tlaternet/tlaternet-server
1
0
Fork 0
Code Issues 10 Pull requests Activity

acme: Switch to a wildcard certificate #111

Manually merged
tlater merged 1 commit from tlater/wildcard-cert into master 2024-04-16 00:26:30 +01:00
Conversation 0 Commits 1 Files changed 11 +24 -11
11 changed files with 24 additions and 11 deletions
Download patch file Download diff file Expand all files Collapse all files

7
configuration/nginx.nix
View file

@ -49,6 +49,13 @@
security.acme = {
defaults.email = "tm@tlater.net";
acceptTerms = true;
certs."tlater.net" = {
extraDomainNames = ["*.tlater.net"];
dnsProvider = "hetzner";
group = "nginx";
credentialFiles."HETZNER_API_KEY_FILE" = config.sops.secrets."hetzner-api".path;
};
};
services.backups.acme = {

2
configuration/services/afvalcalendar.nix
View file

@ -44,7 +44,7 @@
services.nginx.virtualHosts."afvalcalendar.${config.services.nginx.domain}" = {
forceSSL = true;
enableACME = true;
useACMEHost = "tlater.net";
enableHSTS = true;
root = "/srv/afvalcalendar";

2
configuration/services/conduit.nix
View file

@ -178,7 +178,7 @@ in {
};
services.nginx.virtualHosts."${domain}" = {
enableACME = true;
useACMEHost = "tlater.net";
listen = [
{

2
configuration/services/foundryvtt.nix
View file

@ -24,7 +24,7 @@ in {
inherit (config.services.foundryvtt) port;
in {
forceSSL = true;
enableACME = true;
useACMEHost = "tlater.net";
enableHSTS = true;
locations."/" = {

2
configuration/services/gitea.nix
View file

@ -41,7 +41,7 @@ in {
httpPort = config.services.forgejo.settings.server.HTTP_PORT;
in {
forceSSL = true;
enableACME = true;
useACMEHost = "tlater.net";
enableHSTS = true;
locations."/".proxyPass = "http://${httpAddress}:${toString httpPort}";

2
configuration/services/metrics/grafana.nix
View file

@ -38,7 +38,7 @@ in {
services.nginx.virtualHosts."${domain}" = {
forceSSL = true;
enableACME = true;
useACMEHost = "tlater.net";
enableHSTS = true;
locations."/".proxyPass = "http://localhost:${toString config.services.grafana.settings.server.http_port}";
};

2
configuration/services/nextcloud.nix
View file

@ -45,7 +45,7 @@ in {
# Set up SSL
services.nginx.virtualHosts."${hostName}" = {
forceSSL = true;
enableACME = true;
useACMEHost = "tlater.net";
# The upstream module already adds HSTS
};

2
configuration/services/webserver.nix
View file

@ -16,7 +16,7 @@ in {
serverAliases = ["www.${domain}"];
forceSSL = true;
enableACME = true;
useACMEHost = "tlater.net";
enableHSTS = true;
locations."/".proxyPass = "http://${addr}:${toString port}";

4
configuration/sops.nix
View file

@ -34,6 +34,10 @@
"heisenbridge/as-token" = {};
"heisenbridge/hs-token" = {};
"hetzner-api" = {
owner = "acme";
};
# Nextcloud
"nextcloud/tlater" = {
owner = "nextcloud";

5
keys/production.yaml
View file

@ -1,3 +1,4 @@
hetzner-api: ENC[AES256_GCM,data:OsUfo86AzcBe/OELkfB5brEfsZ4gkbeehxwIVUBwQgE=,iv:Bt/cjlZ6oZEVUOQjWMDL7/mfL3HWLFAw1tEGeLMgeKg=,tag:TMU2XiHlMgP4aes10mIQYQ==,type:str]
battery-manager:
email: ENC[AES256_GCM,data:rYLUACXR/n+bLBmZ,iv:sUBEkh2+7qGjHZ5R23e/hoCiyTA7GTL4bJvXmxjZ5Sw=,tag:fdPMllaQQfRgX0WZKIre4g==,type:str]
password: ENC[AES256_GCM,data:7cokZa6Q6ahSeiFPz+cV,iv:vz405P0IcG9FsAQXlY7mi78GuushQUKJm2irG6buGzc=,tag:JLHG2jTkJDGbinAq9dXRsQ==,type:str]
@ -31,8 +32,8 @@ sops:
azure_kv: []
hc_vault: []
age: []
lastmodified: "2024-04-06T15:32:49Z"
mac: ENC[AES256_GCM,data:ShqLJf9b20LdmjK6MMPtI3KicE+fPc0ejzVGEIdgbNs7ueDwdt7jqgpDrpiyf+vW86tr3I1E1VTlh127XlSH/RZDRRHehpX0tnBiF0zMscmt1vdinY4cPhTwhLJ1fdpVpY8ihdOqv0UFyC39HP78aWESX5S/dJZQ6vS7K5VGKTY=,iv:TYE9f9iyrUQxmMeKXApEYsSPcMWK8vndyBm7HtJyJPo=,tag:vSlobwA1R0Go7BYgNVpMkw==,type:str]
lastmodified: "2024-04-15T23:13:18Z"
mac: ENC[AES256_GCM,data:3/v+WgSWJ+VcBSBe1Wkis3z+tMmSjbKzLFqBB8xugc6DvgQG8J+1HRrPucLnpNNtEdmpyoTa72U6fPm6JnyUsuj5pLEghLprOJkqQNdRI06fllhw+9d3e3twx6D4oIIsVH6/io4ElXrGsGQTsfNbYhgn+987wa3WP5N25fBac3U=,iv:FL3tzPutOMN6IPkQfXIu/JOZT+OzUSqpMSQrUeXZQHE=,tag:jL1BTsYTA9XjrsjFszxZhA==,type:str]
pgp:
- created_at: "2024-03-18T04:02:00Z"
enc: |-

5
keys/staging.yaml
View file

@ -1,3 +1,4 @@
hetzner-api: ENC[AES256_GCM,data:1Zjp003j60g=,iv:+vDcyiqYm4A9CMIrW4oGZKdZiczatBcvfL4qYYhKwCg=,tag:Xeu8JuRm+b+5RO+wFR2M8w==,type:str]
battery-manager:
email: ENC[AES256_GCM,data:LM/EGzWHfVQ=,iv:jFaoUQuUfuGoOyj/GFpdI8TerH/c8D9fjvio+IEt2Tc=,tag:IWLiN011JEnHRLIXWQgfmA==,type:str]
password: ENC[AES256_GCM,data:SUxjqS7SJHM=,iv:LvdKk88S+nSImh6/ZezbFGLCUBu1Lpdu+neF2xyHdBg=,tag:rcMyZuW4FVNbcbz00wQKBg==,type:str]
@ -31,8 +32,8 @@ sops:
azure_kv: []
hc_vault: []
age: []
lastmodified: "2024-04-06T15:33:40Z"
mac: ENC[AES256_GCM,data:qB9uDDM5K6+BmeAKyTJ0Sel6Um0Fc9IhdV3wAn13WxpwDtxmMsdqnwaewI/KepsRG3k76x9vkYL+oKkUysqq1r1FkocUDg4DnKnf1KtKo2Zm9MPcVRG833m6oDoTeGnmgrAMTDKy1tUdGkXW40IfbMakbSjSIfLbrymtoHeVbaE=,iv:8P8M4Ueo3Idlgo+Yqj6JUtFfWX949fz6HfRHEOy1/Vg=,tag:ou+IGZSQSfX6gNoxbpAipg==,type:str]
lastmodified: "2024-04-15T23:13:27Z"
mac: ENC[AES256_GCM,data:JhEVrKF2Jsqpdztcr3g5lMrgEFeLXfBRQTwQJ6PmLSNyDORcTU09TJPNWTPDnR5okDrvIU/wlzi5DZ8A0ebNhrKf6l0tNFBT9LSvQFHU5SBxqY/m8uEJKSrEC4IL5lugOOISDka2KSvYXVCXrumMHE5FnmOS/CgOZaZk6LUjPYA=,iv:ygygnSedcTo2Vsc56s2qrz1qkWchvSgvoiMTebRxQQ8=,tag:vf6z8rxsXmqzwpDy9Avifw==,type:str]
pgp:
- created_at: "2023-12-29T15:25:27Z"
enc: |