diff --git a/README.md b/README.md
index 81f7666..fa9bac9 100644
--- a/README.md
+++ b/README.md
@@ -17,7 +17,7 @@ including my homelab, external servers and my development machines.
 🖥️ | Server | sire | Threadripper 1950X | Home media server and data storage. Runs all services as microvms.
 🥔 | Server | zackbiene | ODROID N2+ | ARM SBC for home automation, isolating the sketchy stuff from my main network
 ☁️ | VPS | sentinel | Hetzner Cloud server | Proxies and protects my local services
-☁️ | VPS | envoy | Hetzner Cloud server | Mailserver (WIP, still on gentoo)
+☁️ | VPS | envoy | Hetzner Cloud server | Mailserver
 
 ## Overview
 
diff --git a/hosts/envoy/acme.nix b/hosts/envoy/acme.nix
index 200c858..f818396 100644
--- a/hosts/envoy/acme.nix
+++ b/hosts/envoy/acme.nix
@@ -24,6 +24,6 @@ in {
       dnsPropagationCheck = true;
       reloadServices = ["nginx"];
     };
-    inherit (acme) certs;
+    inherit (acme) certs wildcardDomains;
   };
 }
diff --git a/hosts/envoy/default.nix b/hosts/envoy/default.nix
index 9fd8d9f..7aab654 100644
--- a/hosts/envoy/default.nix
+++ b/hosts/envoy/default.nix
@@ -14,7 +14,6 @@
   boot.mode = "bios";
 
   users.groups.acme.members = ["nginx"];
-  wireguard.proxy-sentinel.firewallRuleForAll.allowedTCPPorts = [80 443];
 
   services.nginx.enable = true;
   services.nginx.recommendedSetup = true;
diff --git a/hosts/envoy/secrets/local.nix.age b/hosts/envoy/secrets/local.nix.age
index e2152cb..bf125b7 100644
Binary files a/hosts/envoy/secrets/local.nix.age and b/hosts/envoy/secrets/local.nix.age differ
diff --git a/hosts/sentinel/acme.nix b/hosts/sentinel/acme.nix
index 200c858..f818396 100644
--- a/hosts/sentinel/acme.nix
+++ b/hosts/sentinel/acme.nix
@@ -24,6 +24,6 @@ in {
       dnsPropagationCheck = true;
       reloadServices = ["nginx"];
     };
-    inherit (acme) certs;
+    inherit (acme) certs wildcardDomains;
   };
 }
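Review bot: `hosts/envoy/acme.nix` and `hosts/sentinel/acme.nix` are byte-identical before and after this commit (both sections carry `index 200c858..f818396`), so the new `inherit (acme) certs wildcardDomains;` had to be applied in two places and the two copies will silently diverge the next time only one of them is edited; a shared module imported by both hosts would keep a single source of truth. The surrounding attribute set begins outside the hunk, so where `acme` comes from is not visible; since `secrets/local.nix.age` changes for both hosts in the same commit it presumably is the decrypted host-local secret, which is worth stating next to the `inherit`, e.g. `# certs and wildcardDomains are read from this host's local secrets`.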
diff --git a/hosts/sentinel/secrets/local.nix.age b/hosts/sentinel/secrets/local.nix.age
index b7a16d1..711dec8 100644
Binary files a/hosts/sentinel/secrets/local.nix.age and b/hosts/sentinel/secrets/local.nix.age differ
diff --git a/modules/acme-wildcard.nix b/modules/acme-wildcard.nix
index 0aefecb..9652470 100644
--- a/modules/acme-wildcard.nix
+++ b/modules/acme-wildcard.nix
@@ -6,9 +6,8 @@
   inherit
     (lib)
     assertMsg
-    attrNames
     filter
-    filterAttrs
+    genAttrs
     hasInfix
     head
     mkIf
@@ -16,19 +15,14 @@
     removeSuffix
     types
     ;
-
-  wildcardDomains = attrNames (filterAttrs (_: v: v.wildcard) config.security.acme.certs);
 in {
-  options.security.acme.certs = mkOption {
-    type = types.attrsOf (types.submodule (submod: {
-      options.wildcard = mkOption {
-        default = false;
-        type = types.bool;
-        description = "If set to true, this will automatically append `*.` to `extraDomainNames`.";
-      };
-
-      config.extraDomainNames = mkIf submod.config.wildcard ["*.${submod.config._module.args.name}"];
-    }));
+  options.security.acme.wildcardDomains = mkOption {
+    type = types.listOf types.str;
+    default = [];
+    description = ''
+      List of domains to which a wilcard certificate exists under the same name in `certs`.
+      All of these certs will automatically have `*.` appended to `extraDomainNames`.
+    '';
   };
 
   options.services.nginx.virtualHosts = mkOption {
@@ -45,7 +39,7 @@ in {
           matchingCerts =
             filter
             (x: !hasInfix "." (removeSuffix ".${x}" domain))
-            wildcardDomains;
+            config.security.acme.wildcardDomains;
         in
           mkIf submod.config.useACMEWildcardHost {
             useACMEHost = assert assertMsg (matchingCerts != []) "No wildcard certificate was defined that matches ${domain}";
@@ -53,4 +47,8 @@ in {
           };
         }));
   };
+
+  config.security.acme.certs = genAttrs config.security.acme.wildcardDomains (domain: {
+    extraDomainNames = ["*.${domain}"];
+  });
 }
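Review bot: In the last hunk, `genAttrs config.security.acme.wildcardDomains (domain: { ... })` defines a `certs.<name>` entry for every listed name unconditionally, so a name that has no cert definition of its own (a typo, or a cert dropped from `certs` but not from the list) presumably still turns into a certificate request carrying only `extraDomainNames`, whereas the option description promises that such a cert "exists under the same name in `certs`". The removed per-cert `wildcard` flag could not drift this way because it lived on the cert itself. An assertion of the form `config.security.acme.certs ? name` would be satisfied by this module's own definition, so either make the description state the actual behaviour or assert on an attribute the user has to set for a `*.` name anyway (`dnsProvider`, since wildcard names need a DNS-01 challenge) — whether that is already set in `security.acme.defaults` is not visible in this hunk. The description in the second hunk also has a typo and an odd preposition; suggested first line: 'List of domains for which a wildcard certificate exists under the same name in certs.'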
diff --git a/users/myuser/secrets/user.nix.age b/users/myuser/secrets/user.nix.age
index 7c82412..52232d8 100644
Binary files a/users/myuser/secrets/user.nix.age and b/users/myuser/secrets/user.nix.age differ