authorFranck Cuny <franck@fcuny.net>2023-05-07 13:45:04 -0700
committerFranck Cuny <franck@fcuny.net>2023-05-08 19:22:28 -0700
commit5d11f49ecf05048626227dfe6f758360775b300f (patch)
treeac86934f30f88b8749fcbf930a2660e3326d92c9
parentmodule for homelab (diff)
downloadworld-5d11f49ecf05048626227dfe6f758360775b300f.tar.gz
profile/acme: default DNS provider is gandi
Add the API key for gandi to the secrets, create a profile for acme with
my defaults.

The profile is loaded by tahoe since that's where our services are
running.

Update all the servers in nginx to listen on their wireguard interface.
-rw-r--r--hosts/tahoe/default.nix1
-rw-r--r--hosts/tahoe/secrets/gandi/apikey.age11
-rw-r--r--hosts/tahoe/secrets/secrets.nix5
-rw-r--r--hosts/tahoe/services.nix9
-rw-r--r--modules/services/cgit/default.nix12
-rw-r--r--modules/services/monitoring/grafana.nix11
-rw-r--r--modules/services/navidrome/default.nix15
-rw-r--r--modules/services/nginx/default.nix5
-rw-r--r--modules/services/transmission/default.nix11
-rw-r--r--profiles/acme.nix18
-rw-r--r--profiles/nas.nix2
11 files changed, 64 insertions, 36 deletions
diff --git a/hosts/tahoe/default.nix b/hosts/tahoe/default.nix
index cfa3717..6fb5fcb 100644
--- a/hosts/tahoe/default.nix
+++ b/hosts/tahoe/default.nix
@@ -9,6 +9,7 @@ in
     ./networking.nix
     ./services.nix
     "${self}/profiles/nas.nix"
+    "${self}/profiles/acme.nix"
     "${self}/profiles/hardware/amd.nix"
   ];
 
diff --git a/hosts/tahoe/secrets/gandi/apikey.age b/hosts/tahoe/secrets/gandi/apikey.age
new file mode 100644
index 0000000..3f35522
--- /dev/null
+++ b/hosts/tahoe/secrets/gandi/apikey.age
@@ -0,0 +1,11 @@
+age-encryption.org/v1
+-> X25519 jMYhTKmWi5riTgT9QQVOlzlIegqM1MI2QtJbOonsL2E
+bM9xqcJc41bKs0as9lIQQQGZhB5cmaZtO1fHCsrMR9M
+-> X25519 3xMvuIuRGXBp/gbv+aZpjkp6wLw6hyRAqBIe/Pf+Szo
+2X45mDvLNcDOntT4JgZUFHpnlShm3UYv7gCpHGaj4Fo
+-> X25519 xemfO0+4pS8WG/7QoIIqULZ/xN+C0l+LbBgv4QIdcQU
+VfoMT93/3hTZdPo4ALCaEZrIO3bHhsoxCwf6DyXPwvI
+-> s06@-grease .@\9Og@9 7yCI nS'`(65/
+W1seHOnAnPFF8BB6uqQKv8JwpmoNCU93i06VtxuuHiaeGrlXNPiF0ikD/mysdA
+--- dpDFFk5ZPUwQZp96fpS85eZCVELD4GB1uwl/8ev5moA
+⇼?Zu>x3d[sLٵ)|[z1#cѨ3BHLw҂]$.
\ No newline at end of file
diff --git a/hosts/tahoe/secrets/secrets.nix b/hosts/tahoe/secrets/secrets.nix
index 34b955b..0560a57 100644
--- a/hosts/tahoe/secrets/secrets.nix
+++ b/hosts/tahoe/secrets/secrets.nix
@@ -28,6 +28,11 @@ in
     owner = "unpoller-exporter";
   };
 
+  "gandi/apikey.age" = {
+    publicKeys = all;
+    owner = "acme";
+  };
+
   "restic/repo-systems.age".publicKeys = all;
   "rsync.net/ssh-key.age".publicKeys = all;
 
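Review bot: `publicKeys = all` on the new `"gandi/apikey.age"` entry encrypts the DNS API key to every recipient in `all`, while the only consumer this commit introduces is the acme profile on tahoe; if `all` covers several hosts (it is bound outside the hunk), narrowing the entry to tahoe's host key plus the admin key keeps a compromise of an unrelated host from exposing a credential that can rewrite DNS for the whole domain. If the wide recipient set is deliberate, a one-line comment on the entry saying why, e.g. `# encrypted to all hosts so the acme profile can move between them`, would stop the next reader from tightening it.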
diff --git a/hosts/tahoe/services.nix b/hosts/tahoe/services.nix
index a04225e..0227f4c 100644
--- a/hosts/tahoe/services.nix
+++ b/hosts/tahoe/services.nix
@@ -1,8 +1,7 @@
-{ config, ... }:
+{ self, config, ... }:
 let secrets = config.age.secrets;
 in
 {
-
   # this unit is broken and useless. I don't know how to not install
   # it, so let's mask it.
   systemd.services.mdmonitor.enable = false;
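Review bot: `self` is added to the module's argument set on the first changed line, but none of the three hunks in this file reference it; if the rest of the file (outside the hunks) does not use it either, the argument is dead and should be dropped, since it advertises a dependency on the flake that does not exist. The remaining changes in this file only interpolate `config.homelab.domain` into the vhost names and need nothing from `self`.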
@@ -14,12 +13,12 @@ in
     };
     navidrome = {
       enable = true;
-      vhostName = "music.fcuny.xyz";
+      vhostName = "music.${config.homelab.domain}";
       musicFolder = "/data/fast/music";
     };
     unifi = {
       enable = true;
-      vhostName = "unifi.fcuny.xyz";
+      vhostName = "unifi.${config.homelab.domain}";
     };
 
     monitoring = {
@@ -33,7 +32,7 @@ in
       };
       grafana = {
         enable = true;
-        vhostName = "dash.fcuny.xyz";
+        vhostName = "dash.${config.homelab.domain}";
       };
       promtail.enable = true;
       node-exporter.enable = true;
diff --git a/modules/services/cgit/default.nix b/modules/services/cgit/default.nix
index 5108e42..e00790c 100644
--- a/modules/services/cgit/default.nix
+++ b/modules/services/cgit/default.nix
@@ -76,6 +76,18 @@ in
       default = true;
       forceSSL = true;
       enableACME = true;
+      listen = [
+        {
+          addr = "192.168.6.40";
+          port = 443;
+          ssl = true;
+        }
+        {
+          addr = "192.168.6.40";
+          port = 80;
+          ssl = false;
+        }
+      ];
       locations = {
         "~* ^.+.(css|png|ico)$" = { root = "${pkgs.cgit}/cgit"; };
         # as per https://github.com/yandex/gixy/blob/master/docs/en/plugins/aliastraversal.md
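Review bot: The address `192.168.6.40` is hard-coded in the new `listen` block here and in the matching blocks in monitoring/grafana.nix, navidrome/default.nix and transmission/default.nix, so moving the service or the interface means editing four modules; since the vhost names were just moved onto `config.homelab.domain`, the address deserves the same treatment as one option read by every module, e.g. `addr = config.homelab.listenAddress;` (option name illustrative). The commit message says the servers now listen on their wireguard interface, yet `192.168.6.40` looks like a LAN address rather than the `100.85.232.66` address the other modules drop; worth confirming that this is the intended interface before the firewall rules are written around it. This vhost also keeps `enableACME = true` while the three others switched to `useACMEHost = config.homelab.domain`, so cgit will still request its own per-name certificate instead of using the wildcard — fine if intentional, but then a comment on the `enableACME` line saying so would help.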
diff --git a/modules/services/monitoring/grafana.nix b/modules/services/monitoring/grafana.nix
index 9b75fc3..28e86f6 100644
--- a/modules/services/monitoring/grafana.nix
+++ b/modules/services/monitoring/grafana.nix
@@ -46,15 +46,15 @@ in
 
     services.nginx.virtualHosts."${cfg.vhostName}" = {
       forceSSL = true;
-      useACMEHost = cfg.vhostName;
+      useACMEHost = config.homelab.domain;
       listen = [
         {
-          addr = "100.85.232.66";
+          addr = "192.168.6.40";
           port = 443;
           ssl = true;
         }
         {
-          addr = "100.85.232.66";
+          addr = "192.168.6.40";
           port = 80;
           ssl = false;
         }
@@ -67,11 +67,6 @@ in
       };
     };
 
-    security.acme.certs."${cfg.vhostName}" = {
-      dnsProvider = "gcloud";
-      credentialsFile = secrets."acme/credentials".path;
-    };
-
     my.services.backup = {
       paths = [ "/var/lib/grafana" ];
       exclude = [
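Review bot: Removing the `security.acme.certs` block drops the only visible use of `secrets."acme/credentials"`; if `secrets` was bound in this file solely for that line (the `let` is outside the hunk), the binding is now unused and should go too, and the same applies to navidrome/default.nix and transmission/default.nix, which lose the identical block. The vhost in the previous hunk now relies on the `${config.homelab.domain}` certificate existing and being readable by nginx, which only holds on hosts that import profiles/acme.nix; a comment on the `useACMEHost` line, e.g. `# wildcard cert is provisioned by profiles/acme.nix`, would save the next reader the search.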
diff --git a/modules/services/navidrome/default.nix b/modules/services/navidrome/default.nix
index 1e3b6e7..1c8243a 100644
--- a/modules/services/navidrome/default.nix
+++ b/modules/services/navidrome/default.nix
@@ -21,20 +21,22 @@ in
   config = lib.mkIf cfg.enable {
     services.navidrome = {
       enable = true;
-      settings = { MusicFolder = cfg.musicFolder; };
+      settings = {
+        MusicFolder = cfg.musicFolder;
+      };
     };
 
     services.nginx.virtualHosts."${cfg.vhostName}" = {
       forceSSL = true;
-      useACMEHost = cfg.vhostName;
+      useACMEHost = config.homelab.domain;
       listen = [
         {
-          addr = "100.85.232.66";
+          addr = "192.168.6.40";
           port = 443;
           ssl = true;
         }
         {
-          addr = "100.85.232.66";
+          addr = "192.168.6.40";
           port = 80;
           ssl = false;
         }
@@ -45,11 +47,6 @@ in
       };
     };
 
-    security.acme.certs."${cfg.vhostName}" = {
-      dnsProvider = "gcloud";
-      credentialsFile = secrets."acme/credentials".path;
-    };
-
     my.services.backup = {
       paths = [ "/var/lib/navidrome" ];
       exclude = [ "/var/lib/navidrome/cache/" ];
diff --git a/modules/services/nginx/default.nix b/modules/services/nginx/default.nix
index f745b9b..ec71ba2 100644
--- a/modules/services/nginx/default.nix
+++ b/modules/services/nginx/default.nix
@@ -18,11 +18,6 @@ in
     # Nginx needs to be able to read the certificates
     users.users.nginx.extraGroups = [ "acme" ];
 
-    security.acme = {
-      defaults.email = "franck@fcuny.net";
-      acceptTerms = true;
-    };
-
     services.prometheus = {
       exporters.nginx = {
         enable = true;
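Review bot: `acceptTerms` and the default email leave the nginx module here, so any host that imports this module and enables ACME on a vhost without also importing profiles/acme.nix will now fail evaluation (`acceptTerms` must be true), and this commit adds the profile to tahoe only. Either keep `security.acme.acceptTerms = true;` in the module, or document the new dependency where the block was removed, e.g. `# ACME defaults (terms, email, DNS provider) now live in profiles/acme.nix`. The retained `users.users.nginx.extraGroups = [ "acme" ]` may be redundant now that the profile sets the certificate `group` to `config.services.nginx.group`, though it is harmless as long as the acme group still exists.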
diff --git a/modules/services/transmission/default.nix b/modules/services/transmission/default.nix
index 824f7a5..43c4675 100644
--- a/modules/services/transmission/default.nix
+++ b/modules/services/transmission/default.nix
@@ -35,15 +35,15 @@ in
 
     services.nginx.virtualHosts."${cfg.vhostName}" = {
       forceSSL = true;
-      useACMEHost = cfg.vhostName;
+      useACMEHost = config.homelab.domain;
       listen = [
         {
-          addr = "100.85.232.66";
+          addr = "192.168.6.40";
           port = 443;
           ssl = true;
         }
         {
-          addr = "100.85.232.66";
+          addr = "192.168.6.40";
           port = 80;
           ssl = false;
         }
@@ -54,11 +54,6 @@ in
       };
     };
 
-    security.acme.certs."${cfg.vhostName}" = {
-      dnsProvider = "gcloud";
-      credentialsFile = secrets."acme/credentials".path;
-    };
-
     networking.firewall = {
       allowedTCPPorts = [ 52213 ];
       allowedUDPPorts = [ 52213 ];
diff --git a/profiles/acme.nix b/profiles/acme.nix
new file mode 100644
index 0000000..7fc62d3
--- /dev/null
+++ b/profiles/acme.nix
@@ -0,0 +1,18 @@
+{ pkgs, lib, config, ... }:
+let
+  secrets = config.age.secrets;
+in
+{
+  security.acme.acceptTerms = true;
+  security.acme.defaults = {
+    email = "le@fcuny.net";
+    dnsProvider = "gandiv5";
+    group = config.services.nginx.group;
+    credentialsFile = secrets."gandi/apikey".path;
+    dnsPropagationCheck = true;
+  };
+  security.acme.certs."${config.homelab.domain}" = {
+    domain = "*.${config.homelab.domain}";
+    extraDomainNames = [ config.homelab.domain ];
+  };
+}
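Review bot: `credentialsFile` is consumed as an environment file for the lego run, so the decrypted `gandi/apikey` secret must contain a `GANDIV5_API_KEY=...` line rather than the bare key; nothing in this file says so and the encrypted blob cannot show it, so a comment on that line, e.g. `# env-file format: GANDIV5_API_KEY=<key>`, would prevent a silent challenge failure the next time the key is rotated. `pkgs` and `lib` are taken from the argument set but never used in the file and can be dropped. The wildcard `*.${config.homelab.domain}` with `extraDomainNames = [ config.homelab.domain ]` is the right shape for the `useACMEHost` consumers elsewhere in this commit.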
diff --git a/profiles/nas.nix b/profiles/nas.nix
index d1033af..7dc92da 100644
--- a/profiles/nas.nix
+++ b/profiles/nas.nix
@@ -1,8 +1,8 @@
 { config, pkgs, ... }:
 {
   imports = [
-    ./server.nix
     ./btrfs.nix
+    ./server.nix
   ];
 
   users.groups.nas.gid = 5000;