-rw-r--r--hosts/atlas/nginx.nix35
-rw-r--r--hosts/p-body/nginx.nix26
-rw-r--r--secrets/hosts/atlas/cloudflaredCreds.age14
-rw-r--r--secrets/hosts/p-body/cloudflaredCreds.age16
-rw-r--r--secrets/secrets.nix2
5 files changed, 65 insertions, 28 deletions
diff --git a/hosts/atlas/nginx.nix b/hosts/atlas/nginx.nix
index 2356e1d..05cf3db 100644
--- a/hosts/atlas/nginx.nix
+++ b/hosts/atlas/nginx.nix
@@ -1,14 +1,13 @@
-{config, ...}: {
- getchoo.server.acme.enable = true;
- networking.firewall.allowedTCPPorts = [443];
-
- security.acme = {
- acceptTerms = true;
- defaults = {
- email = "[email protected]";
- dnsProvider = "cloudflare";
- credentialsFile = config.age.secrets.cloudflareApiKey.path;
- };
+{
+ config,
+ lib,
+ ...
+}: let
+ inherit (config.networking) domain;
+in {
+ getchoo.server = {
+ acme.enable = true;
+ services.cloudflared.enable = true;
};
services.nginx = {
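Review bot: Dropping `networking.firewall.allowedTCPPorts = [443];` leaves no visible firewall opening in this file, so after this change the nginx listeners are presumably reachable only through the cloudflared tunnel enabled on the line above it; that intent deserves a comment next to `services.cloudflared.enable = true;`, e.g. `# Ingress is via the cloudflared tunnel only; no firewall ports are opened here on purpose.`, so a later edit does not casually re-expose the host. The removed `security.acme` block carried the DNS-01 settings (`dnsProvider`, `credentialsFile`); nothing in the hunk replaces them, so I assume `getchoo.server.acme` now provides them as it already did for p-body — worth confirming, since with port 443 closed and port 80 never opened an HTTP-01 fallback for the `enableACME` vhosts cannot succeed. The same firewall removal and comment apply to the first hunk of hosts/p-body/nginx.nix. The enclosing attribute set continues past the end of this hunk.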
@@ -20,8 +19,6 @@
recommendedTlsSettings = true;
virtualHosts = let
- inherit (config.networking) domain;
-
mkProxy = endpoint: port: {
"${endpoint}" = {
proxyPass = "http://localhost:${port}";
@@ -29,14 +26,16 @@
};
};
- mkVHosts = builtins.mapAttrs (_: v:
- v
- // {
+ mkVHosts = let
+ commonSettings = {
enableACME = true;
# workaround for https://github.com/NixOS/nixpkgs/issues/210807
acmeRoot = null;
- forceSSL = true;
- });
+
+ addSSL = true;
+ };
+ in
+ builtins.mapAttrs (_: lib.recursiveUpdate commonSettings);
in
mkVHosts {
"miniflux.${domain}" = {
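Review bot: Replacing `forceSSL = true;` with `addSSL = true;` removes the HTTP→HTTPS redirect, so every generated vhost now serves cleartext on port 80 alongside 443; this is presumably so cloudflared can reach nginx over plain http on localhost, but it means the confidentiality of these vhosts now rests entirely on port 80 not being reachable from outside the host, and with `recommendedProxySettings` the upstreams will likely see `X-Forwarded-Proto: http` for tunnel traffic, which matters for apps that build absolute URLs or set secure cookies from that header. A comment such as `# addSSL (no redirect): cloudflared terminates TLS and proxies to nginx over plain http on this host` would record why the redirect was dropped. Separately, `builtins.mapAttrs (_: lib.recursiveUpdate commonSettings)` flips precedence: the old `v // { ... }` let the common settings win, whereas `recursiveUpdate commonSettings v` lets any per-vhost attribute override `enableACME`, `acmeRoot` or `addSSL`; if that is unintended, use `builtins.mapAttrs (_: v: lib.recursiveUpdate v commonSettings);`. Both points apply identically to the third hunk of hosts/p-body/nginx.nix. The `mkVHosts { ... }` call continues past the end of this hunk.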
diff --git a/hosts/p-body/nginx.nix b/hosts/p-body/nginx.nix
index 1d491d2..3278870 100644
--- a/hosts/p-body/nginx.nix
+++ b/hosts/p-body/nginx.nix
@@ -1,8 +1,14 @@
-{config, ...}: let
+{
+ config,
+ lib,
+ ...
+}: let
inherit (config.networking) domain;
in {
- getchoo.server.acme.enable = true;
- networking.firewall.allowedTCPPorts = [443];
+ getchoo.server = {
+ acme.enable = true;
+ services.cloudflared.enable = true;
+ };
services.nginx = {
enable = true;
@@ -12,8 +18,6 @@ in {
recommendedProxySettings = true;
recommendedTlsSettings = true;
- statusPage = true;
-
virtualHosts = let
mkProxy = endpoint: port: {
"${endpoint}" = {
@@ -22,14 +26,16 @@ in {
};
};
- mkVHosts = builtins.mapAttrs (_: v:
- v
- // {
+ mkVHosts = let
+ commonSettings = {
enableACME = true;
# workaround for https://github.com/NixOS/nixpkgs/issues/210807
acmeRoot = null;
- forceSSL = true;
- });
+
+ addSSL = true;
+ };
+ in
+ builtins.mapAttrs (_: lib.recursiveUpdate commonSettings);
in
mkVHosts {
"api.${domain}" = {
diff --git a/secrets/hosts/atlas/cloudflaredCreds.age b/secrets/hosts/atlas/cloudflaredCreds.age
new file mode 100644
index 0000000..6fb3bab
--- /dev/null
+++ b/secrets/hosts/atlas/cloudflaredCreds.age
@@ -0,0 +1,14 @@
+-----BEGIN AGE ENCRYPTED FILE-----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+-----END AGE ENCRYPTED FILE-----
diff --git a/secrets/hosts/p-body/cloudflaredCreds.age b/secrets/hosts/p-body/cloudflaredCreds.age
new file mode 100644
index 0000000..92de437
--- /dev/null
+++ b/secrets/hosts/p-body/cloudflaredCreds.age
@@ -0,0 +1,16 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IDJybTN3ZyBKeXFl
+ckJ2UStYUDZtUEpvSXNtMUNiUXd1NHIxeElaeDRZWTgrSm1tUkRNCi8wcXlqVnBH
+UlRaNGpVV3ovRWh4K0R6RXhGSWZISUFPRVY2QU1scVI1TUUKLT4gc3NoLWVkMjU1
+MTkgSTkyQTNRIExBbk9OMHNIakhLN3M2UHpwVndYVTNvTC9tQXdUVXZlSGpIUUl6
+MGtaalkKS3ZCSjZlUzIrVHdiemIzbW5IYnlOTjBGbHVPVXVDeWUwK3pPVmVsckp4
+SQotPiBkTkhYdi1ncmVhc2UgV0I0NgoxUXlzUktFcER5ZmVCVTFzNDlUNlo3V1k0
+cDNCQ0NBeVhZZTRBSnIzZHhadWpLc2JiMHBUbDdpYnhYQlRIakdtCnNPcEZLekZN
+ekpZS0lpNHladVNhNHE3U0NDejFFYmZIVnI3MDlyK09sQkdEY0JPWS93S0VXOTUz
+Y2cKLS0tIGVhODlkZ0V2dDl1b2N1NXlRcGdkcWxSRkJpRERQampZM3RNZ1pUUGpX
+VVEKHP2CEMgipxc6olgCyR2q4vd4tuQQ1bkzzGujK/5jy4H2P5CClb2ktQpG1Ns9
+BudlMQcL2pNLK9YcAMWLhkSG7oRIL2RfswbatZdYxEWvTqGl1fRlm+qqitBXMVlK
+30mAS8ey1cUCkCLeCvej4tF9bAgCnp/K1c/2VQgNnrorE6K/3n4eEwT1zDW9/AuX
+8JTieb7EWwSnEN9h//UbMAwbR2ePVXW3J1Et8ziIgBXLZmqHoYe8AeyZm22gOk/f
+0l81We4=
+-----END AGE ENCRYPTED FILE-----
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 40a4e79..aa57c27 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -17,6 +17,7 @@ in {
"hosts/atlas/secretsJson.age".publicKeys = atlas;
"hosts/atlas/miniflux.age".publicKeys = atlas;
"hosts/atlas/tailscaleAuthKey.age".publicKeys = atlas;
+ "hosts/atlas/cloudflaredCreds.age".publicKeys = atlas;
"hosts/p-body/rootPassword.age".publicKeys = p-body;
"hosts/p-body/userPassword.age".publicKeys = p-body;
@@ -25,4 +26,5 @@ in {
"hosts/p-body/clusterToken.age".publicKeys = p-body;
"hosts/p-body/secretsJson.age".publicKeys = p-body;
"hosts/p-body/tailscaleAuthKey.age".publicKeys = p-body;
+ "hosts/p-body/cloudflaredCreds.age".publicKeys = p-body;
}