emelie/nix-deploy
1
0
Fork 0
Code Issues 1 Pull requests 1 Projects Releases Wiki Activity

Add new wildcard certs for graven.se, openpgpkey WKD

Browse source
This commit is contained in:
Emelie Graven 2021-11-27 22:48:34 +01:00
parent eb91a3beaf
commit 4de118b741
Signed by: emelie
GPG key ID: C11123726DBB55A1
11 changed files with 174 additions and 111 deletions
Download patch file Download diff file Expand all files Collapse all files

1
unstable/config/hosts/wind/configuration.nix
View file

@ -13,6 +13,7 @@
./services/gitea.nix
./services/restic.nix
./services/vaultwarden.nix
./services/wireguard.nix
./data/secrets/secrets.nix
];

BIN
unstable/config/hosts/wind/data/secrets/acme_graven_se.env Normal file
View file

Binary file not shown.

BIN
unstable/config/hosts/wind/data/secrets/secrets.nix
View file

Binary file not shown.

BIN
unstable/config/hosts/wind/data/secrets/wg_key Normal file
View file

Binary file not shown.

17
unstable/config/hosts/wind/services/acme.nix
View file

@ -4,11 +4,18 @@
security.acme = {
acceptTerms = true;
email = "admin+certs@graven.dev";
certs."graven.dev" = {
extraDomainNames = [ "*.graven.dev" ];
dnsProvider = "hurricane";
credentialsFile = config.secrets.files.acme_graven_dev.file;
};
certs = {
"graven.dev" = {
extraDomainNames = [ "*.graven.dev" ];
dnsProvider = "hurricane";
credentialsFile = config.secrets.files.acme_graven_dev.file;
};
"graven.se" = {
extraDomainNames = [ "*.graven.se" ];
dnsProvider = "hurricane";
credentialsFile = config.secrets.files.acme_graven_se.file;
};
};
};
}

186
unstable/config/hosts/wind/services/nginx.nix
View file

@ -1,79 +1,111 @@
{
imports = [ ../../../common/services/nginx.nix ];
services.nginx.virtualHosts = {
"graven.dev" = {
useACMEHost = "graven.dev";
forceSSL = true;
locations."/".root = "/var/www/graven.dev/public";
locations."/_matrix".proxyPass = "http://127.0.0.1:8008";
locations."/_synapse".proxyPass = "http://127.0.0.1:8008";
locations."/.well-known/matrix/" = {
root = "/var/www/matrix/public";
extraConfig = ''
default_type application/json;
add_header Access-Control-Allow-Origin "*";
add_header Strict-Transport-Security $hsts_header;
add_header Referrer-Policy "origin-when-cross-origin";
add_header X-Frame-Options "DENY";
add_header X-Content-Type-Options "nosniff";
add_header X-XSS-Protection "1; mode=block";
'';
};
};
"rss.graven.dev" = {
useACMEHost = "graven.dev";
forceSSL = true;
};
"git.graven.dev" = {
useACMEHost = "graven.dev";
forceSSL = true;
locations."/".proxyPass = "http://unix:/run/gitea/gitea.sock:";
};
"vault.graven.dev" = {
forceSSL = true;
useACMEHost = "graven.dev";
locations."/" = {
proxyPass = "http://localhost:8812";
proxyWebsockets = true;
};
locations."/notifications/hub" = {
proxyPass = "http://localhost:3012";
proxyWebsockets = true;
};
locations."/notifications/hub/negotiate" = {
proxyPass = "http://localhost:8812";
proxyWebsockets = true;
};
};
"mta-sts.graven.dev" = {
forceSSL = true;
enableACME = true;
root = "/var/www/mta-sts/public";
};
"mta-sts.graven.se" = {
forceSSL = true;
enableACME = true;
root = "/var/www/mta-sts/public";
};
"mta-sts.nao.sh" = {
forceSSL = true;
enableACME = true;
root = "/var/www/mta-sts/public";
};
"mta-sts.amandag.net" = {
forceSSL = true;
enableACME = true;
root = "/var/www/mta-sts/public";
};
"mta-sts.queersin.space" = {
forceSSL = true;
enableACME = true;
root = "/var/www/mta-sts/public";
};
"mta-sts.anarkafem.dev" = {
forceSSL = true;
enableACME = true;
root = "/var/www/mta-sts/public";
};
};
imports = [ ../../../common/services/nginx.nix ];
services.nginx.virtualHosts = {
"graven.dev" = {
useACMEHost = "graven.dev";
forceSSL = true;
locations."/".root = "/var/www/graven.dev/public";
locations."/_matrix".proxyPass = "http://127.0.0.1:8008";
locations."/_synapse".proxyPass = "http://127.0.0.1:8008";
locations."/.well-known/matrix/" = {
root = "/var/www/matrix/public";
extraConfig = ''
default_type application/json;
add_header Access-Control-Allow-Origin "*";
add_header Strict-Transport-Security $hsts_header;
add_header Referrer-Policy "same-origin";
add_header X-Frame-Options "DENY";
add_header X-Content-Type-Options "nosniff";
add_header X-XSS-Protection "1; mode=block";
'';
};
};
"rss.graven.dev" = {
useACMEHost = "graven.dev";
forceSSL = true;
};
"git.graven.dev" = {
useACMEHost = "graven.dev";
forceSSL = true;
locations."/".proxyPass = "http://unix:/run/gitea/gitea.sock:";
};
"vault.graven.dev" = {
forceSSL = true;
useACMEHost = "graven.dev";
locations."/" = {
proxyPass = "http://localhost:8812";
proxyWebsockets = true;
};
locations."/notifications/hub" = {
proxyPass = "http://localhost:3012";
proxyWebsockets = true;
};
locations."/notifications/hub/negotiate" = {
proxyPass = "http://localhost:8812";
proxyWebsockets = true;
};
};
"openpgpkey.graven.dev" = {
forceSSL = true;
useACMEHost = "graven.dev";
locations."/" = {
root = "/var/www/openpgpkey/graven.dev";
extraConfig = ''
default_type "application/octet-stream";
add_header Access-Control-Allow-Origin "*";
add_header Strict-Transport-Security $hsts_header;
add_header Referrer-Policy "same-origin";
add_header X-Frame-Options "DENY";
add_header X-Content-Type-Options "nosniff";
add_header X-XSS-Protection "1; mode=block";
'';
};
};
"openpgpkey.graven.se" = {
forceSSL = true;
useACMEHost = "graven.se";
locations."/" = {
root = "/var/www/openpgpkey/graven.se";
extraConfig = ''
default_type "application/octet-stream";
add_header Access-Control-Allow-Origin "*";
add_header Strict-Transport-Security $hsts_header;
add_header Referrer-Policy "same-origin";
add_header X-Frame-Options "DENY";
add_header X-Content-Type-Options "nosniff";
add_header X-XSS-Protection "1; mode=block";
'';
};
};
"mta-sts.graven.dev" = {
forceSSL = true;
enableACME = true;
root = "/var/www/mta-sts/public";
};
"mta-sts.graven.se" = {
forceSSL = true;
enableACME = true;
root = "/var/www/mta-sts/public";
};
"mta-sts.nao.sh" = {
forceSSL = true;
enableACME = true;
root = "/var/www/mta-sts/public";
};
"mta-sts.amandag.net" = {
forceSSL = true;
enableACME = true;
root = "/var/www/mta-sts/public";
};
"mta-sts.queersin.space" = {
forceSSL = true;
enableACME = true;
root = "/var/www/mta-sts/public";
};
"mta-sts.anarkafem.dev" = {
forceSSL = true;
enableACME = true;
root = "/var/www/mta-sts/public";
};
};
}

48
unstable/config/hosts/wind/services/wireguard.nix Normal file
View file

@ -0,0 +1,48 @@
{ pkgs, config, ... }:
{
networking.nat.enable = true;
networking.nat.externalInterface = "ens3";
networking.nat.internalInterfaces = [ "wg0" ];
networking.firewall = {
allowedUDPPorts = [ 51820 ];
};
networking.wireguard.interfaces = {
# "wg0" is the network interface name. You can name the interface arbitrarily.
wg0 = {
# Determines the IP address and subnet of the server's end of the tunnel interface.
ips = [ "10.100.0.1/24" ];
# The port that WireGuard listens to. Must be accessible by the client.
listenPort = 51820;
# This allows the wireguard server to route your traffic to the internet and hence be like a VPN
# For this to work you have to set the dnsserver IP of your router (or dnsserver of choice) in your clients
postSetup = ''
${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o ens3 -j MASQUERADE
'';
# This undoes the above command
postShutdown = ''
${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o ens3 -j MASQUERADE
'';
# Path to the private key file.
#
# Note: The private key can also be included inline via the privateKey option,
# but this makes the private key world-readable; thus, using privateKeyFile is
# recommended.
privateKeyFile = builtins.toString config.secrets.files.wg_key.file;
peers = [
# List of allowed peers.
{ # Feel free to give a meaning full name
# Public key of the peer (not a file path).
publicKey = "5u3lMMKcFWohjs0jomG/86MffY8l4E6jbqjJzdyy6ik=";
# List of IPs assigned to this peer within the tunnel subnet. Used to configure routing.
allowedIPs = [ "10.100.0.2/32" ];
}
];
};
};
}