feat: activate acme on sentinel

oddlama 2023-05-31 18:06:53 +02:00
parent 4fd369f034
commit ef03fd0594
No known key found for this signature in database
GPG key ID: 14EFE510775FE39A


@ -1,51 +1,57 @@
{config, ...}: let {
config,
nodes,
...
}: let
inherit (config.repo.secrets.local) acme personalDomain; inherit (config.repo.secrets.local) acme personalDomain;
in { in {
networking.domain = personalDomain; networking.domain = personalDomain;
rekey.secrets."dhparams.pem" = {
file = ./secrets/dhparams.pem.age;
mode = "440";
group = "nginx";
};
rekey.secrets.acme-credentials = { rekey.secrets.acme-credentials = {
file = ./secrets/acme-credentials.age; file = ./secrets/acme-credentials.age;
mode = "440"; mode = "440";
group = "acme"; group = "acme";
}; };
#security.acme = { security.acme = {
# acceptTerms = true; acceptTerms = true;
# defaults = { defaults = {
# inherit (acme) email; inherit (acme) email;
# credentialsFile = config.rekey.secrets.acme-credentials.path; credentialsFile = config.rekey.secrets.acme-credentials.path;
# dnsProvider = "cloudflare"; dnsProvider = "cloudflare";
# dnsPropagationCheck = true; dnsPropagationCheck = true;
# reloadServices = ["nginx"]; reloadServices = ["nginx"];
# }; };
#}; };
#extra.acme.wildcardDomains = acme.domains; extra.acme.wildcardDomains = acme.domains;
#users.groups.acme.members = ["nginx"]; users.groups.acme.members = ["nginx"];
#services.nginx = { rekey.secrets."dhparams.pem" = {
# enable = true; file = ./secrets/dhparams.pem.age;
# upstreams."kanidm" = { mode = "440";
# servers."${config.extra.wireguard."${parentNodeName}-local-vms".ipv4}:8300" = {}; group = "nginx";
# extraConfig = '' };
# zone kanidm 64k;
# keepalive 2; services.nginx = let
# ''; authDomain = nodes.ward-nginx.config.services.kanidm.serverSettings.domain;
# }; in {
# virtualHosts.${authDomain} = { enable = true;
# forceSSL = true; upstreams."kanidm" = {
# useACMEHost = config.lib.extra.matchingWildcardCert authDomain; servers."${nodes.ward-nginx.config.extra.wireguard.proxy-sentinel.ipv4}:8300" = {};
# locations."/".proxyPass = "https://kanidm"; extraConfig = ''
# # Allow using self-signed certs to satisfy kanidm's requirement zone kanidm 64k;
# # for TLS connections. (This is over wireguard anyway) keepalive 2;
# extraConfig = '' '';
# proxy_ssl_verify off; };
# ''; virtualHosts.${authDomain} = {
# }; forceSSL = true;
#}; useACMEHost = config.lib.extra.matchingWildcardCert authDomain;
locations."/".proxyPass = "https://kanidm";
# Allow using self-signed certs to satisfy kanidm's requirement
# for TLS connections. (This is over wireguard anyway)
extraConfig = ''
proxy_ssl_verify off;
'';
};
};
} }
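Review bot: `rekey.secrets."dhparams.pem"` is declared on the new side (group `nginx`, mode `440`) but nothing in this file consumes it — the `services.nginx` block never references its path, so unless another module wires it in, the secret is decrypted and exposed to the nginx group for no purpose; if it is meant for the TLS vhosts, set `sslDhparam = config.rekey.secrets."dhparams.pem".path;` inside `services.nginx` (or drop the declaration). Separately, `proxy_ssl_verify off;` in `virtualHosts.${authDomain}` disables all upstream certificate checking; the comment's reasoning (transport is over wireguard) is sound for confidentiality, but a compromised or misrouted peer on that tunnel would still be accepted as kanidm. Since the upstream cert is self-signed and under your control, it can be pinned instead: `proxy_ssl_verify on;` with `proxy_ssl_trusted_certificate` pointing at the kanidm certificate, which keeps the "no public CA" property without trusting any endpoint on the link. If pinning is deliberately out of scope, extend the existing comment to say so, e.g. `# Peer authentication is delegated to the wireguard tunnel; upstream cert is not pinned.`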