @@ let cfg = config.my.services.nextcloud; my = config.my; domain = config.networking.domain; + hostname = config.networking.hostName; + fqdn = "${hostname}.${domain}"; dbName = "nextcloud"; in { options.my.services.nextcloud = let 
@@ -85,11 +87,13 @@ in { virtualHosts = { "cloud.${domain}" = { forceSSL = true; - useACMEHost = domain; + useACMEHost = fqdn; }; }; }; + security.acme.certs.${fqdn}.extraDomainNames = ["cloud.${domain}"]; + my.services.restic-backup = let nextcloudHome = config.services.nextcloud.home; in diff --git a/services/nginx.nix b/services/nginx.nix index a69d1ac..d84425c 100644 --- a/services/nginx.nix +++ b/services/nginx.nix @@ -54,10 +54,11 @@ in { certs = let domain = config.networking.domain; + hostname = config.networking.hostName; + fqdn = "${hostname}.${domain}"; gandiKey = config.my.secrets.gandiKey; in { - "${domain}" = { - extraDomainNames = ["*.${domain}"]; + "${fqdn}" = { dnsProvider = "gandiv5"; credentialsFile = config.age.secrets."gandi/api-key".path; group = "nginx"; diff --git a/services/paperless.nix b/services/paperless.nix index 3c1aee7..415d35e 100644 --- a/services/paperless.nix +++ b/services/paperless.nix @@ -14,6 +14,8 @@ cfg = config.my.services.paperless; my = config.my; domain = config.networking.domain; + hostname = config.networking.hostName; + fqdn = "${hostname}.${domain}"; paperlessDomain = "paperless.${domain}"; in { options.my.services.paperless = let @@ -99,7 +101,7 @@ in { services.nginx.virtualHosts = { "${paperlessDomain}" = { forceSSL = true; - useACMEHost = domain; + useACMEHost = fqdn; listen = [ # FIXME: hardcoded tailscale IP @@ -122,6 +124,8 @@ in { }; }; + security.acme.certs.${fqdn}.extraDomainNames = [paperlessDomain]; + my.services.restic-backup = mkIf cfg.enable { paths = [ config.services.paperless.dataDir diff --git a/services/transmission.nix b/services/transmission.nix index 822070c..c2f4944 100644 --- a/services/transmission.nix +++ b/services/transmission.nix @@ -14,6 +14,8 @@ cfg = config.my.services.transmission; domain = config.networking.domain; + hostname = config.networking.hostName; + fqdn = "${hostname}.${domain}"; webuiDomain = "transmission.${domain}"; transmissionRpcPort = 9091; 
@@ -73,7 +75,7 @@ in { services.nginx.virtualHosts."${webuiDomain}" = { forceSSL = true; - useACMEHost = domain; + useACMEHost = fqdn; locations."/".proxyPass = "http://127.0.0.1:${toString transmissionRpcPort}"; @@ -91,5 +93,7 @@ in { } ]; }; + + security.acme.certs.${fqdn}.extraDomainNames = [webuiDomain]; }; } diff --git a/services/vaultwarden.nix b/services/vaultwarden.nix index 2d8d370..43ffc85 100644 --- a/services/vaultwarden.nix +++ b/services/vaultwarden.nix @@ -15,6 +15,8 @@ my = config.my; domain = config.networking.domain; + hostname = config.networking.hostName; + fqdn = "${hostname}.${domain}"; in { options.my.services.vaultwarden = let inherit (lib) types; @@ -68,7 +70,7 @@ in { virtualHosts = { "pass.${domain}" = { forceSSL = true; - useACMEHost = domain; + useACMEHost = fqdn; locations."/" = { proxyPass = "http://127.0.0.1:${toString cfg.privatePort}"; @@ -86,6 +88,8 @@ in { }; }; + security.acme.certs.${fqdn}.extraDomainNames = ["pass.${domain}"]; + # FIXME: should be renamed to vaultwarden eventually my.services.restic-backup = mkIf cfg.enable { paths = ["/var/lib/bitwarden_rs"]; From 973415fe4d28cabd6a8ea2c9d3c64f38f3138b12 Mon Sep 17 00:00:00 2001 From: Antoine Martin Date: Sun, 12 Jun 2022 17:20:12 +0200 Subject: [PATCH 5/6] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/e0169d7a9d324afebf5679551407756c77af8930' (2022-06-08) → 'github:NixOS/nixpkgs/90cd5459a1fd707819b9a3fb9c852beaaac3b79a' (2022-06-11) • Updated input 'nixpkgs-unstable-small': 'github:NixOS/nixpkgs/a58de450c514aa1bc5a4999f92656ab6b600dc59' (2022-06-10) → 'github:NixOS/nixpkgs/d64abb978cc2fa4b88b074a64d1b456183c8db17' (2022-06-12) --- flake.lock | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/flake.lock b/flake.lock index f5e8575..6529b81 100644 --- a/flake.lock +++ b/flake.lock 
@@ -109,11 +109,11 @@ }, "nixpkgs-unstable-small": { "locked": { - "lastModified": 1654819923, - "narHash": "sha256-s3m3dbCVWw7XAFbkIJyPKtlqgbcDD+2BrBOGTRn0fIw=", + "lastModified": 1655000332, + "narHash": "sha256-G4rs6nRox0146D6uI+zLxl8PwKXEO4PngyNXtY82DJI=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "a58de450c514aa1bc5a4999f92656ab6b600dc59", + "rev": "d64abb978cc2fa4b88b074a64d1b456183c8db17", "type": "github" }, "original": { @@ -125,11 +125,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1654682581, - "narHash": "sha256-Jb1PQCwKgwdNAp907eR5zPzuxV+kRroA3UIxUxCMJ9s=", + "lastModified": 1654953433, + "narHash": "sha256-TwEeh4r50NdWHFAHQSyjCk2cZxgwUfcCCAJOhPdXB28=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "e0169d7a9d324afebf5679551407756c77af8930", + "rev": "90cd5459a1fd707819b9a3fb9c852beaaac3b79a", "type": "github" }, "original": { From 37f19dfb2ee64266e13445ebafa6ca15c2fd9a70 Mon Sep 17 00:00:00 2001 From: Antoine Martin Date: Sun, 12 Jun 2022 17:59:41 +0200 Subject: [PATCH 6/6] hosts: move miniflux from poseidon to hades --- hosts/hades/default.nix | 6 ++++++ hosts/hades/secrets.nix | 2 ++ hosts/poseidon/default.nix | 6 ------ hosts/poseidon/secrets.nix | 2 -- modules/secrets/miniflux/admin-credentials.age | Bin 597 -> 558 bytes modules/secrets/secrets.nix | 2 +- 6 files changed, 9 insertions(+), 9 deletions(-) diff --git a/hosts/hades/default.nix b/hosts/hades/default.nix index cb47d27..4fd34ee 100644 --- a/hosts/hades/default.nix +++ b/hosts/hades/default.nix @@ -57,6 +57,12 @@ in { my.services = { fail2ban.enable = true; + miniflux = { + enable = true; + adminCredentialsFile = config.age.secrets."miniflux/admin-credentials".path; + privatePort = 8080; + }; + restic-backup = { enable = true; repo = "b2:hades-backup-alarsyo"; diff --git a/hosts/hades/secrets.nix b/hosts/hades/secrets.nix index f562d22..464bcc1 100644 --- a/hosts/hades/secrets.nix +++ b/hosts/hades/secrets.nix 
@@ -13,6 +13,8 @@ // attrs; in lib.mapAttrs toSecret { + "miniflux/admin-credentials" = {}; + "restic-backup/hades-credentials" = {}; "restic-backup/hades-password" = {}; diff --git a/hosts/poseidon/default.nix b/hosts/poseidon/default.nix index 7c3bd67..b05967f 100644 --- a/hosts/poseidon/default.nix +++ b/hosts/poseidon/default.nix @@ -96,12 +96,6 @@ in { port = 8083; }; - miniflux = { - enable = true; - adminCredentialsFile = config.age.secrets."miniflux/admin-credentials".path; - privatePort = 8080; - }; - matrix = { enable = true; secretConfigFile = config.age.secrets."matrix-synapse/secret-config".path; diff --git a/hosts/poseidon/secrets.nix b/hosts/poseidon/secrets.nix index 66f6673..719d569 100644 --- a/hosts/poseidon/secrets.nix +++ b/hosts/poseidon/secrets.nix @@ -21,8 +21,6 @@ owner = "matrix-synapse"; }; - "miniflux/admin-credentials" = {}; - "nextcloud/admin-pass" = { owner = "nextcloud"; }; 
diff --git a/modules/secrets/miniflux/admin-credentials.age b/modules/secrets/miniflux/admin-credentials.age index ee534fb684f738e45a223e393e7f14bed881e097..11c576f36bbbd3c601e6e95c5b89e0947be9a194 100644 GIT binary patch delta 525 zcmcc0vW{hfPJM{0rM7E$YPLmMZfKNWfK!Tpx_*?YNr;g}c70Pj-@%cAklLc1mzbfki+`xMf6Aj+05Tg+ZdFi@8a1T6$zbRz_Z;374*&LUD11 zZfc5=si~o*LP3N@rBS+qnRiBEv3YT7icy+be!hRXQ+=VCb4iv-PN=_6PNYkTrE8F% ziDj9kk&j_ES87PPp^34VL4|>KzOz@NrHNsBaY>F#T2xrBp=WYwqN$&ezF%&nn_*Qt z$U3FsNC(~YqSVCVR0T65B}*5sfV_g>#N-H(YFK7My%90|BP_qzI$B42J6UP$6(kv(QWUj0bpQ;MaDql~N%A6=S!=l0{ zW4EvfkAmFPps?U96K|J@$aIt3FypX_g50R$ykst2U0sFb(vpyTzo_KIa{W|`yi^lE zvw$o&XM@mCr;vPYr_}TypK`OnP{;fTKVPo;@1H+5} delta 564 zcmZ3-a+PI*PJL-^P?BM~X?CD~K)z9sepN<(d48^GPL`K`p?Pplm}zlAPDOY|Mv;$W zB$t<=cVb?7NSTRgRjx_7Sy;NWM^2DMxM`4qesQ{cenF{aNI{xKexhSqIhU@TLUD11 zZfc5=si~o*LY0|osYRfIXOgQ|u(p9mVnCLAd8KPaTD?cHNkwINNV<``zO%EpsZnZB zadNU#uD7cJmt|pINMcn|scE)rad25+K}cpwl#54Ycv7N%u~Aa4kzt@?j$4*#fN7B< z$hzdBJneiH-Snc=#Nt$iBC7&(qg;gy3)>{kT$eh9=y(@}h$59Jw>pywE_ZM9AXAGZ zQ}g`#&`i^kppY;VpX78$_oOI`LRU|-aKk{ya94L@ms}S&_dq9?+{%J{1Lr~`)6@c! zi~=WpUw^LTd{YDGNV6*ce9KI8pNeFY$OsotOYKOn6myS2^F)I{(-JeY@Z>}@?GW=y zvqfvg+8ifSql=2NxU0@!qPiSTJqz z^?gzb)0d0(U-*0W%sqj3uU|I2FDr}domO%6<}5`?Crz1Ltr^@x4b7h2%v-(wY;-a3 zdbmhN*Uv2BBy;XmzB6y@JNGuPe0DeYPx;+BU&EexRxAzEj_-+BSb3>)>X~PIUG~jO F0090>%)bBt diff --git a/modules/secrets/secrets.nix b/modules/secrets/secrets.nix index 455f7b0..58082b8 100644 --- a/modules/secrets/secrets.nix +++ b/modules/secrets/secrets.nix @@ -17,7 +17,7 @@ in { "matrix-synapse/secret-config.age".publicKeys = [alarsyo poseidon]; - "miniflux/admin-credentials.age".publicKeys = [alarsyo poseidon]; + "miniflux/admin-credentials.age".publicKeys = [alarsyo hades]; "nextcloud/admin-pass.age".publicKeys = [alarsyo poseidon];