fae: switch to nginx, use acme with hosting.de DNS
This commit is contained in:
parent
294ecb5f0e
commit
b46f3d4ee9
|
@ -42,6 +42,7 @@
|
||||||
inputs.nixos-hardware.nixosModules.raspberry-pi-4
|
inputs.nixos-hardware.nixosModules.raspberry-pi-4
|
||||||
./fae
|
./fae
|
||||||
self.nixosModules.pub-solar
|
self.nixosModules.pub-solar
|
||||||
|
self.nixosModules.acme
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
|
@ -51,7 +51,7 @@ in {
|
||||||
PAPERLESS_OCR_LANGUAGE = "nld+deu";
|
PAPERLESS_OCR_LANGUAGE = "nld+deu";
|
||||||
PAPERLESS_ADMIN_USER = psCfg.user.name;
|
PAPERLESS_ADMIN_USER = psCfg.user.name;
|
||||||
PAPERLESS_AUTO_LOGIN_USERNAME = psCfg.user.name;
|
PAPERLESS_AUTO_LOGIN_USERNAME = psCfg.user.name;
|
||||||
PAPERLESS_URL = "https://paperless.local";
|
PAPERLESS_URL = "https://paperless.faenix.eu";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
@ -74,23 +74,32 @@ in {
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
#security.acme.certs = {
|
security.acme.certs = {
|
||||||
# "paperless.b12f.io" = {};
|
"paperless.faenix.eu" = {};
|
||||||
#};
|
};
|
||||||
services.caddy = {
|
|
||||||
enable = true;
|
services.nginx.virtualHosts = {
|
||||||
globalConfig = ''
|
"paperless.faenix.eu" = {
|
||||||
local_certs
|
forceSSL = true;
|
||||||
'';
|
useACMEHost = "paperless.faenix.eu";
|
||||||
virtualHosts = {
|
locations."/".proxyPass = "http://127.0.0.1:${builtins.toString config.services.paperless.port}";
|
||||||
"paperless.fritz.box" = {
|
|
||||||
extraConfig = ''
|
|
||||||
reverse_proxy :${builtins.toString config.services.paperless.port}
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
#services.caddy = {
|
||||||
|
# enable = true;
|
||||||
|
# globalConfig = ''
|
||||||
|
# local_certs
|
||||||
|
# '';
|
||||||
|
# virtualHosts = {
|
||||||
|
# "paperless.fritz.box" = {
|
||||||
|
# extraConfig = ''
|
||||||
|
# reverse_proxy :${builtins.toString config.services.paperless.port}
|
||||||
|
# '';
|
||||||
|
# };
|
||||||
|
# };
|
||||||
|
#};
|
||||||
|
|
||||||
networking.firewall.allowedTCPPorts = [ 80 443 ];
|
networking.firewall.allowedTCPPorts = [ 80 443 ];
|
||||||
|
|
||||||
systemd.tmpfiles.rules = [
|
systemd.tmpfiles.rules = [
|
||||||
|
|
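Review bot: The new `locations."/".proxyPass` line forwards plain HTTP only; as far as I know Paperless-ngx's web UI also opens a websocket for its status/notification channel, which nginx will not upgrade unless the location asks for it, whereas the removed Caddy `reverse_proxy` handled the upgrade implicitly. Adding `locations."/".proxyWebsockets = true;` next to the proxyPass line restores that, and `recommendedProxySettings = true;` on the vhost would pass the X-Forwarded-* headers the app needs to see the `forceSSL` scheme correctly. The `in {` attribute set enclosing this hunk starts before it and continues past `systemd.tmpfiles.rules = [`.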
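--- /dev/null
+++ b/modules/acme/default.nix
@@ -0,0 +1,27 @@
+{
+flake,
+config,
+pkgs,
+lib,
+...
+}: {
+age.secrets."hosting-de-acme-secrets" = {
+file = "${flake.self}/secrets/hosting-de-acme-secrets.age";
+mode = "400";
+owner = "acme";
+};
+
+security.acme = {
+acceptTerms = true;
+
+defaults = {
+email = "jfw@miom.space";
+# server = "https://acme-staging-v02.api.letsencrypt.org/directory";
+dnsProvider = "hostingde";
+dnsPropagationCheck = true;
+environmentFile = config.age.secrets."hosting-de-acme-secrets".path;
+group = "nginx";
+webroot = null;
+};
+};
+}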
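Review bot: The `environmentFile` line inside `security.acme.defaults` is the only place the hosting.de credential enters the system, and nothing records what the age secret must contain or how sensitive it is; a comment above `age.secrets."hosting-de-acme-secrets"` should state that the file holds the variables lego's hostingde provider reads (HOSTINGDE_API_KEY and HOSTINGDE_ZONE_NAME as lego names them — verify against the lego version in the pinned nixpkgs) and that this key authorises DNS writes for the zone, so it should be an API key scoped to that zone only. Two smaller points: `group = "nginx"` and the rest of `defaults` apply to every certificate on any host that imports this module, which deserves a one-line comment, and `webroot = null;` restates the option's default and can be dropped, as can the unused `pkgs` and `lib` arguments.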
@ -5,6 +5,7 @@
|
||||||
}: {
|
}: {
|
||||||
flake = {
|
flake = {
|
||||||
nixosModules = rec {
|
nixosModules = rec {
|
||||||
|
acme = import ./acme;
|
||||||
audio = import ./audio;
|
audio = import ./audio;
|
||||||
bluetooth = import ./bluetooth;
|
bluetooth = import ./bluetooth;
|
||||||
core = import ./core;
|
core = import ./core;
|
||||||
|
|
BIN
secrets/hosting-de-acme-secrets.age
Normal file
BIN
secrets/hosting-de-acme-secrets.age
Normal file
Binary file not shown.
|
@ -3,6 +3,7 @@ let
|
||||||
machines = {
|
machines = {
|
||||||
dumpyourvms = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILDATEWAgDZFfYs1ZPh33Kg4sqQ9tWMVKyk8XqFu3Koe host@dumpyourvms";
|
dumpyourvms = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILDATEWAgDZFfYs1ZPh33Kg4sqQ9tWMVKyk8XqFu3Koe host@dumpyourvms";
|
||||||
ryzensun = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH/l7MfEmt510BMeNjuXNPmZ0brcQidvrrpcea+qJMjX root@ryzensun";
|
ryzensun = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH/l7MfEmt510BMeNjuXNPmZ0brcQidvrrpcea+qJMjX root@ryzensun";
|
||||||
|
fae = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINP3xI8c8+SI5QPTHqR0YIwKvG8x2MJGC/arBu4BkCP0 root@fae";
|
||||||
};
|
};
|
||||||
users = {
|
users = {
|
||||||
teutat3s = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHcU6KPy4b1MQXd6EJhcYwbJu7E+0IrBZF/IP6T7gbMf teutat3s@dumpyourvms";
|
teutat3s = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHcU6KPy4b1MQXd6EJhcYwbJu7E+0IrBZF/IP6T7gbMf teutat3s@dumpyourvms";
|
||||||
|
@ -19,4 +20,5 @@ in {
|
||||||
"mnx-bonanza-pf1.p12.age".publicKeys = allKeys;
|
"mnx-bonanza-pf1.p12.age".publicKeys = allKeys;
|
||||||
"docker-ci-runner-secrets.age".publicKeys = allKeys;
|
"docker-ci-runner-secrets.age".publicKeys = allKeys;
|
||||||
"test-secret.age".publicKeys = [users.teutat3s-5-nfc];
|
"test-secret.age".publicKeys = [users.teutat3s-5-nfc];
|
||||||
|
"hosting-de-acme-secrets.age".publicKeys = [machines.fae users.teutat3s users.teutat3s-5-nfc];
|
||||||
}
|
}
|
||||||
|
|