kat/nixfiles
1
0
Fork 0
mirror of https://github.com/kittywitch/nixfiles.git synced 2026-02-09 12:29:19 -08:00
Code Issues Projects Releases Packages Wiki Activity

[NGINX] Fix ACME

Browse source
This commit is contained in:
Kat Inskip 2023-04-26 18:11:18 -07:00
parent dc7cdad1af
commit c980cd0207
Signed by: kat
GPG key ID: 465E64DECEA8CF0F
7 changed files with 10 additions and 13 deletions
Download patch file Download diff file Expand all files Collapse all files

1
nixos/roles/matrix-homeserver/nginx.nix
View file

@ -16,6 +16,7 @@ in {
"kittywit.ch" = { "kittywit.ch" = {
enableACME = true; enableACME = true;
forceSSL = true; forceSSL = true;
acmeRoot = null;
locations."= /.well-known/matrix/server".extraConfig = mkWellKnown serverConfig; locations."= /.well-known/matrix/server".extraConfig = mkWellKnown serverConfig;
locations."= /.well-known/matrix/client".extraConfig = mkWellKnown clientConfig; locations."= /.well-known/matrix/client".extraConfig = mkWellKnown clientConfig;
}; };

3
nixos/roles/vaultwarden-server/nginx.nix
View file

@ -1,5 +1,8 @@
_: { _: {
services.nginx.virtualHosts."vault.kittywit.ch" = { services.nginx.virtualHosts."vault.kittywit.ch" = {
enableACME = true;
forceSSL = true;
acmeRoot = null;
locations = { locations = {
"/" = { "/" = {
proxyPass = "http://localhost:4000"; proxyPass = "http://localhost:4000";

6
nixos/roles/vaultwarden-server/vaultwarden.nix
View file

@ -5,12 +5,6 @@
... ...
}: }:
with lib; { with lib; {
secrets.variables = mapListToAttrs (field:
nameValuePair "vaultwarden-${field}" {
path = "secrets/vaultwarden";
inherit field;
}) ["password" "smtp"];
users.users.vaultwarden.name = "bitwarden_rs"; users.users.vaultwarden.name = "bitwarden_rs";
users.groups.vaultwarden.name = "bitwarden_rs"; users.groups.vaultwarden.name = "bitwarden_rs";

3
nixos/roles/web-server/acme.nix
View file

@ -1,8 +1,7 @@
_: { _: {
environment.etc."ssl/credentials_template".text = '' environment.etc."ssl/credentials_template".text = ''
CF_API_EMAIL=!!CLOUDFLARE_EMAIL!! CF_API_EMAIL=!!CLOUDFLARE_EMAIL!!
CF_DNS_API_TOKEN=!!CLOUDFLARE_TOKEN!! CLOUDFLARE_API_KEY=!!CLOUDFLARE_API_KEY!!
CF_ZONE_API_TOKEN=!!CLOUDFLARE_TOKEN!!
''; '';
security.acme = { security.acme = {

2
nixos/roles/web-server/scalpel.nix
View file

@ -2,7 +2,7 @@
scalpel.trafos."credentials_file" = { scalpel.trafos."credentials_file" = {
source = "/etc/ssl/credentials_template"; source = "/etc/ssl/credentials_template";
matchers."CLOUDFLARE_EMAIL".secret = config.sops.secrets.cloudflare_email.path; matchers."CLOUDFLARE_EMAIL".secret = config.sops.secrets.cloudflare_email.path;
matchers."CLOUDFLARE_TOKEN".secret = config.sops.secrets.cloudflare_token.path; matchers."CLOUDFLARE_API_KEY".secret = config.sops.secrets.cloudflare_api_key.path;
owner = "acme"; owner = "acme";
group = "acme"; group = "acme";
mode = "0440"; mode = "0440";

2
nixos/roles/web-server/secrets.nix
View file

@ -5,7 +5,7 @@ _: let
}; };
in { in {
sops.secrets.cloudflare_email = secretConfig; sops.secrets.cloudflare_email = secretConfig;
sops.secrets.cloudflare_token = secretConfig; sops.secrets.cloudflare_api_key = secretConfig;
scalpels = [ scalpels = [
./scalpel.nix ./scalpel.nix

6
nixos/roles/web-server/secrets.yaml
View file

@ -1,5 +1,5 @@
cloudflare_email: ENC[AES256_GCM,data:fwcHkWRqH3hEPDbFmA==,iv:He6yJHpD9oXrZSHPJKL7mnkRWm621HRj2cS6qLSn6aI=,tag:lON1D+55zSiJQljTox2JKQ==,type:str] cloudflare_email: ENC[AES256_GCM,data:fwcHkWRqH3hEPDbFmA==,iv:He6yJHpD9oXrZSHPJKL7mnkRWm621HRj2cS6qLSn6aI=,tag:lON1D+55zSiJQljTox2JKQ==,type:str]
cloudflare_token: ENC[AES256_GCM,data:gEiJNdzrQhHMRFLHZ5ZMe2T6VyZgMnXfufbu6LbtiVyQST53TBo7pQ==,iv:a/J6bUZbHQIQBRy8DV7MJe4TffElFBlDRAm3/j5E9hQ=,tag:n/07dZNyBWNpFKQCctkuBw==,type:str] cloudflare_api_key: ENC[AES256_GCM,data:kCDaXb1BPWoNVFVRjfOw4577BlIbMtsaouRT8dwNiL/JGNWH9w==,iv:rKSpeSfjIiQNFu58qjNnUtdBPIfXhIa6u7G7wqBohSg=,tag:7wnoB1MBj55okWzNISKftA==,type:str]
sops: sops:
shamir_threshold: 1 shamir_threshold: 1
kms: [] kms: []
@ -16,8 +16,8 @@ sops:
VDM0QUcyeVBmRzdyUHNrTUVablcyY2cK4WD0mB/EvZNmagFMq1kZz8y5M9mdHxwB VDM0QUcyeVBmRzdyUHNrTUVablcyY2cK4WD0mB/EvZNmagFMq1kZz8y5M9mdHxwB
o44D7JYE31czIpM/CJTfjsxG4NlQn//H48W60edSZPFHwIDNzjnbLA== o44D7JYE31czIpM/CJTfjsxG4NlQn//H48W60edSZPFHwIDNzjnbLA==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2023-04-25T23:06:23Z" lastmodified: "2023-04-27T01:10:09Z"
mac: ENC[AES256_GCM,data:w+3/oRHEdhUG7jUlRfMDtjY1W1ybyIlINopzuxLxvLWj6yTVA8/D8mp99V3kg7MvKBWW43hA0mQ+MkH8EtPfEDIXZKaMvmY89mKygc2FMGrFcgHVV9zg3qqxk84Zp1lg8+G4gwsgRuNAumFHrlvgCsZUVqEZGjy+cf+R4Dpmw2s=,iv:ax1E/PcwQ0ZcXlsdwY0hQvRp6b38o4qfEhNQASuxQoM=,tag:zEthuo4DoG/1DX28aogntw==,type:str] mac: ENC[AES256_GCM,data:tsvbspqI3jrwWQ/728g+urvhbDTvYJ70rcW1F3w5hC0YR6n7M4oED+QXOoH437Q85A9168OvfNqoIIIq3zEq7OWhk1dtInW2EWh2j5nHz1aFkiYg7VonfktJN9ylyamuZVKkmarMc87thzZrU+Ntb2VOdYsYd0AdWtlfY1CT++4=,iv:TI7tUjAUNc6DxpPRrrEdrsWxiJP6F+BZLGaOzTyo+3I=,tag:2zbq3/rMWFNjkRoBnYgfEA==,type:str]
pgp: pgp:
- created_at: "2023-04-25T23:00:27Z" - created_at: "2023-04-25T23:00:27Z"
enc: | enc: |