diff --git a/flake.lock b/flake.lock index 6529b81..f5e8575 100644 --- a/flake.lock +++ b/flake.lock @@ -109,11 +109,11 @@ }, "nixpkgs-unstable-small": { "locked": { - "lastModified": 1655000332, - "narHash": "sha256-G4rs6nRox0146D6uI+zLxl8PwKXEO4PngyNXtY82DJI=", + "lastModified": 1654819923, + "narHash": "sha256-s3m3dbCVWw7XAFbkIJyPKtlqgbcDD+2BrBOGTRn0fIw=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "d64abb978cc2fa4b88b074a64d1b456183c8db17", + "rev": "a58de450c514aa1bc5a4999f92656ab6b600dc59", "type": "github" }, "original": { @@ -125,11 +125,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1654953433, - "narHash": "sha256-TwEeh4r50NdWHFAHQSyjCk2cZxgwUfcCCAJOhPdXB28=", + "lastModified": 1654682581, + "narHash": "sha256-Jb1PQCwKgwdNAp907eR5zPzuxV+kRroA3UIxUxCMJ9s=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "90cd5459a1fd707819b9a3fb9c852beaaac3b79a", + "rev": "e0169d7a9d324afebf5679551407756c77af8930", "type": "github" }, "original": { diff --git a/services/fava.nix b/services/fava.nix index 8e796f5..59494ad 100644 --- a/services/fava.nix +++ b/services/fava.nix @@ -13,11 +13,7 @@ cfg = config.my.services.fava; my = config.my; - domain = config.networking.domain; - hostname = config.networking.hostName; - fqdn = "${hostname}.${domain}"; - secrets = config.my.secrets; in { options.my.services.fava = let @@ -69,7 +65,7 @@ in { services.nginx.virtualHosts = { "fava.${domain}" = { forceSSL = true; - useACMEHost = fqdn; + useACMEHost = domain; listen = [ # FIXME: hardcoded tailscale IP @@ -90,7 +86,5 @@ in { }; }; }; - - security.acme.certs.${fqdn}.extraDomainNames = ["fava.${domain}"]; }; } diff --git a/services/gitea/default.nix b/services/gitea/default.nix index c6472fb..6796d88 100644 --- a/services/gitea/default.nix +++ b/services/gitea/default.nix @@ -15,8 +15,6 @@ my = config.my; domain = config.networking.domain; - hostname = config.networking.hostName; - fqdn = "${hostname}.${domain}"; in { options.my.services.gitea = let inherit (lib) types; 
@@ -103,7 +101,7 @@ in { virtualHosts = { "git.${domain}" = { forceSSL = true; - useACMEHost = fqdn; + useACMEHost = domain; locations."/" = { proxyPass = "http://127.0.0.1:${toString cfg.privatePort}"; @@ -112,8 +110,6 @@ in { }; }; - security.acme.certs.${fqdn}.extraDomainNames = ["git.${domain}"]; - systemd.services.gitea.preStart = "${pkgs.coreutils}/bin/ln -sfT ${./templates} ${config.services.gitea.stateDir}/custom/templates"; }; } diff --git a/services/jellyfin.nix b/services/jellyfin.nix index 3160770..4a4ceea 100644 --- a/services/jellyfin.nix +++ b/services/jellyfin.nix @@ -14,8 +14,6 @@ my = config.my; domain = config.networking.domain; - hostname = config.networking.hostName; - fqdn = "${hostname}.${domain}"; # hardcoded in NixOS module :( jellyfinPort = 8096; @@ -33,14 +31,12 @@ in { # Proxy to Jellyfin services.nginx.virtualHosts."jellyfin.${domain}" = { forceSSL = true; - useACMEHost = fqdn; + useACMEHost = domain; locations."/" = { proxyPass = "http://localhost:${toString jellyfinPort}/"; proxyWebsockets = true; }; }; - - security.acme.certs.${fqdn}.extraDomainNames = ["jellyfin.${domain}"]; }; } diff --git a/services/lohr.nix b/services/lohr.nix index a86a0b3..c7a5acf 100644 --- a/services/lohr.nix +++ b/services/lohr.nix @@ -13,11 +13,7 @@ cfg = config.my.services.lohr; my = config.my; - domain = config.networking.domain; - hostname = config.networking.hostName; - fqdn = "${hostname}.${domain}"; - secrets = config.my.secrets; lohrPkg = let flake = builtins.getFlake "github:alarsyo/lohr?rev=58503cc8b95c8b627f6ae7e56740609e91f323cd"; @@ -77,14 +73,12 @@ in { services.nginx.virtualHosts = { "lohr.${domain}" = { forceSSL = true; - useACMEHost = fqdn; + useACMEHost = domain; locations."/" = { proxyPass = "http://127.0.0.1:${toString cfg.port}"; }; }; }; - - security.acme.certs.${fqdn}.extraDomainNames = ["lohr.${domain}"]; }; } diff --git a/services/matrix.nix b/services/matrix.nix index eab7e37..82cfb88 100644 --- a/services/matrix.nix 
+++ b/services/matrix.nix @@ -32,10 +32,7 @@ public = 443; private = 11339; }; - domain = config.networking.domain; - hostname = config.networking.hostName; - fqdn = "${hostname}.${domain}"; in { options.my.services.matrix = let inherit (lib) types; @@ -150,7 +147,7 @@ in { virtualHosts = { "matrix.${domain}" = { onlySSL = true; - useACMEHost = fqdn; + useACMEHost = domain; locations = let proxyToClientPort = { @@ -184,7 +181,7 @@ in { "matrix.${domain}_federation" = rec { onlySSL = true; serverName = "matrix.${domain}"; - useACMEHost = fqdn; + useACMEHost = domain; locations."/".return = "404"; @@ -208,7 +205,7 @@ in { "${domain}" = { forceSSL = true; - useACMEHost = fqdn; + useACMEHost = domain; locations."= /.well-known/matrix/server".extraConfig = let server = {"m.server" = "matrix.${domain}:${toString federationPort.public}";}; @@ -233,7 +230,7 @@ in { # Element Web app deployment # "chat.${domain}" = { - useACMEHost = fqdn; + useACMEHost = domain; forceSSL = true; root = pkgs.element-web.override { @@ -262,8 +259,6 @@ in { }; }; - security.acme.certs.${fqdn}.extraDomainNames = ["chat.${domain}" "matrix.${domain}" domain]; - # For administration tools. environment.systemPackages = [pkgs.matrix-synapse]; diff --git a/services/miniflux.nix b/services/miniflux.nix index b4cf78e..5738d8e 100644 --- a/services/miniflux.nix +++ b/services/miniflux.nix @@ -15,8 +15,6 @@ my = config.my; domain = config.networking.domain; - hostname = config.networking.hostName; - fqdn = "${hostname}.${domain}"; in { options.my.services.miniflux = let inherit (lib) types; @@ -62,7 +60,7 @@ in { virtualHosts = { "reader.${domain}" = { forceSSL = true; - useACMEHost = fqdn; + useACMEHost = domain; locations."/" = { proxyPass = "http://127.0.0.1:${toString cfg.privatePort}"; @@ -70,7 +68,5 @@ in { }; }; }; - - security.acme.certs.${fqdn}.extraDomainNames = ["reader.${domain}"]; }; } diff --git a/services/monitoring.nix b/services/monitoring.nix index a648578..57731ff 100644 
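Review bot: The apex vhost `"${domain}"` that serves `/.well-known/matrix/server` now depends on the shared certificate's primary name being exactly `${domain}`; the `*.${domain}` SAN on its own does not cover the apex, so federation discovery would break quietly if that cert were ever renamed or reduced to the wildcard alone. Suggest a comment above `useACMEHost = domain;` in this vhost: `# apex is covered by the cert's primary name, not by the *.domain SAN`. The vhost's `locations` block continues past the hunk.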
--- a/services/monitoring.nix +++ b/services/monitoring.nix @@ -13,8 +13,6 @@ cfg = config.my.services.monitoring; domain = config.networking.domain; - hostname = config.networking.hostName; - fqdn = "${hostname}.${domain}"; in { options.my.services.monitoring = let inherit (lib) types; @@ -105,17 +103,15 @@ in { }; services.nginx = { - virtualHosts.${cfg.domain} = { + virtualHosts.${config.services.grafana.domain} = { locations."/" = { proxyPass = "http://127.0.0.1:${toString config.services.grafana.port}"; proxyWebsockets = true; }; forceSSL = true; - useACMEHost = fqdn; + useACMEHost = domain; }; }; - - security.acme.certs.${fqdn}.extraDomainNames = [cfg.domain]; }; } diff --git a/services/navidrome.nix b/services/navidrome.nix index c901495..75e6d53 100644 --- a/services/navidrome.nix +++ b/services/navidrome.nix @@ -14,8 +14,6 @@ cfg = config.my.services.navidrome; domain = config.networking.domain; - hostname = config.networking.hostName; - fqdn = "${hostname}.${domain}"; in { options.my.services.navidrome = let inherit (lib) types; @@ -48,7 +46,7 @@ in { services.nginx.virtualHosts."music.${domain}" = { forceSSL = true; - useACMEHost = fqdn; + useACMEHost = domain; listen = [ # FIXME: hardcoded tailscale IP @@ -69,7 +67,5 @@ in { proxyWebsockets = true; }; }; - - security.acme.certs.${fqdn}.extraDomainNames = ["music.${domain}"]; }; } diff --git a/services/nextcloud.nix b/services/nextcloud.nix index 7349970..330548e 100644 --- a/services/nextcloud.nix +++ b/services/nextcloud.nix @@ -16,8 +16,6 @@ let cfg = config.my.services.nextcloud; my = config.my; domain = config.networking.domain; - hostname = config.networking.hostName; - fqdn = "${hostname}.${domain}"; dbName = "nextcloud"; in { options.my.services.nextcloud = let 
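Review bot: The vhost is now keyed on `config.services.grafana.domain` while the certificate it receives through `useACMEHost = domain` only carries `${domain}` and `*.${domain}`, and the removed `extraDomainNames = [cfg.domain]` was what previously made an arbitrary `cfg.domain` valid. If `services.grafana.domain` is not assigned from `cfg.domain` elsewhere in this module (not visible in the hunk), the vhost is named by whatever default the Grafana module sets and `forceSSL` serves a certificate that does not match it, with no evaluation error. A one-line comment at the vhost would make the constraint explicit, e.g. `# must be a single-label subdomain of networking.domain: the shared cert is ${domain} + *.${domain}`, or better an assertion that `config.services.grafana.domain` has the `.${domain}` suffix. The `services.nginx` block closes inside the hunk but the module's config continues past it.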
@@ -87,13 +85,11 @@ in { virtualHosts = { "cloud.${domain}" = { forceSSL = true; - useACMEHost = fqdn; + useACMEHost = domain; }; }; }; - security.acme.certs.${fqdn}.extraDomainNames = ["cloud.${domain}"]; - my.services.restic-backup = let nextcloudHome = config.services.nextcloud.home; in diff --git a/services/nginx.nix b/services/nginx.nix index d84425c..a69d1ac 100644 --- a/services/nginx.nix +++ b/services/nginx.nix @@ -54,11 +54,10 @@ in { certs = let domain = config.networking.domain; - hostname = config.networking.hostName; - fqdn = "${hostname}.${domain}"; gandiKey = config.my.secrets.gandiKey; in { - "${fqdn}" = { + "${domain}" = { + extraDomainNames = ["*.${domain}"]; dnsProvider = "gandiv5"; credentialsFile = config.age.secrets."gandi/api-key".path; group = "nginx"; diff --git a/services/paperless.nix b/services/paperless.nix index 415d35e..3c1aee7 100644 --- a/services/paperless.nix +++ b/services/paperless.nix @@ -14,8 +14,6 @@ cfg = config.my.services.paperless; my = config.my; domain = config.networking.domain; - hostname = config.networking.hostName; - fqdn = "${hostname}.${domain}"; paperlessDomain = "paperless.${domain}"; in { options.my.services.paperless = let @@ -101,7 +99,7 @@ in { services.nginx.virtualHosts = { "${paperlessDomain}" = { forceSSL = true; - useACMEHost = fqdn; + useACMEHost = domain; listen = [ # FIXME: hardcoded tailscale IP @@ -124,8 +122,6 @@ in { }; }; - security.acme.certs.${fqdn}.extraDomainNames = [paperlessDomain]; - my.services.restic-backup = mkIf cfg.enable { paths = [ config.services.paperless.dataDir diff --git a/services/transmission.nix b/services/transmission.nix index 13ad6fa..822070c 100644 --- a/services/transmission.nix +++ b/services/transmission.nix @@ -14,8 +14,6 @@ cfg = config.my.services.transmission; domain = config.networking.domain; - hostname = config.networking.hostName; - fqdn = "${hostname}.${domain}"; webuiDomain = "transmission.${domain}"; transmissionRpcPort = 9091; 
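Review bot: The new `"${domain}"` entry with `extraDomainNames = ["*.${domain}"]` replaces per-name SANs with a wildcard, so the one key in this cert (already shared by every vhost under the old per-host scheme) is now valid for any label under the domain, including names no module declares, and the DNS-01 credential in `credentialsFile` can issue such certificates on its own; neither point is documented. A side effect worth recording is that the individual service names stop appearing in CT logs, which is presumably part of the intent. Suggested comment above the entry: `# Wildcard cert via DNS-01: one key valid for any *.domain name (subdomains no longer visible in CT logs); keep the Gandi credential as narrowly scoped as the provider allows.` Note that `*.${domain}` matches a single label only, so a vhost under a deeper name would receive a non-matching certificate without any error from this module. The `certs` attribute set continues past the end of the hunk.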
@@ -75,7 +73,7 @@ in { services.nginx.virtualHosts."${webuiDomain}" = { forceSSL = true; - useACMEHost = fqdn; + useACMEHost = domain; locations."/".proxyPass = "http://127.0.0.1:${toString transmissionRpcPort}"; @@ -93,8 +91,5 @@ in { } ]; }; - - security.acme.certs.${fqdn}.extraDomainNames = [webuiDomain]; - }; } diff --git a/services/vaultwarden.nix b/services/vaultwarden.nix index 43ffc85..2d8d370 100644 --- a/services/vaultwarden.nix +++ b/services/vaultwarden.nix @@ -15,8 +15,6 @@ my = config.my; domain = config.networking.domain; - hostname = config.networking.hostName; - fqdn = "${hostname}.${domain}"; in { options.my.services.vaultwarden = let inherit (lib) types; @@ -70,7 +68,7 @@ in { virtualHosts = { "pass.${domain}" = { forceSSL = true; - useACMEHost = fqdn; + useACMEHost = domain; locations."/" = { proxyPass = "http://127.0.0.1:${toString cfg.privatePort}"; @@ -88,8 +86,6 @@ in { }; }; - security.acme.certs.${fqdn}.extraDomainNames = ["pass.${domain}"]; - # FIXME: should be renamed to vaultwarden eventually my.services.restic-backup = mkIf cfg.enable { paths = ["/var/lib/bitwarden_rs"];
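Review bot: `pass.${domain}` is the password vault, and with `useACMEHost = domain` its TLS private key is the same file every other vhost on this host (media, torrent UI, feed reader, ...) reads; that was already true of the per-host cert this commit replaces, but the switch to a wildcard is the natural moment to decide whether the vault should keep sharing it. Consider a dedicated certificate for this name, `useACMEHost = "pass.${domain}";` here plus a matching `security.acme.certs."pass.${domain}"` entry with the same DNS-01 settings, or at least a comment recording that the shared-key trade-off was accepted: `# TLS key is shared with every other vhost via the wildcard cert`. The `locations."/"` block continues past the hunk.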