Add new wildcard certs for graven.se, openpgpkey WKD
This commit is contained in:
parent
eb91a3beaf
commit
4de118b741
|
@ -12,7 +12,6 @@
|
||||||
./services/restic.nix
|
./services/restic.nix
|
||||||
./services/synapse.nix
|
./services/synapse.nix
|
||||||
./services/postgres.nix
|
./services/postgres.nix
|
||||||
./services/mail.nix
|
|
||||||
];
|
];
|
||||||
|
|
||||||
boot.loader.grub.enable = true;
|
boot.loader.grub.enable = true;
|
||||||
|
|
|
@ -1,25 +0,0 @@
|
||||||
{ config, ... }:
|
|
||||||
{
|
|
||||||
imports = [
|
|
||||||
(builtins.fetchTarball {
|
|
||||||
# Pick a commit from the branch you are interested in
|
|
||||||
url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/6e8142862f23ab99e1cc57838c02b733361e8d50/nixos-mailserver-6e8142862f23ab99e1cc57838c02b733361e8d50.tar.gz";
|
|
||||||
# And set its hash
|
|
||||||
sha256 = "19qzp8131pid4m3llb6w2v4ayxh25016fpv8yw6wnqng9yvigcw5";
|
|
||||||
})
|
|
||||||
];
|
|
||||||
|
|
||||||
mailserver = {
|
|
||||||
enable = true;
|
|
||||||
fqdn = "anarkafem.dev";
|
|
||||||
domains = [ "anarkafem.dev" ];
|
|
||||||
loginAccounts = {
|
|
||||||
"noreply@anarkafem.dev" = {
|
|
||||||
hashedPasswordFile = config.secrets.files.email_noreply.file;
|
|
||||||
|
|
||||||
};
|
|
||||||
};
|
|
||||||
certificateScheme = 3;
|
|
||||||
};
|
|
||||||
}
|
|
||||||
|
|
|
@ -25,6 +25,7 @@
|
||||||
withJemalloc = true;
|
withJemalloc = true;
|
||||||
servers = { "anarkafem.dev" = {}; };
|
servers = { "anarkafem.dev" = {}; };
|
||||||
extraConfig = ''
|
extraConfig = ''
|
||||||
|
default_room_version: "9"
|
||||||
auto_join_rooms:
|
auto_join_rooms:
|
||||||
- "#suf-aalborg:anarkafem.dev"
|
- "#suf-aalborg:anarkafem.dev"
|
||||||
'';
|
'';
|
||||||
|
|
|
@ -13,6 +13,7 @@
|
||||||
./services/gitea.nix
|
./services/gitea.nix
|
||||||
./services/restic.nix
|
./services/restic.nix
|
||||||
./services/vaultwarden.nix
|
./services/vaultwarden.nix
|
||||||
|
./services/wireguard.nix
|
||||||
./data/secrets/secrets.nix
|
./data/secrets/secrets.nix
|
||||||
];
|
];
|
||||||
|
|
||||||
|
|
BIN
unstable/config/hosts/wind/data/secrets/acme_graven_se.env
Normal file
BIN
unstable/config/hosts/wind/data/secrets/acme_graven_se.env
Normal file
Binary file not shown.
Binary file not shown.
BIN
unstable/config/hosts/wind/data/secrets/wg_key
Normal file
BIN
unstable/config/hosts/wind/data/secrets/wg_key
Normal file
Binary file not shown.
|
@ -4,11 +4,18 @@
|
||||||
security.acme = {
|
security.acme = {
|
||||||
acceptTerms = true;
|
acceptTerms = true;
|
||||||
email = "admin+certs@graven.dev";
|
email = "admin+certs@graven.dev";
|
||||||
certs."graven.dev" = {
|
certs = {
|
||||||
extraDomainNames = [ "*.graven.dev" ];
|
"graven.dev" = {
|
||||||
dnsProvider = "hurricane";
|
extraDomainNames = [ "*.graven.dev" ];
|
||||||
credentialsFile = config.secrets.files.acme_graven_dev.file;
|
dnsProvider = "hurricane";
|
||||||
};
|
credentialsFile = config.secrets.files.acme_graven_dev.file;
|
||||||
|
};
|
||||||
|
"graven.se" = {
|
||||||
|
extraDomainNames = [ "*.graven.se" ];
|
||||||
|
dnsProvider = "hurricane";
|
||||||
|
credentialsFile = config.secrets.files.acme_graven_se.file;
|
||||||
|
};
|
||||||
|
};
|
||||||
};
|
};
|
||||||
}
|
}
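Review bot: Both certificates now repeat `dnsProvider = "hurricane"`, and together with `email` these belong in `security.acme.defaults` (`security.acme.defaults = { email = "admin+certs@graven.dev"; dnsProvider = "hurricane"; };`) if the pinned nixpkgs is 22.05 or newer, so a third zone only needs its `extraDomainNames` and `credentialsFile`. The lego hurricane provider reads per-record dynamic-DNS tokens from `credentialsFile`, so the blast radius of `acme_graven_se.env` leaking is bounded only if the token was generated for the `_acme-challenge.graven.se` TXT record rather than for the zone; the file is a binary blob in this commit, so that cannot be checked here and deserves a comment on the `credentialsFile` line such as `# HE DDNS token scoped to _acme-challenge.graven.se only`. Neither certificate sets `group`, and `openpgpkey.graven.se` reads the new one through `useACMEHost`; whatever gives nginx read access to the `graven.dev` key material today (a `group = "nginx"` or a group membership configured outside this hunk) has to cover `graven.se` as well, or the new vhost will fail to load its key.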
|
||||||
|
|
||||||
|
|
|
@ -1,79 +1,111 @@
|
||||||
{
|
{
|
||||||
imports = [ ../../../common/services/nginx.nix ];
|
imports = [ ../../../common/services/nginx.nix ];
|
||||||
services.nginx.virtualHosts = {
|
services.nginx.virtualHosts = {
|
||||||
"graven.dev" = {
|
"graven.dev" = {
|
||||||
useACMEHost = "graven.dev";
|
useACMEHost = "graven.dev";
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
locations."/".root = "/var/www/graven.dev/public";
|
locations."/".root = "/var/www/graven.dev/public";
|
||||||
locations."/_matrix".proxyPass = "http://127.0.0.1:8008";
|
locations."/_matrix".proxyPass = "http://127.0.0.1:8008";
|
||||||
locations."/_synapse".proxyPass = "http://127.0.0.1:8008";
|
locations."/_synapse".proxyPass = "http://127.0.0.1:8008";
|
||||||
locations."/.well-known/matrix/" = {
|
locations."/.well-known/matrix/" = {
|
||||||
root = "/var/www/matrix/public";
|
root = "/var/www/matrix/public";
|
||||||
extraConfig = ''
|
extraConfig = ''
|
||||||
default_type application/json;
|
default_type application/json;
|
||||||
add_header Access-Control-Allow-Origin "*";
|
add_header Access-Control-Allow-Origin "*";
|
||||||
add_header Strict-Transport-Security $hsts_header;
|
add_header Strict-Transport-Security $hsts_header;
|
||||||
add_header Referrer-Policy "origin-when-cross-origin";
|
add_header Referrer-Policy "same-origin";
|
||||||
add_header X-Frame-Options "DENY";
|
add_header X-Frame-Options "DENY";
|
||||||
add_header X-Content-Type-Options "nosniff";
|
add_header X-Content-Type-Options "nosniff";
|
||||||
add_header X-XSS-Protection "1; mode=block";
|
add_header X-XSS-Protection "1; mode=block";
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
"rss.graven.dev" = {
|
"rss.graven.dev" = {
|
||||||
useACMEHost = "graven.dev";
|
useACMEHost = "graven.dev";
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
};
|
};
|
||||||
"git.graven.dev" = {
|
"git.graven.dev" = {
|
||||||
useACMEHost = "graven.dev";
|
useACMEHost = "graven.dev";
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
locations."/".proxyPass = "http://unix:/run/gitea/gitea.sock:";
|
locations."/".proxyPass = "http://unix:/run/gitea/gitea.sock:";
|
||||||
};
|
};
|
||||||
"vault.graven.dev" = {
|
"vault.graven.dev" = {
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
useACMEHost = "graven.dev";
|
useACMEHost = "graven.dev";
|
||||||
locations."/" = {
|
locations."/" = {
|
||||||
proxyPass = "http://localhost:8812";
|
proxyPass = "http://localhost:8812";
|
||||||
proxyWebsockets = true;
|
proxyWebsockets = true;
|
||||||
};
|
};
|
||||||
locations."/notifications/hub" = {
|
locations."/notifications/hub" = {
|
||||||
proxyPass = "http://localhost:3012";
|
proxyPass = "http://localhost:3012";
|
||||||
proxyWebsockets = true;
|
proxyWebsockets = true;
|
||||||
};
|
};
|
||||||
locations."/notifications/hub/negotiate" = {
|
locations."/notifications/hub/negotiate" = {
|
||||||
proxyPass = "http://localhost:8812";
|
proxyPass = "http://localhost:8812";
|
||||||
proxyWebsockets = true;
|
proxyWebsockets = true;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
"mta-sts.graven.dev" = {
|
"openpgpkey.graven.dev" = {
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
enableACME = true;
|
useACMEHost = "graven.dev";
|
||||||
root = "/var/www/mta-sts/public";
|
locations."/" = {
|
||||||
};
|
root = "/var/www/openpgpkey/graven.dev";
|
||||||
"mta-sts.graven.se" = {
|
extraConfig = ''
|
||||||
forceSSL = true;
|
default_type "application/octet-stream";
|
||||||
enableACME = true;
|
add_header Access-Control-Allow-Origin "*";
|
||||||
root = "/var/www/mta-sts/public";
|
add_header Strict-Transport-Security $hsts_header;
|
||||||
};
|
add_header Referrer-Policy "same-origin";
|
||||||
"mta-sts.nao.sh" = {
|
add_header X-Frame-Options "DENY";
|
||||||
forceSSL = true;
|
add_header X-Content-Type-Options "nosniff";
|
||||||
enableACME = true;
|
add_header X-XSS-Protection "1; mode=block";
|
||||||
root = "/var/www/mta-sts/public";
|
'';
|
||||||
};
|
};
|
||||||
"mta-sts.amandag.net" = {
|
};
|
||||||
forceSSL = true;
|
"openpgpkey.graven.se" = {
|
||||||
enableACME = true;
|
forceSSL = true;
|
||||||
root = "/var/www/mta-sts/public";
|
useACMEHost = "graven.se";
|
||||||
};
|
locations."/" = {
|
||||||
"mta-sts.queersin.space" = {
|
root = "/var/www/openpgpkey/graven.se";
|
||||||
forceSSL = true;
|
extraConfig = ''
|
||||||
enableACME = true;
|
default_type "application/octet-stream";
|
||||||
root = "/var/www/mta-sts/public";
|
add_header Access-Control-Allow-Origin "*";
|
||||||
};
|
add_header Strict-Transport-Security $hsts_header;
|
||||||
"mta-sts.anarkafem.dev" = {
|
add_header Referrer-Policy "same-origin";
|
||||||
forceSSL = true;
|
add_header X-Frame-Options "DENY";
|
||||||
enableACME = true;
|
add_header X-Content-Type-Options "nosniff";
|
||||||
root = "/var/www/mta-sts/public";
|
add_header X-XSS-Protection "1; mode=block";
|
||||||
};
|
'';
|
||||||
};
|
};
|
||||||
|
};
|
||||||
|
"mta-sts.graven.dev" = {
|
||||||
|
forceSSL = true;
|
||||||
|
enableACME = true;
|
||||||
|
root = "/var/www/mta-sts/public";
|
||||||
|
};
|
||||||
|
"mta-sts.graven.se" = {
|
||||||
|
forceSSL = true;
|
||||||
|
enableACME = true;
|
||||||
|
root = "/var/www/mta-sts/public";
|
||||||
|
};
|
||||||
|
"mta-sts.nao.sh" = {
|
||||||
|
forceSSL = true;
|
||||||
|
enableACME = true;
|
||||||
|
root = "/var/www/mta-sts/public";
|
||||||
|
};
|
||||||
|
"mta-sts.amandag.net" = {
|
||||||
|
forceSSL = true;
|
||||||
|
enableACME = true;
|
||||||
|
root = "/var/www/mta-sts/public";
|
||||||
|
};
|
||||||
|
"mta-sts.queersin.space" = {
|
||||||
|
forceSSL = true;
|
||||||
|
enableACME = true;
|
||||||
|
root = "/var/www/mta-sts/public";
|
||||||
|
};
|
||||||
|
"mta-sts.anarkafem.dev" = {
|
||||||
|
forceSSL = true;
|
||||||
|
enableACME = true;
|
||||||
|
root = "/var/www/mta-sts/public";
|
||||||
|
};
|
||||||
|
};
|
||||||
}
|
}
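Review bot: `mta-sts.graven.se` still requests its own HTTP-01 certificate with `enableACME = true` even though this commit adds the `*.graven.se` wildcard that `openpgpkey.graven.se` already consumes; switch it to `useACMEHost = "graven.se";` (and `mta-sts.graven.dev` to `useACMEHost = "graven.dev";`) so one certificate per zone is issued and no separate HTTP-01 challenge has to succeed for hosts a wildcard already covers. The two `openpgpkey.*` vhosts and the six `mta-sts.*` vhosts are verbatim copies differing only in the domain, so the header block and the certificate choice should live in one place, as sketched below. While the security-header block is being copied, `X-XSS-Protection "1; mode=block"` is a legacy header whose auditor no longer exists in current browsers and caused side-channel issues in older ones; MDN and the OWASP headers cheat sheet now recommend `add_header X-XSS-Protection "0";` or dropping it. The `root` on `locations."/"` means the `.well-known/openpgpkey/<domain>/hu/` tree has to exist under `/var/www/openpgpkey/<domain>`, which is worth a one-line comment since nothing in the vhost restricts the path.

```nix
let
  # Shared header block for the WKD vhosts. add_header inside a location
  # discards the server-level headers, so HSTS is restated here.
  wkdHeaders = ''
    default_type "application/octet-stream";
    add_header Access-Control-Allow-Origin "*";
    add_header Strict-Transport-Security $hsts_header;
    add_header Referrer-Policy "same-origin";
    add_header X-Frame-Options "DENY";
    add_header X-Content-Type-Options "nosniff";
    add_header X-XSS-Protection "0";
  '';
  # WKD (advanced method) host for `domain`, served from that zone's wildcard;
  # expects /var/www/openpgpkey/<domain>/.well-known/openpgpkey/<domain>/... on disk.
  mkWkd = domain: {
    forceSSL = true;
    useACMEHost = domain;
    locations."/" = {
      root = "/var/www/openpgpkey/${domain}";
      extraConfig = wkdHeaders;
    };
  };
  # MTA-STS policy host; `cert` names a wildcard cert, null falls back to HTTP-01.
  mkMtaSts = cert: {
    forceSSL = true;
    root = "/var/www/mta-sts/public";
  } // (if cert == null then { enableACME = true; } else { useACMEHost = cert; });
in
{
  # … unchanged: imports …
  services.nginx.virtualHosts = {
    # … unchanged: graven.dev, rss.graven.dev, git.graven.dev, vault.graven.dev …
    "openpgpkey.graven.dev" = mkWkd "graven.dev";
    "openpgpkey.graven.se" = mkWkd "graven.se";
    "mta-sts.graven.dev" = mkMtaSts "graven.dev";
    "mta-sts.graven.se" = mkMtaSts "graven.se";
    "mta-sts.nao.sh" = mkMtaSts null;
    "mta-sts.amandag.net" = mkMtaSts null;
    "mta-sts.queersin.space" = mkMtaSts null;
    "mta-sts.anarkafem.dev" = mkMtaSts null;
  };
}
```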
|
||||||
|
|
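--- a/unstable/config/hosts/wind/services/wireguard.nix
+++ b/unstable/config/hosts/wind/services/wireguard.nix
@@ -0,0 +1,48 @@
+{ pkgs, config, ... }:
+{
+networking.nat.enable = true;
+networking.nat.externalInterface = "ens3";
+networking.nat.internalInterfaces = [ "wg0" ];
+networking.firewall = {
+allowedUDPPorts = [ 51820 ];
+};
+
+networking.wireguard.interfaces = {
+# "wg0" is the network interface name. You can name the interface arbitrarily.
+wg0 = {
+# Determines the IP address and subnet of the server's end of the tunnel interface.
+ips = [ "10.100.0.1/24" ];
+
+# The port that WireGuard listens to. Must be accessible by the client.
+listenPort = 51820;
+
+# This allows the wireguard server to route your traffic to the internet and hence be like a VPN
+# For this to work you have to set the dnsserver IP of your router (or dnsserver of choice) in your clients
+postSetup = ''
+${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o ens3 -j MASQUERADE
+'';
+
+# This undoes the above command
+postShutdown = ''
+${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o ens3 -j MASQUERADE
+'';
+
+# Path to the private key file.
+#
+# Note: The private key can also be included inline via the privateKey option,
+# but this makes the private key world-readable; thus, using privateKeyFile is
+# recommended.
+privateKeyFile = builtins.toString config.secrets.files.wg_key.file;
+
+peers = [
+# List of allowed peers.
+{ # Feel free to give a meaning full name
+# Public key of the peer (not a file path).
+publicKey = "5u3lMMKcFWohjs0jomG/86MffY8l4E6jbqjJzdyy6ik=";
+# List of IPs assigned to this peer within the tunnel subnet. Used to configure routing.
+allowedIPs = [ "10.100.0.2/32" ];
+}
+];
+};
+};
+}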
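Review bot: The `postSetup`/`postShutdown` iptables MASQUERADE rules duplicate what `networking.nat` already installs once `internalInterfaces = [ "wg0" ]` and `externalInterface = "ens3"` are set (the nat module masquerades traffic marked from internal interfaces out of the external one), so the same effect is configured twice and the hand-written rule is outside the firewall's reload handling; keep one mechanism, preferably `networking.nat` alone, and drop both hooks. The `builtins.toString` on `privateKeyFile` is doing security work only if `config.secrets.files.wg_key.file` is a path value — then `"${…}"` interpolation would copy the key into the world-readable /nix/store and `toString` is what avoids that — whereas if `.file` is already a string the call is a no-op, so confirm which and document it with `# toString, not "${...}": a path value interpolated into a string is copied into /nix/store`. `wg_key` and `acme_graven_se.env` land in this commit as binary blobs; if they are not encrypted at rest (git-crypt, sops or similar), a plaintext WireGuard private key is now in history and should be rotated, which is worth verifying before merge. The peer entry still carries the wiki placeholder `# Feel free to give a meaning full name`; replace it with the actual device name so the public key can be traced when it needs revoking.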
|
@ -29,10 +29,10 @@
|
||||||
"homepage": "",
|
"homepage": "",
|
||||||
"owner": "NixOS",
|
"owner": "NixOS",
|
||||||
"repo": "nixpkgs",
|
"repo": "nixpkgs",
|
||||||
"rev": "d00918ccaf7e1532d35db2f1e3d44db3da39b851",
|
"rev": "db22325869a05e376dbab1c31ea7664dd5fcf860",
|
||||||
"sha256": "0ynxk7vacv8nljkr60f1sdyh0a65lb6w8kzv5m30hy2qba7samrf",
|
"sha256": "0pihqkl1c5bmb62657r38irvacav51ab0r4vfa2wn027ch1ry29m",
|
||||||
"type": "tarball",
|
"type": "tarball",
|
||||||
"url": "https://github.com/NixOS/nixpkgs/archive/d00918ccaf7e1532d35db2f1e3d44db3da39b851.tar.gz",
|
"url": "https://github.com/NixOS/nixpkgs/archive/db22325869a05e376dbab1c31ea7664dd5fcf860.tar.gz",
|
||||||
"url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
|
"url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
|
||||||
},
|
},
|
||||||
"nixus": {
|
"nixus": {
|
||||||
|
|