Vaultwarden to cert-store

2025-01-20 23:18:33 +02:00 · 2025-01-20 23:18:33 +02:00 · a840a276ae
commit a840a276ae
parent 3c9f55eb8c
3 changed files with 5 additions and 23 deletions
--- a/services/acme-cert-store.nix
+++ b/services/acme-cert-store.nix
@ -6,6 +6,7 @@
    openssh.authorizedKeys.keys = config.users.users.root.openssh.authorizedKeys.keys ++ [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHj2PK6LHsanSqaz8Gf/VqHaurd5e6Y7KnZNBiHb9adT nextcloud"
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDiJZWlmiEkVzlf5/KV/jKkCGlgp8mnEeCnwk/dhdctJ gitea"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOgIXTr7HxC13UNZP0UCALBRJuiDh4U0Nnd4GPIE4RQR vaultwarden"
    ];
  };

--- a/services/acme-dns.nix
+++ b/services/acme-dns.nix
@ -1,16 +0,0 @@
-{ ... }:
-{
-  security.acme = {
-    acceptTerms = true;
-    defaults = {
-      email = "vili.m.sinerva@gmail.com";
-      environmentFile = "/var/lib/acme/dns-creds";
-      dnsProvider = "ovh";
-      group = "nginx";
-      extraLegoFlags = [
-        "--dns.propagation-wait"
-        "60s"
-      ];
-    };
-  };
-}
--- a/services/vaultwarden.nix
+++ b/services/vaultwarden.nix
@ -1,11 +1,8 @@
 { ... }:
 {
-  imports = [ ./acme-dns.nix ];
+  imports = [ ./cert-store-client.nix ];

-  networking.firewall.allowedTCPPorts = [
-    80
-    443
-  ];
+  networking.firewall.allowedTCPPorts = [ 443 ];
  networking.firewall.allowedUDPPorts = [ 443 ];

  services = {
@ -43,8 +40,8 @@
      virtualHosts."vaultwarden.vsinerva.fi" = {
        forceSSL = true;
        kTLS = true;
-        enableACME = true;
-        acmeRoot = null;
+        sslCertificate = "/mnt/acme/fullchain.pem";
+        sslCertificateKey = "/mnt/acme/key.pem";
        locations."/" = {
          proxyPass = "http://localhost:8000";
        };