cleanup and use wildcard certs

2025-04-05 18:24:11 +02:00
parent cacdcca2e6
commit 4032168d8d
9 changed files with 113 additions and 213 deletions
--- a/nixos/primordial/configuration.nix
+++ b/nixos/primordial/configuration.nix
@ -4,6 +4,23 @@
  lib,
  ...
 }: let
+  makeVirtualHost = {
+    subdomain,
+    port,
+  }: {
+    name = "${subdomain}.fuckwit.dev";
+    value = {
+      forceSSL = true;
+      useACMEHost = "fuckwit.dev";
+      locations."/" = {
+        proxyPass = "http://127.0.0.1:${builtins.toString port}";
+        proxyWebsockets = true;
+      };
+    };
+  };
+
+  makeVirtualHosts = sites: builtins.listToAttrs (builtins.map makeVirtualHost sites);
+
  mkWellKnown = data: ''
    default_type application/json;
    add_header Access-Control-Allow-Origin *;
@ -12,6 +29,7 @@
  secretFile = name: config.sops.secrets.${name}.path;
 in {
  sops.defaultSopsFile = ./secrets.yaml;
+  sops.secrets."acme.env" = {};
  sops.secrets."restic_mail_repository_password" = {};
  sops.secrets."restic_ssh_key" = {};
  sops.secrets."act-runner-token" = {};
@ -59,8 +77,20 @@ in {

  i18n.defaultLocale = "en_US.UTF-8";

-  security.acme.acceptTerms = true;
-  security.acme.defaults.email = "huanzodev@gmail.com";
+  security.acme = {
+    acceptTerms = true;
+    defaults = {
+      email = "acme@fuckwit.dev";
+      dnsProvider = "cloudflare";
+      environmentFile = secretFile "acme.env";
+      dnsPropagationCheck = true;
+    };
+
+    certs."fuckwit.dev" = {
+      extraDomainNames = ["*.fuckwit.dev"];
+    };
+  };
+  users.users.nginx.extraGroups = ["acme"];

  services = {
    openssh = {
@ -104,6 +134,7 @@ in {
      };
      registry = {
        enable = true;
+        package = pkgs.gitlab-container-registry;
        defaultForProjects = true;
        externalAddress = "https://registry-git.fuckwit.dev";
        externalPort = 443;
@ -156,105 +187,73 @@ in {
      recommendedGzipSettings = true;
      recommendedOptimisation = true;

-      virtualHosts."fuckwit.dev" = let
-        serverConfig."m.server" = "matrix.fuckwit.dev:443";
-        clientConfig."m.homeserver".base_url = "https://matrix.fuckwit.dev:443";
-      in {
-        enableACME = true;
-        forceSSL = true;
-        # This section is not needed if the server_name of matrix-synapse is equal to
-        # the domain (i.e. example.org from @foo:example.org) and the federation port
-        # is 8448.
-        # Further reference can be found in the docs about delegation under
-        # https://element-hq.github.io/synapse/latest/delegate.html
-        locations."= /.well-known/matrix/server".extraConfig = mkWellKnown serverConfig;
-        # This is usually needed for homeserver discovery (from e.g. other Matrix clients).
-        # Further reference can be found in the upstream docs at
-        # https://spec.matrix.org/latest/client-server-api/#getwell-knownmatrixclient
-        locations."= /.well-known/matrix/client".extraConfig = mkWellKnown clientConfig;
-      };
+      virtualHosts =
+        {
+          "fuckwit.dev" = let
+            serverConfig."m.server" = "matrix.fuckwit.dev:443";
+            clientConfig."m.homeserver".base_url = "https://matrix.fuckwit.dev:443";
+          in {
+            useACMEHost = "fuckwit.dev";
+            forceSSL = true;
+            # This section is not needed if the server_name of matrix-synapse is equal to
+            # the domain (i.e. example.org from @foo:example.org) and the federation port
+            # is 8448.
+            # Further reference can be found in the docs about delegation under
+            # https://element-hq.github.io/synapse/latest/delegate.html
+            locations."= /.well-known/matrix/server".extraConfig = mkWellKnown serverConfig;
+            # This is usually needed for homeserver discovery (from e.g. other Matrix clients).
+            # Further reference can be found in the upstream docs at
+            # https://spec.matrix.org/latest/client-server-api/#getwell-knownmatrixclient
+            locations."= /.well-known/matrix/client".extraConfig = mkWellKnown clientConfig;
+          };

-      virtualHosts."matrix.fuckwit.dev" = {
-        enableACME = true;
-        forceSSL = true;
-        # It's also possible to do a redirect here or something else, this vhost is not
-        # needed for Matrix. It's recommended though to *not put* element
-        # here, see also the section about Element.
-        locations."/".extraConfig = ''
-          return 404;
-        '';
-        # Forward all Matrix API calls to the synapse Matrix homeserver. A trailing slash
-        # *must not* be used here.
-        locations."/_matrix".proxyPass = "http://127.0.0.1:8005";
-        # Forward requests for e.g. SSO and password-resets.
-        locations."/_synapse/client".proxyPass = "http://127.0.0.1:8005";
-      };
+          "matrix.fuckwit.dev" = {
+            useACMEHost = "fuckwit.dev";
+            forceSSL = true;
+            # It's also possible to do a redirect here or something else, this vhost is not
+            # needed for Matrix. It's recommended though to *not put* element
+            # here, see also the section about Element.
+            locations."/".extraConfig = ''
+              return 404;
+            '';
+            # Forward all Matrix API calls to the synapse Matrix homeserver. A trailing slash
+            # *must not* be used here.
+            locations."/_matrix".proxyPass = "http://127.0.0.1:8005";
+            # Forward requests for e.g. SSO and password-resets.
+            locations."/_synapse/client".proxyPass = "http://127.0.0.1:8005";
+          };

-      virtualHosts."vault.fuckwit.dev" = {
-        enableACME = true;
-        forceSSL = true;
+          "gitlab.fuckwit.dev" = {
+            useACMEHost = "fuckwit.dev";
+            forceSSL = true;

-        locations."/" = {
-          proxyPass = "http://127.0.0.1:8000";
-        };
-      };
-
-      virtualHosts."git.fuckwit.dev" = {
-        enableACME = true;
-        forceSSL = true;
-
-        locations."/" = {
-          proxyPass = "http://127.0.0.1:8001";
-        };
-      };
-
-      virtualHosts."grafana.fuckwit.dev" = {
-        enableACME = true;
-        forceSSL = true;
-
-        locations."/" = {
-          proxyPass = "http://127.0.0.1:8002";
-          proxyWebsockets = true;
-        };
-      };
-
-      virtualHosts."influx.fuckwit.dev" = {
-        enableACME = true;
-        addSSL = true;
-
-        locations."/" = {
-          proxyPass = "http://127.0.0.1:8003";
-          proxyWebsockets = true;
-        };
-      };
-
-      virtualHosts."gitlab.fuckwit.dev" = {
-        enableACME = true;
-        forceSSL = true;
-
-        locations."/" = {
-          proxyPass = "http://unix:/run/gitlab/gitlab-workhorse.socket";
-        };
-      };
-
-      virtualHosts."registry-git.fuckwit.dev" = {
-        enableACME = true;
-        forceSSL = true;
-
-        locations."/" = {
-          proxyPass = "http://127.0.0.1:4567";
-        };
-      };
-
-      # virtualHosts."drone.fuckwit.dev" = {
-      #   enableACME = true;
-      #   addSSL = true;
-
-      #   locations."/" = {
-      #     proxyPass = "http://127.0.0.1:8004";
-      #     proxyWebsockets = true;
-      #   };
-      # };
+            locations."/" = {
+              proxyPass = "http://unix:/run/gitlab/gitlab-workhorse.socket";
+            };
+          };
+        }
+        // makeVirtualHosts [
+          {
+            subdomain = "vault";
+            port = 8000;
+          }
+          {
+            subdomain = "git";
+            port = 8001;
+          }
+          {
+            subdomain = "grafana";
+            port = 8002;
+          }
+          {
+            subdomain = "influx";
+            port = 8003;
+          }
+          {
+            subdomain = "registry-git";
+            port = 4567;
+          }
+        ];
    };

    vaultwarden = {