| author | Mel <mel@rnrd.eu> | 2025-02-12 18:39:45 +0100 |
|---|---|---|
| committer | Mel <mel@rnrd.eu> | 2025-02-12 18:54:57 +0100 |
| commit | 2d90edb0be0ec6063a646b4473d1663179dd55fc (patch) | |
| tree | 529e20f854df47debe4381d70141b24d0d5d3114 | |
| parent | 7afb39935e8dabd1c6797aefa3d36f6061794040 (diff) | |
Create wildcard certificates for rnrd external and internal domain
Signed-off-by: Mel <mel@rnrd.eu>
| -rw-r--r-- | modules/www/default.nix | 44 | ||||
| -rw-r--r-- | secrets/cloudflare-dns.age | bin | 693 -> 803 bytes | |||
| -rw-r--r-- | secrets/secrets.nix | 5 | ||||
| -rw-r--r-- | services/cgit.nix | 2 |
4 files changed, 42 insertions, 9 deletions
diff --git a/modules/www/default.nix b/modules/www/default.nix
index 9a97522..ecc9b66 100644
--- a/modules/www/default.nix
+++ b/modules/www/default.nix
@@ -1,6 +1,16 @@
-{ me, pkgs, util, ... }:
+{
+ me,
+ config,
+ pkgs,
+ lib,
+ util,
+ ...
+}:
 let
+ inherit (lib) mergeAttrsList;
+ inherit (config.age) secrets;
+
 rnrdUrl = if me.is.renard then "rnrd.eu" else "${me.name}.rnrd.eu";
 base-index = pkgs.substituteAll {
@@ -13,15 +23,40 @@ let
 "favicon.png" = ../../assets/favicon.png;
 };
+ certificate = domain: {
+ ${domain} = {
+ domain = "*.${domain}";
+ extraDomainNames = [ domain ];
+
+ dnsProvider = "cloudflare";
+ credentialFiles = {
+ CLOUDFLARE_DNS_API_TOKEN_FILE = secrets.cloudflare-dns.path;
+ };
+ };
+ };
 in
 {
 imports = [ ./tailnet.nix ];
+ age.secrets = {
+ cloudflare-dns.file = ../../secrets/cloudflare-dns.age;
+ };
+
 security.acme = {
 acceptTerms = true;
- defaults.email = "mel@rnrd.eu";
 # causes issues with tailscale certificates
 preliminarySelfsigned = false;
+ defaults = {
+ email = "mel@rnrd.eu";
+ # our certificates are really only used with Nginx
+ group = config.services.nginx.group;
+ reloadServices = [ "nginx.service" ];
+ };
+
+ certs = mergeAttrsList [
+ (certificate "rnrd.eu")
+ (certificate "rnrd.fyi")
+ ];
 };
 services.nginx = {
@@ -57,9 +92,10 @@ in
 base = {
 default = true;
 serverName = rnrdUrl;
- root = base;
 forceSSL = true;
- enableACME = true;
+ useACMEHost = "rnrd.eu";
+
+ root = base;
 extraConfig = ''
 access_log /var/log/nginx/base.access.log json_combined;
 '';
diff --git a/secrets/cloudflare-dns.age b/secrets/cloudflare-dns.age
index bd546a6..5eba203 100644
--- a/secrets/cloudflare-dns.age
+++ b/secrets/cloudflare-dns.age
Binary files differ
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 823420b..8571672 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
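Review bot: The `certificate` helper requests a wildcard for `*.rnrd.eu` and `*.rnrd.fyi`, and `group = config.services.nginx.group` in `defaults` makes each wildcard's private key readable by nginx, so a compromise of any single vhost (or, if this module is imported on several hosts, any single host) yields a key valid for every name under both zones; that is the usual wildcard trade-off, but it deserves a comment on the helper, e.g. `# one wildcard per zone: all vhosts (and every host importing this module) share this key`. Only `rnrd.eu` is referenced by `useACMEHost` in this commit, so the `rnrd.fyi` certificate appears to be issued and renewed without a consumer here; if another module uses it, a comment saying so would help, otherwise it can be dropped from `certs` until needed. The token wired in through `CLOUDFLARE_DNS_API_TOKEN_FILE` can pass DNS-01 for any name in the zones it is allowed to edit, so it is worth recording the expected scope next to `credentialFiles`, e.g. `# expects a token limited to DNS edit on these two zones`.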
@@ -5,10 +5,7 @@ let
 inherit (keys.system) renard lapin corsac;
 in
 {
- "cloudflare-dns.age".publicKeys = [
- lapin
- corsac
- ] ++ allAdmins;
+ "cloudflare-dns.age".publicKeys = allSystems ++ allAdmins;
 "pds-secrets.age".publicKeys = [
 lapin
diff --git a/services/cgit.nix b/services/cgit.nix
index 73bfbe4..125b920 100644
--- a/services/cgit.nix
+++ b/services/cgit.nix
@@ -65,7 +65,7 @@ in
 };
 services.nginx.virtualHosts."git.rnrd.eu" = {
- enableACME = true;
+ useACMEHost = "rnrd.eu";
 forceSSL = true;
 locations = {
 "/" = {
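Review bot: Every host can now decrypt the Cloudflare DNS token, since `"cloudflare-dns.age".publicKeys` becomes `allSystems ++ allAdmins` instead of the `lapin`/`corsac` list, and any host holding that token can alter DNS for the zones and pass DNS-01 for any name, so the blast radius of a single host compromise now includes certificate issuance for everything under them. If every system really does import the ACME module changed in this commit, record that dependency here, e.g. `# every host issues its own wildcard via DNS-01, so each system needs the token`; otherwise keep the recipient list to the hosts that actually run the challenge. The enclosing `let … in` of secrets.nix starts before the hunk and `allSystems` is not visible here, so I am assuming it is the full host list.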
