Add ACME cert-store
This commit is contained in:
parent
e97e64325d
commit
956284a8bf
4 changed files with 45 additions and 53 deletions
15
machine-confs/cert-store.nix
Normal file
15
machine-confs/cert-store.nix
Normal file
|
|
@ -0,0 +1,15 @@
|
||||||
|
{ pkgs, ... }:
|
||||||
|
{
|
||||||
|
networking.hostName = "cert-store";
|
||||||
|
|
||||||
|
imports = [
|
||||||
|
../base.nix
|
||||||
|
../services/acme-cert-store.nix
|
||||||
|
];
|
||||||
|
|
||||||
|
#Many installs will need this, and it won't hurt either way
|
||||||
|
services.qemuGuest.enable = true;
|
||||||
|
|
||||||
|
#Prevent user from being locked out of the system before switching to proper config
|
||||||
|
users.mutableUsers = pkgs.lib.mkForce true;
|
||||||
|
}
|
||||||
|
|
@ -1,31 +0,0 @@
|
||||||
{ ... }:
|
|
||||||
{
|
|
||||||
networking.hostName = "honeypot";
|
|
||||||
|
|
||||||
imports = [
|
|
||||||
../base.nix
|
|
||||||
];
|
|
||||||
|
|
||||||
networking.firewall.allowedTCPPorts = [
|
|
||||||
80
|
|
||||||
];
|
|
||||||
|
|
||||||
services = {
|
|
||||||
nginx = {
|
|
||||||
enable = true;
|
|
||||||
recommendedGzipSettings = true;
|
|
||||||
|
|
||||||
virtualHosts.localhost = {
|
|
||||||
locations."/" = {
|
|
||||||
return = "200 '<html><body>It works</body></html>'";
|
|
||||||
extraConfig = ''
|
|
||||||
default_type text/html;
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
# HARDWARE SPECIFIC
|
|
||||||
services.qemuGuest.enable = true;
|
|
||||||
}
|
|
||||||
|
|
@ -1,22 +0,0 @@
|
||||||
{ pkgs, ... }:
|
|
||||||
{
|
|
||||||
networking.hostName = "ntfy";
|
|
||||||
|
|
||||||
imports = [
|
|
||||||
../base.nix
|
|
||||||
../services/ntfy.nix
|
|
||||||
];
|
|
||||||
|
|
||||||
# HARDWARE SPECIFIC
|
|
||||||
services.qemuGuest.enable = true;
|
|
||||||
|
|
||||||
# Make sure this service updates later than the rest, to capture any notifs from the others
|
|
||||||
system.autoUpgrade = {
|
|
||||||
dates = pkgs.lib.mkForce "05:00";
|
|
||||||
rebootWindow = pkgs.lib.mkForce {
|
|
||||||
lower = "04:30";
|
|
||||||
upper = "06:00";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
}
|
|
||||||
30
services/acme-cert-store.nix
Normal file
30
services/acme-cert-store.nix
Normal file
|
|
@ -0,0 +1,30 @@
|
||||||
|
{ config, ... }:
|
||||||
|
{
|
||||||
|
users.users."cert-store" = {
|
||||||
|
isNormalUser = true;
|
||||||
|
description = "Read-only access to certs";
|
||||||
|
openssh.authorizedKeys.keys = config.users.users.root.openssh.authorizedKeys.keys ++ [
|
||||||
|
];
|
||||||
|
};
|
||||||
|
|
||||||
|
security.acme = {
|
||||||
|
acceptTerms = true;
|
||||||
|
certs."vsinerva.fi".extraDomainNames = [ "*.vsinerva.fi" ];
|
||||||
|
defaults = {
|
||||||
|
email = "vili.m.sinerva@gmail.com";
|
||||||
|
environmentFile = "/var/lib/acme/dns-creds";
|
||||||
|
dnsProvider = "ovh";
|
||||||
|
extraLegoFlags = [
|
||||||
|
"--dns.propagation-wait"
|
||||||
|
"60s"
|
||||||
|
];
|
||||||
|
postRun = ''
|
||||||
|
mkdir -p ${config.users.users."cert-store".home}/acme
|
||||||
|
cp fullchain.pem ${config.users.users."cert-store".home}/acme/
|
||||||
|
cp key.pem ${config.users.users."cert-store".home}/acme/
|
||||||
|
chown -R cert-store:cert-store ${config.users.users."cert-store".home}/acme/
|
||||||
|
chmod ugoa=r ${config.users.users."cert-store".home}/acme/*.pem
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
||||||
Loading…
Add table
Add a link
Reference in a new issue