diff --git a/hosts/default.nix b/hosts/default.nix
index 2a7acbee..1fa0d609 100644
--- a/hosts/default.nix
+++ b/hosts/default.nix
@@ -42,6 +42,7 @@
 inputs.nixos-hardware.nixosModules.raspberry-pi-4
 ./fae
 self.nixosModules.pub-solar
+ self.nixosModules.acme
 ];
 };
diff --git a/hosts/fae/paperless.nix b/hosts/fae/paperless.nix
index aad4c5f4..6605ba63 100644
--- a/hosts/fae/paperless.nix
+++ b/hosts/fae/paperless.nix
@@ -51,7 +51,7 @@ in {
 PAPERLESS_OCR_LANGUAGE = "nld+deu";
 PAPERLESS_ADMIN_USER = psCfg.user.name;
 PAPERLESS_AUTO_LOGIN_USERNAME = psCfg.user.name;
- PAPERLESS_URL = "https://paperless.local";
+ PAPERLESS_URL = "https://paperless.faenix.eu";
 };
 };
@@ -74,23 +74,32 @@ in {
 };
 };
- #security.acme.certs = {
- # "paperless.b12f.io" = {};
- #};
- services.caddy = {
- enable = true;
- globalConfig = ''
- local_certs
- '';
- virtualHosts = {
- "paperless.fritz.box" = {
- extraConfig = ''
- reverse_proxy :${builtins.toString config.services.paperless.port}
- '';
- };
+ security.acme.certs = {
+ "paperless.faenix.eu" = {};
+ };
+
+ services.nginx.virtualHosts = {
+ "paperless.faenix.eu" = {
+ forceSSL = true;
+ useACMEHost = "paperless.faenix.eu";
+ locations."/".proxyPass = "http://127.0.0.1:${builtins.toString config.services.paperless.port}";
 };
 };
+ #services.caddy = {
+ # enable = true;
+ # globalConfig = ''
+ # local_certs
+ # '';
+ # virtualHosts = {
+ # "paperless.fritz.box" = {
+ # extraConfig = ''
+ # reverse_proxy :${builtins.toString config.services.paperless.port}
+ # '';
+ # };
+ # };
+ #};
+
 networking.firewall.allowedTCPPorts = [ 80 443 ];
 systemd.tmpfiles.rules = [
diff --git a/modules/acme/default.nix b/modules/acme/default.nix
new file mode 100644
index 00000000..77b6187c
--- /dev/null
+++ b/modules/acme/default.nix
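Review bot: `PAPERLESS_URL` now names a public domain that gets a publicly trusted certificate, while the context line just above still sets `PAPERLESS_AUTO_LOGIN_USERNAME = psCfg.user.name;`, so every client that can reach the vhost is signed in as that user without presenting credentials. Whether that is exposed depends on what paperless.faenix.eu resolves to and on the network in front of the host, which the diff does not show; the DNS-01 challenge used by the new acme module does not require the host to be reachable from the internet, so LAN-only use may be intended. If the name is reachable beyond the LAN, remove the auto-login line or restrict the vhost (an `allow`/`deny` block or basic auth in the vhost's `extraConfig`) so the public name does not double as an unauthenticated session. The enclosing `services.paperless` attribute set starts before the hunk.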
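Review bot: The new `services.nginx.virtualHosts` entry is declared but nothing in the hunk enables nginx; unless `services.nginx.enable = true;` is set elsewhere in the fae configuration, the vhost never starts and the `nginx` group that the acme defaults hand the certificate to is not created either. Adding `services.nginx.enable = true;` next to the vhost makes this file self-contained. If the paperless-ngx UI's websocket status channel is used through this proxy, `locations."/".proxyWebsockets = true;` is presumably needed alongside `proxyPass`. The commented-out `services.caddy` block added below the vhost is dead configuration that the old block already preserves in history, so it can be dropped rather than carried along.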
@@ -0,0 +1,27 @@
+{
+ flake,
+ config,
+ pkgs,
+ lib,
+ ...
+}: {
+ age.secrets."hosting-de-acme-secrets" = {
+ file = "${flake.self}/secrets/hosting-de-acme-secrets.age";
+ mode = "400";
+ owner = "acme";
+ };
+
+ security.acme = {
+ acceptTerms = true;
+
+ defaults = {
+ email = "jfw@miom.space";
+ # server = "https://acme-staging-v02.api.letsencrypt.org/directory";
+ dnsProvider = "hostingde";
+ dnsPropagationCheck = true;
+ environmentFile = config.age.secrets."hosting-de-acme-secrets".path;
+ group = "nginx";
+ webroot = null;
+ };
+ };
+}
diff --git a/modules/default.nix b/modules/default.nix
index 58ed2c0c..443c1f28 100644
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -5,6 +5,7 @@
 }: {
 flake = {
 nixosModules = rec {
+ acme = import ./acme;
 audio = import ./audio;
 bluetooth = import ./bluetooth;
 core = import ./core;
diff --git a/secrets/hosting-de-acme-secrets.age b/secrets/hosting-de-acme-secrets.age
new file mode 100644
index 00000000..20686d29
Binary files /dev/null and b/secrets/hosting-de-acme-secrets.age differ
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index c0b0aa89..47955d72 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -3,6 +3,7 @@ let
 machines = {
 dumpyourvms = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILDATEWAgDZFfYs1ZPh33Kg4sqQ9tWMVKyk8XqFu3Koe host@dumpyourvms";
 ryzensun = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH/l7MfEmt510BMeNjuXNPmZ0brcQidvrrpcea+qJMjX root@ryzensun";
+ fae = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINP3xI8c8+SI5QPTHqR0YIwKvG8x2MJGC/arBu4BkCP0 root@fae";
 };
 users = {
 teutat3s = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHcU6KPy4b1MQXd6EJhcYwbJu7E+0IrBZF/IP6T7gbMf teutat3s@dumpyourvms";
@@ -19,4 +20,5 @@ in {
 "mnx-bonanza-pf1.p12.age".publicKeys = allKeys;
 "docker-ci-runner-secrets.age".publicKeys = allKeys;
 "test-secret.age".publicKeys = [users.teutat3s-5-nfc];
+ "hosting-de-acme-secrets.age".publicKeys = [machines.fae users.teutat3s users.teutat3s-5-nfc];
 }
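Review bot: The new module has no header comment, and its contract is not visible from the code: `age.secrets."hosting-de-acme-secrets".owner = "acme"` refers to a user that, as far as I recall, the NixOS acme module only creates once at least one `security.acme.certs.<name>` is declared, and `defaults.group = "nginx"` names a group that only exists on hosts that enable nginx — both worth confirming. A comment above `age.secrets` along the lines of `# Shared ACME defaults: DNS-01 via hosting.de, API credentials from agenix. Importing hosts must declare security.acme.certs.<fqdn> = {} and run nginx, which owns the certificate group.` would tell a consumer what it has to provide. Hard-coding `group = "nginx"` also couples a module named `acme` to one web server; if another host keeps using caddy, setting the group per certificate instead of in `defaults` avoids that. The commented staging `server` line is a useful toggle, but a short comment saying when to flip it (testing without hitting production rate limits) would make the intent clear.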