WIP: authelia: Add SSO

acme: Switch to a wildcard certificate
2024-04-16 01:26:44 +02:00 · 2024-04-16 01:25:59 +02:00
9 changed files with 18 additions and 7 deletions
--- a/configuration/nginx.nix
+++ b/configuration/nginx.nix
@ -49,6 +49,13 @@
  security.acme = {
    defaults.email = "tm@tlater.net";
    acceptTerms = true;
    certs."tlater.net" = {
      extraDomainNames = ["*.tlater.net"];
      dnsProvider = "hetzner";
      group = "nginx";
      credentialFiles."HETZNER_API_KEY_FILE" = config.sops.secrets."hetzner-api".path;
    };
  };
  services.backups.acme = {
--- a/configuration/services/afvalcalendar.nix
+++ b/configuration/services/afvalcalendar.nix
@ -44,7 +44,7 @@
  services.nginx.virtualHosts."afvalcalendar.${config.services.nginx.domain}" = {
    forceSSL = true;
-    enableACME = true;
+    useACMEHost = "tlater.net";
    enableHSTS = true;
    root = "/srv/afvalcalendar";
--- a/configuration/services/conduit.nix
+++ b/configuration/services/conduit.nix
@ -178,7 +178,7 @@ in {
  };
  services.nginx.virtualHosts."${domain}" = {
-    enableACME = true;
+    useACMEHost = "tlater.net";
    listen = [
      {
--- a/configuration/services/foundryvtt.nix
+++ b/configuration/services/foundryvtt.nix
@ -24,7 +24,7 @@ in {
    inherit (config.services.foundryvtt) port;
  in {
    forceSSL = true;
-    enableACME = true;
+    useACMEHost = "tlater.net";
    enableHSTS = true;
    locations."/" = {
--- a/configuration/services/gitea.nix
+++ b/configuration/services/gitea.nix
@ -41,7 +41,7 @@ in {
    httpPort = config.services.forgejo.settings.server.HTTP_PORT;
  in {
    forceSSL = true;
-    enableACME = true;
+    useACMEHost = "tlater.net";
    enableHSTS = true;
    locations."/".proxyPass = "http://${httpAddress}:${toString httpPort}";
--- a/configuration/services/metrics/grafana.nix
+++ b/configuration/services/metrics/grafana.nix
@ -38,7 +38,7 @@ in {
  services.nginx.virtualHosts."${domain}" = {
    forceSSL = true;
-    enableACME = true;
+    useACMEHost = "tlater.net";
    enableHSTS = true;
    enableAuthorization = true;
    locations."/".proxyPass = "http://localhost:${toString config.services.grafana.settings.server.http_port}";
--- a/configuration/services/nextcloud.nix
+++ b/configuration/services/nextcloud.nix
@ -45,7 +45,7 @@ in {
  # Set up SSL
  services.nginx.virtualHosts."${hostName}" = {
    forceSSL = true;
-    enableACME = true;
+    useACMEHost = "tlater.net";
    # The upstream module already adds HSTS
  };
--- a/configuration/services/webserver.nix
+++ b/configuration/services/webserver.nix
@ -16,7 +16,7 @@ in {
    serverAliases = ["www.${domain}"];
    forceSSL = true;
-    enableACME = true;
+    useACMEHost = "tlater.net";
    enableHSTS = true;
    locations."/".proxyPass = "http://${addr}:${toString port}";
--- a/configuration/sops.nix
+++ b/configuration/sops.nix
@ -34,6 +34,10 @@
      "heisenbridge/as-token" = {};
      "heisenbridge/hs-token" = {};
      "hetzner-api" = {
        owner = "acme";
      };
      # Nextcloud
      "nextcloud/tlater" = {
        owner = "nextcloud";
Author	SHA1	Message	Date
Tristan Daniël Maat	a98d63c20c	WIP: authelia: Add SSO	2024-04-16 01:26:44 +02:00
Tristan Daniël Maat	e16f3be326	acme: Switch to a wildcard certificate	2024-04-16 01:25:59 +02:00