diff --git a/hosts/shark/configuration.nix b/hosts/shark/configuration.nix
index b75daad8..3f1faa2e 100644
--- a/hosts/shark/configuration.nix
+++ b/hosts/shark/configuration.nix
@@ -6,6 +6,7 @@
     ../../base.nix
     ../../misc/metrics-exporters.nix
+    ./services/nginx.nix
     ./services/kanidm.nix
   ];
diff --git a/hosts/shark/services/kanidm.nix b/hosts/shark/services/kanidm.nix
index 0e0c0f16..b17c5714 100644
--- a/hosts/shark/services/kanidm.nix
+++ b/hosts/shark/services/kanidm.nix
@@ -1,7 +1,7 @@
 { config, pkgs, lib, ... }:
 let
   cfg = config.services.kanidm;
-  domain = "auth.pvv.ntnu.no";
+  domain = "idmtest.pvv.ntnu.no";
   bindaddr_web = "127.0.0.1:8300";
   # bindaddr_ldaps = "0.0.0.0:636";
 in {
@@ -22,12 +22,10 @@ in {
     };
   };
 
-  systemd.services.kanidm = let
-    certName = config.services.nginx.virtualHosts.${cfg.serverSettings.domain}.useACMEHost;
-  in {
-    requires = [ "acme-finished-${certName}.target" ];
+  systemd.services.kanidm = {
+    requires = [ "acme-finished-${domain}.target" ];
     serviceConfig.LoadCredential = let
-      certDir = config.security.acme.certs.${certName}.directory;
+      certDir = config.security.acme.certs.${domain}.directory;
     in [
       "fullchain.pem:${certDir}/fullchain.pem"
       "key.pem:${certDir}/key.pem"
diff --git a/hosts/shark/services/nginx.nix b/hosts/shark/services/nginx.nix
new file mode 100644
index 00000000..2a69bd52
--- /dev/null
+++ b/hosts/shark/services/nginx.nix
@@ -0,0 +1,29 @@
+{ config, values, ... }:
+{
+  security.acme = {
+    acceptTerms = true;
+    defaults.email = "drift@pvv.ntnu.no";
+  };
+
+  services.nginx = {
+    enable = true;
+
+    enableReload = true;
+
+    defaultListenAddresses = [
+      values.hosts.shark.ipv4
+      "[${values.hosts.shark.ipv6}]"
+
+      "127.0.0.1"
+      "127.0.0.2"
+      "[::1]"
+    ];
+
+    recommendedProxySettings = true;
+    recommendedTlsSettings = true;
+    recommendedGzipSettings = true;
+    recommendedOptimisation = true;
+  };
+
+  networking.firewall.allowedTCPPorts = [ 80 443 ];
+}
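Review bot: The new `certDir = config.security.acme.certs.${domain}.directory` line, together with `requires = [ "acme-finished-${domain}.target" ]` two lines above it, now assumes an ACME certificate registered under exactly the name `idmtest.pvv.ntnu.no`, but nothing in this commit declares one — the new nginx.nix adds no virtualHosts, and any kanidm virtualHost with `enableACME`/`useACMEHost` lives outside the hunk. The removed code took the cert name from the virtualHost's `useACMEHost`, so the binding between the service and its certificate was explicit; with the literal `domain` a missing or differently named cert shows up only as a missing-attribute evaluation error, and the `LoadCredential` paths silently follow whatever cert happens to carry that name. State the assumption at the binding, e.g. `# the ACME cert is expected to be registered under the kanidm domain name (via the nginx virtualHost); keep the two in sync`, or make it checkable with `assertions = [{ assertion = config.security.acme.certs ? ${domain}; message = "kanidm: no ACME certificate named ${domain}"; }];`. The `systemd.services.kanidm` attribute set continues past the end of the hunk.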
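Review bot: The module header `{ config, values, ... }:` binds `config` but no line in the file reads it; only `values` is used, so the header should be `{ values, ... }:` to keep the module's inputs honest. The listen list also mixes the host's public addresses with three loopback entries and a bare `127.0.0.2` with no explanation, so a reader cannot tell whether the second loopback address is deliberate (a separate local-only listener) or a slip; a one-line comment above it such as `# 127.0.0.2 is a second loopback listener, kept separate from 127.0.0.1 on purpose` (or its removal, if it is not needed) would settle that. Since the public addresses are in `defaultListenAddresses` and 80/443 are opened in the firewall, every virtualHost declared elsewhere without its own `listenAddresses` becomes reachable from outside by default; that is presumably intended for the identity service, but it is worth saying so in a comment next to `defaultListenAddresses`.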