From 8f63afc43b1d5c1ce344c8f75888dbc10964f8dd Mon Sep 17 00:00:00 2001 From: fi Date: Tue, 10 Oct 2023 15:21:16 +0200 Subject: [PATCH] Use stable channel and use helper function for acme challenge proxy --- config/hosts/coturn/secrets.nix | 4 +- config/hosts/hydra/secrets.nix | 4 +- config/hosts/jellyfin/secrets.nix | 4 +- config/hosts/lifeline/secrets.nix | 34 ++++--- config/hosts/mail-2/secrets.nix | 34 ++++--- config/hosts/mastodon/secrets.nix | 10 +- config/hosts/matrix/secrets.nix | 82 ++++++++-------- config/hosts/metrics/secrets.nix | 34 ++++--- config/hosts/netbox/secrets.nix | 4 +- config/hosts/nextcloud/secrets.nix | 6 +- config/hosts/paperless/secrets.nix | 34 ++++--- config/hosts/valkyrie/secrets.nix | 98 ++++++++++--------- config/hosts/web-public-2/nginx.nix | 49 +++++----- .../virtualHosts/acme-challenge.nix | 85 ++++------------ .../virtualHosts/anisync.grzb.de.nix | 18 ++-- .../virtualHosts/gameserver.grzb.de.nix | 18 ++-- .../web-public-2/virtualHosts/git.grzb.de.nix | 18 ++-- .../virtualHosts/mewtube.nekover.se.nix | 18 ++-- .../web-public-2/virtualHosts/nekover.se.nix | 18 ++-- flake.nix | 3 + hosts.nix | 1 - 21 files changed, 257 insertions(+), 319 deletions(-) diff --git a/config/hosts/coturn/secrets.nix b/config/hosts/coturn/secrets.nix index 415b223..48fd211 100644 --- a/config/hosts/coturn/secrets.nix +++ b/config/hosts/coturn/secrets.nix @@ -1,7 +1,7 @@ -{ ... }: +{ keyCommandEnv,... }: { deployment.keys."static-auth-secret.secret" = { - keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "coturn/static-auth-secret" ]; + keyCommand = keyCommandEnv ++ [ "pass" "coturn/static-auth-secret" ]; destDir = "/secrets"; user = "turnserver"; group = "turnserver"; diff --git a/config/hosts/hydra/secrets.nix b/config/hosts/hydra/secrets.nix index 7ccf047..43329f7 100644 --- a/config/hosts/hydra/secrets.nix +++ b/config/hosts/hydra/secrets.nix 
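Review bot: The new parameter list on the first added line of the coturn hunk, `{ keyCommandEnv,... }:`, drops the space after the comma that every other secrets.nix in this patch uses; harmless to Nix, but it should read `{ keyCommandEnv, ... }:` for consistency. Otherwise the hunk is a pure substitution of the inlined `env GNUPGHOME=… PASSWORD_STORE_DIR=…` prefix with the shared list, and the argument order (`env` vars first, then `pass <entry>`) is preserved. The key's `permissions` and `uploadAt` lines fall outside the hunk, so the deployed file mode is not visible here.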
@@ -1,7 +1,7 @@ -{ ... }: +{ keyCommandEnv, ... }: { deployment.keys."signing-key.secret" = { - keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "hydra/signing-key" ]; + keyCommand = keyCommandEnv ++ [ "pass" "hydra/signing-key" ]; destDir = "/secrets"; user = "root"; group = "root"; diff --git a/config/hosts/jellyfin/secrets.nix b/config/hosts/jellyfin/secrets.nix index c1c22c6..922d4c4 100644 --- a/config/hosts/jellyfin/secrets.nix +++ b/config/hosts/jellyfin/secrets.nix @@ -1,7 +1,7 @@ -{ ... }: +{ keyCommandEnv, ... }: { deployment.keys."samba-credentials.secret" = { - keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "jellyfin/samba-credentials" ]; + keyCommand = keyCommandEnv ++ [ "pass" "jellyfin/samba-credentials" ]; destDir = "/secrets"; user = "root"; group = "root"; diff --git a/config/hosts/lifeline/secrets.nix b/config/hosts/lifeline/secrets.nix index b14e281..f2b6e23 100644 --- a/config/hosts/lifeline/secrets.nix +++ b/config/hosts/lifeline/secrets.nix 
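Review bot: `signing-key.secret` on hydra is deployed as `user = "root"; group = "root"`, while the key is presumably consumed by a Hydra service running under its own account; if the `permissions` line (outside this hunk) is `0640` like on the other hosts, that service can only read it via a supplementary group or a root-run helper. Worth confirming on the host which unit actually opens `/secrets/signing-key.secret` and, if it is not root, setting `group` to that service's group with a comment such as `# read by the hydra signing step, not by root`. The `keyCommandEnv ++ [ "pass" "hydra/signing-key" ]` substitution itself is equivalent to the removed inline command.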
@@ -1,19 +1,21 @@ -{ ... }: +{ keyCommandEnv, ... }: { - deployment.keys."wireguard-lifeline-wg0-privatekey.secret" = { - keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "wireguard/lifeline-wg0-privatekey" ]; - destDir = "/secrets"; - user = "root"; - group = "root"; - permissions = "0640"; - uploadAt = "pre-activation"; - }; - deployment.keys."wireguard-lifeline-mail-2-lifeline-psk.secret" = { - keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "wireguard/lifeline-mail-2/psk" ]; - destDir = "/secrets"; - user = "root"; - group = "root"; - permissions = "0640"; - uploadAt = "pre-activation"; + deployment.keys = { + "wireguard-lifeline-wg0-privatekey.secret" = { + keyCommand = keyCommandEnv ++ [ "pass" "wireguard/lifeline-wg0-privatekey" ]; + destDir = "/secrets"; + user = "root"; + group = "root"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; + "wireguard-lifeline-mail-2-lifeline-psk.secret" = { + keyCommand = keyCommandEnv ++ [ "pass" "wireguard/lifeline-mail-2/psk" ]; + destDir = "/secrets"; + user = "root"; + group = "root"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; }; } diff --git a/config/hosts/mail-2/secrets.nix b/config/hosts/mail-2/secrets.nix index 70606af..67beb5b 100644 --- a/config/hosts/mail-2/secrets.nix +++ b/config/hosts/mail-2/secrets.nix 
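Review bot: Both WireGuard secrets on lifeline keep `group = "root"` with `0640`, whereas the same kind of keys on mail-2 in this patch use `group = "systemd-network"`; if lifeline's wg0 is also a systemd-networkd netdev, networkd cannot read `/secrets/wireguard-lifeline-wg0-privatekey.secret` and the tunnel comes up without a key. If lifeline instead uses the root-run `networking.wireguard` module, `root` is the correct owner, and a one-line comment on the group, `# read by root-run networking.wireguard, not by networkd`, would make the asymmetry with mail-2 deliberate. The `keyCommand` rewrites themselves are equivalent to the removed inline commands, and the shared `wireguard/lifeline-mail-2/psk` entry matches the one mail-2 pulls.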
@@ -1,19 +1,21 @@ -{ ... }: +{ keyCommandEnv, ... }: { - deployment.keys."wireguard-mail-2-wg0-privatekey.secret" = { - keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "wireguard/mail-2-wg0-privatekey" ]; - destDir = "/secrets"; - user = "root"; - group = "systemd-network"; - permissions = "0640"; - uploadAt = "pre-activation"; - }; - deployment.keys."wireguard-lifeline-mail-2-mail-2-psk.secret" = { - keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "wireguard/lifeline-mail-2/psk" ]; - destDir = "/secrets"; - user = "root"; - group = "systemd-network"; - permissions = "0640"; - uploadAt = "pre-activation"; + deployment.keys = { + "wireguard-mail-2-wg0-privatekey.secret" = { + keyCommand = keyCommandEnv ++ [ "pass" "wireguard/mail-2-wg0-privatekey" ]; + destDir = "/secrets"; + user = "root"; + group = "systemd-network"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; + "wireguard-lifeline-mail-2-mail-2-psk.secret" = { + keyCommand = keyCommandEnv ++ [ "pass" "wireguard/lifeline-mail-2/psk" ]; + destDir = "/secrets"; + user = "root"; + group = "systemd-network"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; }; } diff --git a/config/hosts/mastodon/secrets.nix b/config/hosts/mastodon/secrets.nix index b6a827c..42f7489 100644 --- a/config/hosts/mastodon/secrets.nix +++ b/config/hosts/mastodon/secrets.nix @@ -1,8 +1,8 @@ -{ ... }: +{ keyCommandEnv, ... }: { deployment.keys = { "mastodon-secret-key-base.secret" = { - keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "mastodon/secret-key-base" ]; + keyCommand = keyCommandEnv ++ [ "pass" "mastodon/secret-key-base" ]; destDir = "/secrets"; user = "mastodon"; group = "mastodon"; 
@@ -10,7 +10,7 @@ uploadAt = "pre-activation"; }; "mastodon-otp-secret.secret" = { - keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "mastodon/otp-secret" ]; + keyCommand = keyCommandEnv ++ [ "pass" "mastodon/otp-secret" ]; destDir = "/secrets"; user = "mastodon"; group = "mastodon"; @@ -18,7 +18,7 @@ uploadAt = "pre-activation"; }; "mastodon-vapid-private-key.secret" = { - keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "mastodon/vapid-private-key" ]; + keyCommand = keyCommandEnv ++ [ "pass" "mastodon/vapid-private-key" ]; destDir = "/secrets"; user = "mastodon"; group = "mastodon"; @@ -26,7 +26,7 @@ uploadAt = "pre-activation"; }; "mastodon-email-smtp-pass.secret" = { - keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "mastodon/email-smtp-pass" ]; + keyCommand = keyCommandEnv ++ [ "pass" "mastodon/email-smtp-pass" ]; destDir = "/secrets"; user = "mastodon"; group = "mastodon"; diff --git a/config/hosts/matrix/secrets.nix b/config/hosts/matrix/secrets.nix index 7024f35..dac6301 100644 --- a/config/hosts/matrix/secrets.nix +++ b/config/hosts/matrix/secrets.nix 
@@ -1,43 +1,45 @@ -{ ... }: +{ keyCommandEnv, ... }: { - deployment.keys."matrix-registration-shared-secret.secret" = { - keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "matrix/registration-shared-secret" ]; - destDir = "/secrets"; - user = "matrix-synapse"; - group = "matrix-synapse"; - permissions = "0640"; - uploadAt = "pre-activation"; - }; - deployment.keys."matrix-turn-shared-secret.secret" = { - keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "matrix/turn-shared-secret" ]; - destDir = "/secrets"; - user = "matrix-synapse"; - group = "matrix-synapse"; - permissions = "0640"; - uploadAt = "pre-activation"; - }; - deployment.keys."matrix-email-smtp-pass.secret" = { - keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "matrix/email-smtp-pass" ]; - destDir = "/secrets"; - user = "matrix-synapse"; - group = "matrix-synapse"; - permissions = "0640"; - uploadAt = "pre-activation"; - }; - deployment.keys."matrix-homeserver-signing-key.secret" = { - keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "matrix/homeserver-signing-key" ]; - destDir = "/secrets"; - user = "matrix-synapse"; - group = "matrix-synapse"; - permissions = "0640"; - uploadAt = "pre-activation"; - }; - deployment.keys."matrix-SYNCV3_SECRET.secret" = { - keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "matrix/SYNCV3_SECRET" ]; - destDir = "/secrets"; - user = "matrix-synapse"; - group = "matrix-synapse"; - permissions = "0640"; - uploadAt = "pre-activation"; + deployment.keys = { + "matrix-registration-shared-secret.secret" = { + keyCommand = keyCommandEnv ++ [ "pass" "matrix/registration-shared-secret" ]; + destDir = "/secrets"; + user = "matrix-synapse"; + group = "matrix-synapse"; + 
permissions = "0640"; + uploadAt = "pre-activation"; + }; + "matrix-turn-shared-secret.secret" = { + keyCommand = keyCommandEnv ++ [ "pass" "matrix/turn-shared-secret" ]; + destDir = "/secrets"; + user = "matrix-synapse"; + group = "matrix-synapse"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; + "matrix-email-smtp-pass.secret" = { + keyCommand = keyCommandEnv ++ [ "pass" "matrix/email-smtp-pass" ]; + destDir = "/secrets"; + user = "matrix-synapse"; + group = "matrix-synapse"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; + "matrix-homeserver-signing-key.secret" = { + keyCommand = keyCommandEnv ++ [ "pass" "matrix/homeserver-signing-key" ]; + destDir = "/secrets"; + user = "matrix-synapse"; + group = "matrix-synapse"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; + "matrix-SYNCV3_SECRET.secret" = { + keyCommand = keyCommandEnv ++ [ "pass" "matrix/SYNCV3_SECRET" ]; + destDir = "/secrets"; + user = "matrix-synapse"; + group = "matrix-synapse"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; }; } diff --git a/config/hosts/metrics/secrets.nix b/config/hosts/metrics/secrets.nix index 43b06b3..fcf9baa 100644 --- a/config/hosts/metrics/secrets.nix +++ b/config/hosts/metrics/secrets.nix 
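Review bot: `matrix-SYNCV3_SECRET.secret` is owned by `matrix-synapse:matrix-synapse` at `0640`, but `SYNCV3_SECRET` is the sliding-sync proxy's secret, and that proxy normally runs as a separate service user; unless it is given the `matrix-synapse` supplementary group or runs as that user, it cannot open the file. Worth checking which unit consumes it and setting `user`/`group` to that account, with a comment like `# consumed by the sliding-sync proxy, not by synapse`. The other four keys (registration secret, TURN secret, SMTP password, homeserver signing key) are genuinely Synapse-side and their ownership is fine; the substitutions are equivalent to the removed inline `env … pass` commands.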
@@ -1,19 +1,21 @@ -{ ... }: +{ keyCommandEnv, ... }: { - deployment.keys."metrics-grafana-admin-password.secret" = { - keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "metrics/grafana/admin-password" ]; - destDir = "/secrets"; - user = "grafana"; - group = "grafana"; - permissions = "0640"; - uploadAt = "pre-activation"; - }; - deployment.keys."metrics-grafana-smtp-password.secret" = { - keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "metrics/grafana/smtp-password" ]; - destDir = "/secrets"; - user = "grafana"; - group = "grafana"; - permissions = "0640"; - uploadAt = "pre-activation"; + deployment.keys = { + "metrics-grafana-admin-password.secret" = { + keyCommand = keyCommandEnv ++ [ "pass" "metrics/grafana/admin-password" ]; + destDir = "/secrets"; + user = "grafana"; + group = "grafana"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; + "metrics-grafana-smtp-password.secret" = { + keyCommand = keyCommandEnv ++ [ "pass" "metrics/grafana/smtp-password" ]; + destDir = "/secrets"; + user = "grafana"; + group = "grafana"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; }; } diff --git a/config/hosts/netbox/secrets.nix b/config/hosts/netbox/secrets.nix index e31c666..216aca4 100644 --- a/config/hosts/netbox/secrets.nix +++ b/config/hosts/netbox/secrets.nix @@ -1,7 +1,7 @@ -{ ... }: +{ keyCommandEnv, ... }: { deployment.keys."netbox-secret-key.secret" = { - keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "netbox/secret-key" ]; + keyCommand = keyCommandEnv ++ [ "pass" "netbox/secret-key" ]; destDir = "/secrets"; user = "netbox"; group = "netbox"; diff --git a/config/hosts/nextcloud/secrets.nix b/config/hosts/nextcloud/secrets.nix index c4a91b9..b344d78 100644 --- a/config/hosts/nextcloud/secrets.nix +++ b/config/hosts/nextcloud/secrets.nix 
@@ -1,8 +1,8 @@ -{ ... }: +{ keyCommandEnv, ... }: { deployment.keys = { "nextcloud-adminpass.secret" = { - keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "nextcloud/adminpass" ]; + keyCommand = keyCommandEnv ++ [ "pass" "nextcloud/adminpass" ]; destDir = "/secrets"; user = "nextcloud"; group = "nextcloud"; @@ -10,7 +10,7 @@ uploadAt = "pre-activation"; }; "nextcloud-secretfile.secret" = { - keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "nextcloud/secretfile" ]; + keyCommand = keyCommandEnv ++ [ "pass" "nextcloud/secretfile" ]; destDir = "/secrets"; user = "nextcloud"; group = "nextcloud"; diff --git a/config/hosts/paperless/secrets.nix b/config/hosts/paperless/secrets.nix index 92a8b1d..6726881 100644 --- a/config/hosts/paperless/secrets.nix +++ b/config/hosts/paperless/secrets.nix 
@@ -1,19 +1,21 @@ -{ ... }: +{ keyCommandEnv, ... }: { - deployment.keys."paperless-admin-password.secret" = { - keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "paperless/admin-password" ]; - destDir = "/secrets"; - user = "paperless"; - group = "paperless"; - permissions = "0640"; - uploadAt = "pre-activation"; - }; - deployment.keys."paperless-samba-credentials.secret" = { - keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "paperless/samba-credentials" ]; - destDir = "/secrets"; - user = "root"; - group = "root"; - permissions = "0640"; - uploadAt = "pre-activation"; + deployment.keys = { + "paperless-admin-password.secret" = { + keyCommand = keyCommandEnv ++ [ "pass" "paperless/admin-password" ]; + destDir = "/secrets"; + user = "paperless"; + group = "paperless"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; + "paperless-samba-credentials.secret" = { + keyCommand = keyCommandEnv ++ [ "pass" "paperless/samba-credentials" ]; + destDir = "/secrets"; + user = "root"; + group = "root"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; }; } diff --git a/config/hosts/valkyrie/secrets.nix b/config/hosts/valkyrie/secrets.nix index 4395a6d..3acc555 100644 --- a/config/hosts/valkyrie/secrets.nix +++ b/config/hosts/valkyrie/secrets.nix 
@@ -1,51 +1,53 @@ -{ ... }: +{ keyCommandEnv, ... }: { - deployment.keys."wireguard-valkyrie-wg0-privatekey.secret" = { - keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "wireguard/valkyrie-wg0-privatekey" ]; - destDir = "/secrets"; - user = "root"; - group = "root"; - permissions = "0640"; - uploadAt = "pre-activation"; - }; - deployment.keys."wireguard-valkyrie-site1-grzb-psk.secret" = { - keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "wireguard/valkyrie-site1-grzb/psk" ]; - destDir = "/secrets"; - user = "root"; - group = "root"; - permissions = "0640"; - uploadAt = "pre-activation"; - }; - deployment.keys."wireguard-valkyrie-site2-grzb-psk.secret" = { - keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "wireguard/valkyrie-site2-grzb/psk" ]; - destDir = "/secrets"; - user = "root"; - group = "root"; - permissions = "0640"; - uploadAt = "pre-activation"; - }; - deployment.keys."wireguard-valkyrie-site1-jsts-psk.secret" = { - keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "wireguard/valkyrie-site1-jsts/psk" ]; - destDir = "/secrets"; - user = "root"; - group = "root"; - permissions = "0640"; - uploadAt = "pre-activation"; - }; - deployment.keys."wireguard-valkyrie-wg1-privatekey.secret" = { - keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "wireguard/valkyrie-wg1-privatekey" ]; - destDir = "/secrets"; - user = "root"; - group = "root"; - permissions = "0640"; - uploadAt = "pre-activation"; - }; - deployment.keys."wireguard-valkyrie-mail-1-valkyrie-psk.secret" = { - keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "wireguard/valkyrie-mail-1/psk" ]; - destDir = "/secrets"; - user = "root"; - 
group = "root"; - permissions = "0640"; - uploadAt = "pre-activation"; + deployment.keys = { + "wireguard-valkyrie-wg0-privatekey.secret" = { + keyCommand = keyCommandEnv ++ [ "pass" "wireguard/valkyrie-wg0-privatekey" ]; + destDir = "/secrets"; + user = "root"; + group = "root"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; + "wireguard-valkyrie-site1-grzb-psk.secret" = { + keyCommand = keyCommandEnv ++ [ "pass" "wireguard/valkyrie-site1-grzb/psk" ]; + destDir = "/secrets"; + user = "root"; + group = "root"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; + "wireguard-valkyrie-site2-grzb-psk.secret" = { + keyCommand = keyCommandEnv ++ [ "pass" "wireguard/valkyrie-site2-grzb/psk" ]; + destDir = "/secrets"; + user = "root"; + group = "root"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; + "wireguard-valkyrie-site1-jsts-psk.secret" = { + keyCommand = keyCommandEnv ++ [ "pass" "wireguard/valkyrie-site1-jsts/psk" ]; + destDir = "/secrets"; + user = "root"; + group = "root"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; + "wireguard-valkyrie-wg1-privatekey.secret" = { + keyCommand = keyCommandEnv ++ [ "pass" "wireguard/valkyrie-wg1-privatekey" ]; + destDir = "/secrets"; + user = "root"; + group = "root"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; + "wireguard-valkyrie-mail-1-valkyrie-psk.secret" = { + keyCommand = keyCommandEnv ++ [ "pass" "wireguard/valkyrie-mail-1/psk" ]; + destDir = "/secrets"; + user = "root"; + group = "root"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; }; } diff --git a/config/hosts/web-public-2/nginx.nix b/config/hosts/web-public-2/nginx.nix index 46a711c..122a4b2 100644 --- a/config/hosts/web-public-2/nginx.nix +++ b/config/hosts/web-public-2/nginx.nix 
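Review bot: All six WireGuard secrets on valkyrie are `root:root` at `0640`, so they are only usable by a root-run WireGuard implementation; if either wg0 or wg1 is managed by systemd-networkd, the `systemd-network` group (as used on mail-2 in this same patch) is required for the private keys and PSKs to be readable. A short comment above `deployment.keys`, `# root-owned: interfaces are configured by the root-run WireGuard module`, would record the intent and stop the next reader from copying mail-2's group here by mistake. The `keyCommandEnv ++ [ "pass" … ]` rewrites are equivalent to the removed inline commands, and the pass entry names are unchanged.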
@@ -11,33 +11,32 @@ worker_connections 1024; ''; - streamConfig = '' - map $ssl_preread_server_name $address { - anisync.grzb.de 127.0.0.1:8443; - birdsite.nekover.se 10.202.41.107:8443; - cloud.nekover.se 10.202.41.122:8443; - element.nekover.se 127.0.0.1:8443; - gameserver.grzb.de 127.0.0.1:8443; - git.grzb.de 127.0.0.1:8443; - hydra.nekover.se 10.202.41.121:8443; - matrix.nekover.se 10.202.41.112:8443; - mewtube.nekover.se 127.0.0.1:8443; - nekover.se 127.0.0.1:8443; - nix-cache.nekover.se 10.202.41.121:8443; - social.nekover.se 10.202.41.104:8443; - } - - server { - listen 0.0.0.0:443; - listen [::]:443; - proxy_pass $address; - ssl_preread on; - proxy_protocol on; - } - ''; - appendConfig = '' worker_processes auto; + + stream { + map $ssl_preread_server_name $address { + anisync.grzb.de 127.0.0.1:8443; + birdsite.nekover.se 10.202.41.107:8443; + cloud.nekover.se 10.202.41.122:8443; + element.nekover.se 127.0.0.1:8443; + gameserver.grzb.de 127.0.0.1:8443; + git.grzb.de 127.0.0.1:8443; + hydra.nekover.se 10.202.41.121:8443; + matrix.nekover.se 10.202.41.112:8443; + mewtube.nekover.se 127.0.0.1:8443; + nekover.se 127.0.0.1:8443; + nix-cache.nekover.se 10.202.41.121:8443; + social.nekover.se 10.202.41.104:8443; + } + server { + listen 0.0.0.0:443; + listen [::]:443; + proxy_pass $address; + ssl_preread on; + proxy_protocol on; + } + } ''; appendHttpConfig = '' diff --git a/config/hosts/web-public-2/virtualHosts/acme-challenge.nix b/config/hosts/web-public-2/virtualHosts/acme-challenge.nix index 7e0190e..9cd0be4 100644 --- a/config/hosts/web-public-2/virtualHosts/acme-challenge.nix +++ b/config/hosts/web-public-2/virtualHosts/acme-challenge.nix 
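Review bot: The `map $ssl_preread_server_name $address` block has no `default`, so a ClientHello with an unknown or absent SNI leaves `$address` empty and `proxy_pass` drops the connection; that is the safe outcome, but it is silent, so spell it out with a comment such as `# no default: unknown/absent SNI is rejected rather than routed` (or add an explicit `default` if a catch-all was intended). With `proxy_protocol on`, every backend in the map — including the remote `10.202.41.*:8443` ones — must accept PROXY protocol on its TLS listener, and the local 8443 vhosts only see real client addresses if the http context sets `set_real_ip_from 127.0.0.1; real_ip_header proxy_protocol;`; `appendHttpConfig` begins on the hunk's last line and its body is outside the view, so I cannot confirm that here. Moving the block from `streamConfig` into a hand-written `stream { … }` inside `appendConfig` is otherwise a verbatim relocation.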
@@ -1,68 +1,23 @@ { ... }: -{ - services.nginx.virtualHosts = { - "jellyfin.grzb.de" = { - listen = [{ - addr = "0.0.0.0"; - port = 80; - }]; - locations."^~ /.well-known/acme-challenge/" = { - proxyPass = "http://jellyfin.vs.grzb.de:80"; - }; - }; - "mail-1.grzb.de" = { - listen = [{ - addr = "0.0.0.0"; - port = 80; - }]; - locations."^~ /.well-known/acme-challenge/" = { - proxyPass = "http://mail-1.vs.grzb.de:80"; - }; - }; - "mastodon.nekover.se" = { - listen = [{ - addr = "0.0.0.0"; - port = 80; - }]; - locations."^~ /.well-known/acme-challenge/" = { - proxyPass = "http://mastodon.vs.grzb.de:80"; - }; - }; - "matrix.nekover.se" = { - listen = [{ - addr = "0.0.0.0"; - port = 80; - }]; - locations."^~ /.well-known/acme-challenge/" = { - proxyPass = "http://matrix.vs.grzb.de:80"; - }; - }; - "netbox.grzb.de" = { - listen = [{ - addr = "0.0.0.0"; - port = 80; - }]; - locations."^~ /.well-known/acme-challenge/" = { - proxyPass = "http://netbox.vs.grzb.de:80"; - }; - }; - "grafana.grzb.de" = { - listen = [{ - addr = "0.0.0.0"; - port = 80; - }]; - locations."^~ /.well-known/acme-challenge/" = { - proxyPass = "http://metrics.vs.grzb.de:80"; - }; - }; - "turn.nekover.se" = { - listen = [{ - addr = "0.0.0.0"; - port = 80; - }]; - locations."^~ /.well-known/acme-challenge/" = { - proxyPass = "http://coturn.vs.grzb.de:80"; - }; - }; +let + acmeDomainMap = { + "jellyfin.grzb.de" = "jellyfin.vs.grzb.de"; + "mail-1.grzb.de" = "mail-1.vs.grzb.de"; + "social.nekover.se" = "mastodon.vs.grzb.de"; + "matrix.nekover.se" = "matrix.vs.grzb.de"; + "netbox.grzb.de" = "netbox.vs.grzb.de"; + "grafana.grzb.de" = "metrics.vs.grzb.de"; + "turn.nekover.se" = "coturn.vs.grzb.de"; }; +in +{ + services.nginx.virtualHosts = (builtins.mapAttrs (domain: target: { + listen = [{ + addr = "0.0.0.0"; + port = 80; + }]; + locations."^~ /.well-known/acme-challenge/" = { + proxyPass = "http://${target}:80"; + }; + }) acmeDomainMap); } 
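Review bot: The rewrite silently changes one key: the removed block proxied challenges for `mastodon.nekover.se`, while the new `acmeDomainMap` lists `social.nekover.se` for the same `mastodon.vs.grzb.de` target — a functional change (a certificate still issued under the old name on that host stops renewing) that the commit message does not mention, so call it out there or in a comment above the map. The generated vhosts still `listen` only on `addr = "0.0.0.0"`, so if any of these names has an AAAA record pointing at this host, HTTP-01 validation over IPv6 never reaches the proxy; add `{ addr = "[::]"; port = 80; }` alongside. The parentheses around `builtins.mapAttrs (…) acmeDomainMap` are redundant, and a header comment like `# Forward HTTP-01 challenges for names whose TLS terminates on other hosts` would explain why this vhost set exists.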
diff --git a/config/hosts/web-public-2/virtualHosts/anisync.grzb.de.nix b/config/hosts/web-public-2/virtualHosts/anisync.grzb.de.nix index 381294e..9a3950a 100644 --- a/config/hosts/web-public-2/virtualHosts/anisync.grzb.de.nix +++ b/config/hosts/web-public-2/virtualHosts/anisync.grzb.de.nix @@ -3,18 +3,12 @@ services.nginx.virtualHosts."anisync.grzb.de" = { forceSSL = true; enableACME = true; - listen = [ - { - addr = "localhost"; - port = 1234; - } # workaround for enableACME check - { - addr = "localhost"; - port = 8443; - ssl = true; - proxyProtocol = true; - } - ]; + listen = [{ + addr = "localhost"; + port = 8443; + ssl = true; + extraParameters = ["proxy_protocol"]; + }]; locations."/" = { proxyPass = "http://anisync.vs.grzb.de:8080"; proxyWebsockets = true; diff --git a/config/hosts/web-public-2/virtualHosts/gameserver.grzb.de.nix b/config/hosts/web-public-2/virtualHosts/gameserver.grzb.de.nix index 4efedd4..c746f3d 100644 --- a/config/hosts/web-public-2/virtualHosts/gameserver.grzb.de.nix +++ b/config/hosts/web-public-2/virtualHosts/gameserver.grzb.de.nix @@ -3,18 +3,12 @@ services.nginx.virtualHosts."gameserver.grzb.de" = { forceSSL = true; enableACME = true; - listen = [ - { - addr = "localhost"; - port = 1234; - } # workaround for enableACME check - { - addr = "localhost"; - port = 8443; - ssl = true; - proxyProtocol = true; - } - ]; + listen = [{ + addr = "localhost"; + port = 8443; + ssl = true; + extraParameters = ["proxy_protocol"]; + }]; locations."/" = { proxyPass = "http://pterodactyl.vs.grzb.de"; extraConfig = '' diff --git a/config/hosts/web-public-2/virtualHosts/git.grzb.de.nix b/config/hosts/web-public-2/virtualHosts/git.grzb.de.nix index 03b1a96..ac9eefb 100644 --- a/config/hosts/web-public-2/virtualHosts/git.grzb.de.nix +++ b/config/hosts/web-public-2/virtualHosts/git.grzb.de.nix 
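Review bot: After this change the only listener of `anisync.grzb.de` is `localhost:8443` with `ssl = true`, yet `enableACME = true` remains, so the HTTP-01 challenge has to be answered by some other port-80 server block serving the same ACME webroot; nothing in this hunk or in `acme-challenge.nix` (which does not list this name) provides one, so please confirm renewal still succeeds, e.g. by running the `acme-anisync.grzb.de` service once after deploying. The removed `port = 1234` entry existed only as a `workaround for enableACME check`, so its removal is fine on the new channel, but a comment on the `listen` block, `# TLS terminates here; the :443 stream proxy forwards by SNI with PROXY protocol`, would document why this vhost sits on loopback 8443. The `locations."/"` body continues outside the hunk.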
@@ -3,18 +3,12 @@ services.nginx.virtualHosts."git.grzb.de" = { forceSSL = true; enableACME = true; - listen = [ - { - addr = "localhost"; - port = 1234; - } # workaround for enableACME check - { - addr = "localhost"; - port = 8443; - ssl = true; - proxyProtocol = true; - } - ]; + listen = [{ + addr = "localhost"; + port = 8443; + ssl = true; + extraParameters = ["proxy_protocol"]; + }]; locations."/" = { proxyPass = "http://gitlab.vs.grzb.de:80"; extraConfig = '' diff --git a/config/hosts/web-public-2/virtualHosts/mewtube.nekover.se.nix b/config/hosts/web-public-2/virtualHosts/mewtube.nekover.se.nix index 3a297e8..1ab842a 100644 --- a/config/hosts/web-public-2/virtualHosts/mewtube.nekover.se.nix +++ b/config/hosts/web-public-2/virtualHosts/mewtube.nekover.se.nix @@ -3,18 +3,12 @@ services.nginx.virtualHosts."mewtube.nekover.se" = { forceSSL = true; enableACME = true; - listen = [ - { - addr = "localhost"; - port = 1234; - } # workaround for enableACME check - { - addr = "localhost"; - port = 8443; - ssl = true; - proxyProtocol = true; - } - ]; + listen = [{ + addr = "localhost"; + port = 8443; + ssl = true; + extraParameters = ["proxy_protocol"]; + }]; locations."/" = { proxyPass = "http://cloudtube.vs.grzb.de:10412"; }; diff --git a/config/hosts/web-public-2/virtualHosts/nekover.se.nix b/config/hosts/web-public-2/virtualHosts/nekover.se.nix index 91c131d..7c95ec5 100644 --- a/config/hosts/web-public-2/virtualHosts/nekover.se.nix +++ b/config/hosts/web-public-2/virtualHosts/nekover.se.nix 
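Review bot: With `proxy_protocol` on the 8443 listener, `$remote_addr` in `git.grzb.de` is the loopback stream proxy's address unless `real_ip_header proxy_protocol` and `set_real_ip_from 127.0.0.1` are set in the http context; in that case the `X-Forwarded-For` forwarded to `http://gitlab.vs.grzb.de:80` tells GitLab that every client is 127.0.0.1, which degrades its rate limiting, IP bans and audit logging. That http-level configuration is not in this hunk, so just confirm it exists, or add those two directives to `appendHttpConfig` in nginx.nix. The location's `extraConfig` continues past the hunk.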
@@ -3,18 +3,12 @@ services.nginx.virtualHosts."nekover.se" = { forceSSL = true; enableACME = true; - listen = [ - { - addr = "localhost"; - port = 1234; - } # workaround for enableACME check - { - addr = "localhost"; - port = 8443; - ssl = true; - proxyProtocol = true; - } - ]; + listen = [{ + addr = "localhost"; + port = 8443; + ssl = true; + extraParameters = ["proxy_protocol"]; + }]; locations."/.well-known/matrix/server" = { return = "200 '{\"m.server\": \"matrix.nekover.se:443\"}'"; extraConfig = '' diff --git a/flake.nix b/flake.nix index a9af2db..d2341f7 100644 --- a/flake.nix +++ b/flake.nix @@ -28,6 +28,9 @@ specialArgs = { inherit nixpkgs-unstable hosts simple-nixos-mailserver; + + # Provide environment for secret key command + keyCommandEnv = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" ]; }; }; } // builtins.mapAttrs (helper.generateColmenaHost) hosts; diff --git a/hosts.nix b/hosts.nix index fc2716d..4f00d17 100644 --- a/hosts.nix +++ b/hosts.nix @@ -102,7 +102,6 @@ in environment = "proxmox"; }; web-public-2 = { - hostNixpkgs = nixpkgs-unstable; site = "vs"; environment = "proxmox"; };
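Review bot: `keyCommandEnv` in flake.nix hard-codes `/home/yuri/.passinfra_gnupg` and `/home/yuri/pass/infra`, so every host's secrets can now only be deployed from that one account on that one workstation, and a reader of a host's secrets.nix no longer sees the paths at all; the comment should say so, e.g. `# Deployer-side only: colmena runs keyCommand locally, so these paths are the operator's pass/gnupg stores`. Centralising the prefix is still an improvement over the copies inlined in every secrets.nix, and the list holds only paths, not secret material. Dropping `hostNixpkgs = nixpkgs-unstable` for web-public-2 in hosts.nix is presumably what makes the `extraParameters = ["proxy_protocol"]` form in the vhost files necessary; a sentence about that in the commit body would help.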