From 75af9cd046a17751ff23e1845dc3c5593fec1da8 Mon Sep 17 00:00:00 2001
From: Daniel Kempkens
Date: Tue, 4 Apr 2023 22:05:11 +0200
Subject: [PATCH] attic: add acme

---
 agenix/hosts/attic/acme/credentials.age | 13 +++++++++++++
 agenix/hosts/attic/config.nix | 6 ++++++
 secrets.nix | 2 ++
 system/hosts/attic.nix | 5 ++++-
 system/nixos/acme-attic.nix | 23 +++++++++++++++++++++++
 5 files changed, 48 insertions(+), 1 deletion(-)
 create mode 100644 agenix/hosts/attic/acme/credentials.age
 create mode 100644 system/nixos/acme-attic.nix

diff --git a/agenix/hosts/attic/acme/credentials.age b/agenix/hosts/attic/acme/credentials.age
new file mode 100644
index 0000000..96ee38a
--- /dev/null
+++ b/agenix/hosts/attic/acme/credentials.age
@@ -0,0 +1,13 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE10R3A2ZyBZWEFs
+RWJpNlRUZ1ZFTWtRajhvU0JieWFBNk50L3hTU1VpYmYzdkw4N3hZCmpadUsvc1g3
+NC84dFJMZklKRm9KRnhMWGZ2TlJTQjlrYnJNL25vN0hwZk0KLT4gc3NoLWVkMjU1
+MTkgc1ZmNkNBIHdsc3N2cXJOQ0NNR293M3J3V2dPNXBDQzhXL2FwYUVSeDFkTmZW
+TEtiVHcKeVVTNFVpYnRHY2I4NnR0WGk5OStITVZKQUhiLzVKdzRMM0V5dzA4TFow
+TQotPiBaRGQvZHYrLWdyZWFzZSAvTTAocTUyCkFBd2I0cTZodUF3SFpZRzdaU1l4
+Q3k3Q3BXZjl5eTM3em5WZ1JCcW5SZmRTWStBMkFxQ3RwV0JXU05ZSE1PbngKTE5H
+cGhPOFp0NjBoVnAyWUdLTVFNclJGM3BhZVdlU1Nnbllib2Y3S0dYSQotLS0gN2xU
+OE1uSXpPMG9YcFkvTVdqZ2dlalA2SFFxSXRZNFNDaVVpMVFoZE13NAq9+hYgo/p8
+DgxCfKSB+2SptR2K6Im1p5wc3MWTqb7pypm3Ag2PSc6AhQDlWmm0/ZVU49ux/lIT
+gpjAaCc0DLo7ata/rBHDpTYUt48O+Ot1pTDkM8k1te0vKoSvXi3DtZC/7w==
+-----END AGE ENCRYPTED FILE-----
diff --git a/agenix/hosts/attic/config.nix b/agenix/hosts/attic/config.nix
index 87e9990..55833b8 100644
--- a/agenix/hosts/attic/config.nix
+++ b/agenix/hosts/attic/config.nix
@@ -4,6 +4,12 @@
 file = ./user/danielPassword.age;
 };
+ acme-credentials = {
+ file = ./acme/credentials.age;
+ owner = "acme";
+ group = "acme";
+ };
+
 tailscale-authkey = {
 file = ./tailscale/authkey.age;
 };
diff --git a/secrets.nix b/secrets.nix
index b478588..f7f71d7 100644
--- a/secrets.nix
+++ b/secrets.nix
@@ -47,6 +47,8 @@ in
 # attic
 "agenix/hosts/attic/user/danielPassword.age".publicKeys = attic;
+ "agenix/hosts/attic/acme/credentials.age".publicKeys = attic;
+
 "agenix/hosts/attic/tailscale/authkey.age".publicKeys = attic;
 "agenix/hosts/attic/atticd/environment.age".publicKeys = attic;
diff --git a/system/hosts/attic.nix b/system/hosts/attic.nix
index 6e21182..5823ebf 100644
--- a/system/hosts/attic.nix
+++ b/system/hosts/attic.nix
@@ -12,6 +12,9 @@ in
 ../nixos/git.nix
+ ../nixos/acme-attic.nix
+ ../nixos/nginx.nix
+
 (import ../nixos/atticd.nix (args // { inherit secret; }))
 ../nixos/tailscale.nix
@@ -70,7 +73,7 @@ in
 networks = {
 "10-wan" = {
- matchConfig.Name = "eth0";
+ matchConfig.Name = "enp1s0";
 networkConfig = {
 DHCP = "ipv4";
 Address = "2a01:4f8:c0c:fa14::1/64";
diff --git a/system/nixos/acme-attic.nix b/system/nixos/acme-attic.nix
new file mode 100644
index 0000000..8733aaa
--- /dev/null
+++ b/system/nixos/acme-attic.nix
@@ -0,0 +1,23 @@
+{ config, ... }:
+
+{
+ security.acme = {
+ acceptTerms = true;
+
+ defaults = {
+ email = "acme@kempkens.io";
+ group = "nginx";
+ dnsProvider = "cloudflare";
+ credentialsFile = config.age.secrets.acme-credentials.path;
+ dnsResolver = "1.1.1.1:53";
+ dnsPropagationCheck = true;
+ reloadServices = [ "nginx.service" ];
+ };
+
+ certs = {
+ "cache.daniel.sx" = {
+ domain = "*.cache.daniel.sx";
+ };
+ };
+ };
+}
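Review bot: The `"cache.daniel.sx"` certificate in acme-attic.nix requests only `domain = "*.cache.daniel.sx"`, and a wildcard does not cover the apex name itself, so an nginx vhost that serves `cache.daniel.sx` with this cert will present a name mismatch; add `extraDomainNames = [ "cache.daniel.sx" ];` next to `domain` (or make the apex the `domain` and move the wildcard into `extraDomainNames`). Since `dnsProvider = "cloudflare"` hands lego whatever `credentialsFile` contains, the decrypted `acme-credentials` should hold a `CLOUDFLARE_DNS_API_TOKEN` scoped to DNS:Edit on the single zone rather than the account-wide `CLOUDFLARE_API_KEY`; the age blob in this commit cannot be inspected here, so that is worth confirming. A short header comment would also help future readers, e.g. `# Wildcard cert for *.cache.daniel.sx via Cloudflare DNS-01; key is group-readable by nginx, which is reloaded on renewal.`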