From 936f60ae7dfed6065db69fdca47536c95f603db5 Mon Sep 17 00:00:00 2001
From: 0xTux <0xtux@pm.me>
Date: Mon, 26 Aug 2024 21:01:16 +0530
Subject: [PATCH] add acme for wildcard ssl certificate

---
 hosts/controller/default.nix | 26 ++++++++++++++++++++++++++
 hosts/controller/secrets.yaml | 9 ++++++---
 modules/nixos/gitea.nix | 2 +-
 modules/nixos/headscale.nix | 2 +-
 modules/nixos/monitoring/grafana.nix | 2 +-
 modules/nixos/monitoring/loki.nix | 2 +-
 modules/nixos/monitoring/promtail.nix | 2 +-
 modules/nixos/ntfy-sh.nix | 2 +-
 modules/nixos/searx.nix | 2 +-
 modules/nixos/uptime-kuma.nix | 2 +-
 modules/nixos/vaultwarden.nix | 2 +-
 11 files changed, 41 insertions(+), 12 deletions(-)

diff --git a/hosts/controller/default.nix b/hosts/controller/default.nix
index b289855..7e3f25f 100644
--- a/hosts/controller/default.nix
+++ b/hosts/controller/default.nix
@@ -26,6 +26,14 @@
 searx_secret_key = {
 sopsFile = ./secrets.yaml;
 };
+
+ "cloudflare_credentials/email" = {
+ sopsFile = ./secrets.yaml;
+ };
+
+ "cloudflare_credentials/dns_api_token" = {
+ sopsFile = ./secrets.yaml;
+ };
 };
 
 boot = {
@@ -44,8 +52,26 @@
 
 security = {
 sudo.wheelNeedsPassword = false;
+
+ acme = {
+ acceptTerms = true;
+ defaults.email = "0xtux@pm.me";
+ certs = {
+ "tux.rs" = {
+ domain = "*.tux.rs";
+ extraDomainNames = ["tux.rs"];
+ dnsProvider = "cloudflare";
+ credentialFiles = {
+ CLOUDFLARE_EMAIL_FILE = config.sops.secrets."cloudflare_credentials/email".path;
+ CLOUDFLARE_DNS_API_TOKEN_FILE = config.sops.secrets."cloudflare_credentials/dns_api_token".path;
+ };
+ };
+ };
+ };
 };
 
+ users.users.nginx.extraGroups = ["acme"];
+
 services = {
 borgbackup.jobs.controller-backup = {
 paths = [
diff --git a/hosts/controller/secrets.yaml b/hosts/controller/secrets.yaml
index fd74e74..8732386 100644
--- a/hosts/controller/secrets.yaml
+++ b/hosts/controller/secrets.yaml
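Review bot: The two new sops secret declarations (`"cloudflare_credentials/email"` and `"cloudflare_credentials/dns_api_token"`) set no `owner`, `group` or `mode`, so they take sops-nix's root-only defaults, and nothing in the hunk records who consumes them. As far as I recall, the NixOS ACME module passes `credentialFiles` to lego through systemd credentials, so the root-only default is the correct choice here, but a later editor who sees an `acme` user reading them may be tempted to loosen it. I would add `# read by security.acme (cert "tux.rs") via credentialFiles; systemd loads them, keep root-only` above the first of the two declarations. The enclosing `sops.secrets` attribute set starts outside the hunk.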
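Review bot: `users.users.nginx.extraGroups = ["acme"];` gives nginx group-read on the whole ACME state directory rather than on the one certificate it serves; setting `group = "nginx";` inside the `"tux.rs"` cert (the approach the NixOS manual's DNS-validation example takes, if I recall) scopes the access to that cert and makes the extraGroups line unnecessary. The Cloudflare token is the one credential here that can rewrite DNS for the zone, and nothing states how narrowly it should be issued; I would add `# token scoped to Zone:DNS:Edit (+ Zone:Read) on the tux.rs zone only` above `credentialFiles`. If that token is a scoped API token, lego's cloudflare provider, as far as I remember, only consults `CLOUDFLARE_EMAIL` together with a global API key, so `CLOUDFLARE_EMAIL_FILE` is probably redundant and worth confirming. The enclosing module attribute set starts and ends outside the hunk.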
@@ -1,5 +1,8 @@
 borg_encryption_key: ENC[AES256_GCM,data:7DZQaoS2a5mPjTej25vr1aO1yAAPyXT2tf/VxKrLxF0=,iv:it8JlyEj4r4Z+qDvoEWMQlGkbVh08M/BCkGLVzRCVKQ=,tag:81gRhru8J3hkQhIbgUOgBg==,type:str]
-searx_secret_key: ENC[AES256_GCM,data:FzQBnYDB6mrAfIBB1LCdTLSNltD7T1PoUGssW+EX74j/y9kNqPZOtxIYpsWqAfenEODrP+rUjrLXAsVrMLFng3ZOtBAI1HYTobA=,iv:Vty/zrD8jE2CoWfguHwDr14TUSejOTnpBHJjc9IcEiE=,tag:yz4ZdWsmg+ammb/dup6f4A==,type:str]
+searx_secret_key: ENC[AES256_GCM,data:Z49PJ2gNI5CI0IfzOta+r67VNUvjoPpMVv5lajGhUMPzSy1KWZC5wIM3d02jWwCOsNjXdU5hE3j9W0rkoy5ZhFPXBJRUEv5b6IcaLA==,iv:364zGZkD2LO189nkvizl8yjedi1IgYEEQMA67SexSSI=,tag:qPqefG6jUaBOpUy6d7E++w==,type:str]
+cloudflare_credentials:
+ email: ENC[AES256_GCM,data:qesgxkzUglKdYPI=,iv:2XDEoQzmtagSiILWZzJPswdhkQ+qjdZfNd+LL1nHPx8=,tag:K1F23Za2Zq78tzf0fl5zEw==,type:str]
+ dns_api_token: ENC[AES256_GCM,data:ibSL4KWYhqgHjo27fiSqB1iN9NWU3/qGGuLpmiMpBf+qCuh8uxR7Yw==,iv:NapMvfUSm5rgeROK7KuxGyog8s2PW9CCKtjRG87FoCQ=,tag:/Oah7PRCe4XPts0IYt83zw==,type:str]
 sops:
 kms: []
 gcp_kms: []
@@ -24,8 +27,8 @@ sops:
 NGprRGVyZ2plWVNrM3drM3JSUjM2L0UKuNk5DqYn2DIfRpY72zDRP5BKoVAXtNv9
 uLI//8wc7f4I3uBdARQdpRE1fapY1UOJOn3i0yndrZARPEbdohRK1Q==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-08-25T19:35:08Z"
- mac: ENC[AES256_GCM,data:EtYv7GNuYAmUSSu6SZUCJTnAb42qDIQIuyTLSEsT8Jp3H7UIX7QH2eHxmAV8RfEPQ18XevQAM9UdK4YVR2trLRSBeDn/xxdFtzpo2z7kUQXz+1pDmFBLpdiPfrmNJ76ZuBr5qihiB7J8Go3KkErcyYAFEw1KQV/N4OSQB+CPnhw=,iv:QYVKKRpaJHXmICpQMhW+Le4wJwSh4yOH2NfVUpRDcbI=,tag:98m/t5U96MikHrMTgn510g==,type:str]
+ lastmodified: "2024-08-26T14:25:03Z"
+ mac: ENC[AES256_GCM,data:UOxh1tIsFmYJ8i5HKhK8ckSZTbXsl6BmJATuLIJhfT93ir/sh58E9a9D6p6+Uyl6lt9qRESKRpeHUsdy4kKtXmmutQACzUHgVobzgL/1KpGYM4A/Wj5pSWGiT6D/zDkR0pJNFEshHxNfTJE8B6ZKFkHXy85nY22DW4fLjuMD4Y4=,iv:X4ArW4afDSHZ84rnn8Cuh+4Sgmk+7NXqcewgemlW+VI=,tag:2yorv0yFRAQkTZm06TQNiA==,type:str]
 pgp: []
 unencrypted_suffix: _unencrypted
 version: 3.9.0
diff --git a/modules/nixos/gitea.nix b/modules/nixos/gitea.nix
index cc8f674..40c3e52 100644
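Review bot: `searx_secret_key` is re-encrypted with a ciphertext of a different length while `borg_encryption_key` keeps its previous ciphertext in the same hunk, which suggests the searx secret's plaintext changed (sops normally leaves untouched values alone), even though the commit subject only mentions ACME. If the searx key was rotated on purpose, the commit message should say so; if it was an accidental edit, for example an added trailing newline, it should be reverted rather than shipped with the certificate change. The new `cloudflare_credentials` block matches the two secret paths declared in hosts/controller/default.nix.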
--- a/modules/nixos/gitea.nix
+++ b/modules/nixos/gitea.nix
@@ -16,7 +16,7 @@
 virtualHosts = {
 "git.tux.rs" = {
 forceSSL = true;
- enableACME = true;
+ useACMEHost = "tux.rs";
 locations = {
 "/" = {
 proxyPass = "http://localhost:3000";
diff --git a/modules/nixos/headscale.nix b/modules/nixos/headscale.nix
index a92a8ac..1d83932 100644
--- a/modules/nixos/headscale.nix
+++ b/modules/nixos/headscale.nix
@@ -45,7 +45,7 @@
 virtualHosts = {
 "hs.tux.rs" = {
 forceSSL = true;
- enableACME = true;
+ useACMEHost = "tux.rs";
 locations = {
 "/" = {
 proxyPass = "http://localhost:${toString config.services.headscale.port}";
diff --git a/modules/nixos/monitoring/grafana.nix b/modules/nixos/monitoring/grafana.nix
index 0643eae..c4a696d 100644
--- a/modules/nixos/monitoring/grafana.nix
+++ b/modules/nixos/monitoring/grafana.nix
@@ -20,7 +20,7 @@
 virtualHosts = {
 "grafana.tux.rs" = {
 forceSSL = true;
- enableACME = true;
+ useACMEHost = "tux.rs";
 locations = {
 "/" = {
 proxyPass = "http://localhost:8888";
diff --git a/modules/nixos/monitoring/loki.nix b/modules/nixos/monitoring/loki.nix
index ccbcf00..eadac07 100644
--- a/modules/nixos/monitoring/loki.nix
+++ b/modules/nixos/monitoring/loki.nix
@@ -44,7 +44,7 @@
 virtualHosts = {
 "loki.tux.rs" = {
 forceSSL = true;
- enableACME = true;
+ useACMEHost = "tux.rs";
 locations = {
 "/" = {
 proxyPass = "http://localhost:3100";
diff --git a/modules/nixos/monitoring/promtail.nix b/modules/nixos/monitoring/promtail.nix
index 90d6e90..4a31bbe 100644
--- a/modules/nixos/monitoring/promtail.nix
+++ b/modules/nixos/monitoring/promtail.nix
@@ -42,7 +42,7 @@
 virtualHosts = {
 "promtail.tux.rs" = {
 forceSSL = true;
- enableACME = true;
+ useACMEHost = "tux.rs";
 locations = {
 "/" = {
 proxyPass = "http://localhost:9080";
diff --git a/modules/nixos/ntfy-sh.nix b/modules/nixos/ntfy-sh.nix
index e67a5af..fcb19e1 100644
--- a/modules/nixos/ntfy-sh.nix
+++ b/modules/nixos/ntfy-sh.nix
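Review bot: `useACMEHost = "tux.rs";` ties this shared module to a certificate that only hosts/controller/default.nix declares, and the same one-line change is made in headscale.nix, grafana.nix, loki.nix, promtail.nix, ntfy-sh.nix, searx.nix, uptime-kuma.nix and vaultwarden.nix. Unlike `enableACME`, this option creates nothing itself, so any other host that imports one of these modules would reference a cert that does not exist for it; a comment makes the coupling visible to the next person who reuses the module, e.g. `# wildcard cert declared in hosts/controller/default.nix (security.acme.certs."tux.rs")` above the line. The virtualHost and the enclosing module start and end outside the hunk.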
@@ -14,7 +14,7 @@
 virtualHosts = {
 "ntfy.tux.rs" = {
 forceSSL = true;
- enableACME = true;
+ useACMEHost = "tux.rs";
 locations = {
 "/" = {
 proxyPass = "http://localhost:7070";
diff --git a/modules/nixos/searx.nix b/modules/nixos/searx.nix
index 342f586..aa89895 100644
--- a/modules/nixos/searx.nix
+++ b/modules/nixos/searx.nix
@@ -30,7 +30,7 @@
 virtualHosts = {
 "sx.tux.rs" = {
 forceSSL = true;
- enableACME = true;
+ useACMEHost = "tux.rs";
 locations = {
 "/" = {
 proxyPass = "http://localhost:3415";
diff --git a/modules/nixos/uptime-kuma.nix b/modules/nixos/uptime-kuma.nix
index 6dc98d8..ba33ffd 100644
--- a/modules/nixos/uptime-kuma.nix
+++ b/modules/nixos/uptime-kuma.nix
@@ -9,7 +9,7 @@
 virtualHosts = {
 "uptime.tux.rs" = {
 forceSSL = true;
- enableACME = true;
+ useACMEHost = "tux.rs";
 locations = {
 "/" = {
 proxyPass = "http://localhost:3001";
diff --git a/modules/nixos/vaultwarden.nix b/modules/nixos/vaultwarden.nix
index 88303a5..d518e16 100644
--- a/modules/nixos/vaultwarden.nix
+++ b/modules/nixos/vaultwarden.nix
@@ -15,7 +15,7 @@
 virtualHosts = {
 "bw.tux.rs" = {
 forceSSL = true;
- enableACME = true;
+ useACMEHost = "tux.rs";
 locations = {
 "/" = {
 proxyPass = "http://localhost:8000";