diff --git a/hosts/servers/alexandria/hosted-services.nix b/hosts/servers/alexandria/hosted-services.nix
index 0c4d854..7ce040f 100644
--- a/hosts/servers/alexandria/hosted-services.nix
+++ b/hosts/servers/alexandria/hosted-services.nix
@@ -1,6 +1,8 @@
 { config, pkgs, libs, ... }:
 {
+ users.users.nginx.extraGroups = [ "acme" ];
+
 services = {
 nginx = {
 enable = true;
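Review bot: Putting the `nginx` user into the `acme` group at the top of hosted-services.nix lets nginx read every private key that security.acme issues under its default group, not only the `baduhai.me` certificate this vhost uses. Because that certificate now also covers `*.baduhai.me`, a narrower grant is worth considering: set the group on the certificate itself with `security.acme.certs."baduhai.me".group = config.services.nginx.group;` and drop the extra group membership. If the membership stays, a comment such as `# nginx must read the ACME key material referenced by useACMEHost` would record why it is there.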
@@ -9,17 +11,7 @@
 recommendedProxySettings = true;
 recommendedTlsSettings = true;
 virtualHosts = {
- "baduhai.me" = { useACMEHoost = "baduhai.me"; forceSSL = true; kTLS = true; locations."/".proxyPass = "http://127.0.0.1:8000/"; };
-# "detect.baduhai.me" = { default = true; enableACME = true; addSSL = true; locations."/".proxyPass = "http://127.0.0.1:8001/"; };
-# "cinny.baduhai.me" = { default = true; enableACME = true; addSSL = true; locations."/".proxyPass = "http://127.0.0.1:8002/"; };
-# "jellyfin.baduhai.me" = { default = true; enableACME = true; addSSL = true; locations."/".proxyPass = "http://127.0.0.1:8003/"; };
-# "librespeed.baduhai.me" = { default = true; enableACME = true; addSSL = true; locations."/".proxyPass = "http://127.0.0.1:8004/"; };
-# "paperless.baduhai.me" = { default = true; enableACME = true; addSSL = true; locations."/".proxyPass = "http://127.0.0.1:8005/"; };
-# "pyload.baduhai.me" = { default = true; enableACME = true; addSSL = true; locations."/".proxyPass = "http://127.0.0.1:8006/"; };
-# "shiori.baduhai.me" = { default = true; enableACME = true; addSSL = true; locations."/".proxyPass = "http://127.0.0.1:8007/"; };
-# "sync.baduhai.me" = { default = true; enableACME = true; addSSL = true; locations."/".proxyPass = "http://127.0.0.1:8008/"; };
-# "whoogle.baduhai.me" = { default = true; enableACME = true; addSSL = true; locations."/".proxyPass = "http://127.0.0.1:8009/"; };
-# "adguard.baduhai.me" = { default = true; enableACME = true; addSSL = true; locations."/".proxyPass = "http://100.77.225.37:3000/"; };
+ "baduhai.me" = { useACMEHost = "baduhai.me"; forceSSL = true; kTLS = true; locations."/".proxyPass = "http://127.0.0.1:8000/"; };
 };
 };
 };
diff --git a/hosts/servers/alexandria/security.nix b/hosts/servers/alexandria/security.nix
index 972867b..b2f6d9c 100644
--- a/hosts/servers/alexandria/security.nix
+++ b/hosts/servers/alexandria/security.nix
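Review bot: With `"baduhai.me"` left as the only entry in `virtualHosts`, nginx will presumably use it as the default server, so a request for any other hostname that reaches this machine is proxied to `127.0.0.1:8000`. The wildcard certificate configured in security.nix means such requests also pass TLS validation for every `*.baduhai.me` name. A catch-all entry next to it, for example `"_" = { default = true; rejectSSL = true; locations."/".return = "444"; };`, would keep unintended names away from the backend. The `nginx` attribute set begins above the hunk, so settings outside `virtualHosts` are not visible here.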
@@ -1,18 +1,18 @@ { config, pkgs, libs, ... }: { - age.secrets.cloudflare-dns-api-key.file = ../../../secrets/cloudflare-dns-api-key.age; + age.secrets.cloudflare-creds.file = ../../../secrets/cloudflare-creds.age; security.acme = { acceptTerms = true; defaults = { email = "baduhai@proton.me"; - dnsResolver = "1.1.1.1:53"; + dnsResolver = "100.100.100.100:53"; dnsProvider = "cloudflare"; - credentialsFile = config.age.secrets.cloudflare-dns-api-key.path; + credentialsFile = config.age.secrets.cloudflare-creds.path; }; certs."baduhai.me" = { - extraDomainNames = "*.baduhai.me"; + extraDomainNames = [ "*.baduhai.me" ]; }; }; } diff --git a/secrets/cloudflare-creds.age b/secrets/cloudflare-creds.age new file mode 100644 index 0000000..beaa6ab --- /dev/null +++ b/secrets/cloudflare-creds.age @@ -0,0 +1,8 @@ +age-encryption.org/v1 +-> ssh-ed25519 J6tVTA og1niFee66jNL4Kfi3QKV2kd/5v0/jStyJK/Qv1JoSo +WB5rwJTWzaMTIWkzuugyncLpUoxVtYWUKMS1r8uGs6g +-> NO;Ye`G-grease C rGGC SH>6Ts ;oa~sU +6f6ROG3cBPQrlQ +--- T8+r+Alz+tmTRG9T9n8jmqFcoWh0YsdeKzUtprjOsbY +;ձJ:@ TI8ʧE5Yn w`Pco +-0FזZ-YzWM,F'rqu֤3Dl?*jVEkU^"J;o<ߋؽv \ No newline at end of file diff --git a/secrets/cloudflare-dns-api-key.age b/secrets/cloudflare-dns-api-key.age deleted file mode 100644 index b1238d2..0000000 Binary files a/secrets/cloudflare-dns-api-key.age and /dev/null differ diff --git a/secrets/secrets.nix b/secrets/secrets.nix index a64ac07..99ac3a5 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -6,5 +6,5 @@ let servers = [ alexandria ]; in { - "cloudflare-dns-api-key.age".publicKeys = [ alexandria ]; + "cloudflare-creds.age".publicKeys = [ alexandria ]; }
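Review bot: In security.nix, `dnsResolver = "100.100.100.100:53"` makes the DNS-01 propagation check depend on what looks like the Tailscale MagicDNS address, so certificate renewal fails whenever that resolver is not reachable when the ACME unit runs. Any split-DNS override for `baduhai.me` on that resolver would also hide the public TXT record from the check. No ordering against the Tailscale service is visible in this hunk; if the tailnet resolver is required, record it on that line, e.g. `# propagation check uses the tailnet resolver; tailscaled must be up before ACME renewal`. Separately, the renamed `cloudflare-creds` secret can now obtain a wildcard certificate, so the token inside should be limited to DNS edit on this one zone; the file is encrypted, so that cannot be confirmed from the diff.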