Use ACME for certificates

Simplifies the configuration a lot. It eliminates the overlay and accepts the key via an environment file
This commit is contained in:
pazpi 2024-11-06 12:09:39 +01:00
parent 191119d1f1
commit d86ded0d74
4 changed files with 77 additions and 22 deletions


@ -58,7 +58,12 @@ in
authKeyFile = config.age.secrets.tailscale-authKey.path; authKeyFile = config.age.secrets.tailscale-authKey.path;
}; };
caddy.enable = true; caddy = {
enable = true;
email = "pasettodavide@gmail.com";
domain = "tegola.pro";
};
}; };
virtualisation = { virtualisation = {


@ -13,7 +13,7 @@ let
# customOverlays = import ../overlay; # customOverlays = import ../overlay;
customOverlays = ( customOverlays = (
final: prev: { final: prev: {
caddy-custom = prev.callPackage ../overlay/caddy-custom.nix { }; # caddy-custom = prev.callPackage ../overlay/caddy-custom.nix { };
jellyseerr = nixpkgs-unstable.legacyPackages."x86_64-linux".jellyseerr; jellyseerr = nixpkgs-unstable.legacyPackages."x86_64-linux".jellyseerr;
} }
); );
@ -99,4 +99,15 @@ in
# specialArgs = { }; # specialArgs = { };
}; };
nextcloud = nixpkgs.lib.nixosSystem {
pkgs = pkgs "x86_64-linux";
modules = [
myModule
proxmoxModule
./nextcloud
agenix.nixosModules.default
];
# specialArgs = { };
};
} }
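Review bot: The `nextcloud` nixosSystem added at the end of this section imports `./nextcloud`, but none of the four files in this commit lives under that path, so unless the directory already exists in the tree the flake will stop evaluating; the host is also unrelated to the commit title and would be easier to review as its own commit. In the first hunk the overlay line is only commented out (`# caddy-custom = prev.callPackage ../overlay/caddy-custom.nix { };`) while the description says the overlay is eliminated; deleting the line, and `../overlay/caddy-custom.nix` itself if nothing else imports it, would match the description. The surviving `customOverlays` binding still defines `jellyseerr`, so the overlay function as a whole cannot be dropped.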


@ -13,6 +13,23 @@ in
{ {
options.my.networking.caddy = { options.my.networking.caddy = {
enable = lib.mkEnableOption "Enable caddy as reverse proxy"; enable = lib.mkEnableOption "Enable caddy as reverse proxy";
domain = lib.mkOption {
default = "example.com";
type = lib.types.str;
description = ''
The domain where Caddy is reachable
'';
};
email = lib.mkOption {
default = "user@domain.com";
type = lib.types.str;
description = ''
Email for Certbot
'';
};
}; };
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
@ -25,28 +42,50 @@ in
}; };
}; };
# Insted on relying on caddy to provide TLS, we use certbot to get a certificate
# https://aottr.dev/posts/2024/08/homelab-setting-up-caddy-reverse-proxy-with-ssl-on-nixos/
security.acme = {
acceptTerms = true;
defaults.email = cfg.email;
# TESTING ONLY!
# defaults.server = "https://acme-staging-v02.api.letsencrypt.org/directory";
certs."${cfg.domain}" = {
group = config.services.caddy.group;
domain = "${cfg.domain}";
extraDomainNames = [ "*.${cfg.domain}" ];
dnsProvider = "cloudflare";
dnsResolver = "1.1.1.1:53";
dnsPropagationCheck = true;
environmentFile = config.age.secrets.cloudflare-tegola-apiKey.path;
};
};
services.caddy = { services.caddy = {
enable = true; enable = true;
package = pkgs.caddy-custom;
# acmeCA = "https://acme-staging-v02.api.letsencrypt.org/directory"; # ONLY FOR DEVELOPMENT!
globalConfig = '' globalConfig = ''
admin :2024 admin :2024
servers { servers {
metrics metrics
} }
''; '';
extraConfig = ''
extraConfig =
let
certPath = config.security.acme.certs."${cfg.domain}".directory;
in
''
(cloudflare) { (cloudflare) {
tls { tls ${certPath}/cert.pem ${certPath}/key.pem {
dns cloudflare {env.CLOUDFLARE_KEY} protocols tls1.3
resolvers 1.1.1.1 100.100.100.100
} }
} }
''; '';
}; };
systemd.services.caddy.serviceConfig = { systemd.services.caddy.serviceConfig = {
EnvironmentFile = config.age.secrets.cloudflare-tegola-apiKey.path;
AmbientCapabilities = "CAP_NET_BIND_SERVICE"; AmbientCapabilities = "CAP_NET_BIND_SERVICE";
}; };
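Review bot: The new `tls ${certPath}/cert.pem ${certPath}/key.pem` line in `extraConfig` hands Caddy the leaf certificate only; the NixOS ACME module writes `fullchain.pem` into the same directory, and without the intermediate in the served chain clients that do not already hold it fail validation, so this should read `tls ${certPath}/fullchain.pem ${certPath}/key.pem`. The `certs."${cfg.domain}"` block sets no `reloadServices`, so after a renewal Caddy presumably keeps serving the files it loaded at startup until something else restarts it; `reloadServices = [ "caddy.service" ];` would cover that. The secret path `config.age.secrets.cloudflare-tegola-apiKey.path` is hard-coded into a module that otherwise exposes `domain` and `email` as options, tying the reusable module to one host's secret; an `environmentFile` option with that path as its default would keep the module generic, and note that lego's Cloudflare provider reads its own variable names (e.g. `CLOUDFLARE_DNS_API_TOKEN`) rather than the `CLOUDFLARE_KEY` the removed Caddy snippet used, so the re-encrypted file has to match. The comment above `security.acme` and the `email` option description still say certbot; `# Instead of relying on Caddy's built-in ACME client, the NixOS ACME module obtains the certificate` would describe what the code now does.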


@ -1,11 +1,11 @@
age-encryption.org/v1 age-encryption.org/v1
-> ssh-ed25519 BFt3Fg 3BOjRS3gXw2m7aF/cFMDIUEkxXOa+c5CyBI7YRLqGms -> ssh-ed25519 BFt3Fg W//eYYU4aPOIstbKg/42XU5RlwAwqB2P/+BBiVInxCY
v/evjDvdsenaKYYd3kiRqmVZQbeIUkVuPGOheZtJEOs F06umStqDvKdQR2c5Xi9KOn7PLV7jXTQQOmgStO0dXM
-> ssh-ed25519 Si3UKw H/AzU/m7neT+UV9OrXTRPZtEUIu59iofjDoSTvyPTk0 -> ssh-ed25519 Si3UKw +KBURMIwbPhiO7QjaSyRp3Y8TRQ5PKvEJG7iLxxEmRY
d7qkQT90YhD1XTUFreMw+/1paJjpj5xQxltnkuNYE6E yzXCbhXynQXnZ5OvCutMx1lNrHdP4y2ZMfLDX242IRM
-> ssh-ed25519 3UG3uw Dktzj/64DXaVRTmbsM5hWBftPFo8QSDvGl/xqG2lATQ -> ssh-ed25519 3UG3uw XMPr/2l6UcS7GOkBQHciCMRPLsCB3qt/SP6NwRUv4go
5yTfsJGFruBVXd3foK5Qtts7tvY3DbBEuoFOVnUiIgM qgTyMKDDdo5wMEfrW47KkzMReltqXXW1qfaQGuBYYKc
-> ssh-ed25519 JEhtoQ 4EZdqHV1NCL5KkY16HWmln3lo8ZvOJMXSxiCkwXQxD4 -> ssh-ed25519 JEhtoQ 7iktd5bTGrk9zWI3S4pd9vrTYBJ+fWtv58l4YEw+4Qk
l9KfUtJLcXTT2g9tvujcthhMoXcpcdh+BAIl1go07VU k1DmUoPoDlxu3VzvdF+0gH3HeOJ+QZ+qmagzbdCK+eQ
--- cPsKGqV7VxQBE4YNw8vftdGTSW62AWWVPwxP2yoYwcw --- OxYCCTwnyL3tR5JmlM4Pxb6dctimEeML2Jz0EUGYUpk
JM§´¹ÖÀY¾ùÞ(R@É7³³G.S`<b*ÔǵaC)”‡W^l¢UЮjÒxÿ¾º"£aE1UÑéŽCL•A;8± ߥ>0L”<4C>sÇltoPÛäPq <EFBFBD>Öq¸+X/W¾ªð®WÚ+kkáïW<-ʬ¢ÛˆÔðý²ì=­n{t†£•Ït²âòë<C3B2>x±¤¹y# 'È#×+^£fm2Jˆ-ØÉÈ^ü)]Jˆv<><E2809A>