diff --git a/hosts/tsuki/services/kanidm.nix b/hosts/tsuki/services/kanidm.nix
index 298d08b..7a8765b 100644
--- a/hosts/tsuki/services/kanidm.nix
+++ b/hosts/tsuki/services/kanidm.nix
@@ -1,10 +1,12 @@
 { pkgs, config, ... }:
 let cfg = config.services.kanidm; in {
- systemd.services.kanidm = {
- requires = [ "acme-finished-${cfg.serverSettings.domain}.target" ];
+ systemd.services.kanidm = let
+ certName = config.services.nginx.virtualHosts.${cfg.serverSettings.domain}.useACMEHost;
+ in {
+ requires = [ "acme-finished-${certName}.target" ];
 serviceConfig.LoadCredential = let
- certDir = config.security.acme.certs.${cfg.serverSettings.domain}.directory;
+ certDir = config.security.acme.certs.${certName}.directory;
 in [
 "fullchain.pem:${certDir}/fullchain.pem"
 "key.pem:${certDir}/key.pem"
diff --git a/hosts/tsuki/services/nginx/default.nix b/hosts/tsuki/services/nginx/default.nix
index 05f980b..1da06ca 100644
--- a/hosts/tsuki/services/nginx/default.nix
+++ b/hosts/tsuki/services/nginx/default.nix
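Review bot: `requires = [ "acme-finished-${certName}.target" ]` pulls the target in but does not order kanidm after it, so on a first deployment the unit can start before the certificate has been issued and `LoadCredential` fails on the missing `fullchain.pem`/`key.pem`; add `after = [ "acme-finished-${certName}.target" ];` beside it. The new `certName` also ties this service to the nginx virtualHost for `cfg.serverSettings.domain` having `useACMEHost` set; if that vhost is later removed or switched to `enableACME`, the expression evaluates to null and the unit name becomes `acme-finished-null.target`, which is easier to catch with an assertion that `certName != null` than at activation time. A short comment such as `# reuse the wildcard cert nginx already obtains for this domain` above `certName` would make the coupling explicit. The `systemd.services.kanidm` attribute set continues past the end of the hunk.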
@@ -6,14 +6,22 @@
 inherit (secrets) ips ports;
 in {
+ sops.secrets."cloudflare/api-key" = {};
- # All of these nginx endpoints are hosted through a cloudflare proxy.
- # This has several implications for the configuration:
- # - The sites I want to protect using a client side certificate needs to
- # use a client side certificate given by cloudflare, since the client cert set here
- # only works to secure communication between nginx and cloudflare
- # - I don't need to redirect http traffic to https manually, as cloudflare does it for me
- # - I don't need to request ACME certificates manually, as cloudflare does it for me.
+ security.acme = {
+ acceptTerms = true;
+ defaults = {
+ email = "h7x4@nani.wtf";
+ dnsProvider = "cloudflare";
+ credentialsFile = config.sops.secrets."cloudflare/api-key".path;
+ dnsPropagationCheck = true;
+ };
+ certs."nani.wtf" = {
+ extraDomainNames = [ "*.nani.wtf" ];
+ };
+ };
+
+ users.groups.${config.security.acme.certs."nani.wtf".group}.members = [ "nginx" ];
 services.nginx = let
 generateServerAliases =
@@ -46,9 +54,8 @@ subdomains: extraSettings:
 let
 settings = with keys.certificates; {
 serverAliases = drop 1 (generateServerAliases domains subdomains);
- onlySSL = true;
- sslCertificate = server.crt;
- sslCertificateKey = server.key;
+ useACMEHost = "nani.wtf";
+ forceSSL = true;
 extraConfig = ''
 ssl_client_certificate ${cloudflare-origin-pull-ca};
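Review bot: `credentialsFile = config.sops.secrets."cloudflare/api-key".path;` is consumed by the ACME module as an EnvironmentFile for lego, so the decrypted secret has to be in `KEY=value` form with the Cloudflare provider's variable (for example `CLOUDFLARE_DNS_API_TOKEN=...`) rather than a bare key, and a token scoped to DNS edits on the `nani.wtf` zone is preferable to the account-wide Global API Key if that is what the secret currently holds; the file contents are not visible here, so this is worth confirming. The removed comment block was the only place explaining the Cloudflare-proxy assumptions, and nothing replaces it even though `ssl_client_certificate`/`ssl_verify_client` remain in use further down; a comment above `security.acme = {` such as `# TLS certs now come from ACME via Cloudflare DNS-01 (wildcard for *.nani.wtf); the origin-pull client verification below still assumes traffic arrives through the Cloudflare proxy` would keep that knowledge. `dnsPropagationCheck = true;` is already the module default and can be dropped. The following hunk at `@@ -46,9 +54,8 @@` is cut off before its last line.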
@@ -77,22 +84,23 @@
 };
 };
- onlySSL = true;
-
- sslCertificate = keys.certificates.server.crt;
- sslCertificateKey = keys.certificates.server.key;
+ useACMEHost = "nani.wtf";
+ forceSSL = true;
 extraConfig = ''
- ssl_client_certificate ${cloudflare-origin-pull-ca};
- ssl_verify_client on;
 add_header Access-Control-Allow-Origin *;
 default_type text/plain;
+ ssl_client_certificate ${cloudflare-origin-pull-ca};
+ ssl_verify_client on;
 '';
 };
 }
 (proxy ["plex"] "http://localhost:${s ports.plex}" {})
 (host ["www"] { root = "${inputs.website.packages.${pkgs.system}.default}/"; })
- (proxy ["matrix"] "http://localhost:${s ports.matrix.listener}" {})
+ (host ["matrix"] {
+ enableACME = lib.mkForce false;
+ locations."/_synapse".proxyPass = "http://$synapse_backend";
+ })
 (host ["madmin"] { root = "${pkgs.synapse-admin}/"; })
 # (host ["cache"] { root = "/var/lib/nix-cache"; })
 (proxy ["git"] "http://localhost:${s ports.gitea}" {})
diff --git a/secrets/default.yaml b/secrets/default.yaml
index ba026c3..c89e2d8 100644
--- a/secrets/default.yaml
+++ b/secrets/default.yaml
@@ -2,6 +2,8 @@ headscale:
 oauth_secret: ""
 hedgedoc:
 env: ENC[AES256_GCM,data:4i2I7S5hKp3mjROMwa3WQinbgmxXhKzSaWspzF12TIDm9g3Bgie0jfSxbDuPjJYq1mZ8oQ2Jzdi2N+Q4blOk9fZO3VREoU0qFrfqm8RqBw3a7hpisXzu9okYnzrW2JiVxNGWwZbuiCG1SzdMOMHq/ZqLEJdu7Pxm9cY9xBSZthap1DCFyr7dmjHt3AnEQemsDpxSaWKD2Dfs1gyA23rLAFBd,iv:lfB6uaXULUNme7cGyN+bKuXPsbgpjMrxrRy2L96HltY=,tag:uu37bZ4g/PA2mgzs3ioLCQ==,type:str]
+cloudflare:
+ api-key: ENC[AES256_GCM,data:dqKGLnIlPAgBNTxcRo6Q55hKoe8Qg9UCmDvJioJdhBxmjTXQrf0LFL/iMC73K+Kj0ejuzBRJaqfN6548aZZTSDb8hPTygh7PEILqdxNrap9uDm229eJM/zrShOIRaNLH,iv:pUkuU3Es20ujDtOYfGZodxEUZSlfAe/45ewEkPG1GP4=,tag:sA7nMLldPRRo0jwcdF34ng==,type:str]
 sops:
 kms: []
 gcp_kms: []
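Review bot: The new matrix vhost only proxies `locations."/_synapse"`, while the removed `proxy ["matrix"]` entry forwarded every path to the synapse listener, so `/_matrix/*` client and federation requests now fall through to the vhost's default root unless another file adds those locations — worth confirming before merging. `proxyPass = "http://$synapse_backend"` uses an nginx variable, which requires `$synapse_backend` to be defined (typically a `map` in `httpConfig`) and, if its value is a hostname rather than an IP or named upstream, a `resolver` directive as well; neither is visible in this hunk. `enableACME = lib.mkForce false;` implies some other definition of this vhost turns ACME on, which would clash with the `useACMEHost` the `host` helper sets since the nginx module treats the two as mutually exclusive; a comment naming that other definition, e.g. `# another module enables ACME for this vhost; the shared wildcard cert via useACMEHost is used instead`, would explain why the force is needed. The enclosing `services.nginx` definition starts and ends outside this hunk.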
@@ -17,8 +19,8 @@ sops:
 UE1YWkplaFBhV01CU0FDYTQ3NlkwVkUKMJyCfyh/vcj/VU7shtFF4YRRVaWdcMNh
 rp9lZmRZpc9mARXYAj9RlkI/uuSzxshtqb5AGXKmSV0hncazxu75kg==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2023-03-07T12:35:57Z"
- mac: ENC[AES256_GCM,data:jKRXsFeyqRVkU4yGpVm4iOrXZV5mnWC7c63ifKmWJR/eMH1M5I7nKrrn7RA9DjZcwBnWyO5HcYk/NjjMP5HZbSmUMEafKBs3GpZDFziGG4eQSgZdca4MSNXwAqtQqYwtjsixww637uwSycwdf+9cphSBGhsdFOctaIsOuuheZEc=,iv:KDhnBg9+mZWyaKsiijITAkyvyx8eFsflBB0+jbY6aZQ=,tag:qJxf5RUb/5hzXI8pjGgLFw==,type:str]
+ lastmodified: "2023-03-08T13:37:44Z"
+ mac: ENC[AES256_GCM,data:SrdyqQbOyFct6Hj+fBgAz4MBbHOKDvSKF4OsRgq4/byI7BTdtRaFD1tq0nndP84xfapiLhd8o6f2ZrncyrYkciNiZcFN2Dj7lAg8LOuIpYeh/TTOLsWXTyfjJ7rK2x845kEDoR9oTWUDM2yKFrvIZzZuxavDw71eEYzg2QxJCAI=,iv:quIGgipT59h8PwlYcDKd8K5pW0TPXM3T+lvdegLkwKk=,tag:Yv+Yg5tSOhuL3/iSbJMT1Q==,type:str]
 pgp:
 - created_at: "2023-03-07T12:32:53Z"
 enc: |