Diffstat (limited to '')
-rw-r--r--hosts/tahoe/default.nix1
-rw-r--r--hosts/tahoe/secrets/gandi/apikey.age11
-rw-r--r--hosts/tahoe/secrets/secrets.nix5
-rw-r--r--hosts/tahoe/services.nix9
-rw-r--r--modules/services/cgit/default.nix12
-rw-r--r--modules/services/monitoring/grafana.nix11
-rw-r--r--modules/services/navidrome/default.nix15
-rw-r--r--modules/services/nginx/default.nix5
-rw-r--r--modules/services/transmission/default.nix11
-rw-r--r--profiles/acme.nix18
-rw-r--r--profiles/nas.nix2
11 files changed, 64 insertions, 36 deletions
diff --git a/hosts/tahoe/default.nix b/hosts/tahoe/default.nix
index cfa3717..6fb5fcb 100644
--- a/hosts/tahoe/default.nix
+++ b/hosts/tahoe/default.nix
@@ -9,6 +9,7 @@ in
./networking.nix
./services.nix
"${self}/profiles/nas.nix"
+ "${self}/profiles/acme.nix"
"${self}/profiles/hardware/amd.nix"
];
diff --git a/hosts/tahoe/secrets/gandi/apikey.age b/hosts/tahoe/secrets/gandi/apikey.age
new file mode 100644
index 0000000..3f35522
--- /dev/null
+++ b/hosts/tahoe/secrets/gandi/apikey.age
@@ -0,0 +1,11 @@
+age-encryption.org/v1
+-> X25519 jMYhTKmWi5riTgT9QQVOlzlIegqM1MI2QtJbOonsL2E
+bM9xqcJc41bKs0as9lIQQQGZhB5cmaZtO1fHCsrMR9M
+-> X25519 3xMvuIuRGXBp/gbv+aZpjkp6wLw6hyRAqBIe/Pf+Szo
+2X45mDvLNcDOntT4JgZUFHpnlShm3UYv7gCpHGaj4Fo
+-> X25519 xemfO0+4pS8WG/7QoIIqULZ/xN+C0l+LbBgv4QIdcQU
+VfoMT93/3hTZdPo4ALCaEZrIO3bHhsoxCwf6DyXPwvI
+-> s06@-grease .@\9Og@9 7yCI nS'`(65/
+W1seHOnAnPFF8BB6uqQKv8JwpmoNCU93i06VtxuuHiaeGrlXNPiF0ikD/mysdA
+--- dpDFFk5ZPUwQZp96fpS85eZCVELD4GB1uwl/8ev5moA
+⇼?Zu>x3d[sLٵ )|[z1#cѨ3BHLw҂]$. \ No newline at end of file
diff --git a/hosts/tahoe/secrets/secrets.nix b/hosts/tahoe/secrets/secrets.nix
index 34b955b..0560a57 100644
--- a/hosts/tahoe/secrets/secrets.nix
+++ b/hosts/tahoe/secrets/secrets.nix
@@ -28,6 +28,11 @@ in
owner = "unpoller-exporter";
};
+ "gandi/apikey.age" = {
+ publicKeys = all;
+ owner = "acme";
+ };
+
"restic/repo-systems.age".publicKeys = all;
"rsync.net/ssh-key.age".publicKeys = all;
diff --git a/hosts/tahoe/services.nix b/hosts/tahoe/services.nix
index a04225e..0227f4c 100644
--- a/hosts/tahoe/services.nix
+++ b/hosts/tahoe/services.nix
@@ -1,8 +1,7 @@
-{ config, ... }:
+{ self, config, ... }:
let secrets = config.age.secrets;
in
{
-
# this unit is broken and useless. I don't know how to not install
# it, so let's mask it.
systemd.services.mdmonitor.enable = false;
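Review bot: `self` is added to the module's argument set on the first line, but no use of it appears in any hunk of this file; if the rest of the file does not reference it, keep `{ config, ... }:` — an unused module argument evaluates fine but sends a reader looking for a flake reference that is not there. The remainder of the file is outside the hunks, so the use may simply not be shown.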
@@ -14,12 +13,12 @@ in
};
navidrome = {
enable = true;
- vhostName = "music.fcuny.xyz";
+ vhostName = "music.${config.homelab.domain}";
musicFolder = "/data/fast/music";
};
unifi = {
enable = true;
- vhostName = "unifi.fcuny.xyz";
+ vhostName = "unifi.${config.homelab.domain}";
};
monitoring = {
@@ -33,7 +32,7 @@ in
};
grafana = {
enable = true;
- vhostName = "dash.fcuny.xyz";
+ vhostName = "dash.${config.homelab.domain}";
};
promtail.enable = true;
node-exporter.enable = true;
diff --git a/modules/services/cgit/default.nix b/modules/services/cgit/default.nix
index 5108e42..e00790c 100644
--- a/modules/services/cgit/default.nix
+++ b/modules/services/cgit/default.nix
@@ -76,6 +76,18 @@ in
default = true;
forceSSL = true;
enableACME = true;
+ listen = [
+ {
+ addr = "192.168.6.40";
+ port = 443;
+ ssl = true;
+ }
+ {
+ addr = "192.168.6.40";
+ port = 80;
+ ssl = false;
+ }
+ ];
locations = {
"~* ^.+.(css|png|ico)$" = { root = "${pkgs.cgit}/cgit"; };
# as per https://github.com/yandex/gixy/blob/master/docs/en/plugins/aliastraversal.md
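Review bot: The listen address `192.168.6.40` is hard-coded here and repeated verbatim in modules/services/monitoring/grafana.nix, modules/services/navidrome/default.nix and modules/services/transmission/default.nix; a host-level option next to `config.homelab.domain` (a `homelab.listenAddress`-style option, name not on the page) would keep the modules host-independent, as the domain refactor in this commit already does for vhost names. The cgit vhost also keeps `enableACME = true;` while every other vhost in this commit switches to the shared wildcard, so this host will still request its own certificate through the ACME defaults; `useACMEHost = config.homelab.domain;` in place of `enableACME = true;` would make it consistent. The enclosing virtualHosts attribute set starts before the hunk.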
diff --git a/modules/services/monitoring/grafana.nix b/modules/services/monitoring/grafana.nix
index 9b75fc3..28e86f6 100644
--- a/modules/services/monitoring/grafana.nix
+++ b/modules/services/monitoring/grafana.nix
@@ -46,15 +46,15 @@ in
services.nginx.virtualHosts."${cfg.vhostName}" = {
forceSSL = true;
- useACMEHost = cfg.vhostName;
+ useACMEHost = config.homelab.domain;
listen = [
{
- addr = "100.85.232.66";
+ addr = "192.168.6.40";
port = 443;
ssl = true;
}
{
- addr = "100.85.232.66";
+ addr = "192.168.6.40";
port = 80;
ssl = false;
}
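Review bot: Changing the listen address from `100.85.232.66` to `192.168.6.40` changes which network the vhost is reachable from: the old address is in the 100.64.0.0/10 CGNAT range that overlay networks such as Tailscale hand out, while the new one is a private LAN address, so ports 80 and 443 for grafana are now served on the LAN interface (the same change is made in modules/services/navidrome/default.nix and modules/services/transmission/default.nix). If that widening is intended, the commit should say so and the host firewall rules for 80/443 should be checked against the new interface; neither is visible in these hunks. With `useACMEHost = config.homelab.domain` nginx needs read access to the shared certificate, which appears to be covered by `group = config.services.nginx.group` in profiles/acme.nix.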
@@ -67,11 +67,6 @@ in
};
};
- security.acme.certs."${cfg.vhostName}" = {
- dnsProvider = "gcloud";
- credentialsFile = secrets."acme/credentials".path;
- };
-
my.services.backup = {
paths = [ "/var/lib/grafana" ];
exclude = [
diff --git a/modules/services/navidrome/default.nix b/modules/services/navidrome/default.nix
index 1e3b6e7..1c8243a 100644
--- a/modules/services/navidrome/default.nix
+++ b/modules/services/navidrome/default.nix
@@ -21,20 +21,22 @@ in
config = lib.mkIf cfg.enable {
services.navidrome = {
enable = true;
- settings = { MusicFolder = cfg.musicFolder; };
+ settings = {
+ MusicFolder = cfg.musicFolder;
+ };
};
services.nginx.virtualHosts."${cfg.vhostName}" = {
forceSSL = true;
- useACMEHost = cfg.vhostName;
+ useACMEHost = config.homelab.domain;
listen = [
{
- addr = "100.85.232.66";
+ addr = "192.168.6.40";
port = 443;
ssl = true;
}
{
- addr = "100.85.232.66";
+ addr = "192.168.6.40";
port = 80;
ssl = false;
}
@@ -45,11 +47,6 @@ in
};
};
- security.acme.certs."${cfg.vhostName}" = {
- dnsProvider = "gcloud";
- credentialsFile = secrets."acme/credentials".path;
- };
-
my.services.backup = {
paths = [ "/var/lib/navidrome" ];
exclude = [ "/var/lib/navidrome/cache/" ];
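Review bot: Removing the per-vhost `security.acme.certs` block drops the only visible consumer of `secrets."acme/credentials"` (the gcloud DNS credentials) in this module, and grafana.nix and transmission/default.nix lose theirs in the same commit, so that secret now looks unreferenced. If nothing else uses it, the entry should be removed from hosts/tahoe/secrets/secrets.nix and the underlying Google Cloud key revoked rather than left encrypted in the repository; likewise, if `secrets` was a `let` binding in this module only for that line, it is now dead. Neither the secrets entry nor the `let` binding is visible here, so this is inferred from the hunks.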
diff --git a/modules/services/nginx/default.nix b/modules/services/nginx/default.nix
index f745b9b..ec71ba2 100644
--- a/modules/services/nginx/default.nix
+++ b/modules/services/nginx/default.nix
@@ -18,11 +18,6 @@ in
# Nginx needs to be able to read the certificates
users.users.nginx.extraGroups = [ "acme" ];
- security.acme = {
- defaults.email = "franck@fcuny.net";
- acceptTerms = true;
- };
-
services.prometheus = {
exporters.nginx = {
enable = true;
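Review bot: Moving `acceptTerms` and `defaults.email` out of the nginx module makes it implicitly depend on profiles/acme.nix: a host that imports this module and enables an ACME vhost without also importing the profile will now fail evaluation on the unset `security.acme.acceptTerms`. Either record the dependency next to the retained `users.users.nginx.extraGroups = [ "acme" ];` line, e.g. `# ACME terms/defaults live in profiles/acme.nix; hosts with ACME vhosts must import it`, or import the profile from this module. Since profiles/acme.nix also sets `group = config.services.nginx.group` on the certificates, the `acme` group membership kept here may now be redundant, though that is only inferable from the two hunks together.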
diff --git a/modules/services/transmission/default.nix b/modules/services/transmission/default.nix
index 824f7a5..43c4675 100644
--- a/modules/services/transmission/default.nix
+++ b/modules/services/transmission/default.nix
@@ -35,15 +35,15 @@ in
services.nginx.virtualHosts."${cfg.vhostName}" = {
forceSSL = true;
- useACMEHost = cfg.vhostName;
+ useACMEHost = config.homelab.domain;
listen = [
{
- addr = "100.85.232.66";
+ addr = "192.168.6.40";
port = 443;
ssl = true;
}
{
- addr = "100.85.232.66";
+ addr = "192.168.6.40";
port = 80;
ssl = false;
}
@@ -54,11 +54,6 @@ in
};
};
- security.acme.certs."${cfg.vhostName}" = {
- dnsProvider = "gcloud";
- credentialsFile = secrets."acme/credentials".path;
- };
-
networking.firewall = {
allowedTCPPorts = [ 52213 ];
allowedUDPPorts = [ 52213 ];
diff --git a/profiles/acme.nix b/profiles/acme.nix
new file mode 100644
index 0000000..7fc62d3
--- /dev/null
+++ b/profiles/acme.nix
@@ -0,0 +1,18 @@
+{ pkgs, lib, config, ... }:
+let
+ secrets = config.age.secrets;
+in
+{
+ security.acme.acceptTerms = true;
+ security.acme.defaults = {
+ email = "le@fcuny.net";
+ dnsProvider = "gandiv5";
+ group = config.services.nginx.group;
+ credentialsFile = secrets."gandi/apikey".path;
+ dnsPropagationCheck = true;
+ };
+ security.acme.certs."${config.homelab.domain}" = {
+ domain = "*.${config.homelab.domain}";
+ extraDomainNames = [ config.homelab.domain ];
+ };
+}
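Review bot: `credentialsFile` is consumed by the ACME service as an environment file, so the decrypted `gandi/apikey` secret must contain a `GANDIV5_API_KEY=<value>` line (the variable lego's gandiv5 provider reads) rather than the bare key; nothing in the hunk documents this, and a wrong format only surfaces when the first DNS-01 challenge runs. A comment on that line, e.g. `# env-file format: GANDIV5_API_KEY=... (read by lego's gandiv5 provider)`, would save the next reader a debugging round. `pkgs` and `lib` are destructured in the module arguments but unused in this file; `{ config, ... }:` is enough. The file is complete within the hunk.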
diff --git a/profiles/nas.nix b/profiles/nas.nix
index d1033af..7dc92da 100644
--- a/profiles/nas.nix
+++ b/profiles/nas.nix
@@ -1,8 +1,8 @@
{ config, pkgs, ... }:
{
imports = [
- ./server.nix
./btrfs.nix
+ ./server.nix
];
users.groups.nas.gid = 5000;