From 2d90edb0be0ec6063a646b4473d1663179dd55fc Mon Sep 17 00:00:00 2001
From: Mel
Date: Wed, 12 Feb 2025 18:39:45 +0100
Subject: Create wildcard certificates for rnrd external and internal domain
Signed-off-by: Mel
---
 modules/www/default.nix | 44 ++++++++++++++++++++++++++++++++++++++++----
 1 file changed, 40 insertions(+), 4 deletions(-)
(limited to 'modules')
diff --git a/modules/www/default.nix b/modules/www/default.nix
index 9a97522..ecc9b66 100644
--- a/modules/www/default.nix
+++ b/modules/www/default.nix
@@ -1,6 +1,16 @@
-{ me, pkgs, util, ... }:
+{
+ me,
+ config,
+ pkgs,
+ lib,
+ util,
+ ...
+}:
 let
+ inherit (lib) mergeAttrsList;
+ inherit (config.age) secrets;
+
 rnrdUrl = if me.is.renard then "rnrd.eu" else "${me.name}.rnrd.eu";
 base-index = pkgs.substituteAll {
@@ -13,15 +23,40 @@ let
 "favicon.png" = ../../assets/favicon.png;
 };
+ certificate = domain: {
+ ${domain} = {
+ domain = "*.${domain}";
+ extraDomainNames = [ domain ];
+
+ dnsProvider = "cloudflare";
+ credentialFiles = {
+ CLOUDFLARE_DNS_API_TOKEN_FILE = secrets.cloudflare-dns.path;
+ };
+ };
+ };
 in
 {
 imports = [ ./tailnet.nix ];
+ age.secrets = {
+ cloudflare-dns.file = ../../secrets/cloudflare-dns.age;
+ };
+
 security.acme = {
 acceptTerms = true;
- defaults.email = "mel@rnrd.eu";
 # causes issues with tailscale certificates
 preliminarySelfsigned = false;
+ defaults = {
+ email = "mel@rnrd.eu";
+ # our certificates are really only used with Nginx
+ group = config.services.nginx.group;
+ reloadServices = [ "nginx.service" ];
+ };
+
+ certs = mergeAttrsList [
+ (certificate "rnrd.eu")
+ (certificate "rnrd.fyi")
+ ];
 };
 services.nginx = {
@@ -57,9 +92,10 @@ in
 base = {
 default = true;
 serverName = rnrdUrl;
- root = base;
 forceSSL = true;
- enableACME = true;
+ useACMEHost = "rnrd.eu";
+
+ root = base;
 extraConfig = ''
 access_log /var/log/nginx/base.access.log json_combined;
 '';
--
cgit 1.4.1
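Review bot: `age.secrets.cloudflare-dns` is declared with only `.file`, so the decrypted token's owner and mode are whatever agenix defaults to, and nothing in the hunk records what the token is allowed to do or which services read it. Since `certificate` hands this path to lego through `credentialFiles` for DNS-01 on every host that imports the module, a short comment next to the secret would help the next reader, e.g. `# Cloudflare API token: Zone:DNS:Edit on rnrd.eu and rnrd.fyi only; read by the acme-* services via credentialFiles`. If the acme service cannot read a root-only file through `credentialFiles` (presumably it is loaded as a systemd credential, but confirm against the NixOS acme module), the secret also needs an explicit `owner`/`group`. The `certs` set keys each cert by `${domain}`, which is the name the nginx `useACMEHost` in the third hunk must match, so a one-line comment on `certificate` saying so would tie the two together.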
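Review bot: `useACMEHost = "rnrd.eu"` repeats a literal that also appears in `rnrdUrl` and in `certificate "rnrd.eu"` in the second hunk, and nothing checks that `serverName = rnrdUrl` actually falls under the `*.rnrd.eu` wildcard, so a later edit to `rnrdUrl` could leave nginx presenting a certificate that does not match its own name. A single `let` binding for the base domain (which would live outside this hunk) used by all three sites would keep them from drifting, e.g. `useACMEHost = baseDomain;` here and `rnrdUrl = if me.is.renard then baseDomain else "${me.name}.${baseDomain}";` in the `let` block of the first hunk. The `base` vhost's attribute set continues past the end of the hunk.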