feat(hosts/granodomus-lima): use acme for SSL on exposed host
parent
062e26796e
commit
addfd6453d
|
@ -4,15 +4,10 @@
|
|||
config,
|
||||
...
|
||||
}: let
|
||||
sopsPath = key: config.sops.secrets.${key}.path;
|
||||
|
||||
mkVirtHost = certificateName:
|
||||
lib.attrsets.recursiveUpdate {
|
||||
forceSSL = true;
|
||||
sslTrustedCertificate = pkgs.writeText "ca.crt" (builtins.readFile ../secrets/ca.crt);
|
||||
sslCertificateKey = sopsPath "certificate-key-${certificateName}";
|
||||
sslCertificate = pkgs.writeText "${certificateName}.crt" (builtins.readFile ../secrets/pub/${certificateName}.crt);
|
||||
};
|
||||
mkVirtHost = lib.attrsets.recursiveUpdate {
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
};
|
||||
in {
|
||||
imports = [
|
||||
../hardware/netcup-vps-200-g10.nix
|
||||
|
@ -41,7 +36,7 @@ in {
|
|||
enable = true;
|
||||
ignoreIP = let
|
||||
vpn = (builtins.import ../state.nix).vpn;
|
||||
extractIPs = host: config: [config.v4 config.v6];
|
||||
extractIPs = _: config: [config.v4 config.v6];
|
||||
in
|
||||
lib.flatten (lib.attrsets.mapAttrsToList extractIPs vpn);
|
||||
};
|
||||
|
@ -51,10 +46,10 @@ in {
|
|||
|
||||
services.nginx.virtualHosts = let
|
||||
services = (builtins.import ../state.nix).services;
|
||||
removeUnexposed = lib.attrsets.filterAttrs (name: config: config ? "external" && config.external);
|
||||
removeUnexposed = lib.attrsets.filterAttrs (_: config: config ? "external" && config.external);
|
||||
createVirtHost = name: config: {
|
||||
name = "${name}.tammena.me";
|
||||
value = mkVirtHost "${name}-tammena-me" {
|
||||
value = mkVirtHost {
|
||||
locations."/" = {
|
||||
proxyPass = "http://${config.host}:${builtins.toString config.port}";
|
||||
proxyWebsockets = true;
|
||||
|
@ -65,7 +60,7 @@ in {
|
|||
lib.mapAttrs' createVirtHost (removeUnexposed services);
|
||||
|
||||
sops.secrets =
|
||||
lib.mapAttrs' (name: config: {
|
||||
lib.mapAttrs' (name: _: {
|
||||
name = "certificate-key-${name}-tammena-me";
|
||||
value = {
|
||||
owner = "nginx";
|
||||
|
@ -74,27 +69,6 @@ in {
|
|||
})
|
||||
(builtins.import ../state.nix).services;
|
||||
|
||||
# services.nginx.virtualHosts = {
|
||||
# "config.tammena.me" = mkVirtHost "config-tammena-me" {
|
||||
# locations."/" = {
|
||||
# proxyPass = "https://config.home";
|
||||
# proxyWebsockets = true;
|
||||
# };
|
||||
# };
|
||||
# "todo.tammena.me" = mkVirtHost "todo-tammena-me" {
|
||||
# locations."/" = {
|
||||
# proxyPass = "https://todo.home";
|
||||
# proxyWebsockets = true;
|
||||
# };
|
||||
# };
|
||||
# "time.tammena.me" = mkVirtHost "time-tammena-me" {
|
||||
# locations."/" = {
|
||||
# proxyPass = "https://time.home";
|
||||
# proxyWebsockets = true;
|
||||
# };
|
||||
# };
|
||||
# };
|
||||
|
||||
services.qemuGuest.enable = true;
|
||||
|
||||
services.bind = {
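Review bot: The `sops.secrets` mapping in hunk `@ -65,7 +60,7 @@` (continued in `@ -74,27 +69,6 @@`, where it iterates `(builtins.import ../state.nix).services`) still declares a `certificate-key-${name}-tammena-me` secret with `owner = "nginx"` for every service, but after this change nothing consumes them: `sopsPath` is deleted in the first hunk and the new `mkVirtHost` only sets `forceSSL` and `enableACME`. Those private keys are still decrypted onto the host for no reader, so the whole `sops.secrets = lib.mapAttrs' ...` block (and the matching entries in whatever secrets file they come from) should go in the same commit that deletes the public `.crt` files. Separately, `enableACME = true` only evaluates if `security.acme.acceptTerms` and an ACME e-mail (`security.acme.defaults.email`) are set somewhere in the host configuration; neither is visible in this commit, so either confirm they exist or add them next to the new `mkVirtHost`, and the same prerequisite applies to the `cal.tammena.me` vhost in the radicale module below. A short comment on the new definition would help future readers, e.g. `# TLS via ACME (HTTP-01 on port 80): needs security.acme.acceptTerms and an ACME e-mail on the host`.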
|
||||
|
|
|
@ -1,5 +1,4 @@
|
|||
{
|
||||
pkgs,
|
||||
config,
|
||||
lib,
|
||||
...
|
||||
|
@ -7,8 +6,6 @@
|
|||
internalPort = 5232;
|
||||
cfg = config.services.radicaleWithInfcloud;
|
||||
|
||||
sopsPath = key: config.sops.secrets.${key}.path;
|
||||
|
||||
htpasswd_filename = "/etc/radicale/users";
|
||||
in {
|
||||
options.services."radicaleWithInfcloud" = with lib; {
|
||||
|
@ -54,13 +51,9 @@ in {
|
|||
};
|
||||
|
||||
# Enable nginx proxy with ACME
|
||||
services.nginx.virtualHosts."cal.tammena.me" = let
|
||||
certificateName = "cal-tammena-me";
|
||||
in {
|
||||
services.nginx.virtualHosts."cal.tammena.me" = {
|
||||
forceSSL = true;
|
||||
sslTrustedCertificate = pkgs.writeText "ca.crt" (builtins.readFile ../secrets/ca.crt);
|
||||
sslCertificateKey = sopsPath "certificate-key-${certificateName}";
|
||||
sslCertificate = pkgs.writeText "${certificateName}.crt" (builtins.readFile ../secrets/pub/${certificateName}.crt);
|
||||
enableACME = true;
|
||||
locations."/" = {
|
||||
proxyPass = "http://[::1]:${builtins.toString internalPort}";
|
||||
};
|
||||
|
|
|
@ -1,11 +0,0 @@
|
|||
-----BEGIN CERTIFICATE-----
|
||||
MIIBqDCCAU2gAwIBAgIUN1xAqAk8fpv1fe3pekGIEjhmpiowCgYIKoZIzj0EAwIw
|
||||
FTETMBEGA1UEAwwKTXkgSG9tZSBDQTAeFw0yMzExMDYyMTM5NThaFw0yNDExMDUy
|
||||
MTM5NThaMBExDzANBgNVBAMMBiouaG9tZTBZMBMGByqGSM49AgEGCCqGSM49AwEH
|
||||
A0IABDVTB1SfuQbqUaM4QICW22kbbi4/RjV2G8su1fuQeMsa6YCp3Skl+NsnX24m
|
||||
dhI+8IDyukxrco3KBqkoQ4DVpaejfzB9MAsGA1UdDwQEAwIF4DATBgNVHSUEDDAK
|
||||
BggrBgEFBQcDATAZBgNVHREEEjAQgg5jYWwudGFtbWVuYS5tZTAdBgNVHQ4EFgQU
|
||||
qwzA7/SfmMN/ae/s+npixYFZbtMwHwYDVR0jBBgwFoAUAPrcD9smsvgt1yQ7GbIi
|
||||
rWWZT6swCgYIKoZIzj0EAwIDSQAwRgIhAMp4+2+ZbBEqEWoc5e8x6HvDwFc9v0Hq
|
||||
DjyiRM9nOIHHAiEAygDCeTVbLil/CnyoaBzZ0ueujKhXHTivnswLX05YUkM=
|
||||
-----END CERTIFICATE-----
|
|
@ -1,11 +0,0 @@
|
|||
-----BEGIN CERTIFICATE-----
|
||||
MIIBqzCCAVKgAwIBAgIUbhftS4D+aE8zrKZZ1oEmbr1VIIowCgYIKoZIzj0EAwIw
|
||||
FTETMBEGA1UEAwwKTXkgSG9tZSBDQTAeFw0yMzExMDYyMTQwMDRaFw0yNDExMDUy
|
||||
MTQwMDRaMBExDzANBgNVBAMMBiouaG9tZTBZMBMGByqGSM49AgEGCCqGSM49AwEH
|
||||
A0IABBsrwKiLkWKz+InN/fY5weBuBqm79ANXvAR3yckbCfd2uPMnuQG2zqjsTniF
|
||||
RdRMiVoVga4dOCwvO38lcQv0/06jgYMwgYAwCwYDVR0PBAQDAgXgMBMGA1UdJQQM
|
||||
MAoGCCsGAQUFBwMBMBwGA1UdEQQVMBOCEWNvbmZpZy50YW1tZW5hLm1lMB0GA1Ud
|
||||
DgQWBBRYof6XYSynBDKsuu+euj0Y3YjPEDAfBgNVHSMEGDAWgBQA+twP2yay+C3X
|
||||
JDsZsiKtZZlPqzAKBggqhkjOPQQDAgNHADBEAiBw4dTvjO+zYPsv1fnvtFAI4wnO
|
||||
NhcGQw7NLZuElGHU3wIgAzXOWFCaI2GVE7F6UFU2RMDdODrCNzsmWGpQc/q7xjA=
|
||||
-----END CERTIFICATE-----
|
|
@ -1,11 +0,0 @@
|
|||
-----BEGIN CERTIFICATE-----
|
||||
MIIBpzCCAU2gAwIBAgIUIt5Vq8vD0KgXL3se9tfMDDf3WIswCgYIKoZIzj0EAwIw
|
||||
FTETMBEGA1UEAwwKTXkgSG9tZSBDQTAeFw0yMzExMDYyMTQwMDlaFw0yNDExMDUy
|
||||
MTQwMDlaMBExDzANBgNVBAMMBiouaG9tZTBZMBMGByqGSM49AgEGCCqGSM49AwEH
|
||||
A0IABJ3oh7A2Fh1wWZVv9e40cgEzUHokHWxnlgFERgHJ6K3Vj9T7OkZxnBbrbMJb
|
||||
8THwaiPMXLFmxNvYzpB/VEEjXRCjfzB9MAsGA1UdDwQEAwIF4DATBgNVHSUEDDAK
|
||||
BggrBgEFBQcDATAZBgNVHREEEjAQgg5naXQudGFtbWVuYS5tZTAdBgNVHQ4EFgQU
|
||||
tpzJcISsrz5pWeqdQqXOMiU3A9owHwYDVR0jBBgwFoAUAPrcD9smsvgt1yQ7GbIi
|
||||
rWWZT6swCgYIKoZIzj0EAwIDSAAwRQIgLxPAFIR91qfY3c8MVW9aDHP+H9FIFV7J
|
||||
O4ziCiysrWwCIQDZu7wd79qjmbpi9hZ7mhJgnVzPyWlSYOcoAhBSbhADLw==
|
||||
-----END CERTIFICATE-----
|
|
@ -1,11 +0,0 @@
|
|||
-----BEGIN CERTIFICATE-----
|
||||
MIIBqjCCAU+gAwIBAgIUdtzKCtg60ov4uv9wq8BUoY7AzfcwCgYIKoZIzj0EAwIw
|
||||
FTETMBEGA1UEAwwKTXkgSG9tZSBDQTAeFw0yMzExMDYyMTQwMTRaFw0yNDExMDUy
|
||||
MTQwMTRaMBExDzANBgNVBAMMBiouaG9tZTBZMBMGByqGSM49AgEGCCqGSM49AwEH
|
||||
A0IABBYmlSt8Dvn/UEXBrEPr4P2tgJ/KB39eW+8VYviRbVU3cRT9E4SkQlvP2GNy
|
||||
ubme0/fdhXGPR5IBkgxFVsjZ3JujgYAwfjALBgNVHQ8EBAMCBeAwEwYDVR0lBAww
|
||||
CgYIKwYBBQUHAwEwGgYDVR0RBBMwEYIPcmVhZC50YW1tZW5hLm1lMB0GA1UdDgQW
|
||||
BBTC7uwuHtWPvvLuJNPEuHI5yZ34jzAfBgNVHSMEGDAWgBQA+twP2yay+C3XJDsZ
|
||||
siKtZZlPqzAKBggqhkjOPQQDAgNJADBGAiEA9X4uGMe6bePVZgJEFvMIYim2290+
|
||||
pWSEUu8nMfKHp9UCIQCYsAzzE0+xvHsY/ji/MaaPewfTGiP9wRw+Aj071QFSLg==
|
||||
-----END CERTIFICATE-----
|
|
@ -1,11 +0,0 @@
|
|||
-----BEGIN CERTIFICATE-----
|
||||
MIIBqTCCAU+gAwIBAgIUVzphXFAp3znAnDTnN/dc4xp2n7EwCgYIKoZIzj0EAwIw
|
||||
FTETMBEGA1UEAwwKTXkgSG9tZSBDQTAeFw0yMzExMDYyMTQwMTlaFw0yNDExMDUy
|
||||
MTQwMTlaMBExDzANBgNVBAMMBiouaG9tZTBZMBMGByqGSM49AgEGCCqGSM49AwEH
|
||||
A0IABEKyJMoIKHu5Ia8u28PpnhFKKb+Rfny6Yd9AmoDM6PYwGCTnUHW++WvkGknq
|
||||
SC9Z4Fctsf7xHLZF++vQoy1o2p6jgYAwfjALBgNVHQ8EBAMCBeAwEwYDVR0lBAww
|
||||
CgYIKwYBBQUHAwEwGgYDVR0RBBMwEYIPdGltZS50YW1tZW5hLm1lMB0GA1UdDgQW
|
||||
BBQfyn6d6feTl3IwdO/zTwGyZec7qTAfBgNVHSMEGDAWgBQA+twP2yay+C3XJDsZ
|
||||
siKtZZlPqzAKBggqhkjOPQQDAgNIADBFAiEAqamkuEOQ3ONO2JQZgPmiw+W+MhAk
|
||||
Mx8f1Dh4Kpf8OfACICU2y+1OAziJDlnM56xyQvBmKVSJkZykOoNAaZI8SoYe
|
||||
-----END CERTIFICATE-----
|
|
@ -1,11 +0,0 @@
|
|||
-----BEGIN CERTIFICATE-----
|
||||
MIIBqjCCAU+gAwIBAgIUEuZlqKfEB+axYUvr9ODqYWyTW9QwCgYIKoZIzj0EAwIw
|
||||
FTETMBEGA1UEAwwKTXkgSG9tZSBDQTAeFw0yMzExMDYyMTQwMjRaFw0yNDExMDUy
|
||||
MTQwMjRaMBExDzANBgNVBAMMBiouaG9tZTBZMBMGByqGSM49AgEGCCqGSM49AwEH
|
||||
A0IABONx/Qy4ukmMr/xx/onP7JsxLEx1L/IuKrrTJdcMKQw3KWdmLnZhmhCDaggO
|
||||
d5kPri7fH3i6WQeR+Yd6eOJiVMujgYAwfjALBgNVHQ8EBAMCBeAwEwYDVR0lBAww
|
||||
CgYIKwYBBQUHAwEwGgYDVR0RBBMwEYIPdG9kby50YW1tZW5hLm1lMB0GA1UdDgQW
|
||||
BBRiGgT0KmCURLb+c1Cv13zamYwJNDAfBgNVHSMEGDAWgBQA+twP2yay+C3XJDsZ
|
||||
siKtZZlPqzAKBggqhkjOPQQDAgNJADBGAiEAxvlQmrapCM59iE2czjK1C2E4IiLJ
|
||||
6jYm2OMqU3ToqWwCIQCkJA1cxvDf3yuLEXuFPUwkVOsbUG933HAxI2WIKTswRg==
|
||||
-----END CERTIFICATE-----
|