feat(hosts/granodomus-lima): use acme for SSL on exposed host
parent
062e26796e
commit
addfd6453d
|
@ -4,15 +4,10 @@
|
||||||
config,
|
config,
|
||||||
...
|
...
|
||||||
}: let
|
}: let
|
||||||
sopsPath = key: config.sops.secrets.${key}.path;
|
mkVirtHost = lib.attrsets.recursiveUpdate {
|
||||||
|
forceSSL = true;
|
||||||
mkVirtHost = certificateName:
|
enableACME = true;
|
||||||
lib.attrsets.recursiveUpdate {
|
};
|
||||||
forceSSL = true;
|
|
||||||
sslTrustedCertificate = pkgs.writeText "ca.crt" (builtins.readFile ../secrets/ca.crt);
|
|
||||||
sslCertificateKey = sopsPath "certificate-key-${certificateName}";
|
|
||||||
sslCertificate = pkgs.writeText "${certificateName}.crt" (builtins.readFile ../secrets/pub/${certificateName}.crt);
|
|
||||||
};
|
|
||||||
in {
|
in {
|
||||||
imports = [
|
imports = [
|
||||||
../hardware/netcup-vps-200-g10.nix
|
../hardware/netcup-vps-200-g10.nix
|
||||||
|
@ -41,7 +36,7 @@ in {
|
||||||
enable = true;
|
enable = true;
|
||||||
ignoreIP = let
|
ignoreIP = let
|
||||||
vpn = (builtins.import ../state.nix).vpn;
|
vpn = (builtins.import ../state.nix).vpn;
|
||||||
extractIPs = host: config: [config.v4 config.v6];
|
extractIPs = _: config: [config.v4 config.v6];
|
||||||
in
|
in
|
||||||
lib.flatten (lib.attrsets.mapAttrsToList extractIPs vpn);
|
lib.flatten (lib.attrsets.mapAttrsToList extractIPs vpn);
|
||||||
};
|
};
|
||||||
|
@ -51,10 +46,10 @@ in {
|
||||||
|
|
||||||
services.nginx.virtualHosts = let
|
services.nginx.virtualHosts = let
|
||||||
services = (builtins.import ../state.nix).services;
|
services = (builtins.import ../state.nix).services;
|
||||||
removeUnexposed = lib.attrsets.filterAttrs (name: config: config ? "external" && config.external);
|
removeUnexposed = lib.attrsets.filterAttrs (_: config: config ? "external" && config.external);
|
||||||
createVirtHost = name: config: {
|
createVirtHost = name: config: {
|
||||||
name = "${name}.tammena.me";
|
name = "${name}.tammena.me";
|
||||||
value = mkVirtHost "${name}-tammena-me" {
|
value = mkVirtHost {
|
||||||
locations."/" = {
|
locations."/" = {
|
||||||
proxyPass = "http://${config.host}:${builtins.toString config.port}";
|
proxyPass = "http://${config.host}:${builtins.toString config.port}";
|
||||||
proxyWebsockets = true;
|
proxyWebsockets = true;
|
||||||
|
@ -65,7 +60,7 @@ in {
|
||||||
lib.mapAttrs' createVirtHost (removeUnexposed services);
|
lib.mapAttrs' createVirtHost (removeUnexposed services);
|
||||||
|
|
||||||
sops.secrets =
|
sops.secrets =
|
||||||
lib.mapAttrs' (name: config: {
|
lib.mapAttrs' (name: _: {
|
||||||
name = "certificate-key-${name}-tammena-me";
|
name = "certificate-key-${name}-tammena-me";
|
||||||
value = {
|
value = {
|
||||||
owner = "nginx";
|
owner = "nginx";
|
||||||
|
@ -74,27 +69,6 @@ in {
|
||||||
})
|
})
|
||||||
(builtins.import ../state.nix).services;
|
(builtins.import ../state.nix).services;
|
||||||
|
|
||||||
# services.nginx.virtualHosts = {
|
|
||||||
# "config.tammena.me" = mkVirtHost "config-tammena-me" {
|
|
||||||
# locations."/" = {
|
|
||||||
# proxyPass = "https://config.home";
|
|
||||||
# proxyWebsockets = true;
|
|
||||||
# };
|
|
||||||
# };
|
|
||||||
# "todo.tammena.me" = mkVirtHost "todo-tammena-me" {
|
|
||||||
# locations."/" = {
|
|
||||||
# proxyPass = "https://todo.home";
|
|
||||||
# proxyWebsockets = true;
|
|
||||||
# };
|
|
||||||
# };
|
|
||||||
# "time.tammena.me" = mkVirtHost "time-tammena-me" {
|
|
||||||
# locations."/" = {
|
|
||||||
# proxyPass = "https://time.home";
|
|
||||||
# proxyWebsockets = true;
|
|
||||||
# };
|
|
||||||
# };
|
|
||||||
# };
|
|
||||||
|
|
||||||
services.qemuGuest.enable = true;
|
services.qemuGuest.enable = true;
|
||||||
|
|
||||||
services.bind = {
|
services.bind = {
|
||||||
|
|
|
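Review bot: The `sops.secrets` block (hunk `@ -65,7 +60,7 @@`) still provisions a `certificate-key-${name}-tammena-me` secret owned by `nginx` for every exposed service, but after this commit nothing consumes them: `mkVirtHost` no longer sets `sslCertificateKey`, and the `sopsPath` helper it went through is deleted in the first hunk. Those private keys are therefore still decrypted onto the host's filesystem with no reader, which is stale key material that should be removed together with the matching entries in the sops file. The `lib.mapAttrs'` expression starts in this hunk while its closing `})` and the `(builtins.import ../state.nix).services` argument sit in the following hunk. Separately, `enableACME = true` in the first hunk presumes `security.acme.acceptTerms` and a contact address under `security.acme.defaults` are set elsewhere on this host; that is not visible here, so a comment on `mkVirtHost` naming where they live would help the next reader.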
@ -1,5 +1,4 @@
|
||||||
{
|
{
|
||||||
pkgs,
|
|
||||||
config,
|
config,
|
||||||
lib,
|
lib,
|
||||||
...
|
...
|
||||||
|
@ -7,8 +6,6 @@
|
||||||
internalPort = 5232;
|
internalPort = 5232;
|
||||||
cfg = config.services.radicaleWithInfcloud;
|
cfg = config.services.radicaleWithInfcloud;
|
||||||
|
|
||||||
sopsPath = key: config.sops.secrets.${key}.path;
|
|
||||||
|
|
||||||
htpasswd_filename = "/etc/radicale/users";
|
htpasswd_filename = "/etc/radicale/users";
|
||||||
in {
|
in {
|
||||||
options.services."radicaleWithInfcloud" = with lib; {
|
options.services."radicaleWithInfcloud" = with lib; {
|
||||||
|
@ -54,13 +51,9 @@ in {
|
||||||
};
|
};
|
||||||
|
|
||||||
# Enable nginx proxy with ACME
|
# Enable nginx proxy with ACME
|
||||||
services.nginx.virtualHosts."cal.tammena.me" = let
|
services.nginx.virtualHosts."cal.tammena.me" = {
|
||||||
certificateName = "cal-tammena-me";
|
|
||||||
in {
|
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
sslTrustedCertificate = pkgs.writeText "ca.crt" (builtins.readFile ../secrets/ca.crt);
|
enableACME = true;
|
||||||
sslCertificateKey = sopsPath "certificate-key-${certificateName}";
|
|
||||||
sslCertificate = pkgs.writeText "${certificateName}.crt" (builtins.readFile ../secrets/pub/${certificateName}.crt);
|
|
||||||
locations."/" = {
|
locations."/" = {
|
||||||
proxyPass = "http://[::1]:${builtins.toString internalPort}";
|
proxyPass = "http://[::1]:${builtins.toString internalPort}";
|
||||||
};
|
};
|
||||||
|
|
|
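Review bot: The virtual host now relies on `enableACME = true` (hunk `@ -54,13 +51,9 @@`) but this module neither sets nor asserts the host-level ACME prerequisites (`security.acme.acceptTerms` and a contact address under `security.acme.defaults`), so any host importing it fails evaluation unless those are configured elsewhere, which this diff does not show. The existing comment `# Enable nginx proxy with ACME` would carry that contract if extended to `# Enable nginx proxy with ACME; the importing host must set security.acme.acceptTerms and security.acme.defaults.email`. Since `pkgs` was dropped from the module arguments in the first hunk, it is also worth confirming that no reference to `pkgs` survives in the unchanged remainder of the file.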
@ -1,11 +0,0 @@
|
||||||
-----BEGIN CERTIFICATE-----
|
|
||||||
MIIBqDCCAU2gAwIBAgIUN1xAqAk8fpv1fe3pekGIEjhmpiowCgYIKoZIzj0EAwIw
|
|
||||||
FTETMBEGA1UEAwwKTXkgSG9tZSBDQTAeFw0yMzExMDYyMTM5NThaFw0yNDExMDUy
|
|
||||||
MTM5NThaMBExDzANBgNVBAMMBiouaG9tZTBZMBMGByqGSM49AgEGCCqGSM49AwEH
|
|
||||||
A0IABDVTB1SfuQbqUaM4QICW22kbbi4/RjV2G8su1fuQeMsa6YCp3Skl+NsnX24m
|
|
||||||
dhI+8IDyukxrco3KBqkoQ4DVpaejfzB9MAsGA1UdDwQEAwIF4DATBgNVHSUEDDAK
|
|
||||||
BggrBgEFBQcDATAZBgNVHREEEjAQgg5jYWwudGFtbWVuYS5tZTAdBgNVHQ4EFgQU
|
|
||||||
qwzA7/SfmMN/ae/s+npixYFZbtMwHwYDVR0jBBgwFoAUAPrcD9smsvgt1yQ7GbIi
|
|
||||||
rWWZT6swCgYIKoZIzj0EAwIDSQAwRgIhAMp4+2+ZbBEqEWoc5e8x6HvDwFc9v0Hq
|
|
||||||
DjyiRM9nOIHHAiEAygDCeTVbLil/CnyoaBzZ0ueujKhXHTivnswLX05YUkM=
|
|
||||||
-----END CERTIFICATE-----
|
|
|
@ -1,11 +0,0 @@
|
||||||
-----BEGIN CERTIFICATE-----
|
|
||||||
MIIBqzCCAVKgAwIBAgIUbhftS4D+aE8zrKZZ1oEmbr1VIIowCgYIKoZIzj0EAwIw
|
|
||||||
FTETMBEGA1UEAwwKTXkgSG9tZSBDQTAeFw0yMzExMDYyMTQwMDRaFw0yNDExMDUy
|
|
||||||
MTQwMDRaMBExDzANBgNVBAMMBiouaG9tZTBZMBMGByqGSM49AgEGCCqGSM49AwEH
|
|
||||||
A0IABBsrwKiLkWKz+InN/fY5weBuBqm79ANXvAR3yckbCfd2uPMnuQG2zqjsTniF
|
|
||||||
RdRMiVoVga4dOCwvO38lcQv0/06jgYMwgYAwCwYDVR0PBAQDAgXgMBMGA1UdJQQM
|
|
||||||
MAoGCCsGAQUFBwMBMBwGA1UdEQQVMBOCEWNvbmZpZy50YW1tZW5hLm1lMB0GA1Ud
|
|
||||||
DgQWBBRYof6XYSynBDKsuu+euj0Y3YjPEDAfBgNVHSMEGDAWgBQA+twP2yay+C3X
|
|
||||||
JDsZsiKtZZlPqzAKBggqhkjOPQQDAgNHADBEAiBw4dTvjO+zYPsv1fnvtFAI4wnO
|
|
||||||
NhcGQw7NLZuElGHU3wIgAzXOWFCaI2GVE7F6UFU2RMDdODrCNzsmWGpQc/q7xjA=
|
|
||||||
-----END CERTIFICATE-----
|
|
|
@ -1,11 +0,0 @@
|
||||||
-----BEGIN CERTIFICATE-----
|
|
||||||
MIIBpzCCAU2gAwIBAgIUIt5Vq8vD0KgXL3se9tfMDDf3WIswCgYIKoZIzj0EAwIw
|
|
||||||
FTETMBEGA1UEAwwKTXkgSG9tZSBDQTAeFw0yMzExMDYyMTQwMDlaFw0yNDExMDUy
|
|
||||||
MTQwMDlaMBExDzANBgNVBAMMBiouaG9tZTBZMBMGByqGSM49AgEGCCqGSM49AwEH
|
|
||||||
A0IABJ3oh7A2Fh1wWZVv9e40cgEzUHokHWxnlgFERgHJ6K3Vj9T7OkZxnBbrbMJb
|
|
||||||
8THwaiPMXLFmxNvYzpB/VEEjXRCjfzB9MAsGA1UdDwQEAwIF4DATBgNVHSUEDDAK
|
|
||||||
BggrBgEFBQcDATAZBgNVHREEEjAQgg5naXQudGFtbWVuYS5tZTAdBgNVHQ4EFgQU
|
|
||||||
tpzJcISsrz5pWeqdQqXOMiU3A9owHwYDVR0jBBgwFoAUAPrcD9smsvgt1yQ7GbIi
|
|
||||||
rWWZT6swCgYIKoZIzj0EAwIDSAAwRQIgLxPAFIR91qfY3c8MVW9aDHP+H9FIFV7J
|
|
||||||
O4ziCiysrWwCIQDZu7wd79qjmbpi9hZ7mhJgnVzPyWlSYOcoAhBSbhADLw==
|
|
||||||
-----END CERTIFICATE-----
|
|
|
@ -1,11 +0,0 @@
|
||||||
-----BEGIN CERTIFICATE-----
|
|
||||||
MIIBqjCCAU+gAwIBAgIUdtzKCtg60ov4uv9wq8BUoY7AzfcwCgYIKoZIzj0EAwIw
|
|
||||||
FTETMBEGA1UEAwwKTXkgSG9tZSBDQTAeFw0yMzExMDYyMTQwMTRaFw0yNDExMDUy
|
|
||||||
MTQwMTRaMBExDzANBgNVBAMMBiouaG9tZTBZMBMGByqGSM49AgEGCCqGSM49AwEH
|
|
||||||
A0IABBYmlSt8Dvn/UEXBrEPr4P2tgJ/KB39eW+8VYviRbVU3cRT9E4SkQlvP2GNy
|
|
||||||
ubme0/fdhXGPR5IBkgxFVsjZ3JujgYAwfjALBgNVHQ8EBAMCBeAwEwYDVR0lBAww
|
|
||||||
CgYIKwYBBQUHAwEwGgYDVR0RBBMwEYIPcmVhZC50YW1tZW5hLm1lMB0GA1UdDgQW
|
|
||||||
BBTC7uwuHtWPvvLuJNPEuHI5yZ34jzAfBgNVHSMEGDAWgBQA+twP2yay+C3XJDsZ
|
|
||||||
siKtZZlPqzAKBggqhkjOPQQDAgNJADBGAiEA9X4uGMe6bePVZgJEFvMIYim2290+
|
|
||||||
pWSEUu8nMfKHp9UCIQCYsAzzE0+xvHsY/ji/MaaPewfTGiP9wRw+Aj071QFSLg==
|
|
||||||
-----END CERTIFICATE-----
|
|
|
@ -1,11 +0,0 @@
|
||||||
-----BEGIN CERTIFICATE-----
|
|
||||||
MIIBqTCCAU+gAwIBAgIUVzphXFAp3znAnDTnN/dc4xp2n7EwCgYIKoZIzj0EAwIw
|
|
||||||
FTETMBEGA1UEAwwKTXkgSG9tZSBDQTAeFw0yMzExMDYyMTQwMTlaFw0yNDExMDUy
|
|
||||||
MTQwMTlaMBExDzANBgNVBAMMBiouaG9tZTBZMBMGByqGSM49AgEGCCqGSM49AwEH
|
|
||||||
A0IABEKyJMoIKHu5Ia8u28PpnhFKKb+Rfny6Yd9AmoDM6PYwGCTnUHW++WvkGknq
|
|
||||||
SC9Z4Fctsf7xHLZF++vQoy1o2p6jgYAwfjALBgNVHQ8EBAMCBeAwEwYDVR0lBAww
|
|
||||||
CgYIKwYBBQUHAwEwGgYDVR0RBBMwEYIPdGltZS50YW1tZW5hLm1lMB0GA1UdDgQW
|
|
||||||
BBQfyn6d6feTl3IwdO/zTwGyZec7qTAfBgNVHSMEGDAWgBQA+twP2yay+C3XJDsZ
|
|
||||||
siKtZZlPqzAKBggqhkjOPQQDAgNIADBFAiEAqamkuEOQ3ONO2JQZgPmiw+W+MhAk
|
|
||||||
Mx8f1Dh4Kpf8OfACICU2y+1OAziJDlnM56xyQvBmKVSJkZykOoNAaZI8SoYe
|
|
||||||
-----END CERTIFICATE-----
|
|
|
@ -1,11 +0,0 @@
|
||||||
-----BEGIN CERTIFICATE-----
|
|
||||||
MIIBqjCCAU+gAwIBAgIUEuZlqKfEB+axYUvr9ODqYWyTW9QwCgYIKoZIzj0EAwIw
|
|
||||||
FTETMBEGA1UEAwwKTXkgSG9tZSBDQTAeFw0yMzExMDYyMTQwMjRaFw0yNDExMDUy
|
|
||||||
MTQwMjRaMBExDzANBgNVBAMMBiouaG9tZTBZMBMGByqGSM49AgEGCCqGSM49AwEH
|
|
||||||
A0IABONx/Qy4ukmMr/xx/onP7JsxLEx1L/IuKrrTJdcMKQw3KWdmLnZhmhCDaggO
|
|
||||||
d5kPri7fH3i6WQeR+Yd6eOJiVMujgYAwfjALBgNVHQ8EBAMCBeAwEwYDVR0lBAww
|
|
||||||
CgYIKwYBBQUHAwEwGgYDVR0RBBMwEYIPdG9kby50YW1tZW5hLm1lMB0GA1UdDgQW
|
|
||||||
BBRiGgT0KmCURLb+c1Cv13zamYwJNDAfBgNVHSMEGDAWgBQA+twP2yay+C3XJDsZ
|
|
||||||
siKtZZlPqzAKBggqhkjOPQQDAgNJADBGAiEAxvlQmrapCM59iE2czjK1C2E4IiLJ
|
|
||||||
6jYm2OMqU3ToqWwCIQCkJA1cxvDf3yuLEXuFPUwkVOsbUG933HAxI2WIKTswRg==
|
|
||||||
-----END CERTIFICATE-----
|
|