tsuki: configure wildcard certs for nginx
This commit is contained in:
parent
ebd854a0ae
commit
7a0fcf7805
@ -1,10 +1,12 @@
|
||||
{ pkgs, config, ... }: let
|
||||
cfg = config.services.kanidm;
|
||||
in {
|
||||
systemd.services.kanidm = {
|
||||
requires = [ "acme-finished-${cfg.serverSettings.domain}.target" ];
|
||||
systemd.services.kanidm = let
|
||||
certName = config.services.nginx.virtualHosts.${cfg.serverSettings.domain}.useACMEHost;
|
||||
in {
|
||||
requires = [ "acme-finished-${certName}.target" ];
|
||||
serviceConfig.LoadCredential = let
|
||||
certDir = config.security.acme.certs.${cfg.serverSettings.domain}.directory;
|
||||
certDir = config.security.acme.certs.${certName}.directory;
|
||||
in [
|
||||
"fullchain.pem:${certDir}/fullchain.pem"
|
||||
"key.pem:${certDir}/key.pem"
|
||||
|
@ -6,14 +6,22 @@
|
||||
inherit (secrets) ips ports;
|
||||
in
|
||||
{
|
||||
sops.secrets."cloudflare/api-key" = {};
|
||||
|
||||
# All of these nginx endpoints are hosted through a cloudflare proxy.
|
||||
# This has several implications for the configuration:
|
||||
# - The sites I want to protect using a client side certificate needs to
|
||||
# use a client side certificate given by cloudflare, since the client cert set here
|
||||
# only works to secure communication between nginx and cloudflare
|
||||
# - I don't need to redirect http traffic to https manually, as cloudflare does it for me
|
||||
# - I don't need to request ACME certificates manually, as cloudflare does it for me.
|
||||
security.acme = {
|
||||
acceptTerms = true;
|
||||
defaults = {
|
||||
email = "h7x4@nani.wtf";
|
||||
dnsProvider = "cloudflare";
|
||||
credentialsFile = config.sops.secrets."cloudflare/api-key".path;
|
||||
dnsPropagationCheck = true;
|
||||
};
|
||||
certs."nani.wtf" = {
|
||||
extraDomainNames = [ "*.nani.wtf" ];
|
||||
};
|
||||
};
|
||||
|
||||
users.groups.${config.security.acme.certs."nani.wtf".group}.members = [ "nginx" ];
|
||||
|
||||
services.nginx = let
|
||||
generateServerAliases =
|
||||
@ -46,9 +54,8 @@
|
||||
subdomains: extraSettings: let
|
||||
settings = with keys.certificates; {
|
||||
serverAliases = drop 1 (generateServerAliases domains subdomains);
|
||||
onlySSL = true;
|
||||
sslCertificate = server.crt;
|
||||
sslCertificateKey = server.key;
|
||||
useACMEHost = "nani.wtf";
|
||||
forceSSL = true;
|
||||
|
||||
extraConfig = ''
|
||||
ssl_client_certificate ${cloudflare-origin-pull-ca};
|
||||
@ -77,22 +84,23 @@
|
||||
};
|
||||
};
|
||||
|
||||
onlySSL = true;
|
||||
|
||||
sslCertificate = keys.certificates.server.crt;
|
||||
sslCertificateKey = keys.certificates.server.key;
|
||||
useACMEHost = "nani.wtf";
|
||||
forceSSL = true;
|
||||
|
||||
extraConfig = ''
|
||||
ssl_client_certificate ${cloudflare-origin-pull-ca};
|
||||
ssl_verify_client on;
|
||||
add_header Access-Control-Allow-Origin *;
|
||||
default_type text/plain;
|
||||
ssl_client_certificate ${cloudflare-origin-pull-ca};
|
||||
ssl_verify_client on;
|
||||
'';
|
||||
};
|
||||
}
|
||||
(proxy ["plex"] "http://localhost:${s ports.plex}" {})
|
||||
(host ["www"] { root = "${inputs.website.packages.${pkgs.system}.default}/"; })
|
||||
(proxy ["matrix"] "http://localhost:${s ports.matrix.listener}" {})
|
||||
(host ["matrix"] {
|
||||
enableACME = lib.mkForce false;
|
||||
locations."/_synapse".proxyPass = "http://$synapse_backend";
|
||||
})
|
||||
(host ["madmin"] { root = "${pkgs.synapse-admin}/"; })
|
||||
# (host ["cache"] { root = "/var/lib/nix-cache"; })
|
||||
(proxy ["git"] "http://localhost:${s ports.gitea}" {})
|
||||
|
@ -2,6 +2,8 @@ headscale:
|
||||
oauth_secret: ""
|
||||
hedgedoc:
|
||||
env: ENC[AES256_GCM,data:4i2I7S5hKp3mjROMwa3WQinbgmxXhKzSaWspzF12TIDm9g3Bgie0jfSxbDuPjJYq1mZ8oQ2Jzdi2N+Q4blOk9fZO3VREoU0qFrfqm8RqBw3a7hpisXzu9okYnzrW2JiVxNGWwZbuiCG1SzdMOMHq/ZqLEJdu7Pxm9cY9xBSZthap1DCFyr7dmjHt3AnEQemsDpxSaWKD2Dfs1gyA23rLAFBd,iv:lfB6uaXULUNme7cGyN+bKuXPsbgpjMrxrRy2L96HltY=,tag:uu37bZ4g/PA2mgzs3ioLCQ==,type:str]
|
||||
cloudflare:
|
||||
api-key: ENC[AES256_GCM,data:dqKGLnIlPAgBNTxcRo6Q55hKoe8Qg9UCmDvJioJdhBxmjTXQrf0LFL/iMC73K+Kj0ejuzBRJaqfN6548aZZTSDb8hPTygh7PEILqdxNrap9uDm229eJM/zrShOIRaNLH,iv:pUkuU3Es20ujDtOYfGZodxEUZSlfAe/45ewEkPG1GP4=,tag:sA7nMLldPRRo0jwcdF34ng==,type:str]
|
||||
sops:
|
||||
kms: []
|
||||
gcp_kms: []
|
||||
@ -17,8 +19,8 @@ sops:
|
||||
UE1YWkplaFBhV01CU0FDYTQ3NlkwVkUKMJyCfyh/vcj/VU7shtFF4YRRVaWdcMNh
|
||||
rp9lZmRZpc9mARXYAj9RlkI/uuSzxshtqb5AGXKmSV0hncazxu75kg==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2023-03-07T12:35:57Z"
|
||||
mac: ENC[AES256_GCM,data:jKRXsFeyqRVkU4yGpVm4iOrXZV5mnWC7c63ifKmWJR/eMH1M5I7nKrrn7RA9DjZcwBnWyO5HcYk/NjjMP5HZbSmUMEafKBs3GpZDFziGG4eQSgZdca4MSNXwAqtQqYwtjsixww637uwSycwdf+9cphSBGhsdFOctaIsOuuheZEc=,iv:KDhnBg9+mZWyaKsiijITAkyvyx8eFsflBB0+jbY6aZQ=,tag:qJxf5RUb/5hzXI8pjGgLFw==,type:str]
|
||||
lastmodified: "2023-03-08T13:37:44Z"
|
||||
mac: ENC[AES256_GCM,data:SrdyqQbOyFct6Hj+fBgAz4MBbHOKDvSKF4OsRgq4/byI7BTdtRaFD1tq0nndP84xfapiLhd8o6f2ZrncyrYkciNiZcFN2Dj7lAg8LOuIpYeh/TTOLsWXTyfjJ7rK2x845kEDoR9oTWUDM2yKFrvIZzZuxavDw71eEYzg2QxJCAI=,iv:quIGgipT59h8PwlYcDKd8K5pW0TPXM3T+lvdegLkwKk=,tag:Yv+Yg5tSOhuL3/iSbJMT1Q==,type:str]
|
||||
pgp:
|
||||
- created_at: "2023-03-07T12:32:53Z"
|
||||
enc: |
|
||||
|
Loading…
Reference in New Issue
Block a user