Add acme certificates

This commit is contained in:
Charlotte 🦝 Delenk 2022-01-14 17:44:25 +01:00
parent 4d9a804560
commit 99b8c155d9
Signed by: darkkirb
GPG key ID: 015E3768A70AFBC5
5 changed files with 32 additions and 3 deletions


@ -7,6 +7,7 @@
./grub.nix ./grub.nix
./server.nix ./server.nix
./containers/named.nix ./containers/named.nix
./services/acme.nix
]; ];
boot.initrd.availableKernelModules = [ "ata_piix" "virtio_pci" "virtio_scsi" "xhci_pci" "sd_mod" "sr_mod" ]; boot.initrd.availableKernelModules = [ "ata_piix" "virtio_pci" "virtio_scsi" "xhci_pci" "sd_mod" "sr_mod" ];
@ -14,7 +15,6 @@
boot.kernelModules = [ ]; boot.kernelModules = [ ];
boot.extraModulePackages = [ ]; boot.extraModulePackages = [ ];
boot.supportedFilesystems = [ "zfs" ]; boot.supportedFilesystems = [ "zfs" ];
boot.kernelParams = [ "zfs_force=1" ]; # Remove after next boot
boot.loader.grub.devices = [ "/dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_drive-scsi0-0-0-0" ]; boot.loader.grub.devices = [ "/dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_drive-scsi0-0-0-0" ];
boot.loader.timeout = 5; boot.loader.timeout = 5;
boot.initrd.luks.devices = { boot.initrd.luks.devices = {

23
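--- /dev/null
+++ b/config/services/acme.nix
@@ -0,0 +1,23 @@
+{ ... }: {
+security.acme = {
+acceptTerms = true;
+email = "lotte@chir.rs";
+certs."darkkirb.de" = {
+domain = "*.darkkirb.de";
+extraDomains = [ "darkkirb.de" ];
+dnsProvider = "rfc2136";
+credentialsFile = "/run/secrets/security/acme/dns";
+};
+certs."chir.rs" = {
+domain = "*.chir.rs";
+extraDomains = [ "chir.rs" ];
+dnsProvider = "rfc2136";
+credentialsFile = "/run/secrets/security/acme/dns";
+};
+certs."int.chir.rs" = {
+domain = "*.int.chir.rs";
+dnsProvider = "rfc2136";
+credentialsFile = "/run/secrets/security/acme/dns";
+};
+};
+}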
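Review bot: One `credentialsFile` (`/run/secrets/security/acme/dns`) is shared by all three wildcard certs, and the file documents neither what it must contain nor what the key inside it is permitted to do, so the next person rotating it has nothing to go on. A header comment would cover both, e.g. `# rfc2136 DNS-01 credentials shared by all certs below; lego reads RFC2136_NAMESERVER, RFC2136_TSIG_KEY, RFC2136_TSIG_SECRET and RFC2136_TSIG_ALGORITHM from it. The TSIG key should be granted updates only on the _acme-challenge.* TXT names of these zones, not the whole zone.` Since the same secret unlocks DNS for darkkirb.de, chir.rs and int.chir.rs, its blast radius is whatever the name server's update policy allows; that restriction lives in the BIND configuration (containers/named.nix is imported by this host but not visible in this commit), so it is worth stating here where the key is consumed.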


@ -0,0 +1,2 @@
# Mostly future-proofing, but also for the transition to this infra
{ ... }: { }


@ -3,4 +3,5 @@
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
sops.defaultSopsFile = ../secrets + "/${config.networking.hostName}/secrets.yaml"; sops.defaultSopsFile = ../secrets + "/${config.networking.hostName}/secrets.yaml";
sops.secrets."network/wireguard/privkey" = { }; sops.secrets."network/wireguard/privkey" = { };
sops.secrets."security/acme/dns" = { };
} }
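Review bot: The new `sops.secrets."security/acme/dns" = { };` keeps sops-nix's defaults (root-owned, mode 0400), while the stock NixOS acme services run as the unprivileged acme user, so readability of the file depends on how the module consumes `credentialsFile`. If the module hands it to systemd as an EnvironmentFile the default is fine, because systemd reads it before dropping privileges; if the service user opens it directly, the first renewal will fail with a permission error rather than at build time. If the latter turns out to be the case, `sops.secrets."security/acme/dns" = { owner = "acme"; };` is the minimal fix; either way a manual `systemctl start` of one acme-*.service after deploying is cheaper than discovering it when the timer fires.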


@ -1,6 +1,9 @@
network: network:
wireguard: wireguard:
privkey: ENC[AES256_GCM,data:+avWYsJmrVYFnwi6T6NqQiXH1U+q3DsvMUT+pG4P2zJ+typzA3dQ+85HBVc=,iv:mdf2+p+7FOUPUNAmfS+CAMkw6xTHrjxQDTVDAHF4qbA=,tag:Ano//8t7dDjqfFVmdQXsfw==,type:str] privkey: ENC[AES256_GCM,data:+avWYsJmrVYFnwi6T6NqQiXH1U+q3DsvMUT+pG4P2zJ+typzA3dQ+85HBVc=,iv:mdf2+p+7FOUPUNAmfS+CAMkw6xTHrjxQDTVDAHF4qbA=,tag:Ano//8t7dDjqfFVmdQXsfw==,type:str]
security:
acme:
dns: ENC[AES256_GCM,data:BxBOnnQZLgs9Y6VSL5umzCHmvQTgxDyTRftnR7zbzARJXaRQP5tnUyZFB4oBhO5d/s4TUEwXhSbbdjBttEuI1drh8X2iNTnWtKaSx7TPFhJJXD0jN4eOSgEyZ0GQYieLCYilpiMOgpkTnSdsFkKkQylCsRcu6eXAgtvZYVg/c9SxnNgT7syC2C+VqsgkhYdrHdtguoGigpyfQ3wA4hOABjDipYGw46NHCx1jPAi1mw2txg04/GCCCggvwV6b/EQZ2rA8bBKM2Stw4wYZXvU7V+XaNZngt1vxBSR4OqU=,iv:Gw3mM1G89NdddGdiCrxuOfChudsIXEvABpoSysQfXp0=,tag:2I9lq1h37OhFEflkaj5/BQ==,type:str]
sops: sops:
kms: [] kms: []
gcp_kms: [] gcp_kms: []
@ -25,8 +28,8 @@ sops:
QkkzbUVrVWtYMWhLa0N5MzJ2KzV4MW8KEAtd2cnwNH01rYUFr+qWyAhHvUsqsxXg QkkzbUVrVWtYMWhLa0N5MzJ2KzV4MW8KEAtd2cnwNH01rYUFr+qWyAhHvUsqsxXg
not2RQLEIGbo80Z7CMIwqCIpUYOL4m70KlEKrFzflXFbOFX2en82iA== not2RQLEIGbo80Z7CMIwqCIpUYOL4m70KlEKrFzflXFbOFX2en82iA==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2022-01-14T14:10:36Z" lastmodified: "2022-01-14T16:42:55Z"
mac: ENC[AES256_GCM,data:IJi2TNEG41bgjekGE67iwQrt1ZlmtN7QS8A4M4i417hao+g7IORArXSHDRTWrYT0Gw9xE7NEWtrnRue9ompPcgTV1bGt0Re2EAB+5TI4/7fFbxuIvpYZqhqIFUFEmOyYl+QqkvUH6yKdfdsVj4WgVI8mucxF890F5cWJ1abMaww=,iv:Rr9R3whv7gdBcj/nrsmqTm/JhqvhzdIgMh/Q8EFKP1s=,tag:sFlL5fyP/HWckrmZSgj5zA==,type:str] mac: ENC[AES256_GCM,data:babQDlZhTXrjanhrKPUQhZl4hdzvXWq8cqg0VSpGgyUsVcAreZ2g1WBxHZaNukMb9SsRKQ1URIbsMzenAFGxVOQGMxqMgKYiRyeRzYixnU2BuPnUGBWjgmmfad0lsxeFUK5UwsXHYHCDvjWslx95cIFwnmW/GezVoDebAnM9OEQ=,iv:Oa7OGzY8DP5RBenonU5Oso/Op9G3z0hYiNTxlnR9Z2Q=,tag:ZQZYCXZotkSsaTAaiS3RgA==,type:str]
pgp: [] pgp: []
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.7.1 version: 3.7.1