Refactored how SSL certs are configured for nginx

Made a separate ACME module to handle requesting certs from multiple
machines. Right now, the module only supports exactly one wildcard cert.
It might make sense to have cache.kilonull.com use a cert specific to
its subdomain rather than also requesting a wildcard cert (or maybe the
nginx on its host shouldn't care about TLS and it should be node's
responsibility).
Alejandro Angulo 2023-07-16 10:53:02 -07:00
parent 60917107b1
commit d5969ca923
Signed by: alejandro-angulo
GPG key ID: 75579581C74554B6
9 changed files with 128 additions and 41 deletions


@ -8,6 +8,8 @@
./zfs.nix
];
age.secrets.cf_dns_kilonull.file = ../../../secrets/cf_dns_kilonull.age;
aa = {
nix.enable = true;
@ -19,11 +21,19 @@
apps.yubikey.enable = true;
security.acme = {
enable = true;
# useStaging = true;
domainName = "kilonull.com";
dnsCredentialsFile = config.age.secrets.cf_dns_kilonull.path;
};
services.openssh.enable = true;
services.nix-serve = {
enable = true;
domain_name = "kilonull.com";
subdomain_name = "gospel";
subdomain_name = "cache";
acmeCertName = "kilonull.com";
};
services.printing.enable = true;
services.tailscale = {
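Review bot: `dnsCredentialsFile = config.age.secrets.cf_dns_kilonull.path;` places the same Cloudflare DNS credential on every host that enables `security.acme` (the second file section repeats the same block), so each machine now holds a secret that can alter records for the whole zone rather than just prove control of its own name, and a compromise of any one of them exposes it. If the token cannot be restricted to the minimum DNS-edit permission on this single zone, issuing the wildcard on one host and distributing the certificate instead of the credential would keep the blast radius smaller. How the new module feeds this file to the ACME client is outside the diff, so its expected contents are not visible here; a comment such as `# env-style file read by the ACME module's DNS provider; see the acme module for the variables it expects` next to the line would document that. `acmeCertName = "kilonull.com"` also repeats `domainName` verbatim in `services.nix-serve`; `acmeCertName = config.security.acme.domainName;` would keep the two from drifting apart. The enclosing module attribute set opens and closes outside the hunk.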


@ -8,6 +8,8 @@
./zfs.nix
];
age.secrets.cf_dns_kilonull.file = ../../../secrets/cf_dns_kilonull.age;
aa = {
nix.enable = true;
nix.useSelfhostedCache = true;
@ -18,8 +20,20 @@
configureServerRouting = true;
};
services.openssh.enable = true;
services.adguardhome.enable = true;
services.nextcloud.enable = true;
services.adguardhome = {
enable = true;
acmeCertName = "kilonull.com";
};
services.nextcloud = {
enable = true;
acmeCertName = "kilonull.com";
};
security.acme = {
enable = true;
domainName = "kilonull.com";
dnsCredentialsFile = config.age.secrets.cf_dns_kilonull.path;
};
system.zfs.enable = true;
system.monitoring.enable = true;