author | Franck Cuny <franck@fcuny.net> | 2023-05-07 13:45:04 -0700 |
committer | Franck Cuny <franck@fcuny.net> | 2023-05-08 19:22:28 -0700 |
commit | 5d11f49ecf05048626227dfe6f758360775b300f (patch) | |
tree | ac86934f30f88b8749fcbf930a2660e3326d92c9 /modules | |
parent | module for homelab (diff) | |
download | world-5d11f49ecf05048626227dfe6f758360775b300f.tar.gz |
profile/acme: default DNS provider is gandi
Add the API key for gandi to the secrets, create a profile for acme with my defaults. The profile is loaded by tahoe since that's where our services run. Update all the servers in nginx to listen on their wireguard interface.
Diffstat (limited to 'modules')
-rw-r--r-- | modules/services/cgit/default.nix | 12 | ||||
-rw-r--r-- | modules/services/monitoring/grafana.nix | 11 | ||||
-rw-r--r-- | modules/services/navidrome/default.nix | 15 | ||||
-rw-r--r-- | modules/services/nginx/default.nix | 5 | ||||
-rw-r--r-- | modules/services/transmission/default.nix | 11 |
5 files changed, 24 insertions, 30 deletions
diff --git a/modules/services/cgit/default.nix b/modules/services/cgit/default.nix index 5108e42..e00790c 100644 --- a/modules/services/cgit/default.nix +++ b/modules/services/cgit/default.nix @@ -76,6 +76,18 @@ in default = true; forceSSL = true; enableACME = true; + listen = [ + { + addr = "192.168.6.40"; + port = 443; + ssl = true; + } + { + addr = "192.168.6.40"; + port = 80; + ssl = false; + } + ]; locations = { "~* ^.+.(css|png|ico)$" = { root = "${pkgs.cgit}/cgit"; }; # as per https://github.com/yandex/gixy/blob/master/docs/en/plugins/aliastraversal.md diff --git a/modules/services/monitoring/grafana.nix b/modules/services/monitoring/grafana.nix index 9b75fc3..28e86f6 100644 --- a/modules/services/monitoring/grafana.nix +++ b/modules/services/monitoring/grafana.nix @@ -46,15 +46,15 @@ in services.nginx.virtualHosts."${cfg.vhostName}" = { forceSSL = true; - useACMEHost = cfg.vhostName; + useACMEHost = config.homelab.domain; listen = [ { - addr = "100.85.232.66"; + addr = "192.168.6.40"; port = 443; ssl = true; } { - addr = "100.85.232.66"; + addr = "192.168.6.40"; port = 80; ssl = false; } @@ -67,11 +67,6 @@ in }; }; - security.acme.certs."${cfg.vhostName}" = { - dnsProvider = "gcloud"; - credentialsFile = secrets."acme/credentials".path; - }; - my.services.backup = { paths = [ "/var/lib/grafana" ]; exclude = [ diff --git a/modules/services/navidrome/default.nix b/modules/services/navidrome/default.nix index 1e3b6e7..1c8243a 100644 --- a/modules/services/navidrome/default.nix +++ b/modules/services/navidrome/default.nix 
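Review bot: The cgit vhost keeps `enableACME = true;` while the new `listen` block binds it only to 192.168.6.40, which the description calls the WireGuard interface; an HTTP-01 challenge from the CA cannot reach port 80 on that address, so issuance only works if the new acme profile makes DNS-01 (gandi) the default, and that profile is outside this diffstat (limited to 'modules'), so it cannot be confirmed here. The other vhosts in this commit were switched to a shared certificate, and doing the same here, `useACMEHost = config.homelab.domain;` in place of `enableACME = true;`, would avoid a separate per-host issuance path, provided that certificate covers the cgit host name. A comment on the listen block such as `# bind only to the WireGuard address so the vhost is not exposed on other interfaces` would make the intent explicit for the next reader. The enclosing virtualHosts attribute set starts before and ends after this hunk.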
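Review bot: The address 192.168.6.40 is hard-coded in this grafana hunk and repeated in the navidrome and transmission hunks (and in cgit); since the commit already introduces `config.homelab.domain`, a sibling homelab option holding the WireGuard address (name to be chosen) referenced as `addr = config.homelab.<wireguard-address-option>;` would keep every vhost in step when that interface address changes. Switching to `useACMEHost = config.homelab.domain;` also presumes the certificate for that name covers `cfg.vhostName` (wildcard or SAN); the cert definition is not in this diff, so that cannot be checked here. The per-host `security.acme.certs` entries with `credentialsFile = secrets."acme/credentials".path;` are removed in the following hunks; if nothing else still references that gcloud credential, removing the secret and revoking the key on the provider side would close out the migration. The virtualHosts attribute set this hunk edits starts before and ends after it.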
@@ -21,20 +21,22 @@ in config = lib.mkIf cfg.enable { services.navidrome = { enable = true; - settings = { MusicFolder = cfg.musicFolder; }; + settings = { + MusicFolder = cfg.musicFolder; + }; }; services.nginx.virtualHosts."${cfg.vhostName}" = { forceSSL = true; - useACMEHost = cfg.vhostName; + useACMEHost = config.homelab.domain; listen = [ { - addr = "100.85.232.66"; + addr = "192.168.6.40"; port = 443; ssl = true; } { - addr = "100.85.232.66"; + addr = "192.168.6.40"; port = 80; ssl = false; } @@ -45,11 +47,6 @@ in }; }; - security.acme.certs."${cfg.vhostName}" = { - dnsProvider = "gcloud"; - credentialsFile = secrets."acme/credentials".path; - }; - my.services.backup = { paths = [ "/var/lib/navidrome" ]; exclude = [ "/var/lib/navidrome/cache/" ]; diff --git a/modules/services/nginx/default.nix b/modules/services/nginx/default.nix index f745b9b..ec71ba2 100644 --- a/modules/services/nginx/default.nix +++ b/modules/services/nginx/default.nix @@ -18,11 +18,6 @@ in # Nginx needs to be able to read the certificates users.users.nginx.extraGroups = [ "acme" ]; - security.acme = { - defaults.email = "franck@fcuny.net"; - acceptTerms = true; - }; - services.prometheus = { exporters.nginx = { enable = true; diff --git a/modules/services/transmission/default.nix b/modules/services/transmission/default.nix index 824f7a5..43c4675 100644 --- a/modules/services/transmission/default.nix +++ b/modules/services/transmission/default.nix @@ -35,15 +35,15 @@ in services.nginx.virtualHosts."${cfg.vhostName}" = { forceSSL = true; - useACMEHost = cfg.vhostName; + useACMEHost = config.homelab.domain; listen = [ { - addr = "100.85.232.66"; + addr = "192.168.6.40"; port = 443; ssl = true; } { - addr = "100.85.232.66"; + addr = "192.168.6.40"; port = 80; ssl = false; } 
@@ -54,11 +54,6 @@ in }; }; - security.acme.certs."${cfg.vhostName}" = { - dnsProvider = "gcloud"; - credentialsFile = secrets."acme/credentials".path; - }; - networking.firewall = { allowedTCPPorts = [ 52213 ]; allowedUDPPorts = [ 52213 ]; |