fixup
Diffstat (limited to 'services')
| -rw-r--r-- | services/acme_server.nix | 23 | ||||
| -rw-r--r-- | services/ejabberd.nix | 13 | ||||
| -rw-r--r-- | services/mailserver.nix | 4 | ||||
| -rw-r--r-- | services/movim.nix | 28 | ||||
| -rw-r--r-- | services/murmur.nix | 27 | ||||
| -rw-r--r-- | services/website.nix | 44 |
6 files changed, 82 insertions, 57 deletions
diff --git a/services/acme_server.nix b/services/acme_server.nix
new file mode 100644
index 0000000..bd6961b
--- /dev/null
+++ b/services/acme_server.nix
@@ -0,0 +1,23 @@
+{ fqdn }: { pkgs, config, lib, ... }:
+let
+ inherit fqdn;
+in
+{
+ users.groups.acme = { };
+
+ /* trigger the actual certificate generation for additional hostname */
+ security.acme.certs."${fqdn}" = {
+ extraDomainNames = [ "mail.crashoverburn.com"];
+ };
+
+ secrix.system.secrets.dns01.encrypted.file = ../secrets/gandi_dns01_token;
+ # Configure ACME appropriately
+ security.acme.acceptTerms = true;
+ security.acme.defaults = {
+ dnsProvider = "gandiv5";
+ group = "acme";
+ environmentFile = config.secrix.system.secrets.dns01.decrypted.path;
+ # We don't need to wait for propagation since this is a local DNS server
+ dnsPropagationCheck = false;
+ };
+}
diff --git a/services/ejabberd.nix b/services/ejabberd.nix
index 935a409..7149a0d 100644
--- a/services/ejabberd.nix
+++ b/services/ejabberd.nix
@@ -236,12 +236,13 @@ in
 };
 };
 security.acme.certs.${fqdn} = {
-# extraDomainNames = map (x: "${x}.${fqdn}") [
-# "pubsub"
-# "proxy"
-# "upload"
-# "conference"
-# ];
+ # extraDomainNames = map (x: "${x}.${fqdn}") [
+ # "pubsub"
+ # "proxy"
+ # "upload"
+ # "conference"
+ # ];
+ #useACMEHost = "crashoverburn.com";
 group = "ejabberd-cert";
 postRun = "systemctl restart ejabberd.service";
 };
diff --git a/services/mailserver.nix b/services/mailserver.nix
index 7807e0b..015f0df 100644
--- a/services/mailserver.nix
+++ b/services/mailserver.nix
@@ -1,4 +1,4 @@
-{ hashedPasswordFile }: { pkgs, ... }:
+{ hashedPasswordFile }: { config, pkgs, ... }:
 {
 mailserver = {
 stateVersion = 3;
@@ -13,6 +13,6 @@ aliases = [ "postmaster@mail.crashoverburn.com" "overburn@crashoverburn.com" ]; }; };
- certificateScheme = "acme-nginx";
+ x509.useACMEHost = config.mailserver.fqdn;
 }; }
diff --git a/services/movim.nix b/services/movim.nix
index 27b273b..4d9ce31 100644
--- a/services/movim.nix
+++ b/services/movim.nix
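Review bot: The comment above `dnsPropagationCheck = false` says this is a local DNS server, but `dnsProvider = "gandiv5"` two lines earlier is Gandi's public API, so with the check off the client asks the CA to validate before the TXT record may be visible at Gandi's authoritative servers; either the comment is stale or the setting is. I would either drop the `dnsPropagationCheck` line or reword the comment to `# Propagation check disabled on purpose; re-enable if gandiv5 validations fail intermittently`. `extraDomainNames = [ "mail.crashoverburn.com"]` hard-codes the apex while the module takes `fqdn` as a parameter; if `fqdn` is meant to be the apex, `"mail.${fqdn}"` keeps the two from drifting, and a one-line comment should say what `fqdn` this file expects to be called with.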
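Review bot: The added `#useACMEHost = "crashoverburn.com";` sits inside `security.acme.certs.${fqdn}`, where useACMEHost is not an option (it belongs to nginx virtualHosts and to the mailserver's x509 settings), so uncommenting it as written would fail evaluation. Either drop the line or mark it `# NOTE: useACMEHost is a vhost option, not a cert option`. The same commented line is added to the cert block in murmur.nix. The enclosing attribute set starts before the hunk.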
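Review bot: `x509.useACMEHost = config.mailserver.fqdn;` requires a certificate named exactly config.mailserver.fqdn under security.acme.certs, and nothing in this commit defines one: acme_server.nix only adds "mail.crashoverburn.com" as a SAN of the `${fqdn}` cert it is instantiated with. If mailserver.fqdn is mail.crashoverburn.com, which the postmaster alias in the context suggests, and acme_server.nix is called with the apex, the mailserver points at a cert that is never issued; the value should probably be the apex cert name, e.g. `x509.useACMEHost = "crashoverburn.com";`, or a comment should state which cert name it expects. The fqdn assignment is outside the hunk, so this is inferred from the aliases.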
@@ -1,26 +1,26 @@
 { fqdn }: { config, lib, pkgs, inputs, ... }:
 let
- port =2024;
+ port = 2024;
 in
 {
-# Nginx configuration
+ # Nginx configuration
 services.nginx = {
 enable = true;
 recommendedProxySettings = true;
 recommendedTlsSettings = true;
 };
- services.movim = {
- enable = true;
- domain = "${fqdn}";
- port = 2024; # WebSocket port
-
- podConfig = {
- timezone = "UTC";
- description = "OverBurnSocial";
- xmppdomain = fqdn;
- };
- nginx =
- {
+ services.movim = {
+ enable = true;
+ domain = "${fqdn}";
+ port = 2024; # WebSocket port
+
+ podConfig = {
+ timezone = "UTC";
+ description = "OverBurnSocial";
+ xmppdomain = fqdn;
+ };
+ nginx =
+ {
 forceSSL = true;
 useACMEHost = "crashoverburn.com";
 };
diff --git a/services/murmur.nix b/services/murmur.nix
index f40774f..6e2ed7b 100644
--- a/services/murmur.nix
+++ b/services/murmur.nix
@@ -51,23 +51,24 @@ in ${config.services.murmur.package}/bin/mumble-server -ini /run/murmur/murmurd.ini -supw "$(cat ${config.secrix.services.murmur.secrets.murmursupass.decrypted.path})" '';
 security.acme.certs.${fqdn} = {
+ #useACMEHost = "crashoverburn.com";
 group = "murmur-cert";
 postRun = "systemctl restart murmur.service";
- webroot = "/var/lib/acme/acme-challenge/";
+ #webroot = "/var/lib/acme/acme-challenge/";
 };
 users.groups.murmur-cert.members = [ "murmur" "nginx" ];
-# services.nginx = {
-# enable = true;
-# virtualHosts.${fqdn} = {
-# listenAddresses = [
-# "10.0.1.30"
-# ];
-# useACMEHost = "crashoverburn.com";
-# #enableACME = true;
-# forceSSL = true;
-# locations."/".return = "301 https://crashoverburn.com/mumble";
-# };
-# };
+ # services.nginx = {
+ # enable = true;
+ # virtualHosts.${fqdn} = {
+ # listenAddresses = [
+ # "10.0.1.30"
+ # ];
+ # useACMEHost = "crashoverburn.com";
+ # #enableACME = true;
+ # forceSSL = true;
+ # locations."/".return = "301 https://crashoverburn.com/mumble";
+ # };
+ # };
 }
diff --git a/services/website.nix b/services/website.nix
index 784f3b3..b15ffa2 100644
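Review bot: With the nginx virtualHost for murmur now kept commented out, `users.groups.murmur-cert.members = [ "murmur" "nginx" ]` still grants nginx read access to the murmur certificate's private key although nothing in this file uses it from nginx any more. Unless nginx needs that key elsewhere in the configuration, trimming the list to `users.groups.murmur-cert.members = [ "murmur" ];` keeps the key to its one consumer. The commented `#webroot` line is now dead config since the DNS-01 defaults are used; a comment such as `# HTTP-01 webroot retired in favour of the DNS-01 defaults` would say why it is kept.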
--- a/services/website.nix
+++ b/services/website.nix
@@ -1,37 +1,37 @@
 { webroot }: { config, lib, pkgs, ... }:
-let
-fqdn = "crashoverburn.com";
+let
+ fqdn = "crashoverburn.com";
 in
 {
 users.users.nginx.extraGroups = [ "acme" ];
- security.acme.certs."${fqdn}" =
- {
- extraDomainNames= map (x: "${x}.${fqdn}")
+ security.acme.certs."${fqdn}" =
+ {
+ extraDomainNames = map (x: "${x}.${fqdn}")
 [
- "pubsub"
- "proxy"
- "upload"
- "conference"
- "social"
- "pics.social"
- ];
- webroot = "/var/lib/acme/acme-challenge/";
- };
+ "pubsub"
+ "proxy"
+ "upload"
+ "conference"
+ "social"
+ "pics.social"
+ ];
+ # webroot = "/var/lib/acme/acme-challenge/";
+ };
 services.nginx = {
 enable = true;
 virtualHosts = {
 "${fqdn}" = {
 forceSSL = true;
- enableACME = true;
- #useACMEHost = "crashoverburn.com";
+ #enableACME = true;
+ useACMEHost = "crashoverburn.com";
 locations."/".root = webroot;
 };
- "crashoverburn.online" = {
- forceSSL = true;
- #useACMEHost = "crashoverburn.com";
- enableACME = true;
- locations."/".root = webroot;
- };
+ # "crashoverburn.online" = {
+ # forceSSL = true;
+ # useACMEHost = "crashoverburn.com";
+ #enableACME = true;
+ # locations."/".root = webroot;
+ # };
 };
 };
 }
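Review bot: `useACMEHost = "crashoverburn.com";` in the `"${fqdn}"` vhost repeats the value bound to `fqdn` at the top of the hunk, so the vhost and the cert defined in `security.acme.certs."${fqdn}"` can drift apart if the binding ever changes; `useACMEHost = fqdn;` ties them together. Since useACMEHost does not add subject names, every host served from this cert must be in extraDomainNames, which the list above covers for the subdomains but says nothing about in a comment; `# every vhost that reuses this cert must be listed here` would make that contract visible. The toggled `#enableACME = true;` lines are dead config now and are cheaper to remove than to keep explaining.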
