WIP: acme: Switch to a wildcard certificate
This commit is contained in:
parent
8f178f776e
commit
88437d01f7
GPG key ID:
49670FD774E43268
|
|
@ -49,6 +49,13 @@
|
||||||
security.acme = {
|
security.acme = {
|
||||||
defaults.email = "tm@tlater.net";
|
defaults.email = "tm@tlater.net";
|
||||||
acceptTerms = true;
|
acceptTerms = true;
|
||||||
|
|
||||||
|
certs."tlater.net" = {
|
||||||
|
extraDomainNames = ["*.tlater.net"];
|
||||||
|
dnsProvider = "hetzner";
|
||||||
|
group = "nginx";
|
||||||
|
credentialFiles."HETZNER_API_KEY_FILE" = config.sops.secrets."hetzner-api".path;
|
||||||
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
services.backups.acme = {
|
services.backups.acme = {
|
||||||
|
|
|
||||||
|
|
@ -44,7 +44,7 @@
|
||||||
|
|
||||||
services.nginx.virtualHosts."afvalcalendar.${config.services.nginx.domain}" = {
|
services.nginx.virtualHosts."afvalcalendar.${config.services.nginx.domain}" = {
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
enableACME = true;
|
useACMEHost = "tlater.net";
|
||||||
enableHSTS = true;
|
enableHSTS = true;
|
||||||
|
|
||||||
root = "/srv/afvalcalendar";
|
root = "/srv/afvalcalendar";
|
||||||
|
|
|
||||||
|
|
@ -178,7 +178,7 @@ in {
|
||||||
};
|
};
|
||||||
|
|
||||||
services.nginx.virtualHosts."${domain}" = {
|
services.nginx.virtualHosts."${domain}" = {
|
||||||
enableACME = true;
|
useACMEHost = "tlater.net";
|
||||||
|
|
||||||
listen = [
|
listen = [
|
||||||
{
|
{
|
||||||
|
|
|
||||||
|
|
@ -24,7 +24,7 @@ in {
|
||||||
inherit (config.services.foundryvtt) port;
|
inherit (config.services.foundryvtt) port;
|
||||||
in {
|
in {
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
enableACME = true;
|
useACMEHost = "tlater.net";
|
||||||
enableHSTS = true;
|
enableHSTS = true;
|
||||||
|
|
||||||
locations."/" = {
|
locations."/" = {
|
||||||
|
|
|
||||||
|
|
@ -41,7 +41,7 @@ in {
|
||||||
httpPort = config.services.forgejo.settings.server.HTTP_PORT;
|
httpPort = config.services.forgejo.settings.server.HTTP_PORT;
|
||||||
in {
|
in {
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
enableACME = true;
|
useACMEHost = "tlater.net";
|
||||||
enableHSTS = true;
|
enableHSTS = true;
|
||||||
|
|
||||||
locations."/".proxyPass = "http://${httpAddress}:${toString httpPort}";
|
locations."/".proxyPass = "http://${httpAddress}:${toString httpPort}";
|
||||||
|
|
|
||||||
|
|
@ -38,7 +38,7 @@ in {
|
||||||
|
|
||||||
services.nginx.virtualHosts."${domain}" = {
|
services.nginx.virtualHosts."${domain}" = {
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
enableACME = true;
|
useACMEHost = "tlater.net";
|
||||||
enableHSTS = true;
|
enableHSTS = true;
|
||||||
locations."/".proxyPass = "http://localhost:${toString config.services.grafana.settings.server.http_port}";
|
locations."/".proxyPass = "http://localhost:${toString config.services.grafana.settings.server.http_port}";
|
||||||
};
|
};
|
||||||
|
|
|
||||||
|
|
@ -45,7 +45,7 @@ in {
|
||||||
# Set up SSL
|
# Set up SSL
|
||||||
services.nginx.virtualHosts."${hostName}" = {
|
services.nginx.virtualHosts."${hostName}" = {
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
enableACME = true;
|
useACMEHost = "tlater.net";
|
||||||
# The upstream module already adds HSTS
|
# The upstream module already adds HSTS
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -16,7 +16,7 @@ in {
|
||||||
serverAliases = ["www.${domain}"];
|
serverAliases = ["www.${domain}"];
|
||||||
|
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
enableACME = true;
|
useACMEHost = "tlater.net";
|
||||||
enableHSTS = true;
|
enableHSTS = true;
|
||||||
|
|
||||||
locations."/".proxyPass = "http://${addr}:${toString port}";
|
locations."/".proxyPass = "http://${addr}:${toString port}";
|
||||||
|
|
|
||||||
|
|
@ -34,6 +34,10 @@
|
||||||
"heisenbridge/as-token" = {};
|
"heisenbridge/as-token" = {};
|
||||||
"heisenbridge/hs-token" = {};
|
"heisenbridge/hs-token" = {};
|
||||||
|
|
||||||
|
"hetzner-api" = {
|
||||||
|
owner = "agme";
|
||||||
|
};
|
||||||
|
|
||||||
# Nextcloud
|
# Nextcloud
|
||||||
"nextcloud/tlater" = {
|
"nextcloud/tlater" = {
|
||||||
owner = "nextcloud";
|
owner = "nextcloud";
|
||||||
|
|
|
||||||
|
|
@ -1,3 +1,4 @@
|
||||||
|
hetzner-api: ENC[AES256_GCM,data:OsUfo86AzcBe/OELkfB5brEfsZ4gkbeehxwIVUBwQgE=,iv:Bt/cjlZ6oZEVUOQjWMDL7/mfL3HWLFAw1tEGeLMgeKg=,tag:TMU2XiHlMgP4aes10mIQYQ==,type:str]
|
||||||
battery-manager:
|
battery-manager:
|
||||||
email: ENC[AES256_GCM,data:rYLUACXR/n+bLBmZ,iv:sUBEkh2+7qGjHZ5R23e/hoCiyTA7GTL4bJvXmxjZ5Sw=,tag:fdPMllaQQfRgX0WZKIre4g==,type:str]
|
email: ENC[AES256_GCM,data:rYLUACXR/n+bLBmZ,iv:sUBEkh2+7qGjHZ5R23e/hoCiyTA7GTL4bJvXmxjZ5Sw=,tag:fdPMllaQQfRgX0WZKIre4g==,type:str]
|
||||||
password: ENC[AES256_GCM,data:7cokZa6Q6ahSeiFPz+cV,iv:vz405P0IcG9FsAQXlY7mi78GuushQUKJm2irG6buGzc=,tag:JLHG2jTkJDGbinAq9dXRsQ==,type:str]
|
password: ENC[AES256_GCM,data:7cokZa6Q6ahSeiFPz+cV,iv:vz405P0IcG9FsAQXlY7mi78GuushQUKJm2irG6buGzc=,tag:JLHG2jTkJDGbinAq9dXRsQ==,type:str]
|
||||||
|
|
@ -31,8 +32,8 @@ sops:
|
||||||
azure_kv: []
|
azure_kv: []
|
||||||
hc_vault: []
|
hc_vault: []
|
||||||
age: []
|
age: []
|
||||||
lastmodified: "2024-04-06T15:32:49Z"
|
lastmodified: "2024-04-15T23:13:18Z"
|
||||||
mac: ENC[AES256_GCM,data:ShqLJf9b20LdmjK6MMPtI3KicE+fPc0ejzVGEIdgbNs7ueDwdt7jqgpDrpiyf+vW86tr3I1E1VTlh127XlSH/RZDRRHehpX0tnBiF0zMscmt1vdinY4cPhTwhLJ1fdpVpY8ihdOqv0UFyC39HP78aWESX5S/dJZQ6vS7K5VGKTY=,iv:TYE9f9iyrUQxmMeKXApEYsSPcMWK8vndyBm7HtJyJPo=,tag:vSlobwA1R0Go7BYgNVpMkw==,type:str]
|
mac: ENC[AES256_GCM,data:3/v+WgSWJ+VcBSBe1Wkis3z+tMmSjbKzLFqBB8xugc6DvgQG8J+1HRrPucLnpNNtEdmpyoTa72U6fPm6JnyUsuj5pLEghLprOJkqQNdRI06fllhw+9d3e3twx6D4oIIsVH6/io4ElXrGsGQTsfNbYhgn+987wa3WP5N25fBac3U=,iv:FL3tzPutOMN6IPkQfXIu/JOZT+OzUSqpMSQrUeXZQHE=,tag:jL1BTsYTA9XjrsjFszxZhA==,type:str]
|
||||||
pgp:
|
pgp:
|
||||||
- created_at: "2024-03-18T04:02:00Z"
|
- created_at: "2024-03-18T04:02:00Z"
|
||||||
enc: |-
|
enc: |-
|
||||||
|
|
|
||||||
|
|
@ -1,3 +1,4 @@
|
||||||
|
hetzner-api: ENC[AES256_GCM,data:1Zjp003j60g=,iv:+vDcyiqYm4A9CMIrW4oGZKdZiczatBcvfL4qYYhKwCg=,tag:Xeu8JuRm+b+5RO+wFR2M8w==,type:str]
|
||||||
battery-manager:
|
battery-manager:
|
||||||
email: ENC[AES256_GCM,data:LM/EGzWHfVQ=,iv:jFaoUQuUfuGoOyj/GFpdI8TerH/c8D9fjvio+IEt2Tc=,tag:IWLiN011JEnHRLIXWQgfmA==,type:str]
|
email: ENC[AES256_GCM,data:LM/EGzWHfVQ=,iv:jFaoUQuUfuGoOyj/GFpdI8TerH/c8D9fjvio+IEt2Tc=,tag:IWLiN011JEnHRLIXWQgfmA==,type:str]
|
||||||
password: ENC[AES256_GCM,data:SUxjqS7SJHM=,iv:LvdKk88S+nSImh6/ZezbFGLCUBu1Lpdu+neF2xyHdBg=,tag:rcMyZuW4FVNbcbz00wQKBg==,type:str]
|
password: ENC[AES256_GCM,data:SUxjqS7SJHM=,iv:LvdKk88S+nSImh6/ZezbFGLCUBu1Lpdu+neF2xyHdBg=,tag:rcMyZuW4FVNbcbz00wQKBg==,type:str]
|
||||||
|
|
@ -31,8 +32,8 @@ sops:
|
||||||
azure_kv: []
|
azure_kv: []
|
||||||
hc_vault: []
|
hc_vault: []
|
||||||
age: []
|
age: []
|
||||||
lastmodified: "2024-04-06T15:33:40Z"
|
lastmodified: "2024-04-15T23:13:27Z"
|
||||||
mac: ENC[AES256_GCM,data:qB9uDDM5K6+BmeAKyTJ0Sel6Um0Fc9IhdV3wAn13WxpwDtxmMsdqnwaewI/KepsRG3k76x9vkYL+oKkUysqq1r1FkocUDg4DnKnf1KtKo2Zm9MPcVRG833m6oDoTeGnmgrAMTDKy1tUdGkXW40IfbMakbSjSIfLbrymtoHeVbaE=,iv:8P8M4Ueo3Idlgo+Yqj6JUtFfWX949fz6HfRHEOy1/Vg=,tag:ou+IGZSQSfX6gNoxbpAipg==,type:str]
|
mac: ENC[AES256_GCM,data:JhEVrKF2Jsqpdztcr3g5lMrgEFeLXfBRQTwQJ6PmLSNyDORcTU09TJPNWTPDnR5okDrvIU/wlzi5DZ8A0ebNhrKf6l0tNFBT9LSvQFHU5SBxqY/m8uEJKSrEC4IL5lugOOISDka2KSvYXVCXrumMHE5FnmOS/CgOZaZk6LUjPYA=,iv:ygygnSedcTo2Vsc56s2qrz1qkWchvSgvoiMTebRxQQ8=,tag:vf6z8rxsXmqzwpDy9Avifw==,type:str]
|
||||||
pgp:
|
pgp:
|
||||||
- created_at: "2023-12-29T15:25:27Z"
|
- created_at: "2023-12-29T15:25:27Z"
|
||||||
enc: |
|
enc: |
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue