authorandromeda <andromeda@lenovo>2026-01-02 20:21:46 +0100
committerandromeda <andromeda@lenovo>2026-01-02 20:21:46 +0100
commit5366c48991c9059883dae4adcd4e6ed6a399f3ca (patch)
treef07e4143d656ac65a9f0aa6953bb79070220a62e /machines/109-199-104-83/configuration.nix
parent6db05df6a78dcfc9e82113fdc217ac176ba295df (diff)
use nginx for acme
Diffstat (limited to 'machines/109-199-104-83/configuration.nix')
-rw-r--r--machines/109-199-104-83/configuration.nix68
1 files changed, 9 insertions, 59 deletions
diff --git a/machines/109-199-104-83/configuration.nix b/machines/109-199-104-83/configuration.nix
index 7e170ee..1ec2aa7 100644
--- a/machines/109-199-104-83/configuration.nix
+++ b/machines/109-199-104-83/configuration.nix
@@ -2,86 +2,36 @@
config,
modulesPath,
machine,
- pkgs,
...
-}: {
+}: rec {
# mailserver config
mailserver = {
enable = true;
stateVersion = 3;
- fqdn = "mail.galaxious.de";
- domains = ["galaxious.de"];
+ fqdn = "mail.${networking.domain}";
+ domains = ["${networking.domain}"];
x509.useACMEHost = config.mailserver.fqdn;
loginAccounts = {
- "test@galaxious.de" = {
+ "test@${networking.domain}" = {
hashedPasswordFile = builtins.toString config.age.secrets.secret3.path;
};
};
};
# cert config
- # systemctl start galaxious.de.service & journalctl -fu acme-galaxious.de.service
security.acme = {
acceptTerms = true;
defaults.email = "mtgmonket@gmail.com";
- certs."mail.galaxious.de" = {
- domain = "mail.galaxious.de";
- dnsProvider = "rfc2136";
- environmentFile = "/var/lib/secrets/certs.secret";
- dnsPropagationCheck = false;
- };
};
- services.bind = {
+ services.nginx = {
enable = true;
- extraConfig = ''
- include "/var/lib/secrets/dnskeys.conf";
- '';
- zones = [
- rec {
- name = "galaxious.de";
- file = "/var/db/bind/${name}";
- master = true;
- extraConfig = "allow-update { key rfc2136key.galaxious.de; };";
- }
- ];
- };
- systemd.services.dns-rfc2136-conf = {
- requiredBy = [
- "acme-galaxious.de.service"
- "bind.service"
- ];
- before = [
- "acme-galaxious.de.service"
- "bind.service"
- ];
- unitConfig = {
- ConditionPathExists = "!/var/lib/secrets/dnskeys.conf";
- };
- serviceConfig = {
- Type = "oneshot";
- UMask = 77;
+ virtualHosts."mail.${networking.domain}" = {
+ forceSSL = true;
+ enableACME = true;
};
- path = [pkgs.bind];
- script = ''
- mkdir -p /var/lib/secrets
- chmod 755 /var/lib/secrets
- tsig-keygen rfc2136key.galaxious.de > /var/lib/secrets/dnskeys.conf
- chown named:root /var/lib/secrets/dnskeys.conf
- chmod 400 /var/lib/secrets/dnskeys.conf
-
- # extract secret value from the dnskeys.conf
- while read x y; do if [ "$x" = "secret" ]; then secret="''${y:1:''${#y}-3}"; fi; done < /var/lib/secrets/dnskeys.conf
-
- cat > /var/lib/secrets/certs.secret << EOF
- RFC2136_NAMESERVER='127.0.0.1:53'
- RFC2136_TSIG_ALGORITHM='hmac-sha256.'
- RFC2136_TSIG_KEY='rfc2136key.galaxious.de'
- RFC2136_TSIG_SECRET='$secret'
- EOF
- chmod 400 /var/lib/secrets/certs.secret
- '';
};
+ # system config
system.stateVersion = "25.11";
nix.settings.experimental-features = ["flakes" "nix-command"];
imports = [(modulesPath + "/profiles/qemu-guest.nix")];