William
73db534269
Updated mkNginxVHosts to use per-domain certificates (enableACME) instead of shared wildcard certificates (useACMEHost). Each service now requests its own certificate, avoiding conflicts between hosts and following the principle of least privilege. Removed wildcard certificate configuration from both alexandria and trantor. Each host now only obtains certificates for domains it actually serves: - Alexandria: pass.baduhai.dev, cloud.baduhai.dev, jellyfin.baduhai.dev - Trantor: git.baduhai.dev
50 lines
909 B
Nix
50 lines
909 B
Nix
{
|
|
config,
|
|
lib,
|
|
inputs,
|
|
...
|
|
}:
|
|
|
|
let
|
|
utils = import ../../utils.nix { inherit inputs lib; };
|
|
inherit (utils) mkNginxVHosts;
|
|
in
|
|
|
|
{
|
|
security.acme = {
|
|
acceptTerms = true;
|
|
defaults = {
|
|
email = "baduhai@proton.me";
|
|
dnsResolver = "1.1.1.1:53";
|
|
dnsProvider = "cloudflare";
|
|
credentialsFile = config.age.secrets.cloudflare.path;
|
|
};
|
|
};
|
|
|
|
services.nginx = {
|
|
enable = true;
|
|
recommendedGzipSettings = true;
|
|
recommendedOptimisation = true;
|
|
recommendedProxySettings = true;
|
|
recommendedTlsSettings = true;
|
|
virtualHosts = {
|
|
"_" = {
|
|
default = true;
|
|
locations."/".return = "444";
|
|
};
|
|
};
|
|
};
|
|
|
|
users.users.nginx.extraGroups = [ "acme" ];
|
|
|
|
networking.firewall.allowedTCPPorts = [
|
|
80
|
|
443
|
|
];
|
|
|
|
age.secrets.cloudflare = {
|
|
file = ../../secrets/cloudflare.age;
|
|
owner = "nginx";
|
|
group = "nginx";
|
|
};
|
|
}
|