oysteikt/nix-dotfiles
oysteikt
/
nix-dotfiles
2
1
Fork 0
Code Issues Pull Requests Activity

tsuki: configure wildcard certs for nginx

This commit is contained in:
Oystein Kristoffer Tveit 2023-03-08 14:32:39 +01:00
parent ebd854a0ae
commit 7a0fcf7805
Signed by: oysteikt
GPG Key ID: 9F2F7D8250F35146
3 changed files with 34 additions and 22 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
hosts/tsuki/services/kanidm.nix
View File

@ -1,10 +1,12 @@
{ pkgs, config, ... }: let { pkgs, config, ... }: let
cfg = config.services.kanidm; cfg = config.services.kanidm;
in { in {
systemd.services.kanidm = { systemd.services.kanidm = let
requires = [ "acme-finished-${cfg.serverSettings.domain}.target" ]; certName = config.services.nginx.virtualHosts.${cfg.serverSettings.domain}.useACMEHost;
in {
requires = [ "acme-finished-${certName}.target" ];
serviceConfig.LoadCredential = let serviceConfig.LoadCredential = let
certDir = config.security.acme.certs.${cfg.serverSettings.domain}.directory; certDir = config.security.acme.certs.${certName}.directory;
in [ in [
"fullchain.pem:${certDir}/fullchain.pem" "fullchain.pem:${certDir}/fullchain.pem"
"key.pem:${certDir}/key.pem" "key.pem:${certDir}/key.pem"

42
hosts/tsuki/services/nginx/default.nix
View File

@ -6,14 +6,22 @@
inherit (secrets) ips ports; inherit (secrets) ips ports;
in in
{ {
sops.secrets."cloudflare/api-key" = {};
# All of these nginx endpoints are hosted through a cloudflare proxy. security.acme = {
# This has several implications for the configuration: acceptTerms = true;
# - The sites I want to protect using a client side certificate needs to defaults = {
# use a client side certificate given by cloudflare, since the client cert set here email = "h7x4@nani.wtf";
# only works to secure communication between nginx and cloudflare dnsProvider = "cloudflare";
# - I don't need to redirect http traffic to https manually, as cloudflare does it for me credentialsFile = config.sops.secrets."cloudflare/api-key".path;
# - I don't need to request ACME certificates manually, as cloudflare does it for me. dnsPropagationCheck = true;
};
certs."nani.wtf" = {
extraDomainNames = [ "*.nani.wtf" ];
};
};
users.groups.${config.security.acme.certs."nani.wtf".group}.members = [ "nginx" ];
services.nginx = let services.nginx = let
generateServerAliases = generateServerAliases =
@ -46,9 +54,8 @@
subdomains: extraSettings: let subdomains: extraSettings: let
settings = with keys.certificates; { settings = with keys.certificates; {
serverAliases = drop 1 (generateServerAliases domains subdomains); serverAliases = drop 1 (generateServerAliases domains subdomains);
onlySSL = true; useACMEHost = "nani.wtf";
sslCertificate = server.crt; forceSSL = true;
sslCertificateKey = server.key;
extraConfig = '' extraConfig = ''
ssl_client_certificate ${cloudflare-origin-pull-ca}; ssl_client_certificate ${cloudflare-origin-pull-ca};
@ -77,22 +84,23 @@
}; };
}; };
onlySSL = true; useACMEHost = "nani.wtf";
forceSSL = true;
sslCertificate = keys.certificates.server.crt;
sslCertificateKey = keys.certificates.server.key;
extraConfig = '' extraConfig = ''
ssl_client_certificate ${cloudflare-origin-pull-ca};
ssl_verify_client on;
add_header Access-Control-Allow-Origin *; add_header Access-Control-Allow-Origin *;
default_type text/plain; default_type text/plain;
ssl_client_certificate ${cloudflare-origin-pull-ca};
ssl_verify_client on;
''; '';
}; };
} }
(proxy ["plex"] "http://localhost:${s ports.plex}" {}) (proxy ["plex"] "http://localhost:${s ports.plex}" {})
(host ["www"] { root = "${inputs.website.packages.${pkgs.system}.default}/"; }) (host ["www"] { root = "${inputs.website.packages.${pkgs.system}.default}/"; })
(proxy ["matrix"] "http://localhost:${s ports.matrix.listener}" {}) (host ["matrix"] {
enableACME = lib.mkForce false;
locations."/_synapse".proxyPass = "http://$synapse_backend";
})
(host ["madmin"] { root = "${pkgs.synapse-admin}/"; }) (host ["madmin"] { root = "${pkgs.synapse-admin}/"; })
# (host ["cache"] { root = "/var/lib/nix-cache"; }) # (host ["cache"] { root = "/var/lib/nix-cache"; })
(proxy ["git"] "http://localhost:${s ports.gitea}" {}) (proxy ["git"] "http://localhost:${s ports.gitea}" {})

6
secrets/default.yaml
View File

@ -2,6 +2,8 @@ headscale:
oauth_secret: "" oauth_secret: ""
hedgedoc: hedgedoc:
env: ENC[AES256_GCM,data:4i2I7S5hKp3mjROMwa3WQinbgmxXhKzSaWspzF12TIDm9g3Bgie0jfSxbDuPjJYq1mZ8oQ2Jzdi2N+Q4blOk9fZO3VREoU0qFrfqm8RqBw3a7hpisXzu9okYnzrW2JiVxNGWwZbuiCG1SzdMOMHq/ZqLEJdu7Pxm9cY9xBSZthap1DCFyr7dmjHt3AnEQemsDpxSaWKD2Dfs1gyA23rLAFBd,iv:lfB6uaXULUNme7cGyN+bKuXPsbgpjMrxrRy2L96HltY=,tag:uu37bZ4g/PA2mgzs3ioLCQ==,type:str] env: ENC[AES256_GCM,data:4i2I7S5hKp3mjROMwa3WQinbgmxXhKzSaWspzF12TIDm9g3Bgie0jfSxbDuPjJYq1mZ8oQ2Jzdi2N+Q4blOk9fZO3VREoU0qFrfqm8RqBw3a7hpisXzu9okYnzrW2JiVxNGWwZbuiCG1SzdMOMHq/ZqLEJdu7Pxm9cY9xBSZthap1DCFyr7dmjHt3AnEQemsDpxSaWKD2Dfs1gyA23rLAFBd,iv:lfB6uaXULUNme7cGyN+bKuXPsbgpjMrxrRy2L96HltY=,tag:uu37bZ4g/PA2mgzs3ioLCQ==,type:str]
cloudflare:
api-key: ENC[AES256_GCM,data:dqKGLnIlPAgBNTxcRo6Q55hKoe8Qg9UCmDvJioJdhBxmjTXQrf0LFL/iMC73K+Kj0ejuzBRJaqfN6548aZZTSDb8hPTygh7PEILqdxNrap9uDm229eJM/zrShOIRaNLH,iv:pUkuU3Es20ujDtOYfGZodxEUZSlfAe/45ewEkPG1GP4=,tag:sA7nMLldPRRo0jwcdF34ng==,type:str]
sops: sops:
kms: [] kms: []
gcp_kms: [] gcp_kms: []
@ -17,8 +19,8 @@ sops:
UE1YWkplaFBhV01CU0FDYTQ3NlkwVkUKMJyCfyh/vcj/VU7shtFF4YRRVaWdcMNh UE1YWkplaFBhV01CU0FDYTQ3NlkwVkUKMJyCfyh/vcj/VU7shtFF4YRRVaWdcMNh
rp9lZmRZpc9mARXYAj9RlkI/uuSzxshtqb5AGXKmSV0hncazxu75kg== rp9lZmRZpc9mARXYAj9RlkI/uuSzxshtqb5AGXKmSV0hncazxu75kg==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2023-03-07T12:35:57Z" lastmodified: "2023-03-08T13:37:44Z"
mac: ENC[AES256_GCM,data:jKRXsFeyqRVkU4yGpVm4iOrXZV5mnWC7c63ifKmWJR/eMH1M5I7nKrrn7RA9DjZcwBnWyO5HcYk/NjjMP5HZbSmUMEafKBs3GpZDFziGG4eQSgZdca4MSNXwAqtQqYwtjsixww637uwSycwdf+9cphSBGhsdFOctaIsOuuheZEc=,iv:KDhnBg9+mZWyaKsiijITAkyvyx8eFsflBB0+jbY6aZQ=,tag:qJxf5RUb/5hzXI8pjGgLFw==,type:str] mac: ENC[AES256_GCM,data:SrdyqQbOyFct6Hj+fBgAz4MBbHOKDvSKF4OsRgq4/byI7BTdtRaFD1tq0nndP84xfapiLhd8o6f2ZrncyrYkciNiZcFN2Dj7lAg8LOuIpYeh/TTOLsWXTyfjJ7rK2x845kEDoR9oTWUDM2yKFrvIZzZuxavDw71eEYzg2QxJCAI=,iv:quIGgipT59h8PwlYcDKd8K5pW0TPXM3T+lvdegLkwKk=,tag:Yv+Yg5tSOhuL3/iSbJMT1Q==,type:str]
pgp: pgp:
- created_at: "2023-03-07T12:32:53Z" - created_at: "2023-03-07T12:32:53Z"
enc: | enc: |