tsuki: configure wildcard certs for nginx

This commit is contained in:
Oystein Kristoffer Tveit 2023-03-08 14:32:39 +01:00
parent ebd854a0ae
commit 7a0fcf7805
Signed by: oysteikt
GPG Key ID: 9F2F7D8250F35146
3 changed files with 34 additions and 22 deletions

View File

@ -1,10 +1,12 @@
{ pkgs, config, ... }: let
cfg = config.services.kanidm;
in {
systemd.services.kanidm = {
requires = [ "acme-finished-${cfg.serverSettings.domain}.target" ];
systemd.services.kanidm = let
certName = config.services.nginx.virtualHosts.${cfg.serverSettings.domain}.useACMEHost;
in {
requires = [ "acme-finished-${certName}.target" ];
serviceConfig.LoadCredential = let
certDir = config.security.acme.certs.${cfg.serverSettings.domain}.directory;
certDir = config.security.acme.certs.${certName}.directory;
in [
"fullchain.pem:${certDir}/fullchain.pem"
"key.pem:${certDir}/key.pem"

View File

@ -6,14 +6,22 @@
inherit (secrets) ips ports;
in
{
sops.secrets."cloudflare/api-key" = {};
# All of these nginx endpoints are hosted through a cloudflare proxy.
# This has several implications for the configuration:
# - The sites I want to protect using a client side certificate needs to
# use a client side certificate given by cloudflare, since the client cert set here
# only works to secure communication between nginx and cloudflare
# - I don't need to redirect http traffic to https manually, as cloudflare does it for me
# - I don't need to request ACME certificates manually, as cloudflare does it for me.
security.acme = {
acceptTerms = true;
defaults = {
email = "h7x4@nani.wtf";
dnsProvider = "cloudflare";
credentialsFile = config.sops.secrets."cloudflare/api-key".path;
dnsPropagationCheck = true;
};
certs."nani.wtf" = {
extraDomainNames = [ "*.nani.wtf" ];
};
};
users.groups.${config.security.acme.certs."nani.wtf".group}.members = [ "nginx" ];
services.nginx = let
generateServerAliases =
@ -46,9 +54,8 @@
subdomains: extraSettings: let
settings = with keys.certificates; {
serverAliases = drop 1 (generateServerAliases domains subdomains);
onlySSL = true;
sslCertificate = server.crt;
sslCertificateKey = server.key;
useACMEHost = "nani.wtf";
forceSSL = true;
extraConfig = ''
ssl_client_certificate ${cloudflare-origin-pull-ca};
@ -77,22 +84,23 @@
};
};
onlySSL = true;
sslCertificate = keys.certificates.server.crt;
sslCertificateKey = keys.certificates.server.key;
useACMEHost = "nani.wtf";
forceSSL = true;
extraConfig = ''
ssl_client_certificate ${cloudflare-origin-pull-ca};
ssl_verify_client on;
add_header Access-Control-Allow-Origin *;
default_type text/plain;
ssl_client_certificate ${cloudflare-origin-pull-ca};
ssl_verify_client on;
'';
};
}
(proxy ["plex"] "http://localhost:${s ports.plex}" {})
(host ["www"] { root = "${inputs.website.packages.${pkgs.system}.default}/"; })
(proxy ["matrix"] "http://localhost:${s ports.matrix.listener}" {})
(host ["matrix"] {
enableACME = lib.mkForce false;
locations."/_synapse".proxyPass = "http://$synapse_backend";
})
(host ["madmin"] { root = "${pkgs.synapse-admin}/"; })
# (host ["cache"] { root = "/var/lib/nix-cache"; })
(proxy ["git"] "http://localhost:${s ports.gitea}" {})

View File

@ -2,6 +2,8 @@ headscale:
oauth_secret: ""
hedgedoc:
env: ENC[AES256_GCM,data:4i2I7S5hKp3mjROMwa3WQinbgmxXhKzSaWspzF12TIDm9g3Bgie0jfSxbDuPjJYq1mZ8oQ2Jzdi2N+Q4blOk9fZO3VREoU0qFrfqm8RqBw3a7hpisXzu9okYnzrW2JiVxNGWwZbuiCG1SzdMOMHq/ZqLEJdu7Pxm9cY9xBSZthap1DCFyr7dmjHt3AnEQemsDpxSaWKD2Dfs1gyA23rLAFBd,iv:lfB6uaXULUNme7cGyN+bKuXPsbgpjMrxrRy2L96HltY=,tag:uu37bZ4g/PA2mgzs3ioLCQ==,type:str]
cloudflare:
api-key: ENC[AES256_GCM,data:dqKGLnIlPAgBNTxcRo6Q55hKoe8Qg9UCmDvJioJdhBxmjTXQrf0LFL/iMC73K+Kj0ejuzBRJaqfN6548aZZTSDb8hPTygh7PEILqdxNrap9uDm229eJM/zrShOIRaNLH,iv:pUkuU3Es20ujDtOYfGZodxEUZSlfAe/45ewEkPG1GP4=,tag:sA7nMLldPRRo0jwcdF34ng==,type:str]
sops:
kms: []
gcp_kms: []
@ -17,8 +19,8 @@ sops:
UE1YWkplaFBhV01CU0FDYTQ3NlkwVkUKMJyCfyh/vcj/VU7shtFF4YRRVaWdcMNh
rp9lZmRZpc9mARXYAj9RlkI/uuSzxshtqb5AGXKmSV0hncazxu75kg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-03-07T12:35:57Z"
mac: ENC[AES256_GCM,data:jKRXsFeyqRVkU4yGpVm4iOrXZV5mnWC7c63ifKmWJR/eMH1M5I7nKrrn7RA9DjZcwBnWyO5HcYk/NjjMP5HZbSmUMEafKBs3GpZDFziGG4eQSgZdca4MSNXwAqtQqYwtjsixww637uwSycwdf+9cphSBGhsdFOctaIsOuuheZEc=,iv:KDhnBg9+mZWyaKsiijITAkyvyx8eFsflBB0+jbY6aZQ=,tag:qJxf5RUb/5hzXI8pjGgLFw==,type:str]
lastmodified: "2023-03-08T13:37:44Z"
mac: ENC[AES256_GCM,data:SrdyqQbOyFct6Hj+fBgAz4MBbHOKDvSKF4OsRgq4/byI7BTdtRaFD1tq0nndP84xfapiLhd8o6f2ZrncyrYkciNiZcFN2Dj7lAg8LOuIpYeh/TTOLsWXTyfjJ7rK2x845kEDoR9oTWUDM2yKFrvIZzZuxavDw71eEYzg2QxJCAI=,iv:quIGgipT59h8PwlYcDKd8K5pW0TPXM3T+lvdegLkwKk=,tag:Yv+Yg5tSOhuL3/iSbJMT1Q==,type:str]
pgp:
- created_at: "2023-03-07T12:32:53Z"
enc: |