Use stable channel and use helper function for acme challenge proxy

config/hosts/coturn/secrets.nix

@@ -1,7 +1,7 @@
-{ ... }:
+{ keyCommandEnv,... }:
 {
   deployment.keys."static-auth-secret.secret" = {
-    keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "coturn/static-auth-secret" ];
+    keyCommand = keyCommandEnv ++ [ "pass" "coturn/static-auth-secret" ];
     destDir = "/secrets";
     user = "turnserver";
     group = "turnserver";

config/hosts/hydra/secrets.nix

@@ -1,7 +1,7 @@
-{ ... }:
+{ keyCommandEnv, ... }:
 {
   deployment.keys."signing-key.secret" = {
-    keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "hydra/signing-key" ];
+    keyCommand = keyCommandEnv ++ [ "pass" "hydra/signing-key" ];
     destDir = "/secrets";
     user = "root";
     group = "root";

config/hosts/jellyfin/secrets.nix

@@ -1,7 +1,7 @@
-{ ... }:
+{ keyCommandEnv, ... }:
 {
   deployment.keys."samba-credentials.secret" = {
-    keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "jellyfin/samba-credentials" ];
+    keyCommand = keyCommandEnv ++ [ "pass" "jellyfin/samba-credentials" ];
     destDir = "/secrets";
     user = "root";
     group = "root";

config/hosts/lifeline/secrets.nix

@@ -1,19 +1,21 @@
-{ ... }:
+{ keyCommandEnv, ... }:
 {
-  deployment.keys."wireguard-lifeline-wg0-privatekey.secret" = {
+  deployment.keys = {
-    keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "wireguard/lifeline-wg0-privatekey" ];
+    "wireguard-lifeline-wg0-privatekey.secret" = {
-    destDir = "/secrets";
+      keyCommand = keyCommandEnv ++ [ "pass" "wireguard/lifeline-wg0-privatekey" ];
-    user = "root";
+      destDir = "/secrets";
-    group = "root";
+      user = "root";
-    permissions = "0640";
+      group = "root";
-    uploadAt = "pre-activation";
+      permissions = "0640";
-  };
+      uploadAt = "pre-activation";
-  deployment.keys."wireguard-lifeline-mail-2-lifeline-psk.secret" = {
+    };
-    keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "wireguard/lifeline-mail-2/psk" ];
+    "wireguard-lifeline-mail-2-lifeline-psk.secret" = {
-    destDir = "/secrets";
+      keyCommand = keyCommandEnv ++ [ "pass" "wireguard/lifeline-mail-2/psk" ];
-    user = "root";
+      destDir = "/secrets";
-    group = "root";
+      user = "root";
-    permissions = "0640";
+      group = "root";
-    uploadAt = "pre-activation";
+      permissions = "0640";
+      uploadAt = "pre-activation";
+    };
   };
 }

config/hosts/mail-2/secrets.nix

@@ -1,19 +1,21 @@
-{ ... }:
+{ keyCommandEnv, ... }:
 {
-  deployment.keys."wireguard-mail-2-wg0-privatekey.secret" = {
+  deployment.keys = {
-    keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "wireguard/mail-2-wg0-privatekey" ];
+    "wireguard-mail-2-wg0-privatekey.secret" = {
-    destDir = "/secrets";
+      keyCommand = keyCommandEnv ++ [ "pass" "wireguard/mail-2-wg0-privatekey" ];
-    user = "root";
+      destDir = "/secrets";
-    group = "systemd-network";
+      user = "root";
-    permissions = "0640";
+      group = "systemd-network";
-    uploadAt = "pre-activation";
+      permissions = "0640";
-  };
+      uploadAt = "pre-activation";
-  deployment.keys."wireguard-lifeline-mail-2-mail-2-psk.secret" = {
+    };
-    keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "wireguard/lifeline-mail-2/psk" ];
+    "wireguard-lifeline-mail-2-mail-2-psk.secret" = {
-    destDir = "/secrets";
+      keyCommand = keyCommandEnv ++ [ "pass" "wireguard/lifeline-mail-2/psk" ];
-    user = "root";
+      destDir = "/secrets";
-    group = "systemd-network";
+      user = "root";
-    permissions = "0640";
+      group = "systemd-network";
-    uploadAt = "pre-activation";
+      permissions = "0640";
+      uploadAt = "pre-activation";
+    };
   };
 }

config/hosts/mastodon/secrets.nix

@@ -1,8 +1,8 @@
-{ ... }:
+{ keyCommandEnv, ... }:
 {
   deployment.keys = {
     "mastodon-secret-key-base.secret" = {
-      keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "mastodon/secret-key-base" ];
+      keyCommand = keyCommandEnv ++ [ "pass" "mastodon/secret-key-base" ];
       destDir = "/secrets";
       user = "mastodon";
       group = "mastodon";
@@ -10,7 +10,7 @@
       uploadAt = "pre-activation";
     };
     "mastodon-otp-secret.secret" = {
-      keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "mastodon/otp-secret" ];
+      keyCommand = keyCommandEnv ++ [ "pass" "mastodon/otp-secret" ];
       destDir = "/secrets";
       user = "mastodon";
       group = "mastodon";
@@ -18,7 +18,7 @@
       uploadAt = "pre-activation";
     };
     "mastodon-vapid-private-key.secret" = {
-      keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "mastodon/vapid-private-key" ];
+      keyCommand = keyCommandEnv ++ [ "pass" "mastodon/vapid-private-key" ];
       destDir = "/secrets";
       user = "mastodon";
       group = "mastodon";
@@ -26,7 +26,7 @@
       uploadAt = "pre-activation";
     };
     "mastodon-email-smtp-pass.secret" = {
-      keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "mastodon/email-smtp-pass" ];
+      keyCommand = keyCommandEnv ++ [ "pass" "mastodon/email-smtp-pass" ];
       destDir = "/secrets";
       user = "mastodon";
       group = "mastodon";

config/hosts/matrix/secrets.nix

@@ -1,43 +1,45 @@
-{ ... }:
+{ keyCommandEnv, ... }:
 {
-  deployment.keys."matrix-registration-shared-secret.secret" = {
+  deployment.keys = {
-    keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "matrix/registration-shared-secret" ];
+    "matrix-registration-shared-secret.secret" = {
-    destDir = "/secrets";
+      keyCommand = keyCommandEnv ++ [ "pass" "matrix/registration-shared-secret" ];
-    user = "matrix-synapse";
+      destDir = "/secrets";
-    group = "matrix-synapse";
+      user = "matrix-synapse";
-    permissions = "0640";
+      group = "matrix-synapse";
-    uploadAt = "pre-activation";
+      permissions = "0640";
-  };
+      uploadAt = "pre-activation";
-  deployment.keys."matrix-turn-shared-secret.secret" = {
+    };
-    keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "matrix/turn-shared-secret" ];
+    "matrix-turn-shared-secret.secret" = {
-    destDir = "/secrets";
+      keyCommand = keyCommandEnv ++ [ "pass" "matrix/turn-shared-secret" ];
-    user = "matrix-synapse";
+      destDir = "/secrets";
-    group = "matrix-synapse";
+      user = "matrix-synapse";
-    permissions = "0640";
+      group = "matrix-synapse";
-    uploadAt = "pre-activation";
+      permissions = "0640";
-  };
+      uploadAt = "pre-activation";
-  deployment.keys."matrix-email-smtp-pass.secret" = {
+    };
-    keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "matrix/email-smtp-pass" ];
+    "matrix-email-smtp-pass.secret" = {
-    destDir = "/secrets";
+      keyCommand = keyCommandEnv ++ [ "pass" "matrix/email-smtp-pass" ];
-    user = "matrix-synapse";
+      destDir = "/secrets";
-    group = "matrix-synapse";
+      user = "matrix-synapse";
-    permissions = "0640";
+      group = "matrix-synapse";
-    uploadAt = "pre-activation";
+      permissions = "0640";
-  };
+      uploadAt = "pre-activation";
-  deployment.keys."matrix-homeserver-signing-key.secret" = {
+    };
-    keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "matrix/homeserver-signing-key" ];
+    "matrix-homeserver-signing-key.secret" = {
-    destDir = "/secrets";
+      keyCommand = keyCommandEnv ++ [ "pass" "matrix/homeserver-signing-key" ];
-    user = "matrix-synapse";
+      destDir = "/secrets";
-    group = "matrix-synapse";
+      user = "matrix-synapse";
-    permissions = "0640";
+      group = "matrix-synapse";
-    uploadAt = "pre-activation";
+      permissions = "0640";
-  };
+      uploadAt = "pre-activation";
-  deployment.keys."matrix-SYNCV3_SECRET.secret" = {
+    };
-    keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "matrix/SYNCV3_SECRET" ];
+    "matrix-SYNCV3_SECRET.secret" = {
-    destDir = "/secrets";
+      keyCommand = keyCommandEnv ++ [ "pass" "matrix/SYNCV3_SECRET" ];
-    user = "matrix-synapse";
+      destDir = "/secrets";
-    group = "matrix-synapse";
+      user = "matrix-synapse";
-    permissions = "0640";
+      group = "matrix-synapse";
-    uploadAt = "pre-activation";
+      permissions = "0640";
+      uploadAt = "pre-activation";
+    };
   };
 }

config/hosts/metrics/secrets.nix

@@ -1,19 +1,21 @@
-{ ... }:
+{ keyCommandEnv, ... }:
 {
-  deployment.keys."metrics-grafana-admin-password.secret" = {
+  deployment.keys = {
-    keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "metrics/grafana/admin-password" ];
+    "metrics-grafana-admin-password.secret" = {
-    destDir = "/secrets";
+      keyCommand = keyCommandEnv ++ [ "pass" "metrics/grafana/admin-password" ];
-    user = "grafana";
+      destDir = "/secrets";
-    group = "grafana";
+      user = "grafana";
-    permissions = "0640";
+      group = "grafana";
-    uploadAt = "pre-activation";
+      permissions = "0640";
-  };
+      uploadAt = "pre-activation";
-  deployment.keys."metrics-grafana-smtp-password.secret" = {
+    };
-    keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "metrics/grafana/smtp-password" ];
+    "metrics-grafana-smtp-password.secret" = {
-    destDir = "/secrets";
+      keyCommand = keyCommandEnv ++ [ "pass" "metrics/grafana/smtp-password" ];
-    user = "grafana";
+      destDir = "/secrets";
-    group = "grafana";
+      user = "grafana";
-    permissions = "0640";
+      group = "grafana";
-    uploadAt = "pre-activation";
+      permissions = "0640";
+      uploadAt = "pre-activation";
+    };
   };
 }

config/hosts/netbox/secrets.nix

@@ -1,7 +1,7 @@
-{ ... }:
+{ keyCommandEnv, ... }:
 {
   deployment.keys."netbox-secret-key.secret" = {
-    keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "netbox/secret-key" ];
+    keyCommand = keyCommandEnv ++ [ "pass" "netbox/secret-key" ];
     destDir = "/secrets";
     user = "netbox";
     group = "netbox";

config/hosts/nextcloud/secrets.nix

@@ -1,8 +1,8 @@
-{ ... }:
+{ keyCommandEnv, ... }:
 {
   deployment.keys = {
     "nextcloud-adminpass.secret" = {
-      keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "nextcloud/adminpass" ];
+      keyCommand = keyCommandEnv ++ [ "pass" "nextcloud/adminpass" ];
       destDir = "/secrets";
       user = "nextcloud";
       group = "nextcloud";
@@ -10,7 +10,7 @@
       uploadAt = "pre-activation";
     };
     "nextcloud-secretfile.secret" = {
-      keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "nextcloud/secretfile" ];
+      keyCommand = keyCommandEnv ++ [ "pass" "nextcloud/secretfile" ];
       destDir = "/secrets";
       user = "nextcloud";
       group = "nextcloud";

config/hosts/paperless/secrets.nix

@@ -1,19 +1,21 @@
-{ ... }:
+{ keyCommandEnv, ... }:
 {
-  deployment.keys."paperless-admin-password.secret" = {
+  deployment.keys = {
-    keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "paperless/admin-password" ];
+    "paperless-admin-password.secret" = {
-    destDir = "/secrets";
+      keyCommand = keyCommandEnv ++ [ "pass" "paperless/admin-password" ];
-    user = "paperless";
+      destDir = "/secrets";
-    group = "paperless";
+      user = "paperless";
-    permissions = "0640";
+      group = "paperless";
-    uploadAt = "pre-activation";
+      permissions = "0640";
-  };
+      uploadAt = "pre-activation";
-  deployment.keys."paperless-samba-credentials.secret" = {
+    };
-    keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "paperless/samba-credentials" ];
+    "paperless-samba-credentials.secret" = {
-    destDir = "/secrets";
+      keyCommand = keyCommandEnv ++ [ "pass" "paperless/samba-credentials" ];
-    user = "root";
+      destDir = "/secrets";
-    group = "root";
+      user = "root";
-    permissions = "0640";
+      group = "root";
-    uploadAt = "pre-activation";
+      permissions = "0640";
+      uploadAt = "pre-activation";
+    };
   };
 }

config/hosts/valkyrie/secrets.nix

@@ -1,51 +1,53 @@
-{ ... }:
+{ keyCommandEnv, ... }:
 {
-  deployment.keys."wireguard-valkyrie-wg0-privatekey.secret" = {
+  deployment.keys = {
-    keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "wireguard/valkyrie-wg0-privatekey" ];
+    "wireguard-valkyrie-wg0-privatekey.secret" = {
-    destDir = "/secrets";
+      keyCommand = keyCommandEnv ++ [ "pass" "wireguard/valkyrie-wg0-privatekey" ];
-    user = "root";
+      destDir = "/secrets";
-    group = "root";
+      user = "root";
-    permissions = "0640";
+      group = "root";
-    uploadAt = "pre-activation";
+      permissions = "0640";
-  };
+      uploadAt = "pre-activation";
-  deployment.keys."wireguard-valkyrie-site1-grzb-psk.secret" = {
+    };
-    keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "wireguard/valkyrie-site1-grzb/psk" ];
+    "wireguard-valkyrie-site1-grzb-psk.secret" = {
-    destDir = "/secrets";
+      keyCommand = keyCommandEnv ++ [ "pass" "wireguard/valkyrie-site1-grzb/psk" ];
-    user = "root";
+      destDir = "/secrets";
-    group = "root";
+      user = "root";
-    permissions = "0640";
+      group = "root";
-    uploadAt = "pre-activation";
+      permissions = "0640";
-  };
+      uploadAt = "pre-activation";
-  deployment.keys."wireguard-valkyrie-site2-grzb-psk.secret" = {
+    };
-    keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "wireguard/valkyrie-site2-grzb/psk" ];
+    "wireguard-valkyrie-site2-grzb-psk.secret" = {
-    destDir = "/secrets";
+      keyCommand = keyCommandEnv ++ [ "pass" "wireguard/valkyrie-site2-grzb/psk" ];
-    user = "root";
+      destDir = "/secrets";
-    group = "root";
+      user = "root";
-    permissions = "0640";
+      group = "root";
-    uploadAt = "pre-activation";
+      permissions = "0640";
-  };
+      uploadAt = "pre-activation";
-  deployment.keys."wireguard-valkyrie-site1-jsts-psk.secret" = {
+    };
-    keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "wireguard/valkyrie-site1-jsts/psk" ];
+    "wireguard-valkyrie-site1-jsts-psk.secret" = {
-    destDir = "/secrets";
+      keyCommand = keyCommandEnv ++ [ "pass" "wireguard/valkyrie-site1-jsts/psk" ];
-    user = "root";
+      destDir = "/secrets";
-    group = "root";
+      user = "root";
-    permissions = "0640";
+      group = "root";
-    uploadAt = "pre-activation";
+      permissions = "0640";
-  };
+      uploadAt = "pre-activation";
-  deployment.keys."wireguard-valkyrie-wg1-privatekey.secret" = {
+    };
-    keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "wireguard/valkyrie-wg1-privatekey" ];
+    "wireguard-valkyrie-wg1-privatekey.secret" = {
-    destDir = "/secrets";
+      keyCommand = keyCommandEnv ++ [ "pass" "wireguard/valkyrie-wg1-privatekey" ];
-    user = "root";
+      destDir = "/secrets";
-    group = "root";
+      user = "root";
-    permissions = "0640";
+      group = "root";
-    uploadAt = "pre-activation";
+      permissions = "0640";
-  };
+      uploadAt = "pre-activation";
-  deployment.keys."wireguard-valkyrie-mail-1-valkyrie-psk.secret" = {
+    };
-    keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "wireguard/valkyrie-mail-1/psk" ];
+    "wireguard-valkyrie-mail-1-valkyrie-psk.secret" = {
-    destDir = "/secrets";
+      keyCommand = keyCommandEnv ++ [ "pass" "wireguard/valkyrie-mail-1/psk" ];
-    user = "root";
+      destDir = "/secrets";
-    group = "root";
+      user = "root";
-    permissions = "0640";
+      group = "root";
-    uploadAt = "pre-activation";
+      permissions = "0640";
+      uploadAt = "pre-activation";
+    };
   };
 }

config/hosts/web-public-2/nginx.nix

@@ -11,33 +11,32 @@
       worker_connections 1024;
     '';
 
-    streamConfig = ''
-      map $ssl_preread_server_name $address {
-        anisync.grzb.de 127.0.0.1:8443;
-        birdsite.nekover.se 10.202.41.107:8443;
-        cloud.nekover.se 10.202.41.122:8443;
-        element.nekover.se 127.0.0.1:8443;
-        gameserver.grzb.de 127.0.0.1:8443;
-        git.grzb.de 127.0.0.1:8443;
-        hydra.nekover.se 10.202.41.121:8443;
-        matrix.nekover.se 10.202.41.112:8443;
-        mewtube.nekover.se 127.0.0.1:8443;
-        nekover.se 127.0.0.1:8443;
-        nix-cache.nekover.se 10.202.41.121:8443;
-        social.nekover.se 10.202.41.104:8443;
-      }
-
-      server {
-        listen 0.0.0.0:443;
-        listen [::]:443;
-        proxy_pass $address;
-        ssl_preread on;
-        proxy_protocol on;
-      }
-    '';
-
     appendConfig = ''
       worker_processes auto;
+
+      stream {
+        map $ssl_preread_server_name $address {
+          anisync.grzb.de 127.0.0.1:8443;
+          birdsite.nekover.se 10.202.41.107:8443;
+          cloud.nekover.se 10.202.41.122:8443;
+          element.nekover.se 127.0.0.1:8443;
+          gameserver.grzb.de 127.0.0.1:8443;
+          git.grzb.de 127.0.0.1:8443;
+          hydra.nekover.se 10.202.41.121:8443;
+          matrix.nekover.se 10.202.41.112:8443;
+          mewtube.nekover.se 127.0.0.1:8443;
+          nekover.se 127.0.0.1:8443;
+          nix-cache.nekover.se 10.202.41.121:8443;
+          social.nekover.se 10.202.41.104:8443;
+        }
+        server {
+          listen 0.0.0.0:443;
+          listen [::]:443;
+          proxy_pass $address;
+          ssl_preread on;
+          proxy_protocol on;
+        }
+      }
     '';
 
     appendHttpConfig = ''

config/hosts/web-public-2/virtualHosts/acme-challenge.nix

@@ -1,68 +1,23 @@
 { ... }:
-{
+let
-  services.nginx.virtualHosts = {
+  acmeDomainMap = {
-    "jellyfin.grzb.de" = {
+    "jellyfin.grzb.de" = "jellyfin.vs.grzb.de";
-      listen = [{ 
+    "mail-1.grzb.de" = "mail-1.vs.grzb.de";
-        addr = "0.0.0.0";
+    "social.nekover.se" = "mastodon.vs.grzb.de";
-        port = 80;
+    "matrix.nekover.se" = "matrix.vs.grzb.de";
-      }];
+    "netbox.grzb.de" = "netbox.vs.grzb.de";
-      locations."^~ /.well-known/acme-challenge/" = {
+    "grafana.grzb.de" = "metrics.vs.grzb.de";
-        proxyPass = "http://jellyfin.vs.grzb.de:80";
+    "turn.nekover.se" = "coturn.vs.grzb.de";
-      };
-    };
-    "mail-1.grzb.de" = {
-      listen = [{ 
-        addr = "0.0.0.0";
-        port = 80;
-      }];
-      locations."^~ /.well-known/acme-challenge/" = {
-        proxyPass = "http://mail-1.vs.grzb.de:80";
-      };
-    };
-    "mastodon.nekover.se" = {
-      listen = [{ 
-        addr = "0.0.0.0";
-        port = 80;
-      }];
-      locations."^~ /.well-known/acme-challenge/" = {
-        proxyPass = "http://mastodon.vs.grzb.de:80";
-      };
-    };
-    "matrix.nekover.se" = {
-      listen = [{ 
-        addr = "0.0.0.0";
-        port = 80;
-      }];
-      locations."^~ /.well-known/acme-challenge/" = {
-        proxyPass = "http://matrix.vs.grzb.de:80";
-      };
-    };
-    "netbox.grzb.de" = {
-      listen = [{ 
-        addr = "0.0.0.0";
-        port = 80;
-      }];
-      locations."^~ /.well-known/acme-challenge/" = {
-        proxyPass = "http://netbox.vs.grzb.de:80";
-      };
-    };
-    "grafana.grzb.de" = {
-      listen = [{ 
-        addr = "0.0.0.0";
-        port = 80;
-      }];
-      locations."^~ /.well-known/acme-challenge/" = {
-        proxyPass = "http://metrics.vs.grzb.de:80";
-      };
-    };
-    "turn.nekover.se" = {
-      listen = [{ 
-        addr = "0.0.0.0";
-        port = 80;
-      }];
-      locations."^~ /.well-known/acme-challenge/" = {
-        proxyPass = "http://coturn.vs.grzb.de:80";
-      };
-    };
   };
+in
+{
+  services.nginx.virtualHosts = (builtins.mapAttrs (domain: target: {
+    listen = [{ 
+      addr = "0.0.0.0";
+      port = 80;
+    }];
+    locations."^~ /.well-known/acme-challenge/" = {
+      proxyPass = "http://${target}:80";
+    };
+  }) acmeDomainMap);
 }

config/hosts/web-public-2/virtualHosts/anisync.grzb.de.nix

@@ -3,18 +3,12 @@
   services.nginx.virtualHosts."anisync.grzb.de" = {
     forceSSL = true;
     enableACME = true;
-    listen = [
+    listen = [{
-      { 
+      addr = "localhost";
-        addr = "localhost";
+      port = 8443;
-        port = 1234;
+      ssl = true;
-      } # workaround for enableACME check
+      extraParameters = ["proxy_protocol"];
-      {
+    }];
-        addr = "localhost";
-        port = 8443;
-        ssl = true;
-        proxyProtocol = true;
-      }
-    ];
     locations."/" = {
       proxyPass = "http://anisync.vs.grzb.de:8080";
       proxyWebsockets = true;

config/hosts/web-public-2/virtualHosts/gameserver.grzb.de.nix

@@ -3,18 +3,12 @@
   services.nginx.virtualHosts."gameserver.grzb.de" = {
     forceSSL = true;
     enableACME = true;
-    listen = [
+    listen = [{
-      { 
+      addr = "localhost";
-        addr = "localhost";
+      port = 8443;
-        port = 1234;
+      ssl = true;
-      } # workaround for enableACME check
+      extraParameters = ["proxy_protocol"];
-      {
+    }];
-        addr = "localhost";
-        port = 8443;
-        ssl = true;
-        proxyProtocol = true;
-      }
-    ];
     locations."/" = {
       proxyPass = "http://pterodactyl.vs.grzb.de";
       extraConfig = ''

config/hosts/web-public-2/virtualHosts/git.grzb.de.nix

@@ -3,18 +3,12 @@
   services.nginx.virtualHosts."git.grzb.de" = {
     forceSSL = true;
     enableACME = true;
-    listen = [
+    listen = [{
-      { 
+      addr = "localhost";
-        addr = "localhost";
+      port = 8443;
-        port = 1234;
+      ssl = true;
-      } # workaround for enableACME check
+      extraParameters = ["proxy_protocol"];
-      {
+    }];
-        addr = "localhost";
-        port = 8443;
-        ssl = true;
-        proxyProtocol = true;
-      }
-    ];
     locations."/" = {
       proxyPass = "http://gitlab.vs.grzb.de:80";
       extraConfig = ''

config/hosts/web-public-2/virtualHosts/mewtube.nekover.se.nix

@@ -3,18 +3,12 @@
   services.nginx.virtualHosts."mewtube.nekover.se" = {
     forceSSL = true;
     enableACME = true;
-    listen = [
+    listen = [{
-      { 
+      addr = "localhost";
-        addr = "localhost";
+      port = 8443;
-        port = 1234;
+      ssl = true;
-      } # workaround for enableACME check
+      extraParameters = ["proxy_protocol"];
-      {
+    }];
-        addr = "localhost";
-        port = 8443;
-        ssl = true;
-        proxyProtocol = true;
-      }
-    ];
     locations."/" = {
       proxyPass = "http://cloudtube.vs.grzb.de:10412";
     };

config/hosts/web-public-2/virtualHosts/nekover.se.nix

@@ -3,18 +3,12 @@
   services.nginx.virtualHosts."nekover.se" = {
     forceSSL = true;
     enableACME = true;
-    listen = [
+    listen = [{
-      { 
+      addr = "localhost";
-        addr = "localhost";
+      port = 8443;
-        port = 1234;
+      ssl = true;
-      } # workaround for enableACME check
+      extraParameters = ["proxy_protocol"];
-      {
+    }];
-        addr = "localhost";
-        port = 8443;
-        ssl = true;
-        proxyProtocol = true;
-      }
-    ];
     locations."/.well-known/matrix/server" = {
       return = "200 '{\"m.server\": \"matrix.nekover.se:443\"}'";
       extraConfig = ''

flake.nix

@@ -28,6 +28,9 @@
 
         specialArgs = {
           inherit nixpkgs-unstable hosts simple-nixos-mailserver;
+
+          # Provide environment for secret key command
+          keyCommandEnv = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" ];
         };
       };
     } // builtins.mapAttrs (helper.generateColmenaHost) hosts;

hosts.nix

@@ -102,7 +102,6 @@ in
       environment = "proxmox";
     };
     web-public-2 = {
-      hostNixpkgs = nixpkgs-unstable;
       site = "vs";
       environment = "proxmox";
     };