fae: switch to nginx, use acme with hosting.de DNS

2024-04-13 02:11:15 +02:00 · 2024-04-13 02:11:15 +02:00 · b46f3d4ee9
parent 294ecb5f0e
commit b46f3d4ee9
6 changed files with 55 additions and 15 deletions
--- a/hosts/default.nix
+++ b/hosts/default.nix
@ -42,6 +42,7 @@
          inputs.nixos-hardware.nixosModules.raspberry-pi-4
          ./fae
          self.nixosModules.pub-solar
+          self.nixosModules.acme
        ];
      };

--- a/hosts/fae/paperless.nix
+++ b/hosts/fae/paperless.nix
@ -51,7 +51,7 @@ in {
      PAPERLESS_OCR_LANGUAGE = "nld+deu";
      PAPERLESS_ADMIN_USER = psCfg.user.name;
      PAPERLESS_AUTO_LOGIN_USERNAME = psCfg.user.name;
-      PAPERLESS_URL = "https://paperless.local";
+      PAPERLESS_URL = "https://paperless.faenix.eu";
    };
  };

@ -74,23 +74,32 @@ in {
    };
  };

-  #security.acme.certs = {
-  #  "paperless.b12f.io" = {};
-  #};
-  services.caddy = {
-    enable = true;
-    globalConfig = ''
-      local_certs
-    '';
-    virtualHosts = {
-      "paperless.fritz.box" = {
-        extraConfig = ''
-          reverse_proxy :${builtins.toString config.services.paperless.port}
-        '';
-      };
+  security.acme.certs = {
+    "paperless.faenix.eu" = {};
+  };
+
+  services.nginx.virtualHosts = {
+    "paperless.faenix.eu" = {
+      forceSSL = true;
+      useACMEHost = "paperless.faenix.eu";
+      locations."/".proxyPass = "http://127.0.0.1:${builtins.toString config.services.paperless.port}";
    };
  };

+  #services.caddy = {
+  #  enable = true;
+  #  globalConfig = ''
+  #    local_certs
+  #  '';
+  #  virtualHosts = {
+  #    "paperless.fritz.box" = {
+  #      extraConfig = ''
+  #        reverse_proxy :${builtins.toString config.services.paperless.port}
+  #      '';
+  #    };
+  #  };
+  #};
+
  networking.firewall.allowedTCPPorts = [ 80 443 ];

  systemd.tmpfiles.rules = [
--- a/modules/acme/default.nix
+++ b/modules/acme/default.nix
@ -0,0 +1,27 @@
+{
+  flake,
+  config,
+  pkgs,
+  lib,
+  ...
+}: {
+  age.secrets."hosting-de-acme-secrets" = {
+    file = "${flake.self}/secrets/hosting-de-acme-secrets.age";
+    mode = "400";
+    owner = "acme";
+  };
+
+  security.acme = {
+    acceptTerms = true;
+
+    defaults = {
+      email = "jfw@miom.space";
+      # server = "https://acme-staging-v02.api.letsencrypt.org/directory";
+      dnsProvider = "hostingde";
+      dnsPropagationCheck = true;
+      environmentFile = config.age.secrets."hosting-de-acme-secrets".path;
+      group = "nginx";
+      webroot = null;
+    };
+  };
+}
--- a/modules/default.nix
+++ b/modules/default.nix
@ -5,6 +5,7 @@
 }: {
  flake = {
    nixosModules = rec {
+      acme = import ./acme;
      audio = import ./audio;
      bluetooth = import ./bluetooth;
      core = import ./core;
--- a/secrets/hosting-de-acme-secrets.age
+++ b/secrets/hosting-de-acme-secrets.age
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -3,6 +3,7 @@ let
  machines = {
    dumpyourvms = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILDATEWAgDZFfYs1ZPh33Kg4sqQ9tWMVKyk8XqFu3Koe host@dumpyourvms";
    ryzensun = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH/l7MfEmt510BMeNjuXNPmZ0brcQidvrrpcea+qJMjX root@ryzensun";
+    fae = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINP3xI8c8+SI5QPTHqR0YIwKvG8x2MJGC/arBu4BkCP0 root@fae";
  };
  users = {
    teutat3s = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHcU6KPy4b1MQXd6EJhcYwbJu7E+0IrBZF/IP6T7gbMf teutat3s@dumpyourvms";
@ -19,4 +20,5 @@ in {
  "mnx-bonanza-pf1.p12.age".publicKeys = allKeys;
  "docker-ci-runner-secrets.age".publicKeys = allKeys;
  "test-secret.age".publicKeys = [users.teutat3s-5-nfc];
+  "hosting-de-acme-secrets.age".publicKeys = [machines.fae users.teutat3s users.teutat3s-5-nfc];
 }