Migrating to security.acme

2022-12-20 13:00:33 -03:00 · 2022-12-20 13:00:33 -03:00 · 7b66f8d725
commit 7b66f8d725
parent 36195dee41
8 changed files with 329 additions and 302 deletions
--- a/flake.lock
+++ b/flake.lock
@ -1,5 +1,25 @@
 {
  "nodes": {
+    "agenix": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1665870395,
+        "narHash": "sha256-Tsbqb27LDNxOoPLh0gw2hIb6L/6Ow/6lIBvqcHzEKBI=",
+        "owner": "ryantm",
+        "repo": "agenix",
+        "rev": "a630400067c6d03c9b3e0455347dc8559db14288",
+        "type": "github"
+      },
+      "original": {
+        "owner": "ryantm",
+        "repo": "agenix",
+        "type": "github"
+      }
+    },
    "deploy-rs": {
      "inputs": {
        "flake-compat": "flake-compat",
@ -153,6 +173,7 @@
    },
    "root": {
      "inputs": {
+        "agenix": "agenix",
        "deploy-rs": "deploy-rs",
        "home-manager": "home-manager",
        "home-manager-stable": "home-manager-stable",
--- a/hosts/desktops/io.nix
+++ b/hosts/desktops/io.nix
@ -10,8 +10,6 @@
    ./io
  ];

-  age.secrets.secret1.file = ../secrets/secret1.age;
-
  networking.hostName = "io";

  zramSwap = {
--- a/hosts/servers/alexandria/default.nix
+++ b/hosts/servers/alexandria/default.nix
@ -4,5 +4,6 @@
  imports = [
    ./hardware-configuration.nix
    ./hosted-services.nix
+    ./security.nix
  ];
 }
--- a/hosts/servers/alexandria/hosted-services.nix
+++ b/hosts/servers/alexandria/hosted-services.nix
@ -1,87 +1,94 @@
 { config, pkgs, libs, ... }:

 {
-
-  # security.acme = {
-  	# acceptTerms = true;
-  	# defaults = {
-  	  # email = "baduhai@baduhai.me";
-  	  # server = "https://acme-staging-v02.api.letsencrypt.org/directory";
-  	  # credentialsFile = "/var/secrets/acme"; # Transfer to secret file once I have a proper secrets solution
-  	  # extraLegoFlags = [ "--dns" "cloudflare" "--dns.resolvers=100.100.100.100:53" ];
-  	# };
-  # };
-# 
-  # services = {
-  	# nginx = {
-  	  # enable = true;
-  	  # recommendedGzipSettings = true;
-  	  # recommendedOptimisation = true;
-  	  # recommendedProxySettings = true;
-  	  # recommendedTlsSettings = true;
-  	  # virtualHosts = {
-  	  	# "baduhai.me"            = { default = true; enableACME = true; addSSL = true; locations."/".proxyPass = "http://127.0.0.1:8000/"; };
-  	  	# "detect.baduhai.me"     = { default = true; enableACME = true; addSSL = true; locations."/".proxyPass = "http://127.0.0.1:8001/"; };
-  	  	# "cinny.baduhai.me"      = { default = true; enableACME = true; addSSL = true; locations."/".proxyPass = "http://127.0.0.1:8002/"; };
-  	  	# "jellyfin.baduhai.me"   = { default = true; enableACME = true; addSSL = true; locations."/".proxyPass = "http://127.0.0.1:8003/"; };
-  	  	# "librespeed.baduhai.me" = { default = true; enableACME = true; addSSL = true; locations."/".proxyPass = "http://127.0.0.1:8004/"; };
-  	  	# "paperless.baduhai.me"  = { default = true; enableACME = true; addSSL = true; locations."/".proxyPass = "http://127.0.0.1:8005/"; };
-  	  	# "pyload.baduhai.me"     = { default = true; enableACME = true; addSSL = true; locations."/".proxyPass = "http://127.0.0.1:8006/"; };
-  	  	# "shiori.baduhai.me"     = { default = true; enableACME = true; addSSL = true; locations."/".proxyPass = "http://127.0.0.1:8007/"; };
-  	  	# "sync.baduhai.me"       = { default = true; enableACME = true; addSSL = true; locations."/".proxyPass = "http://127.0.0.1:8008/"; };
-  	  	# "whoogle.baduhai.me"    = { default = true; enableACME = true; addSSL = true; locations."/".proxyPass = "http://127.0.0.1:8009/"; };
-  	  	# "adguard.baduhai.me"    = { default = true; enableACME = true; addSSL = true; locations."/".proxyPass = "http://100.77.225.37:3000/"; };
-  	  # };
-  	# };
-  # };
+  services = {
+    nginx = {
+      enable = true;
+      recommendedGzipSettings = true;
+      recommendedOptimisation = true;
+      recommendedProxySettings = true;
+      recommendedTlsSettings = true;
+      virtualHosts = {
+        "baduhai.me" = { useACMEHoost = "baduhai.me"; forceSSL = true; kTLS = true; locations."/".proxyPass = "http://127.0.0.1:8000/"; };
+#         "detect.baduhai.me"     = { default = true; enableACME = true; addSSL = true; locations."/".proxyPass = "http://127.0.0.1:8001/"; };
+#         "cinny.baduhai.me"      = { default = true; enableACME = true; addSSL = true; locations."/".proxyPass = "http://127.0.0.1:8002/"; };
+#         "jellyfin.baduhai.me"   = { default = true; enableACME = true; addSSL = true; locations."/".proxyPass = "http://127.0.0.1:8003/"; };
+#         "librespeed.baduhai.me" = { default = true; enableACME = true; addSSL = true; locations."/".proxyPass = "http://127.0.0.1:8004/"; };
+#         "paperless.baduhai.me"  = { default = true; enableACME = true; addSSL = true; locations."/".proxyPass = "http://127.0.0.1:8005/"; };
+#         "pyload.baduhai.me"     = { default = true; enableACME = true; addSSL = true; locations."/".proxyPass = "http://127.0.0.1:8006/"; };
+#         "shiori.baduhai.me"     = { default = true; enableACME = true; addSSL = true; locations."/".proxyPass = "http://127.0.0.1:8007/"; };
+#         "sync.baduhai.me"       = { default = true; enableACME = true; addSSL = true; locations."/".proxyPass = "http://127.0.0.1:8008/"; };
+#         "whoogle.baduhai.me"    = { default = true; enableACME = true; addSSL = true; locations."/".proxyPass = "http://127.0.0.1:8009/"; };
+#         "adguard.baduhai.me"    = { default = true; enableACME = true; addSSL = true; locations."/".proxyPass = "http://100.77.225.37:3000/"; };
+      };
+    };
+  };

  virtualisation = {
    docker.enable = true;
    oci-containers = {
      backend = "docker";
      containers = {
-  	    "traefik" = { # Reverse proxy
-  	      image = "docker.io/traefik:v2.8";
-  	      cmd = [
-  	      	"--api"
-  	      	"--providers.docker=true" # Enable the docker traefik provider
-  	      	"--providers.docker.exposedbydefault=false"
-  	      	"--api.dashboard=true" # Enable the Trafik dashboard
-  	      	"--certificatesresolvers.letsencrypt.acme.dnschallenge=true" # Enable dns challenge
-  	      	"--certificatesresolvers.letsencrypt.acme.email=baduhai@baduhai.me" # Dummy email
-  	      	"--certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json"
-  	      	"--certificatesresolvers.letsencrypt.acme.dnschallenge.provider=cloudflare" # Cloudflare has my dns records
-  	      	"--certificatesresolvers.letsencrypt.acme.dnschallenge.resolvers=100.100.100.100:53" # Use tailscale as dns resolver
-  	      	"--entrypoints.web.address=:80" # Listen on port 80
-  	      	"--entrypoints.web.http.redirections.entrypoint.to=websecure" # Redirect all http trafic to https
-  	      	"--entrypoints.web.http.redirections.entrypoint.scheme=https" # Redirect all http trafic to https
-  	      	"--entrypoints.websecure.address=:443" # Redirect all http trafic to https
-  	      	"--entrypoints.websecure.http.tls=true" # Enable tls
-  	      	"--entrypoints.websecure.http.tls.certResolver=letsencrypt" # Use letsencrypt for tls
-  	      	"--entrypoints.websecure.http.tls.domains[0].main=baduhai.me" # tls for top-level domain
-  	      	"--entrypoints.websecure.http.tls.domains[0].sans=*.baduhai.me" # tls for sub-domains
-  	      	"--global.sendAnonymousUsage=false" # Stop traefik from reporting usage data
-  	      	"--global.checkNewVersion=false" # Don't check for new versions
-  	      ];
-  	      environment = { # Transfer to secret environmentFiles once I have a proper secrets solution
-  	      	CLOUDFLARE_EMAIL = "haiwilliam0@gmail.com";
-  	      	CLOUDFLARE_DNS_API_TOKEN = "_zorlWkGYhCBrxn3g82pqOOiy9XULTdP2j7VoMVK";
-  	      };
+#         "traefik" = { # Reverse proxy
+#           image = "docker.io/traefik:v2.8";
+#           cmd = [
+#             "--api"
+#             "--providers.docker=true" # Enable the docker traefik provider
+#             "--providers.docker.exposedbydefault=false"
+#             "--api.dashboard=true" # Enable the Trafik dashboard
+#             "--certificatesresolvers.letsencrypt.acme.dnschallenge=true" # Enable dns challenge
+#             "--certificatesresolvers.letsencrypt.acme.email=baduhai@baduhai.me" # Dummy email
+#             "--certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json"
+#             "--certificatesresolvers.letsencrypt.acme.dnschallenge.provider=cloudflare" # Cloudflare has my dns records
+#             "--certificatesresolvers.letsencrypt.acme.dnschallenge.resolvers=100.100.100.100:53" # Use tailscale as dns resolver
+#             "--entrypoints.web.address=:80" # Listen on port 80
+#             "--entrypoints.web.http.redirections.entrypoint.to=websecure" # Redirect all http trafic to https
+#             "--entrypoints.web.http.redirections.entrypoint.scheme=https" # Redirect all http trafic to https
+#             "--entrypoints.websecure.address=:443" # Redirect all http trafic to https
+#             "--entrypoints.websecure.http.tls=true" # Enable tls
+#             "--entrypoints.websecure.http.tls.certResolver=letsencrypt" # Use letsencrypt for tls
+#             "--entrypoints.websecure.http.tls.domains[0].main=baduhai.me" # tls for top-level domain
+#             "--entrypoints.websecure.http.tls.domains[0].sans=*.baduhai.me" # tls for sub-domains
+#             "--global.sendAnonymousUsage=false" # Stop traefik from reporting usage data
+#             "--global.checkNewVersion=false" # Don't check for new versions
+#           ];
+#           environment = { # Transfer to secret environmentFiles once I have a proper secrets solution
+#             CLOUDFLARE_EMAIL = "haiwilliam0@gmail.com";
+#             CLOUDFLARE_DNS_API_TOKEN = "_zorlWkGYhCBrxn3g82pqOOiy9XULTdP2j7VoMVK";
+#           };
+#           volumes = [
+#             "/var/run/docker.sock:/var/run/docker.sock:ro"
+#             "/data/traefik/certs:/letsencrypt"
+#           ];
+#           ports = [
+#             "80:80"
+#             "443:443"
+#           ];
+#           extraOptions = [
+#             "--pull=always"
+#             "--label=traefik.enable=true"
+#             "--label=traefik.http.routers.traefik.service=api@internal"
+#             "--label=traefik.http.routers.traefik.entrypoints=websecure"
+#             "--label=traefik.http.routers.traefik.tls.certresolver=letsencrypt"
+#             "--label=traefik.http.routers.traefik.rule=Host(`traefik.baduhai.me`)"
+#           ];
+#         };
+        "homarr" = { # Dashboard
+          image = "ghcr.io/ajnart/homarr:latest";
          volumes = [
+            "/data/homarr/configs:/app/data/configs"
            "/var/run/docker.sock:/var/run/docker.sock:ro"
-  	      	"/data/traefik/certs:/letsencrypt"
          ];
          ports = [
-  	      	"80:80"
-  	      	"443:443"
+            "8000:7575"
          ];
          extraOptions = [
            "--pull=always"
            "--label=traefik.enable=true"
-  	      	"--label=traefik.http.routers.traefik.service=api@internal"
-  	      	"--label=traefik.http.routers.traefik.entrypoints=websecure"
-  	      	"--label=traefik.http.routers.traefik.tls.certresolver=letsencrypt"
-  	      	"--label=traefik.http.routers.traefik.rule=Host(`traefik.baduhai.me`)"
+            "--label=traefik.http.routers.homarr.entrypoints=websecure"
+            "--label=traefik.http.routers.homarr.tls.certresolver=letsencrypt"
+            "--label=traefik.http.services.homarr.loadbalancer.server.port=7575"
+            "--label=traefik.http.routers.homarr.rule=Host(`baduhai.me`)"
          ];
        };
        "changedetection" = { # Detect changes in webpages
@ -107,24 +114,6 @@
            "--label=traefik.http.routers.detect.rule=Host(`detect.baduhai.me`)"
          ];
        };
-  	    "homarr" = { # Dashboard
-  	      image = "ghcr.io/ajnart/homarr:latest";
-  	      volumes = [
-  	      	"/data/homarr/configs:/app/data/configs"
-  	      	"/var/run/docker.sock:/var/run/docker.sock:ro"
-  	      ];
-  	      ports = [
-  	      	"8000:7575"
-  	      ];
-  	      extraOptions = [
-  	        "--pull=always"
-  	        "--label=traefik.enable=true"
-  	        "--label=traefik.http.routers.homarr.entrypoints=websecure"
-  	        "--label=traefik.http.routers.homarr.tls.certresolver=letsencrypt"
-  	        "--label=traefik.http.services.homarr.loadbalancer.server.port=7575"
-  	        "--label=traefik.http.routers.homarr.rule=Host(`baduhai.me`)"
-  	      ];
-  	    };
        "jellyfin" = {
          image = "lscr.io/linuxserver/jellyfin:10.8.4";
          environment = {
--- a/hosts/servers/alexandria/security.nix
+++ b/hosts/servers/alexandria/security.nix
@ -0,0 +1,18 @@
+{ config, pkgs, libs, ... }:
+
+{
+  age.secrets.cloudflare-dns-api-key.file = ../../../secrets/cloudflare-dns-api-key.age;
+
+  security.acme = {
+    acceptTerms = true;
+    defaults = {
+      email = "baduhai@proton.me";
+      dnsResolver = "1.1.1.1:53";
+      dnsProvider = "cloudflare";
+      credentialsFile = config.age.secrets.cloudflare-dns-api-key.path;
+    };
+    certs."baduhai.me" = {
+      extraDomainNames = "*.baduhai.me";
+    };
+  };
+}
--- a/secrets/cloudflare-dns-api-key.age
+++ b/secrets/cloudflare-dns-api-key.age
--- a/secrets/secret1.age
+++ b/secrets/secret1.age
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -6,5 +6,5 @@ let
  servers = [ alexandria ];
 in
 {
-  "secret1.age".publicKeys = desktops;
+  "cloudflare-dns-api-key.age".publicKeys = [ alexandria ];
 }