diff --git a/hosts/permafrost/configuration.nix b/hosts/permafrost/configuration.nix
index 12717e3..fd8d876 100644
--- a/hosts/permafrost/configuration.nix
+++ b/hosts/permafrost/configuration.nix
@@ -2,8 +2,9 @@
 {
 permafrost.nyazoom.enable = true;
- permafrost.nginx.enableACME = true;
- permafrost.nginx.useStagingServer = false;
+ permafrost.forgejo.enable = true;
+ permafrost.acme.enable = true;
+ permafrost.acme.useStagingServer = false;
 networking.hostName = "permafrost"; # Define your hostname.
diff --git a/modules/acme.nix b/modules/acme.nix
new file mode 100644
index 0000000..02682c8
--- /dev/null
+++ b/modules/acme.nix
@@ -0,0 +1,46 @@
+{ lib, config, ... }:
+
+let
+ cfg = config.permafrost.acme;
+in
+{
+ options.permafrost.acme = {
+ enable = lib.mkEnableOption "acme nixos module";
+
+ certDomains = lib.mkOption {
+ description = "additional domains to register with the ACME cert";
+ default = [ ];
+ type = with lib.types; listOf str;
+ };
+
+ useStagingServer = lib.mkOption {
+ description = "use the letsencrypt staging server";
+ default = true;
+ type = with lib.types; bool;
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ sops.secrets."cloudflare/email" = { };
+ sops.secrets."cloudflare/api_key" = { };
+
+ security.acme.acceptTerms = true;
+ security.acme.certs.permafrost = {
+ email = "Zynh0722@gmail.com";
+ domain = "scarlet.zynh.me";
+ group = config.services.nginx.group;
+ renewInterval = "weekly";
+ server =
+ if cfg.useStagingServer
+ then "https://acme-staging-v02.api.letsencrypt.org/directory"
+ else config.security.acme.defaults.server;
+ extraDomainNames = cfg.certDomains;
+
+ dnsProvider = "cloudflare";
+ credentialFiles = {
+ "CF_API_EMAIL_FILE" = config.sops.secrets."cloudflare/email".path;
+ "CF_DNS_API_TOKEN_FILE" = config.sops.secrets."cloudflare/api_key".path;
+ };
+ };
+ };
+}
diff --git a/modules/forgejo.nix b/modules/forgejo.nix
index 86a27c7..5c82e20 100644
--- a/modules/forgejo.nix
+++ b/modules/forgejo.nix
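Review bot: The Cloudflare credential wiring in the new `credentialFiles` block mixes two authentication schemes: `CF_API_EMAIL_FILE` belongs to the legacy email plus global-API-key login, while `CF_DNS_API_TOKEN_FILE` expects a scoped API token, yet that token is read from a secret named `cloudflare/api_key`. If the secret really holds the account-wide global key, token authentication is likely to fail; if it holds a scoped token, the email secret is unused and the name misleads the next reader about what is at risk if the file leaks. Prefer a token scoped to DNS edit on the one zone, name the secret accordingly (e.g. `cloudflare/dns_api_token`), and drop the email secret so the module carries exactly one least-privilege credential. A one-line comment above `credentialFiles` stating which Cloudflare credential type the secret must contain would remove the guesswork.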
@@ -2,7 +2,7 @@
 let
 cfg = config.permafrost.forgejo;
- ACMEEnabled = config.permafrost.nginx.enableACME;
+ ACMEEnabled = config.permafrost.acme.enable;
 in
 {
 options.permafrost.forgejo = {
@@ -11,10 +11,10 @@ in
 config = lib.mkIf cfg.enable {
 permafrost.nginx.enable = lib.mkDefault true;
- permafrost.nginx.certDomains = lib.mkIf ACMEEnabled [ "git.zynh.me" ];
+ permafrost.acme.certDomains = lib.mkIf ACMEEnabled [ "git.zynh.me" ];
 services.nginx.virtualHosts."git.zynh.me" = {
- forceSSL = lib.mkIf ACMEEnabled true;
 serverName = "git.zynh.me";
+ forceSSL = lib.mkIf ACMEEnabled true;
 useACMEHost = lib.mkIf ACMEEnabled "permafrost";
 locations."/" = {
 proxyPass = "http://localhost:3032";
diff --git a/modules/foundry.nix b/modules/foundry.nix
index e7b37c6..e245ea2 100644
--- a/modules/foundry.nix
+++ b/modules/foundry.nix
@@ -2,7 +2,7 @@
 let
 cfg = config.permafrost.foundry;
- ACMEEnabled = config.permafrost.nginx.enableACME;
+ ACMEEnabled = config.permafrost.acme.enable;
 in
 {
 options.permafrost.foundry = {
@@ -14,7 +14,6 @@ in
 permafrost.nginx.enable = lib.mkDefault true;
 }
 {
- # permafrost.nginx.certDomains = lib.mkIf ACMEEnabled [ "scarlet.zynh.me" ];
 services.nginx.virtualHosts."scarlet.zynh.me" = {
 serverName = "scarlet.zynh.me";
 forceSSL = lib.mkIf ACMEEnabled true;
@@ -35,10 +34,9 @@ in
 };
 }
 {
- permafrost.nginx.certDomains = lib.mkIf ACMEEnabled [ "ddbimporter.zynh.me" ];
+ permafrost.acme.certDomains = lib.mkIf ACMEEnabled [ "ddbimporter.zynh.me" ];
 services.nginx.virtualHosts."ddbimporter.zynh.me" = {
- # TODO: Force ssl
- # addSSL = true;
+ forceSSL = true;
 useACMEHost = lib.mkIf ACMEEnabled "permafrost";
 serverName = "ddbimporter.zynh.me";
 locations."/".proxyPass = "http://localhost:3232";
diff --git a/modules/nginx.nix b/modules/nginx.nix
index 232adbd..e1daadb 100644
--- a/modules/nginx.nix
+++ b/modules/nginx.nix
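Review bot: `forceSSL = true;` in the `ddbimporter.zynh.me` vhost (last foundry.nix hunk) is unconditional while `useACMEHost` on the next line is still gated on `ACMEEnabled`, so with `permafrost.acme.enable = false` the vhost is told to force TLS with no certificate configured; every sibling vhost in this file and in forgejo.nix gates `forceSSL` exactly as it gates `useACMEHost`. Make it consistent with them: `forceSSL = lib.mkIf ACMEEnabled true;`. If the intent is instead that this service must never be reachable over plain HTTP, make `useACMEHost` unconditional too, so the two attributes always move together and disabling ACME cannot silently downgrade the vhost. The enclosing module body starts and ends outside the hunk.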
@@ -7,8 +7,6 @@ in
 options.permafrost.nginx = {
 enable = lib.mkEnableOption "nginx nixos module";
- enableACME = lib.mkEnableOption "acme cert generation and use";
-
 certDomains = lib.mkOption {
 description = "additional domains to register with the ACME cert";
 default = [ ];
@@ -25,28 +23,6 @@ in
 config = lib.mkIf cfg.enable {
 services.nginx.enable = true;
- sops.secrets."cloudflare/email" = { };
- sops.secrets."cloudflare/api_key" = { };
-
- security.acme.acceptTerms = true;
- security.acme.certs.permafrost = lib.mkIf cfg.enableACME {
- email = "Zynh0722@gmail.com";
- domain = "scarlet.zynh.me";
- group = config.services.nginx.group;
- renewInterval = "weekly";
- server =
- if cfg.useStagingServer
- then "https://acme-staging-v02.api.letsencrypt.org/directory"
- else config.security.acme.defaults.server;
- extraDomainNames = cfg.certDomains;
-
- dnsProvider = "cloudflare";
- credentialFiles = {
- "CF_API_EMAIL_FILE" = config.sops.secrets."cloudflare/email".path;
- "CF_DNS_API_TOKEN_FILE" = config.sops.secrets."cloudflare/api_key".path;
- };
- };
-
 networking.firewall.allowedTCPPorts = [ 80 443 ];
 };
 }
diff --git a/modules/nyazoom.nix b/modules/nyazoom.nix
index e769ff4..26f6ae3 100644
--- a/modules/nyazoom.nix
+++ b/modules/nyazoom.nix
@@ -4,7 +4,7 @@
 let
 nyazoom = inputs.nyazoom.packages.${pkgs.system}.default;
 cfg = config.permafrost.nyazoom;
- ACMEEnabled = config.permafrost.nginx.enableACME;
+ ACMEEnabled = config.permafrost.acme.enable;
 in
 {
 options.permafrost.nyazoom = {
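Review bot: The first nginx.nix hunk removes `enableACME` but keeps `certDomains` in `options.permafrost.nginx`, and after the second hunk nothing in this module reads `cfg.certDomains` any more (the cert definition that consumed it is gone), so `permafrost.nginx.certDomains` is now a dead option: a module or host that still sets it evaluates cleanly, but the name never reaches the certificate and the failure only shows up later as a TLS name mismatch. The same presumably applies to `useStagingServer`, which configuration.nix moved to `permafrost.acme` but which lies outside the visible lines of this file. Either delete the leftover options here or redirect them so stale references fail at evaluation, e.g. `imports = [ (lib.mkRenamedOptionModule [ "permafrost" "nginx" "certDomains" ] [ "permafrost" "acme" "certDomains" ]) ];`. The nginx module body continues outside both hunks.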
@@ -23,13 +23,11 @@ in
 };
 permafrost.nginx.enable = lib.mkDefault true;
- permafrost.nginx.certDomains = lib.mkIf ACMEEnabled [ "nyazoom.zynh.me" ];
+ permafrost.acme.certDomains = lib.mkIf ACMEEnabled [ "nyazoom.zynh.me" ];
 services.nginx.virtualHosts."nyazoom.zynh.me" = {
- # TODO: Force ssl
- # TODO: Force ssl
 serverName = "nyazoom.zynh.me";
- useACMEHost = lib.mkIf ACMEEnabled "permafrost";
 forceSSL = lib.mkIf ACMEEnabled true;
+ useACMEHost = lib.mkIf ACMEEnabled "permafrost";
 locations."/" = {
 proxyPass = "http://localhost:3000";
 extraConfig = /* nginx */ ''