diff --git a/hosts/default.nix b/hosts/default.nix
index 0d7fa471..a9e0b5ac 100644
--- a/hosts/default.nix
+++ b/hosts/default.nix
@@ -100,6 +100,7 @@
 #self.nixosModules.promtail
 self.nixosModules.garage
+ self.nixosModules.nginx
 ];
 };
@@ -116,6 +117,7 @@
 #self.nixosModules.promtail
 self.nixosModules.garage
+ self.nixosModules.nginx
 ];
 };
@@ -132,6 +134,7 @@
 #self.nixosModules.promtail
 self.nixosModules.garage
+ self.nixosModules.nginx
 ];
 };
 };
diff --git a/modules/garage/default.nix b/modules/garage/default.nix
index 0ee39d42..21c7ca7b 100644
--- a/modules/garage/default.nix
+++ b/modules/garage/default.nix
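Review bot: All three hosts now import `self.nixosModules.nginx` so that the `services.nginx` upstreams and virtual hosts the garage module defines in this same commit take effect, but that dependency is only implicit in this module list (the hunks at -116 and -132 are identical to this one); a host that imports the garage module without the nginx module evaluates fine and simply never serves the proxied endpoints, because the nginx module ignores its virtual host configuration while `services.nginx.enable` is unset. Making the coupling explicit in `modules/garage/default.nix` with `services.nginx.enable = true;` beside the upstreams, or a comment in this list such as `# nginx fronts the garage S3/web API, see modules/garage`, would avoid that silent failure. Whether the nginx module does more than enable the service cannot be seen from this diff.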
@@ -16,12 +16,73 @@ mode = "400"; }; + age.secrets."acme-namecheap-env" = { + file = "${flake.self}/secrets/acme-namecheap-env.age"; + mode = "400"; + }; + networking.firewall.allowedTCPPorts = [ 3900 3901 3902 ]; + security.acme = { + defaults = { + environmentFile = config.age.secrets.acme-namecheap-env.path; + }; + certs = { + # Wildcard certificate gets created automatically + "buckets.${config.pub-solar-os.networking.domain}" = { + # disable http challenge + webroot = null; + # enable dns challenge + dnsProvider = "namecheap"; + dnsPropagationCheck = false; + }; + # Wildcard certificate gets created automatically + "web.${config.pub-solar-os.networking.domain}" = { + # disable http challenge + webroot = null; + # enable dns challenge + dnsProvider = "namecheap"; + dnsPropagationCheck = false; + }; + }; + }; + + services.nginx = { + upstreams.s3_backend.servers = { + "[::1]:3900" = { }; + }; + upstreams.web_backend.servers = { + "[::1]:3902" = { }; + }; + virtualHosts."buckets.${config.pub-solar-os.networking.domain}" = { + serverAliases = ["*.buckets.${config.pub-solar-os.networking.domain}"]; + + enableACME = true; + forceSSL = true; + + locations."/" = { + proxyPass = "http://s3_backend"; + extraConfig = '' + proxy_max_temp_file_size 0; + ''; + }; + }; + virtualHosts."web.${config.pub-solar-os.networking.domain}" = { + serverAliases = ["*.web.${config.pub-solar-os.networking.domain}"]; + + enableACME = true; + forceSSL = true; + + locations."/" = { + proxyPass = "http://web_backend"; + }; + }; + }; + services.garage = { enable = true; package = pkgs.garage_1_0_0; diff --git a/secrets/acme-namecheap-env.age b/secrets/acme-namecheap-env.age new file mode 100644 index 00000000..a09e5874 Binary files /dev/null and b/secrets/acme-namecheap-env.age differ diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 686345a9..94073752 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix 
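Review bot: `security.acme.defaults.environmentFile` exposes the Namecheap API credential to every certificate lego issues on this host, while only the two `certs` entries below use `dnsProvider = "namecheap"`; setting `environmentFile = config.age.secrets.acme-namecheap-env.path;` inside each of those two cert attribute sets instead keeps the secret away from any later HTTP-01 certificate. That credential deserves a comment next to `age.secrets."acme-namecheap-env"`, because a Namecheap API key is account-level rather than zone-scoped: anyone who can read the decrypted file on any garage host can rewrite every record of the domain, not just the two wildcard names, so the blast radius of the three hosts' root accounts now includes the whole zone. `networking.firewall.allowedTCPPorts = [ 3900 3901 3902 ]` also needs a second look: if garage still binds its S3 and web APIs on a non-loopback address, ports 3900 and 3902 stay reachable in plaintext alongside the `forceSSL` virtual hosts that proxy to `[::1]:3900` and `[::1]:3902`, and only 3901 (garage RPC between the hosts) clearly has to remain open; the collapsed hunk does not show whether that line is new or context. The enclosing module attribute set starts and ends outside the hunk.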
@@ -100,4 +100,6 @@ in
 # garage
 "garage-rpc-secret.age".publicKeys = garageKeys ++ adminKeys;
 "garage-admin-token.age".publicKeys = garageKeys ++ adminKeys;
+
+ "acme-namecheap-env.age".publicKeys = garageKeys ++ adminKeys;
 }
diff --git a/terraform/dns.tf b/terraform/dns.tf
index f30dee1b..70d9f156 100644
--- a/terraform/dns.tf
+++ b/terraform/dns.tf
@@ -99,6 +99,51 @@ resource "namecheap_domain_records" "pub-solar" {
 type = "A"
 address = "80.71.153.210"
 }
+ record {
+ hostname = "buckets"
+ type = "A"
+ address = "85.215.152.22"
+ }
+ record {
+ hostname = "buckets"
+ type = "A"
+ address = "5.255.119.132"
+ }
+ record {
+ hostname = "buckets"
+ type = "A"
+ address = "194.13.83.205"
+ }
+ record {
+ hostname = "buckets"
+ type = "AAAA"
+ address = "2a01:239:35d:f500::1"
+ }
+ record {
+ hostname = "buckets"
+ type = "AAAA"
+ address = "2a04:52c0:124:9d8c::2"
+ }
+ record {
+ hostname = "buckets"
+ type = "AAAA"
+ address = "2a03:4000:43:24e::1"
+ }
+ record {
+ hostname = "*.buckets"
+ type = "CNAME"
+ address = "buckets.pub.solar."
+ }
+ record {
+ hostname = "web"
+ type = "CNAME"
+ address = "buckets.pub.solar."
+ }
+ record {
+ hostname = "*.web"
+ type = "CNAME"
+ address = "buckets.pub.solar."
+ }
 record {
 hostname = "tankstelle"
 type = "A"
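Review bot: The nine new `buckets`/`web` records are owned by Terraform, while the same commit makes every garage host write `_acme-challenge` TXT records into this zone through lego's Namecheap provider; Namecheap's API replaces the domain's host list as a whole on each write (lego reads the current list, appends its TXT record and writes the list back), so a `terraform apply` running during a renewal can drop a pending challenge record, and two hosts renewing at the same time can overwrite each other's TXT records. If this resource runs in the provider's overwrite mode, Terraform will in turn report lego's leftover TXT records as drift; the resource header with that setting is outside the hunk, so it cannot be confirmed here. A comment above the new records, e.g. `# buckets/web: the garage hosts also write _acme-challenge TXT records into this zone via DNS-01 (see modules/garage)`, documents that shared ownership. The `web` and `*.web` CNAMEs pointing at `buckets.pub.solar.` tie the web endpoint to the same three hosts as the S3 endpoint, which matches the nginx upstream layout.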