tsuki: configure wildcard certs for nginx

2023-03-08 14:32:39 +01:00 · 2023-03-08 14:32:39 +01:00 · 7a0fcf7805
parent ebd854a0ae
commit 7a0fcf7805
3 changed files with 34 additions and 22 deletions
--- a/hosts/tsuki/services/kanidm.nix
+++ b/hosts/tsuki/services/kanidm.nix
@ -1,10 +1,12 @@
 { pkgs, config, ... }: let
  cfg = config.services.kanidm;
 in {
-  systemd.services.kanidm = {
-    requires = [ "acme-finished-${cfg.serverSettings.domain}.target" ];
+  systemd.services.kanidm = let
+    certName = config.services.nginx.virtualHosts.${cfg.serverSettings.domain}.useACMEHost;
+  in {
+    requires = [ "acme-finished-${certName}.target" ];
    serviceConfig.LoadCredential = let
-      certDir = config.security.acme.certs.${cfg.serverSettings.domain}.directory;
+      certDir = config.security.acme.certs.${certName}.directory;
    in [
      "fullchain.pem:${certDir}/fullchain.pem"
      "key.pem:${certDir}/key.pem"
--- a/hosts/tsuki/services/nginx/default.nix
+++ b/hosts/tsuki/services/nginx/default.nix
@ -6,14 +6,22 @@
    inherit (secrets) ips ports;
  in
 {
+  sops.secrets."cloudflare/api-key" = {};

-  # All of these nginx endpoints are hosted through a cloudflare proxy.
-  # This has several implications for the configuration:
-  #   - The sites I want to protect using a client side certificate needs to 
-  #     use a client side certificate given by cloudflare, since the client cert set here
-  #     only works to secure communication between nginx and cloudflare
-  #   - I don't need to redirect http traffic to https manually, as cloudflare does it for me
-  #   - I don't need to request ACME certificates manually, as cloudflare does it for me.
+  security.acme = {
+    acceptTerms = true;
+    defaults = {
+      email = "h7x4@nani.wtf";
+      dnsProvider = "cloudflare";
+      credentialsFile = config.sops.secrets."cloudflare/api-key".path;
+      dnsPropagationCheck = true;
+    };
+    certs."nani.wtf" = {
+      extraDomainNames = [ "*.nani.wtf" ];
+    };
+  };
+
+  users.groups.${config.security.acme.certs."nani.wtf".group}.members = [ "nginx" ];

  services.nginx = let
    generateServerAliases =
@ -46,9 +54,8 @@
        subdomains: extraSettings: let
          settings = with keys.certificates; {
            serverAliases = drop 1 (generateServerAliases domains subdomains);
-            onlySSL = true;
-            sslCertificate = server.crt;
-            sslCertificateKey = server.key;
+            useACMEHost = "nani.wtf";
+            forceSSL = true;

            extraConfig = ''
              ssl_client_certificate ${cloudflare-origin-pull-ca};
@ -77,22 +84,23 @@
            };
          };

-          onlySSL = true;
-
-          sslCertificate = keys.certificates.server.crt;
-          sslCertificateKey = keys.certificates.server.key;
+          useACMEHost = "nani.wtf";
+          forceSSL = true;

          extraConfig = ''
-            ssl_client_certificate ${cloudflare-origin-pull-ca};
-            ssl_verify_client on;
            add_header Access-Control-Allow-Origin *;
            default_type text/plain;
+            ssl_client_certificate ${cloudflare-origin-pull-ca};
+            ssl_verify_client on;
          '';
        };
      }
      (proxy ["plex"] "http://localhost:${s ports.plex}" {})
      (host ["www"] { root = "${inputs.website.packages.${pkgs.system}.default}/"; })
-      (proxy ["matrix"] "http://localhost:${s ports.matrix.listener}" {})
+      (host ["matrix"] {
+        enableACME = lib.mkForce false;
+        locations."/_synapse".proxyPass = "http://$synapse_backend";
+      })
      (host ["madmin"] { root = "${pkgs.synapse-admin}/"; })
      # (host ["cache"] { root = "/var/lib/nix-cache"; })
      (proxy ["git"] "http://localhost:${s ports.gitea}" {})
--- a/secrets/default.yaml
+++ b/secrets/default.yaml
@ -2,6 +2,8 @@ headscale:
    oauth_secret: ""
 hedgedoc:
    env: ENC[AES256_GCM,data:4i2I7S5hKp3mjROMwa3WQinbgmxXhKzSaWspzF12TIDm9g3Bgie0jfSxbDuPjJYq1mZ8oQ2Jzdi2N+Q4blOk9fZO3VREoU0qFrfqm8RqBw3a7hpisXzu9okYnzrW2JiVxNGWwZbuiCG1SzdMOMHq/ZqLEJdu7Pxm9cY9xBSZthap1DCFyr7dmjHt3AnEQemsDpxSaWKD2Dfs1gyA23rLAFBd,iv:lfB6uaXULUNme7cGyN+bKuXPsbgpjMrxrRy2L96HltY=,tag:uu37bZ4g/PA2mgzs3ioLCQ==,type:str]
+cloudflare:
+    api-key: ENC[AES256_GCM,data:dqKGLnIlPAgBNTxcRo6Q55hKoe8Qg9UCmDvJioJdhBxmjTXQrf0LFL/iMC73K+Kj0ejuzBRJaqfN6548aZZTSDb8hPTygh7PEILqdxNrap9uDm229eJM/zrShOIRaNLH,iv:pUkuU3Es20ujDtOYfGZodxEUZSlfAe/45ewEkPG1GP4=,tag:sA7nMLldPRRo0jwcdF34ng==,type:str]
 sops:
    kms: []
    gcp_kms: []
@ -17,8 +19,8 @@ sops:
            UE1YWkplaFBhV01CU0FDYTQ3NlkwVkUKMJyCfyh/vcj/VU7shtFF4YRRVaWdcMNh
            rp9lZmRZpc9mARXYAj9RlkI/uuSzxshtqb5AGXKmSV0hncazxu75kg==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2023-03-07T12:35:57Z"
-    mac: ENC[AES256_GCM,data:jKRXsFeyqRVkU4yGpVm4iOrXZV5mnWC7c63ifKmWJR/eMH1M5I7nKrrn7RA9DjZcwBnWyO5HcYk/NjjMP5HZbSmUMEafKBs3GpZDFziGG4eQSgZdca4MSNXwAqtQqYwtjsixww637uwSycwdf+9cphSBGhsdFOctaIsOuuheZEc=,iv:KDhnBg9+mZWyaKsiijITAkyvyx8eFsflBB0+jbY6aZQ=,tag:qJxf5RUb/5hzXI8pjGgLFw==,type:str]
+    lastmodified: "2023-03-08T13:37:44Z"
+    mac: ENC[AES256_GCM,data:SrdyqQbOyFct6Hj+fBgAz4MBbHOKDvSKF4OsRgq4/byI7BTdtRaFD1tq0nndP84xfapiLhd8o6f2ZrncyrYkciNiZcFN2Dj7lAg8LOuIpYeh/TTOLsWXTyfjJ7rK2x845kEDoR9oTWUDM2yKFrvIZzZuxavDw71eEYzg2QxJCAI=,iv:quIGgipT59h8PwlYcDKd8K5pW0TPXM3T+lvdegLkwKk=,tag:Yv+Yg5tSOhuL3/iSbJMT1Q==,type:str]
    pgp:
        - created_at: "2023-03-07T12:32:53Z"
          enc: |