From e72a6620e2a38480d03cdb893879520feccaad7b Mon Sep 17 00:00:00 2001 From: John Bargman Date: Sat, 21 Feb 2026 23:36:19 +0000 Subject: fixup --- flake.lock | 101 ++++++++++++++++------------------------------ flake.nix | 13 ++++-- openstack.nix | 2 +- secrets/gandi_dns01_token | 7 ++++ services/acme_server.nix | 23 +++++++++++ services/ejabberd.nix | 13 +++--- services/mailserver.nix | 4 +- services/movim.nix | 28 ++++++------- services/murmur.nix | 27 +++++++------ services/website.nix | 44 ++++++++++---------- 10 files changed, 134 insertions(+), 128 deletions(-) create mode 100644 secrets/gandi_dns01_token create mode 100644 services/acme_server.nix diff --git a/flake.lock b/flake.lock index 345c5f2..22243c5 100644 --- a/flake.lock +++ b/flake.lock @@ -19,15 +19,15 @@ "flake-compat": { "flake": false, "locked": { - "lastModified": 1747046372, - "narHash": "sha256-CIVLLkVgvHYbgI2UpXvIIBJ12HWgX+fjA8Xf8PUmqCY=", - "owner": "edolstra", + "lastModified": 1767039857, + "narHash": "sha256-vNpUSpF5Nuw8xvDLj2KCwwksIbjua2LZCqhV1LNRDns=", + "owner": "NixOS", "repo": "flake-compat", - "rev": "9100a0f413b0c601e0533d1d94ffd501ce2e7885", + "rev": "5edf11c44bc78a0d334f6334cdaf7d60d732daab", "type": "github" }, "original": { - "owner": "edolstra", + "owner": "NixOS", "repo": "flake-compat", "type": "github" } @@ -45,11 +45,11 @@ ] }, "locked": { - "lastModified": 1750779888, - "narHash": "sha256-wibppH3g/E2lxU43ZQHC5yA/7kIKLGxVEnsnVK1BtRg=", + "lastModified": 1769939035, + "narHash": "sha256-Fok2AmefgVA0+eprw2NDwqKkPGEI5wvR+twiZagBvrg=", "owner": "cachix", "repo": "git-hooks.nix", - "rev": "16ec914f6fb6f599ce988427d9d94efddf25fe6d", + "rev": "a8ca480175326551d6c4121498316261cbb5b260", "type": "github" }, "original": { 
@@ -82,14 +82,16 @@ }, "nixinate": { "inputs": { - "nixpkgs": "nixpkgs" + "nixpkgs": [ + "nixpkgs" + ] }, "locked": { - "lastModified": 1755705508, - "narHash": "sha256-2xmMgKwvgof0Yjio/UP+g5y+K2OYwxQo186antX2v68=", + "lastModified": 1765412487, + "narHash": "sha256-nSpxVxFc9akfhKGB1G8PCa07k5k1yZehzb6q/mjI4cs=", "owner": "DarthPJB", "repo": "nixinate", - "rev": "edf603eed92c5c93b301b056c243b360da74a474", + "rev": "0ce4103a3f5a0fd23cc3af60957adc00ddea06dc", "type": "github" }, "original": { 
@@ -100,59 +102,27 @@ }, "nixpkgs": { "locked": { - "lastModified": 1653060744, - "narHash": "sha256-kfRusllRumpt33J1hPV+CeCCylCXEU7e0gn2/cIM7cY=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "dfd82985c273aac6eced03625f454b334daae2e8", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs-25_05": { - "locked": { - "lastModified": 1753749649, - "narHash": "sha256-+jkEZxs7bfOKfBIk430K+tK9IvXlwzqQQnppC2ZKFj4=", + "lastModified": 1771369470, + "narHash": "sha256-0NBlEBKkN3lufyvFegY4TYv5mCNHbi5OmBDrzihbBMQ=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "1f08a4df998e21f4e8be8fb6fbf61d11a1a5076a", + "rev": "0182a361324364ae3f436a63005877674cf45efb", "type": "github" }, "original": { "owner": "NixOS", - "ref": "nixos-25.05", + "ref": "nixos-unstable", "repo": "nixpkgs", "type": "github" } }, "nixpkgs_2": { "locked": { - "lastModified": 1755593991, - "narHash": "sha256-BA9MuPjBDx/WnpTJ0EGhStyfE7hug8g85Y3Ju9oTsM4=", + "lastModified": 1763678758, + "narHash": "sha256-+hBiJ+kG5IoffUOdlANKFflTT5nO3FrrR2CA3178Y5s=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "a58390ab6f1aa810eb8e0f0fc74230e7cc06de03", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixos-25.05", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_3": { - "locked": { - "lastModified": 1694959747, - "narHash": "sha256-CXQ2MuledDVlVM5dLC4pB41cFlBWxRw4tCBsFrq3cRk=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "970a59bd19eff3752ce552935687100c46e820a5", + "rev": "117cc7f94e8072499b0a7aa4c52084fa4e11cc9b", "type": "github" }, "original": { 
@@ -162,18 +132,18 @@ "type": "github" } }, - "nixpkgs_4": { + "nixpkgs_3": { "locked": { - "lastModified": 1753939845, - "narHash": "sha256-K2ViRJfdVGE8tpJejs8Qpvvejks1+A4GQej/lBk5y7I=", + "lastModified": 1770650459, + "narHash": "sha256-hGeOnueXorzwDD1V9ldZr+y+zad4SNyqMnQsa/mIlvI=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "94def634a20494ee057c76998843c015909d6311", + "rev": "fff0554c67696d76a0cdd9cfe14403fbdbf1f378", "type": "github" }, "original": { "owner": "NixOS", - "ref": "nixos-unstable", + "ref": "nixos-unstable-small", "repo": "nixpkgs", "type": "github" } @@ -181,21 +151,21 @@ "root": { "inputs": { "nixinate": "nixinate", - "nixpkgs": "nixpkgs_2", + "nixpkgs": "nixpkgs", "secrix": "secrix", "simple-nixos-mailserver": "simple-nixos-mailserver" } }, "secrix": { "inputs": { - "nixpkgs": "nixpkgs_3" + "nixpkgs": "nixpkgs_2" }, "locked": { - "lastModified": 1753137768, - "narHash": "sha256-bCQ8IHak1hF38amAgz2YKIEwteU5eAkgoC0fwfoRxO0=", + "lastModified": 1763929380, + "narHash": "sha256-Yc7gZME/lcHoJH6bMPCG7CyjKWhOLJPqLI8MXtyKPHo=", "owner": "platonic-systems", "repo": "secrix", - "rev": "f783b038ee639a589affcf3c612187dafcfa0476", + "rev": "c6e3ca7af47c329dcf442a3d017ae171eee5612f", "type": "github" }, "original": { @@ -209,15 +179,14 @@ "blobs": "blobs", "flake-compat": "flake-compat", "git-hooks": "git-hooks", - "nixpkgs": "nixpkgs_4", - "nixpkgs-25_05": "nixpkgs-25_05" + "nixpkgs": "nixpkgs_3" }, "locked": { - "lastModified": 1754605910, - "narHash": "sha256-kVWxzm44ywJTb4REfwWCYXnROISykG0yE+X5A3Gov24=", + "lastModified": 1770659507, + "narHash": "sha256-RVZno9CypFN3eHxfULKN1K7mb/Cq0HkznnWqnshxpWY=", "owner": "simple-nixos-mailserver", "repo": "nixos-mailserver", - "rev": "57d9624c71ca65bee69b30d72b11f6c5257e9500", + "rev": "781e833633ebc0873d251772a74e4400a73f5d78", "type": "gitlab" }, "original": { diff --git a/flake.nix b/flake.nix index cf325d8..e3cf8e4 100644 --- a/flake.nix +++ b/flake.nix 
@@ -2,10 +2,13 @@
 description = "CrashOverBurn.com";
 # TODO: cgit, ejabber signup
 inputs = {
- nixinate.url = "github:DarthPJB/nixinate";
+ nixinate = {
+ url = "github:DarthPJB/nixinate";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
 secrix.url = "github:platonic-systems/secrix";
- #nixpkgs_unstable.url = "github:NixOS/nixpkgs?ref=nixos-unstable";
- nixpkgs.url = "github:NixOS/nixpkgs?ref=nixos-25.05";
+ nixpkgs.url = "github:NixOS/nixpkgs?ref=nixos-unstable";
+ #nixpkgs.url = "github:NixOS/nixpkgs?ref=nixos-25.05";
 simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver";
 };
@@ -19,7 +22,7 @@ in
 {
 formatter.x86_64-linux = pkgs.nixpkgs-fmt;
- apps.x86_64-linux = (nixinate.nixinate.x86_64-linux inputs.self).nixinate // ({ secrix = secrix self; });
+ apps.x86_64-linux = (nixinate.lib.genDeploy.x86_64-linux self) // ({ secrix = secrix self; });
 devShell.x86_64-linux = pkgs.mkShell {
 buildInputs = with pkgs; [ figlet tmux ];
@@ -65,6 +68,8 @@
 inputs.secrix.nixosModules.default
 ./openstack.nix
 ./users/commander.nix
+
+ (import ./services/acme_server.nix { fqdn = "crashoverburn.com"; })
 (import ./services/cgit.nix { fqdn = "code.${fqdn}"; })
 (import ./services/murmur.nix { fqdn = "mumble.${fqdn}"; })
 (import ./services/movim.nix { fqdn = "social.${fqdn}"; })
diff --git a/openstack.nix b/openstack.nix
index 4424fc9..3af4393 100644
--- a/openstack.nix
+++ b/openstack.nix
@@ -2,7 +2,7 @@
 {
 nix = {
 settings.trusted-users = [ "root" "commander" ];
- package = pkgs.nixVersions.latest;
+ package = pkgs.nixVersions.latest;
 extraOptions = ''
 experimental-features = nix-command flakes
 '';
diff --git a/secrets/gandi_dns01_token b/secrets/gandi_dns01_token
new file mode 100644
index 0000000..423998c
--- /dev/null
+++ b/secrets/gandi_dns01_token
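Review bot: `(import ./services/acme_server.nix { fqdn = "crashoverburn.com"; })` in the third hunk spells out the domain while the lines right under it derive every hostname from the `fqdn` binding (`code.${fqdn}`, `mumble.${fqdn}`, `social.${fqdn}`); assuming `fqdn` is that bare domain, `(import ./services/acme_server.nix { inherit fqdn; })` keeps a single source of truth. In the first hunk only `nixinate` gets `inputs.nixpkgs.follows = "nixpkgs"`, yet the lock still carries separate nixpkgs trees for `secrix` (`nixpkgs_2`) and `simple-nixos-mailserver` (`nixpkgs_3`, tracking `nixos-unstable-small`); the same `follows` on those two inputs would shrink the lock and avoid evaluating three nixpkgs revisions, provided their modules tolerate it. The parked `#nixpkgs.url = "github:NixOS/nixpkgs?ref=nixos-25.05";` line is dead text now that the lock tracks `nixos-unstable`; a one-line comment on why the system moved off 25.05 would serve the next reader better than the retired URL.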
@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 fT5adw zMOJktMt4vFGjWyktd1eVcMIel/bqjd4AxcyxNxkOj0
+D0ppBHBQXfFoqhdIZboEAA3CbaJxLkZwMQb+ExHI/q8
+-> ssh-ed25519 N8OrBw XOb30eQP06p9X0j5nGU/jEEmVOJRlC1QnaJ/g1+Hj14
+5M+St2/6qJ7/gwuBCkor/8kMs3VL8gExE905ulHARNg
+--- nUiyKRLforZ1ty5qFwkKY5oXxFYg+1I+V/h532aAFiI
+,C0G=1CsH uTDlAXaRB?P)^KYh 2E]S`쁔_a^{Gk %:jPJ
\ No newline at end of file
diff --git a/services/acme_server.nix b/services/acme_server.nix
new file mode 100644
index 0000000..bd6961b
--- /dev/null
+++ b/services/acme_server.nix
@@ -0,0 +1,23 @@
+{ fqdn }: { pkgs, config, lib, ... }:
+let
+ inherit fqdn;
+in
+{
+ users.groups.acme = { };
+ /* trigger the actual certificate generation for additional hostname */
+ security.acme.certs."${fqdn}" = {
+ extraDomainNames = [ "mail.crashoverburn.com"];
+ };
+ secrix.system.secrets.dns01.encrypted.file = ../secrets/gandi_dns01_token;
+ # Configure ACME appropriately
+ security.acme.acceptTerms = true;
+ security.acme.defaults = {
+ dnsProvider = "gandiv5";
+ group = "acme";
+ environmentFile = config.secrix.system.secrets.dns01.decrypted.path;
+ # We don't need to wait for propagation since this is a local DNS server
+ dnsPropagationCheck = false;
+ };
+}
diff --git a/services/ejabberd.nix b/services/ejabberd.nix
index 935a409..7149a0d 100644
--- a/services/ejabberd.nix
+++ b/services/ejabberd.nix
@@ -236,12 +236,13 @@ in
 };
 };
 security.acme.certs.${fqdn} = {
-# extraDomainNames = map (x: "${x}.${fqdn}") [
-# "pubsub"
-# "proxy"
-# "upload"
-# "conference"
-# ];
+ # extraDomainNames = map (x: "${x}.${fqdn}") [
+ # "pubsub"
+ # "proxy"
+ # "upload"
+ # "conference"
+ # ];
+ #useACMEHost = "crashoverburn.com";
 group = "ejabberd-cert";
 postRun = "systemctl restart ejabberd.service";
 };
diff --git a/services/mailserver.nix b/services/mailserver.nix
index 7807e0b..015f0df 100644
--- a/services/mailserver.nix
+++ b/services/mailserver.nix
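Review bot: The comment above `dnsPropagationCheck = false;` says the DNS server is local, but `dnsProvider = "gandiv5"` is Gandi's hosted API, so the propagation check is exactly what stops lego from asking the CA to validate before the TXT record is visible on Gandi's authoritative servers; either drop the override or replace the comment with the real reason skipping it is safe here. `extraDomainNames = [ "mail.crashoverburn.com"];` hard-codes the domain even though this file takes `fqdn`; `extraDomainNames = [ "mail.${fqdn}" ];` matches how flake.nix builds `code.${fqdn}` for the sibling modules. The hunk only points `environmentFile` at the secrix-decrypted token and nothing here says who may read that file, so confirm the decrypted secret is readable by the user the ACME renewal service runs as (the `acme` group set just above is the natural choice). `users.groups.acme = { };` is presumably redundant with the group the NixOS acme module already creates, though harmless.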
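Review bot: The added `#useACMEHost = "crashoverburn.com";` sits inside `security.acme.certs.${fqdn}`, but `useACMEHost` is an option of `services.nginx.virtualHosts.<name>`, not of an ACME certificate entry, so uncommenting it later would fail evaluation with an unknown-option error; the same parked line was added to the `security.acme.certs.${fqdn}` block in services/murmur.nix. If the intent is for ejabberd to reuse the root certificate, the route is to drop this certificate entry and point ejabberd at the `crashoverburn.com` cert directory with its user in that cert's group, not to set `useACMEHost` here; otherwise the line should go rather than stay as a hint. A comment such as `# no challenge settings here: issued via the DNS-01 defaults in security.acme.defaults` would explain why this entry carries only `group` and `postRun`. The `security.acme.certs.${fqdn}` block closes inside the hunk, but the enclosing module continues on both sides of it.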
@@ -1,4 +1,4 @@
-{ hashedPasswordFile }: { pkgs, ... }:
+{ hashedPasswordFile }: { config, pkgs, ... }:
 {
 mailserver = {
 stateVersion = 3;
@@ -13,6 +13,6 @@
 aliases = [ "postmaster@mail.crashoverburn.com" "overburn@crashoverburn.com" ];
 };
 };
- certificateScheme = "acme-nginx";
+ x509.useACMEHost = config.mailserver.fqdn;
 };
 }
diff --git a/services/movim.nix b/services/movim.nix
index 27b273b..4d9ce31 100644
--- a/services/movim.nix
+++ b/services/movim.nix
@@ -1,26 +1,26 @@
 { fqdn }: { config, lib, pkgs, inputs, ... }:
 let
- port =2024;
+ port = 2024;
 in
 {
-# Nginx configuration
+ # Nginx configuration
 services.nginx = {
 enable = true;
 recommendedProxySettings = true;
 recommendedTlsSettings = true;
 };
- services.movim = {
- enable = true;
- domain = "${fqdn}";
- port = 2024; # WebSocket port
-
- podConfig = {
- timezone = "UTC";
- description = "OverBurnSocial";
- xmppdomain = fqdn;
- };
- nginx =
- {
+ services.movim = {
+ enable = true;
+ domain = "${fqdn}";
+ port = 2024; # WebSocket port
+
+ podConfig = {
+ timezone = "UTC";
+ description = "OverBurnSocial";
+ xmppdomain = fqdn;
+ };
+ nginx =
+ {
 forceSSL = true;
 useACMEHost = "crashoverburn.com";
 };
diff --git a/services/murmur.nix b/services/murmur.nix
index f40774f..6e2ed7b 100644
--- a/services/murmur.nix
+++ b/services/murmur.nix
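Review bot: `x509.useACMEHost = config.mailserver.fqdn;` names a certificate after the mail host, but the only certificate this series defines for it is `security.acme.certs."crashoverburn.com"`, to which services/acme_server.nix adds `mail.crashoverburn.com` as an extra name; if `config.mailserver.fqdn` is `mail.crashoverburn.com`, as the `postmaster@mail.crashoverburn.com` alias in the context suggests, this points postfix and dovecot at `/var/lib/acme/mail.crashoverburn.com`, which nothing issues. `x509.useACMEHost = "crashoverburn.com";`, matching movim.nix and website.nix, ties the mail services to the certificate that actually carries the name. Whichever value is right, the users the mail daemons read the key as need read access to that cert directory (the `acme` group from `security.acme.defaults.group` by default); unless the mailserver module grants that itself, nothing in this hunk does. `mailserver.fqdn` is set outside the hunk, so the alias is the only evidence here.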
@@ -51,23 +51,24 @@ in
 ${config.services.murmur.package}/bin/mumble-server -ini /run/murmur/murmurd.ini -supw "$(cat ${config.secrix.services.murmur.secrets.murmursupass.decrypted.path})"
 '';
 security.acme.certs.${fqdn} = {
+ #useACMEHost = "crashoverburn.com";
 group = "murmur-cert";
 postRun = "systemctl restart murmur.service";
- webroot = "/var/lib/acme/acme-challenge/";
+ #webroot = "/var/lib/acme/acme-challenge/";
 };
 users.groups.murmur-cert.members = [ "murmur" "nginx" ];
-# services.nginx = {
-# enable = true;
-# virtualHosts.${fqdn} = {
-# listenAddresses = [
-# "10.0.1.30"
-# ];
-# useACMEHost = "crashoverburn.com";
-# #enableACME = true;
-# forceSSL = true;
-# locations."/".return = "301 https://crashoverburn.com/mumble";
-# };
-# };
+ # services.nginx = {
+ # enable = true;
+ # virtualHosts.${fqdn} = {
+ # listenAddresses = [
+ # "10.0.1.30"
+ # ];
+ # useACMEHost = "crashoverburn.com";
+ # #enableACME = true;
+ # forceSSL = true;
+ # locations."/".return = "301 https://crashoverburn.com/mumble";
+ # };
+ # };
 }
diff --git a/services/website.nix b/services/website.nix
index 784f3b3..b15ffa2 100644
--- a/services/website.nix
+++ b/services/website.nix
@@ -1,37 +1,37 @@
 { webroot }: { config, lib, pkgs, ... }:
-let
-fqdn = "crashoverburn.com";
+let
+ fqdn = "crashoverburn.com";
 in
 {
 users.users.nginx.extraGroups = [ "acme" ];
- security.acme.certs."${fqdn}" =
- {
- extraDomainNames= map (x: "${x}.${fqdn}")
+ security.acme.certs."${fqdn}" =
+ {
+ extraDomainNames = map (x: "${x}.${fqdn}")
 [
- "pubsub"
- "proxy"
- "upload"
- "conference"
- "social"
- "pics.social"
- ];
- webroot = "/var/lib/acme/acme-challenge/";
- };
+ "pubsub"
+ "proxy"
+ "upload"
+ "conference"
+ "social"
+ "pics.social"
+ ];
+ # webroot = "/var/lib/acme/acme-challenge/";
+ };
 services.nginx = {
 enable = true;
 virtualHosts = {
 "${fqdn}" = {
 forceSSL = true;
- enableACME = true;
- #useACMEHost = "crashoverburn.com";
+ #enableACME = true;
+ useACMEHost = "crashoverburn.com";
 locations."/".root = webroot;
 };
- "crashoverburn.online" = {
- forceSSL = true;
- #useACMEHost = "crashoverburn.com";
- enableACME = true;
- locations."/".root = webroot;
- };
+ # "crashoverburn.online" = {
+ # forceSSL = true;
+ # useACMEHost = "crashoverburn.com";
+ #enableACME = true;
+ # locations."/".root = webroot;
+ # };
 };
 };
 }
--
cgit v1.2.3
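Review bot: The `extraDomainNames` list under `security.acme.certs."${fqdn}"` is now only part of that certificate's name set, because services/acme_server.nix adds `mail.crashoverburn.com` to the same `crashoverburn.com` entry and the module system merges the two lists, so neither file shows the full picture; a comment on this list, `# merged with the extraDomainNames in services/acme_server.nix`, would spare the next reader the search. In the commented-out `crashoverburn.online` vhost, `useACMEHost = "crashoverburn.com"` cannot work as written, since every name on that certificate is `<x>.crashoverburn.com`; reviving the vhost needs either `enableACME = true` back or `crashoverburn.online` added to the certificate, and the block should say which. Dropping `webroot` here is fine now that `security.acme.defaults` selects DNS-01, but that dependency is invisible from this file; `# challenge settings come from security.acme.defaults (services/acme_server.nix)` in place of the commented `webroot` line would record it.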