SelfPrivacy/selfprivacy-nixos-config
1
0
Fork 0
mirror of https://git.selfprivacy.org/SelfPrivacy/selfprivacy-nixos-config.git synced 2024-11-23 03:51:29 +00:00
Code Issues Projects Releases Wiki Activity

add wildcard ACME certificate

Browse source
This commit is contained in:
Alexander Tomokhov 2023-12-19 01:07:05 +04:00
parent 312077240a
commit b37cadff68
9 changed files with 45 additions and 40 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
letsencrypt/acme.nix
View file

@ -27,13 +27,18 @@ in
reloadServices = [ "nginx" ]; reloadServices = [ "nginx" ];
}; };
certs = lib.mkForce { certs = lib.mkForce {
"${cfg.domain}" = { "wildcard-${cfg.domain}" = {
domain = "*.${cfg.domain}"; domain = "*.${cfg.domain}";
extraDomainNames = [ "${cfg.domain}" ]; extraDomainNames = [ "${cfg.domain}" ];
group = "acmereceivers"; group = "acmereceivers";
dnsProvider = lib.strings.toLower cfg.dns.provider; dnsProvider = lib.strings.toLower cfg.dns.provider;
credentialsFile = acme-env-filepath; credentialsFile = acme-env-filepath;
}; };
"${cfg.domain}" = {
domain = cfg.domain;
group = "acmereceivers";
webroot = "/var/lib/acme/acme-challenge";
};
}; };
}; };
systemd.services.acme-secrets = { systemd.services.acme-secrets = {

4
sp-modules/bitwarden/module.nix
View file

@ -72,8 +72,8 @@ in
''; '';
}; };
services.nginx.virtualHosts."password.${sp.domain}" = { services.nginx.virtualHosts."password.${sp.domain}" = {
sslCertificate = "/var/lib/acme/${sp.domain}/fullchain.pem"; sslCertificate = "/var/lib/acme/wildcard-${sp.domain}/fullchain.pem";
sslCertificateKey = "/var/lib/acme/${sp.domain}/key.pem"; sslCertificateKey = "/var/lib/acme/wildcard-${sp.domain}/key.pem";
forceSSL = true; forceSSL = true;
extraConfig = '' extraConfig = ''
add_header Strict-Transport-Security $hsts_header; add_header Strict-Transport-Security $hsts_header;

4
sp-modules/gitea/module.nix
View file

@ -79,8 +79,8 @@ in
}; };
}; };
services.nginx.virtualHosts."git.${sp.domain}" = { services.nginx.virtualHosts."git.${sp.domain}" = {
sslCertificate = "/var/lib/acme/${sp.domain}/fullchain.pem"; sslCertificate = "/var/lib/acme/wildcard-${sp.domain}/fullchain.pem";
sslCertificateKey = "/var/lib/acme/${sp.domain}/key.pem"; sslCertificateKey = "/var/lib/acme/wildcard-${sp.domain}/key.pem";
forceSSL = true; forceSSL = true;
extraConfig = '' extraConfig = ''
add_header Strict-Transport-Security $hsts_header; add_header Strict-Transport-Security $hsts_header;

4
sp-modules/jitsi-meet/module.nix
View file

@ -21,8 +21,8 @@ in
}; };
}; };
services.nginx.virtualHosts."meet.${domain}" = { services.nginx.virtualHosts."meet.${domain}" = {
sslCertificate = "/var/lib/acme/${domain}/fullchain.pem"; sslCertificate = "/var/lib/acme/wildcard-${domain}/fullchain.pem";
sslCertificateKey = "/var/lib/acme/${domain}/key.pem"; sslCertificateKey = "/var/lib/acme/wildcard-${domain}/key.pem";
forceSSL = true; forceSSL = true;
useACMEHost = domain; useACMEHost = domain;
enableACME = false; enableACME = false;

4
sp-modules/nextcloud/module.nix
View file

@ -69,8 +69,8 @@
}; };
}; };
services.nginx.virtualHosts.${hostName} = { services.nginx.virtualHosts.${hostName} = {
sslCertificate = "/var/lib/acme/${sp.domain}/fullchain.pem"; sslCertificate = "/var/lib/acme/wildcard-${sp.domain}/fullchain.pem";
sslCertificateKey = "/var/lib/acme/${sp.domain}/key.pem"; sslCertificateKey = "/var/lib/acme/wildcard-${sp.domain}/key.pem";
forceSSL = true; forceSSL = true;
extraConfig = '' extraConfig = ''
add_header Strict-Transport-Security $hsts_header; add_header Strict-Transport-Security $hsts_header;

8
sp-modules/ocserv/module.nix
View file

@ -28,8 +28,8 @@ in
tcp-port = 8443 tcp-port = 8443
udp-port = 8443 udp-port = 8443
server-cert = /var/lib/acme/${domain}/fullchain.pem server-cert = /var/lib/acme/wildcard-${domain}/fullchain.pem
server-key = /var/lib/acme/${domain}/key.pem server-key = /var/lib/acme/wildcard-${domain}/key.pem
compression = true compression = true
@ -56,8 +56,8 @@ in
''; '';
}; };
services.nginx.virtualHosts."vpn.${domain}" = { services.nginx.virtualHosts."vpn.${domain}" = {
sslCertificate = "/var/lib/acme/${domain}/fullchain.pem"; sslCertificate = "/var/lib/acme/wildcard-${domain}/fullchain.pem";
sslCertificateKey = "/var/lib/acme/${domain}/key.pem"; sslCertificateKey = "/var/lib/acme/wildcard-${domain}/key.pem";
forceSSL = true; forceSSL = true;
extraConfig = '' extraConfig = ''
add_header Strict-Transport-Security $hsts_header; add_header Strict-Transport-Security $hsts_header;

21
sp-modules/pleroma/module.nix
View file

@ -99,5 +99,26 @@ in
}; };
# seems to be an upstream nixpkgs/nixos bug (missing hexdump) # seems to be an upstream nixpkgs/nixos bug (missing hexdump)
systemd.services.pleroma.path = [ pkgs.util-linux ]; systemd.services.pleroma.path = [ pkgs.util-linux ];
services.nginx.virtualHosts."social.${sp.domain}" = {
sslCertificate = "/var/lib/acme/wildcard-${sp.domain}/fullchain.pem";
sslCertificateKey = "/var/lib/acme/wildcard-${sp.domain}/key.pem";
root = "/var/www/social.${sp.domain}";
forceSSL = true;
extraConfig = ''
add_header Strict-Transport-Security $hsts_header;
#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
add_header 'Referrer-Policy' 'origin-when-cross-origin';
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
expires 10m;
'';
locations = {
"/" = {
proxyPass = "http://127.0.0.1:4000";
};
};
};
}; };
} }

4
sp-modules/simple-nixos-mailserver/config.nix
View file

@ -67,8 +67,8 @@ lib.mkIf sp.modules.simple-nixos-mailserver.enable
}; };
certificateScheme = "manual"; certificateScheme = "manual";
certificateFile = "/var/lib/acme/${sp.domain}/fullchain.pem"; certificateFile = "/var/lib/acme/wildcard-${sp.domain}/fullchain.pem";
keyFile = "/var/lib/acme/${sp.domain}/key.pem"; keyFile = "/var/lib/acme/wildcard-${sp.domain}/key.pem";
# Enable IMAP and POP3 # Enable IMAP and POP3
enableImap = true; enableImap = true;

29
webserver/nginx.nix
View file

@ -22,8 +22,8 @@ in
virtualHosts = { virtualHosts = {
"${domain}" = { "${domain}" = {
sslCertificate = "/var/lib/acme/${domain}/fullchain.pem"; sslCertificate = "/var/lib/acme/wildcard-${domain}/fullchain.pem";
sslCertificateKey = "/var/lib/acme/${domain}/key.pem"; sslCertificateKey = "/var/lib/acme/wildcard-${domain}/key.pem";
forceSSL = true; forceSSL = true;
extraConfig = '' extraConfig = ''
add_header Strict-Transport-Security $hsts_header; add_header Strict-Transport-Security $hsts_header;
@ -37,8 +37,8 @@ in
''; '';
}; };
"api.${domain}" = { "api.${domain}" = {
sslCertificate = "/var/lib/acme/${domain}/fullchain.pem"; sslCertificate = "/var/lib/acme/wildcard-${domain}/fullchain.pem";
sslCertificateKey = "/var/lib/acme/${domain}/key.pem"; sslCertificateKey = "/var/lib/acme/wildcard-${domain}/key.pem";
forceSSL = true; forceSSL = true;
extraConfig = '' extraConfig = ''
add_header Strict-Transport-Security $hsts_header; add_header Strict-Transport-Security $hsts_header;
@ -57,27 +57,6 @@ in
}; };
}; };
}; };
"social.${domain}" = {
sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
root = "/var/www/social.${domain}";
forceSSL = true;
extraConfig = ''
add_header Strict-Transport-Security $hsts_header;
#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
add_header 'Referrer-Policy' 'origin-when-cross-origin';
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
expires 10m;
'';
locations = {
"/" = {
proxyPass = "http://127.0.0.1:4000";
};
};
};
}; };
}; };
} }