Add new wildcard certs for graven.se, openpgpkey WKD

This commit is contained in:
Emelie Graven 2021-11-27 22:48:34 +01:00
parent eb91a3beaf
commit 4de118b741
Signed by: emelie
GPG key ID: C11123726DBB55A1
11 changed files with 174 additions and 111 deletions


@ -12,7 +12,6 @@
./services/restic.nix
./services/synapse.nix
./services/postgres.nix
./services/mail.nix
];
boot.loader.grub.enable = true;


@ -1,25 +0,0 @@
{ config, ... }:
{
imports = [
(builtins.fetchTarball {
# Pick a commit from the branch you are interested in
url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/6e8142862f23ab99e1cc57838c02b733361e8d50/nixos-mailserver-6e8142862f23ab99e1cc57838c02b733361e8d50.tar.gz";
# And set its hash
sha256 = "19qzp8131pid4m3llb6w2v4ayxh25016fpv8yw6wnqng9yvigcw5";
})
];
mailserver = {
enable = true;
fqdn = "anarkafem.dev";
domains = [ "anarkafem.dev" ];
loginAccounts = {
"noreply@anarkafem.dev" = {
hashedPasswordFile = config.secrets.files.email_noreply.file;
};
};
certificateScheme = 3;
};
}


@ -25,6 +25,7 @@
withJemalloc = true;
servers = { "anarkafem.dev" = {}; };
extraConfig = ''
default_room_version: "9"
auto_join_rooms:
- "#suf-aalborg:anarkafem.dev"
'';


@ -13,6 +13,7 @@
./services/gitea.nix
./services/restic.nix
./services/vaultwarden.nix
./services/wireguard.nix
./data/secrets/secrets.nix
];



@ -4,11 +4,18 @@
security.acme = {
acceptTerms = true;
email = "admin+certs@graven.dev";
certs."graven.dev" = {
extraDomainNames = [ "*.graven.dev" ];
dnsProvider = "hurricane";
credentialsFile = config.secrets.files.acme_graven_dev.file;
};
certs = {
"graven.dev" = {
extraDomainNames = [ "*.graven.dev" ];
dnsProvider = "hurricane";
credentialsFile = config.secrets.files.acme_graven_dev.file;
};
"graven.se" = {
extraDomainNames = [ "*.graven.se" ];
dnsProvider = "hurricane";
credentialsFile = config.secrets.files.acme_graven_se.file;
};
};
};
}
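Review bot: The two entries under `certs` differ only in the domain and the secret they read, so `dnsProvider = "hurricane"` and the `extraDomainNames`/`credentialsFile` shape are now written out twice and will drift apart on the next edit; a small function applied per domain keeps one copy, as sketched below. Both credential files are DNS-01 secrets, i.e. they let the ACME client write records into the provider's zone for the whole domain, which is worth stating at the top of `certs` so the next reader knows why they live under `config.secrets` and must stay readable by the acme user only, e.g. `# DNS-01 credentials: these grant record-write access to the zone, never inline them`. The option path is consistent with the graven.dev entry the hunk replaces, so the new `graven.se` block looks correct as far as this file shows.
```nix
  certs = let
    # one wildcard cert per apex domain, validated via DNS-01 with the hurricane provider
    wildcard = domain: secret: {
      extraDomainNames = [ "*.${domain}" ];
      dnsProvider = "hurricane";
      credentialsFile = secret.file;
    };
  in {
    "graven.dev" = wildcard "graven.dev" config.secrets.files.acme_graven_dev;
    "graven.se" = wildcard "graven.se" config.secrets.files.acme_graven_se;
  };
```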


@ -1,79 +1,111 @@
{
imports = [ ../../../common/services/nginx.nix ];
services.nginx.virtualHosts = {
"graven.dev" = {
useACMEHost = "graven.dev";
forceSSL = true;
locations."/".root = "/var/www/graven.dev/public";
locations."/_matrix".proxyPass = "http://127.0.0.1:8008";
locations."/_synapse".proxyPass = "http://127.0.0.1:8008";
locations."/.well-known/matrix/" = {
root = "/var/www/matrix/public";
extraConfig = ''
default_type application/json;
add_header Access-Control-Allow-Origin "*";
add_header Strict-Transport-Security $hsts_header;
add_header Referrer-Policy "origin-when-cross-origin";
add_header X-Frame-Options "DENY";
add_header X-Content-Type-Options "nosniff";
add_header X-XSS-Protection "1; mode=block";
'';
};
};
"rss.graven.dev" = {
useACMEHost = "graven.dev";
forceSSL = true;
};
"git.graven.dev" = {
useACMEHost = "graven.dev";
forceSSL = true;
locations."/".proxyPass = "http://unix:/run/gitea/gitea.sock:";
};
"vault.graven.dev" = {
forceSSL = true;
useACMEHost = "graven.dev";
locations."/" = {
proxyPass = "http://localhost:8812";
proxyWebsockets = true;
};
locations."/notifications/hub" = {
proxyPass = "http://localhost:3012";
proxyWebsockets = true;
};
locations."/notifications/hub/negotiate" = {
proxyPass = "http://localhost:8812";
proxyWebsockets = true;
};
};
"mta-sts.graven.dev" = {
forceSSL = true;
enableACME = true;
root = "/var/www/mta-sts/public";
};
"mta-sts.graven.se" = {
forceSSL = true;
enableACME = true;
root = "/var/www/mta-sts/public";
};
"mta-sts.nao.sh" = {
forceSSL = true;
enableACME = true;
root = "/var/www/mta-sts/public";
};
"mta-sts.amandag.net" = {
forceSSL = true;
enableACME = true;
root = "/var/www/mta-sts/public";
};
"mta-sts.queersin.space" = {
forceSSL = true;
enableACME = true;
root = "/var/www/mta-sts/public";
};
"mta-sts.anarkafem.dev" = {
forceSSL = true;
enableACME = true;
root = "/var/www/mta-sts/public";
};
};
imports = [ ../../../common/services/nginx.nix ];
services.nginx.virtualHosts = {
"graven.dev" = {
useACMEHost = "graven.dev";
forceSSL = true;
locations."/".root = "/var/www/graven.dev/public";
locations."/_matrix".proxyPass = "http://127.0.0.1:8008";
locations."/_synapse".proxyPass = "http://127.0.0.1:8008";
locations."/.well-known/matrix/" = {
root = "/var/www/matrix/public";
extraConfig = ''
default_type application/json;
add_header Access-Control-Allow-Origin "*";
add_header Strict-Transport-Security $hsts_header;
add_header Referrer-Policy "same-origin";
add_header X-Frame-Options "DENY";
add_header X-Content-Type-Options "nosniff";
add_header X-XSS-Protection "1; mode=block";
'';
};
};
"rss.graven.dev" = {
useACMEHost = "graven.dev";
forceSSL = true;
};
"git.graven.dev" = {
useACMEHost = "graven.dev";
forceSSL = true;
locations."/".proxyPass = "http://unix:/run/gitea/gitea.sock:";
};
"vault.graven.dev" = {
forceSSL = true;
useACMEHost = "graven.dev";
locations."/" = {
proxyPass = "http://localhost:8812";
proxyWebsockets = true;
};
locations."/notifications/hub" = {
proxyPass = "http://localhost:3012";
proxyWebsockets = true;
};
locations."/notifications/hub/negotiate" = {
proxyPass = "http://localhost:8812";
proxyWebsockets = true;
};
};
"openpgpkey.graven.dev" = {
forceSSL = true;
useACMEHost = "graven.dev";
locations."/" = {
root = "/var/www/openpgpkey/graven.dev";
extraConfig = ''
default_type "application/octet-stream";
add_header Access-Control-Allow-Origin "*";
add_header Strict-Transport-Security $hsts_header;
add_header Referrer-Policy "same-origin";
add_header X-Frame-Options "DENY";
add_header X-Content-Type-Options "nosniff";
add_header X-XSS-Protection "1; mode=block";
'';
};
};
"openpgpkey.graven.se" = {
forceSSL = true;
useACMEHost = "graven.se";
locations."/" = {
root = "/var/www/openpgpkey/graven.se";
extraConfig = ''
default_type "application/octet-stream";
add_header Access-Control-Allow-Origin "*";
add_header Strict-Transport-Security $hsts_header;
add_header Referrer-Policy "same-origin";
add_header X-Frame-Options "DENY";
add_header X-Content-Type-Options "nosniff";
add_header X-XSS-Protection "1; mode=block";
'';
};
};
"mta-sts.graven.dev" = {
forceSSL = true;
enableACME = true;
root = "/var/www/mta-sts/public";
};
"mta-sts.graven.se" = {
forceSSL = true;
enableACME = true;
root = "/var/www/mta-sts/public";
};
"mta-sts.nao.sh" = {
forceSSL = true;
enableACME = true;
root = "/var/www/mta-sts/public";
};
"mta-sts.amandag.net" = {
forceSSL = true;
enableACME = true;
root = "/var/www/mta-sts/public";
};
"mta-sts.queersin.space" = {
forceSSL = true;
enableACME = true;
root = "/var/www/mta-sts/public";
};
"mta-sts.anarkafem.dev" = {
forceSSL = true;
enableACME = true;
root = "/var/www/mta-sts/public";
};
};
}


@ -0,0 +1,48 @@
{ pkgs, config, ... }:
{
networking.nat.enable = true;
networking.nat.externalInterface = "ens3";
networking.nat.internalInterfaces = [ "wg0" ];
networking.firewall = {
allowedUDPPorts = [ 51820 ];
};
networking.wireguard.interfaces = {
# "wg0" is the network interface name. You can name the interface arbitrarily.
wg0 = {
# Determines the IP address and subnet of the server's end of the tunnel interface.
ips = [ "10.100.0.1/24" ];
# The port that WireGuard listens to. Must be accessible by the client.
listenPort = 51820;
# This allows the wireguard server to route your traffic to the internet and hence be like a VPN
# For this to work you have to set the dnsserver IP of your router (or dnsserver of choice) in your clients
postSetup = ''
${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o ens3 -j MASQUERADE
'';
# This undoes the above command
postShutdown = ''
${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o ens3 -j MASQUERADE
'';
# Path to the private key file.
#
# Note: The private key can also be included inline via the privateKey option,
# but this makes the private key world-readable; thus, using privateKeyFile is
# recommended.
privateKeyFile = builtins.toString config.secrets.files.wg_key.file;
peers = [
# List of allowed peers.
{ # Feel free to give a meaning full name
# Public key of the peer (not a file path).
publicKey = "5u3lMMKcFWohjs0jomG/86MffY8l4E6jbqjJzdyy6ik=";
# List of IPs assigned to this peer within the tunnel subnet. Used to configure routing.
allowedIPs = [ "10.100.0.2/32" ];
}
];
};
};
}
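Review bot: The MASQUERADE rule in `postSetup`/`postShutdown` appears to duplicate what `networking.nat.enable` together with `internalInterfaces = [ "wg0" ]` already installs for traffic leaving via `ens3` (as far as the NixOS NAT module is concerned — worth confirming), and it hard-codes the external interface a second time next to `networking.nat.externalInterface`. Either drop the iptables hooks or bind the interface name once in a `let` and reference it from both places, so a NIC rename cannot leave a stale rule in the nat table. The peer entry keeps the wiki template comments (`# Feel free to give a meaning full name`, `# List of allowed peers.`) instead of saying which device owns `10.100.0.2`; a single comment such as `# <device/owner>: the only client allowed through this tunnel` would carry more information. The hunk header reports 48 lines but fewer are shown here, so some lines of this file are not visible in this view.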


@ -29,10 +29,10 @@
"homepage": "",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "d00918ccaf7e1532d35db2f1e3d44db3da39b851",
"sha256": "0ynxk7vacv8nljkr60f1sdyh0a65lb6w8kzv5m30hy2qba7samrf",
"rev": "db22325869a05e376dbab1c31ea7664dd5fcf860",
"sha256": "0pihqkl1c5bmb62657r38irvacav51ab0r4vfa2wn027ch1ry29m",
"type": "tarball",
"url": "https://github.com/NixOS/nixpkgs/archive/d00918ccaf7e1532d35db2f1e3d44db3da39b851.tar.gz",
"url": "https://github.com/NixOS/nixpkgs/archive/db22325869a05e376dbab1c31ea7664dd5fcf860.tar.gz",
"url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
},
"nixus": {