Migrating to security.acme
This commit is contained in:
baduhai
parent
36195dee41
commit
7b66f8d725
8 changed files with 329 additions and 302 deletions
21
flake.lock
generated
21
flake.lock
generated
|
|
@ -1,5 +1,25 @@
|
||||||
{
|
{
|
||||||
"nodes": {
|
"nodes": {
|
||||||
|
"agenix": {
|
||||||
|
"inputs": {
|
||||||
|
"nixpkgs": [
|
||||||
|
"nixpkgs"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"locked": {
|
||||||
|
"lastModified": 1665870395,
|
||||||
|
"narHash": "sha256-Tsbqb27LDNxOoPLh0gw2hIb6L/6Ow/6lIBvqcHzEKBI=",
|
||||||
|
"owner": "ryantm",
|
||||||
|
"repo": "agenix",
|
||||||
|
"rev": "a630400067c6d03c9b3e0455347dc8559db14288",
|
||||||
|
"type": "github"
|
||||||
|
},
|
||||||
|
"original": {
|
||||||
|
"owner": "ryantm",
|
||||||
|
"repo": "agenix",
|
||||||
|
"type": "github"
|
||||||
|
}
|
||||||
|
},
|
||||||
"deploy-rs": {
|
"deploy-rs": {
|
||||||
"inputs": {
|
"inputs": {
|
||||||
"flake-compat": "flake-compat",
|
"flake-compat": "flake-compat",
|
||||||
|
|
@ -153,6 +173,7 @@
|
||||||
},
|
},
|
||||||
"root": {
|
"root": {
|
||||||
"inputs": {
|
"inputs": {
|
||||||
|
"agenix": "agenix",
|
||||||
"deploy-rs": "deploy-rs",
|
"deploy-rs": "deploy-rs",
|
||||||
"home-manager": "home-manager",
|
"home-manager": "home-manager",
|
||||||
"home-manager-stable": "home-manager-stable",
|
"home-manager-stable": "home-manager-stable",
|
||||||
|
|
|
||||||
|
|
@ -10,8 +10,6 @@
|
||||||
./io
|
./io
|
||||||
];
|
];
|
||||||
|
|
||||||
age.secrets.secret1.file = ../secrets/secret1.age;
|
|
||||||
|
|
||||||
networking.hostName = "io";
|
networking.hostName = "io";
|
||||||
|
|
||||||
zramSwap = {
|
zramSwap = {
|
||||||
|
|
|
||||||
|
|
@ -4,5 +4,6 @@
|
||||||
imports = [
|
imports = [
|
||||||
./hardware-configuration.nix
|
./hardware-configuration.nix
|
||||||
./hosted-services.nix
|
./hosted-services.nix
|
||||||
|
./security.nix
|
||||||
];
|
];
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -1,87 +1,94 @@
|
||||||
{ config, pkgs, libs, ... }:
|
{ config, pkgs, libs, ... }:
|
||||||
|
|
||||||
{
|
{
|
||||||
|
services = {
|
||||||
# security.acme = {
|
nginx = {
|
||||||
# acceptTerms = true;
|
enable = true;
|
||||||
# defaults = {
|
recommendedGzipSettings = true;
|
||||||
# email = "baduhai@baduhai.me";
|
recommendedOptimisation = true;
|
||||||
# server = "https://acme-staging-v02.api.letsencrypt.org/directory";
|
recommendedProxySettings = true;
|
||||||
# credentialsFile = "/var/secrets/acme"; # Transfer to secret file once I have a proper secrets solution
|
recommendedTlsSettings = true;
|
||||||
# extraLegoFlags = [ "--dns" "cloudflare" "--dns.resolvers=100.100.100.100:53" ];
|
virtualHosts = {
|
||||||
# };
|
"baduhai.me" = { useACMEHoost = "baduhai.me"; forceSSL = true; kTLS = true; locations."/".proxyPass = "http://127.0.0.1:8000/"; };
|
||||||
# };
|
# "detect.baduhai.me" = { default = true; enableACME = true; addSSL = true; locations."/".proxyPass = "http://127.0.0.1:8001/"; };
|
||||||
#
|
# "cinny.baduhai.me" = { default = true; enableACME = true; addSSL = true; locations."/".proxyPass = "http://127.0.0.1:8002/"; };
|
||||||
# services = {
|
# "jellyfin.baduhai.me" = { default = true; enableACME = true; addSSL = true; locations."/".proxyPass = "http://127.0.0.1:8003/"; };
|
||||||
# nginx = {
|
# "librespeed.baduhai.me" = { default = true; enableACME = true; addSSL = true; locations."/".proxyPass = "http://127.0.0.1:8004/"; };
|
||||||
# enable = true;
|
# "paperless.baduhai.me" = { default = true; enableACME = true; addSSL = true; locations."/".proxyPass = "http://127.0.0.1:8005/"; };
|
||||||
# recommendedGzipSettings = true;
|
# "pyload.baduhai.me" = { default = true; enableACME = true; addSSL = true; locations."/".proxyPass = "http://127.0.0.1:8006/"; };
|
||||||
# recommendedOptimisation = true;
|
# "shiori.baduhai.me" = { default = true; enableACME = true; addSSL = true; locations."/".proxyPass = "http://127.0.0.1:8007/"; };
|
||||||
# recommendedProxySettings = true;
|
# "sync.baduhai.me" = { default = true; enableACME = true; addSSL = true; locations."/".proxyPass = "http://127.0.0.1:8008/"; };
|
||||||
# recommendedTlsSettings = true;
|
# "whoogle.baduhai.me" = { default = true; enableACME = true; addSSL = true; locations."/".proxyPass = "http://127.0.0.1:8009/"; };
|
||||||
# virtualHosts = {
|
# "adguard.baduhai.me" = { default = true; enableACME = true; addSSL = true; locations."/".proxyPass = "http://100.77.225.37:3000/"; };
|
||||||
# "baduhai.me" = { default = true; enableACME = true; addSSL = true; locations."/".proxyPass = "http://127.0.0.1:8000/"; };
|
};
|
||||||
# "detect.baduhai.me" = { default = true; enableACME = true; addSSL = true; locations."/".proxyPass = "http://127.0.0.1:8001/"; };
|
};
|
||||||
# "cinny.baduhai.me" = { default = true; enableACME = true; addSSL = true; locations."/".proxyPass = "http://127.0.0.1:8002/"; };
|
};
|
||||||
# "jellyfin.baduhai.me" = { default = true; enableACME = true; addSSL = true; locations."/".proxyPass = "http://127.0.0.1:8003/"; };
|
|
||||||
# "librespeed.baduhai.me" = { default = true; enableACME = true; addSSL = true; locations."/".proxyPass = "http://127.0.0.1:8004/"; };
|
|
||||||
# "paperless.baduhai.me" = { default = true; enableACME = true; addSSL = true; locations."/".proxyPass = "http://127.0.0.1:8005/"; };
|
|
||||||
# "pyload.baduhai.me" = { default = true; enableACME = true; addSSL = true; locations."/".proxyPass = "http://127.0.0.1:8006/"; };
|
|
||||||
# "shiori.baduhai.me" = { default = true; enableACME = true; addSSL = true; locations."/".proxyPass = "http://127.0.0.1:8007/"; };
|
|
||||||
# "sync.baduhai.me" = { default = true; enableACME = true; addSSL = true; locations."/".proxyPass = "http://127.0.0.1:8008/"; };
|
|
||||||
# "whoogle.baduhai.me" = { default = true; enableACME = true; addSSL = true; locations."/".proxyPass = "http://127.0.0.1:8009/"; };
|
|
||||||
# "adguard.baduhai.me" = { default = true; enableACME = true; addSSL = true; locations."/".proxyPass = "http://100.77.225.37:3000/"; };
|
|
||||||
# };
|
|
||||||
# };
|
|
||||||
# };
|
|
||||||
|
|
||||||
virtualisation = {
|
virtualisation = {
|
||||||
docker.enable = true;
|
docker.enable = true;
|
||||||
oci-containers = {
|
oci-containers = {
|
||||||
backend = "docker";
|
backend = "docker";
|
||||||
containers = {
|
containers = {
|
||||||
"traefik" = { # Reverse proxy
|
# "traefik" = { # Reverse proxy
|
||||||
image = "docker.io/traefik:v2.8";
|
# image = "docker.io/traefik:v2.8";
|
||||||
cmd = [
|
# cmd = [
|
||||||
"--api"
|
# "--api"
|
||||||
"--providers.docker=true" # Enable the docker traefik provider
|
# "--providers.docker=true" # Enable the docker traefik provider
|
||||||
"--providers.docker.exposedbydefault=false"
|
# "--providers.docker.exposedbydefault=false"
|
||||||
"--api.dashboard=true" # Enable the Trafik dashboard
|
# "--api.dashboard=true" # Enable the Trafik dashboard
|
||||||
"--certificatesresolvers.letsencrypt.acme.dnschallenge=true" # Enable dns challenge
|
# "--certificatesresolvers.letsencrypt.acme.dnschallenge=true" # Enable dns challenge
|
||||||
"--certificatesresolvers.letsencrypt.acme.email=baduhai@baduhai.me" # Dummy email
|
# "--certificatesresolvers.letsencrypt.acme.email=baduhai@baduhai.me" # Dummy email
|
||||||
"--certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json"
|
# "--certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json"
|
||||||
"--certificatesresolvers.letsencrypt.acme.dnschallenge.provider=cloudflare" # Cloudflare has my dns records
|
# "--certificatesresolvers.letsencrypt.acme.dnschallenge.provider=cloudflare" # Cloudflare has my dns records
|
||||||
"--certificatesresolvers.letsencrypt.acme.dnschallenge.resolvers=100.100.100.100:53" # Use tailscale as dns resolver
|
# "--certificatesresolvers.letsencrypt.acme.dnschallenge.resolvers=100.100.100.100:53" # Use tailscale as dns resolver
|
||||||
"--entrypoints.web.address=:80" # Listen on port 80
|
# "--entrypoints.web.address=:80" # Listen on port 80
|
||||||
"--entrypoints.web.http.redirections.entrypoint.to=websecure" # Redirect all http trafic to https
|
# "--entrypoints.web.http.redirections.entrypoint.to=websecure" # Redirect all http trafic to https
|
||||||
"--entrypoints.web.http.redirections.entrypoint.scheme=https" # Redirect all http trafic to https
|
# "--entrypoints.web.http.redirections.entrypoint.scheme=https" # Redirect all http trafic to https
|
||||||
"--entrypoints.websecure.address=:443" # Redirect all http trafic to https
|
# "--entrypoints.websecure.address=:443" # Redirect all http trafic to https
|
||||||
"--entrypoints.websecure.http.tls=true" # Enable tls
|
# "--entrypoints.websecure.http.tls=true" # Enable tls
|
||||||
"--entrypoints.websecure.http.tls.certResolver=letsencrypt" # Use letsencrypt for tls
|
# "--entrypoints.websecure.http.tls.certResolver=letsencrypt" # Use letsencrypt for tls
|
||||||
"--entrypoints.websecure.http.tls.domains[0].main=baduhai.me" # tls for top-level domain
|
# "--entrypoints.websecure.http.tls.domains[0].main=baduhai.me" # tls for top-level domain
|
||||||
"--entrypoints.websecure.http.tls.domains[0].sans=*.baduhai.me" # tls for sub-domains
|
# "--entrypoints.websecure.http.tls.domains[0].sans=*.baduhai.me" # tls for sub-domains
|
||||||
"--global.sendAnonymousUsage=false" # Stop traefik from reporting usage data
|
# "--global.sendAnonymousUsage=false" # Stop traefik from reporting usage data
|
||||||
"--global.checkNewVersion=false" # Don't check for new versions
|
# "--global.checkNewVersion=false" # Don't check for new versions
|
||||||
];
|
# ];
|
||||||
environment = { # Transfer to secret environmentFiles once I have a proper secrets solution
|
# environment = { # Transfer to secret environmentFiles once I have a proper secrets solution
|
||||||
CLOUDFLARE_EMAIL = "haiwilliam0@gmail.com";
|
# CLOUDFLARE_EMAIL = "haiwilliam0@gmail.com";
|
||||||
CLOUDFLARE_DNS_API_TOKEN = "_zorlWkGYhCBrxn3g82pqOOiy9XULTdP2j7VoMVK";
|
# CLOUDFLARE_DNS_API_TOKEN = "_zorlWkGYhCBrxn3g82pqOOiy9XULTdP2j7VoMVK";
|
||||||
};
|
# };
|
||||||
|
# volumes = [
|
||||||
|
# "/var/run/docker.sock:/var/run/docker.sock:ro"
|
||||||
|
# "/data/traefik/certs:/letsencrypt"
|
||||||
|
# ];
|
||||||
|
# ports = [
|
||||||
|
# "80:80"
|
||||||
|
# "443:443"
|
||||||
|
# ];
|
||||||
|
# extraOptions = [
|
||||||
|
# "--pull=always"
|
||||||
|
# "--label=traefik.enable=true"
|
||||||
|
# "--label=traefik.http.routers.traefik.service=api@internal"
|
||||||
|
# "--label=traefik.http.routers.traefik.entrypoints=websecure"
|
||||||
|
# "--label=traefik.http.routers.traefik.tls.certresolver=letsencrypt"
|
||||||
|
# "--label=traefik.http.routers.traefik.rule=Host(`traefik.baduhai.me`)"
|
||||||
|
# ];
|
||||||
|
# };
|
||||||
|
"homarr" = { # Dashboard
|
||||||
|
image = "ghcr.io/ajnart/homarr:latest";
|
||||||
volumes = [
|
volumes = [
|
||||||
|
"/data/homarr/configs:/app/data/configs"
|
||||||
"/var/run/docker.sock:/var/run/docker.sock:ro"
|
"/var/run/docker.sock:/var/run/docker.sock:ro"
|
||||||
"/data/traefik/certs:/letsencrypt"
|
|
||||||
];
|
];
|
||||||
ports = [
|
ports = [
|
||||||
"80:80"
|
"8000:7575"
|
||||||
"443:443"
|
|
||||||
];
|
];
|
||||||
extraOptions = [
|
extraOptions = [
|
||||||
"--pull=always"
|
"--pull=always"
|
||||||
"--label=traefik.enable=true"
|
"--label=traefik.enable=true"
|
||||||
"--label=traefik.http.routers.traefik.service=api@internal"
|
"--label=traefik.http.routers.homarr.entrypoints=websecure"
|
||||||
"--label=traefik.http.routers.traefik.entrypoints=websecure"
|
"--label=traefik.http.routers.homarr.tls.certresolver=letsencrypt"
|
||||||
"--label=traefik.http.routers.traefik.tls.certresolver=letsencrypt"
|
"--label=traefik.http.services.homarr.loadbalancer.server.port=7575"
|
||||||
"--label=traefik.http.routers.traefik.rule=Host(`traefik.baduhai.me`)"
|
"--label=traefik.http.routers.homarr.rule=Host(`baduhai.me`)"
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
"changedetection" = { # Detect changes in webpages
|
"changedetection" = { # Detect changes in webpages
|
||||||
|
|
@ -107,24 +114,6 @@
|
||||||
"--label=traefik.http.routers.detect.rule=Host(`detect.baduhai.me`)"
|
"--label=traefik.http.routers.detect.rule=Host(`detect.baduhai.me`)"
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
"homarr" = { # Dashboard
|
|
||||||
image = "ghcr.io/ajnart/homarr:latest";
|
|
||||||
volumes = [
|
|
||||||
"/data/homarr/configs:/app/data/configs"
|
|
||||||
"/var/run/docker.sock:/var/run/docker.sock:ro"
|
|
||||||
];
|
|
||||||
ports = [
|
|
||||||
"8000:7575"
|
|
||||||
];
|
|
||||||
extraOptions = [
|
|
||||||
"--pull=always"
|
|
||||||
"--label=traefik.enable=true"
|
|
||||||
"--label=traefik.http.routers.homarr.entrypoints=websecure"
|
|
||||||
"--label=traefik.http.routers.homarr.tls.certresolver=letsencrypt"
|
|
||||||
"--label=traefik.http.services.homarr.loadbalancer.server.port=7575"
|
|
||||||
"--label=traefik.http.routers.homarr.rule=Host(`baduhai.me`)"
|
|
||||||
];
|
|
||||||
};
|
|
||||||
"jellyfin" = {
|
"jellyfin" = {
|
||||||
image = "lscr.io/linuxserver/jellyfin:10.8.4";
|
image = "lscr.io/linuxserver/jellyfin:10.8.4";
|
||||||
environment = {
|
environment = {
|
||||||
|
|
|
||||||
18
hosts/servers/alexandria/security.nix
Normal file
18
hosts/servers/alexandria/security.nix
Normal file
|
|
@ -0,0 +1,18 @@
|
||||||
|
{ config, pkgs, libs, ... }:
|
||||||
|
|
||||||
|
{
|
||||||
|
age.secrets.cloudflare-dns-api-key.file = ../../../secrets/cloudflare-dns-api-key.age;
|
||||||
|
|
||||||
|
security.acme = {
|
||||||
|
acceptTerms = true;
|
||||||
|
defaults = {
|
||||||
|
email = "baduhai@proton.me";
|
||||||
|
dnsResolver = "1.1.1.1:53";
|
||||||
|
dnsProvider = "cloudflare";
|
||||||
|
credentialsFile = config.age.secrets.cloudflare-dns-api-key.path;
|
||||||
|
};
|
||||||
|
certs."baduhai.me" = {
|
||||||
|
extraDomainNames = "*.baduhai.me";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
||||||
BIN
secrets/cloudflare-dns-api-key.age
Normal file
BIN
secrets/cloudflare-dns-api-key.age
Normal file
Binary file not shown.
Binary file not shown.
|
|
@ -6,5 +6,5 @@ let
|
||||||
servers = [ alexandria ];
|
servers = [ alexandria ];
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
"secret1.age".publicKeys = desktops;
|
"cloudflare-dns-api-key.age".publicKeys = [ alexandria ];
|
||||||
}
|
}
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue