From aaf9a98e7a38afc61b75a63447eb8fbb87ea93d0 Mon Sep 17 00:00:00 2001
From: Avery
Date: Sun, 16 Feb 2025 17:14:00 +0100
Subject: [PATCH] Configure ACME

---
 .../services/_port-definitions.nix | 2 -
 hosts/greatyamada/services/acme.nix | 4 +-
 hosts/greatyamada/services/adguardhome.nix | 1 +
 hosts/greatyamada/services/default.nix | 1 -
 hosts/greatyamada/services/forgejo.nix | 1 +
 .../services/invidious/default.nix | 10 ---
 .../services/invidious/inv-sig-helper.nix | 83 -------------------
 .../services/invidious/invidious.nix | 51 ------------
 hosts/greatyamada/services/jellyfin.nix | 1 +
 hosts/greatyamada/services/nginx.nix | 7 +-
 hosts/greatyamada/services/ntfy.nix | 1 +
 hosts/greatyamada/services/radicale.nix | 1 +
 12 files changed, 14 insertions(+), 149 deletions(-)
 delete mode 100644 hosts/greatyamada/services/invidious/default.nix
 delete mode 100644 hosts/greatyamada/services/invidious/inv-sig-helper.nix
 delete mode 100644 hosts/greatyamada/services/invidious/invidious.nix

diff --git a/hosts/greatyamada/services/_port-definitions.nix b/hosts/greatyamada/services/_port-definitions.nix
index 9e92852..44fcc47 100644
--- a/hosts/greatyamada/services/_port-definitions.nix
+++ b/hosts/greatyamada/services/_port-definitions.nix
@@ -6,8 +6,6 @@
 coturn-minimum = 49192;
 coturn-maximum = 49200;
 forgejo-http = 3000;
- inv-sig-helper = 12999;
- invidious-http = 3002;
 jellyfin-http = 8096;
 matrix-http = 8008;
 matrix-https = 8448;
diff --git a/hosts/greatyamada/services/acme.nix b/hosts/greatyamada/services/acme.nix
index 3aff438..ebac233 100644
--- a/hosts/greatyamada/services/acme.nix
+++ b/hosts/greatyamada/services/acme.nix
@@ -2,11 +2,13 @@
 security.acme = {
 acceptTerms = true;
 defaults.email = "aveeryy@protonmail.com";
+ # Temporarily use staging server for testing
+ defaults.server = "https://acme-staging-v02.api.letsencrypt.org/directory";
 certs."rcia.dev" = {
 credentialFiles.CLOUDFLARE_DNS_API_TOKEN_FILE =
 "/run/secrets/cloudflare_api_token";
 dnsProvider = "cloudflare";
- extraDomainNames = [ "*.rcia.dev" ];
+ group = "nginx";
 };
 };
 sops.secrets."cloudflare/api_token" = {
diff --git a/hosts/greatyamada/services/adguardhome.nix b/hosts/greatyamada/services/adguardhome.nix
index e8f7104..919c63e 100644
--- a/hosts/greatyamada/services/adguardhome.nix
+++ b/hosts/greatyamada/services/adguardhome.nix
@@ -44,6 +44,7 @@ in {
 locations."/".proxyPass =
 "http://127.0.0.1:${toString portDefinitions.adguardhome-http}";
 extraConfig = nginxLocalServiceConfig;
+ useACMEHost = "rcia.dev";
 };
 };
 }
diff --git a/hosts/greatyamada/services/default.nix b/hosts/greatyamada/services/default.nix
index 44554ba..9549539 100644
--- a/hosts/greatyamada/services/default.nix
+++ b/hosts/greatyamada/services/default.nix
@@ -3,7 +3,6 @@
 ./acme.nix
 ./ddclient.nix
 ./forgejo.nix
- ./invidious
 ./jellyfin.nix
 ./minecraft
 ./nginx.nix
diff --git a/hosts/greatyamada/services/forgejo.nix b/hosts/greatyamada/services/forgejo.nix
index 72a6909..ddaf216 100644
--- a/hosts/greatyamada/services/forgejo.nix
+++ b/hosts/greatyamada/services/forgejo.nix
@@ -43,6 +43,7 @@ in {
 locations."/" = {
 proxyPass = "http://127.0.0.1:${toString portDefinitions.forgejo-http}";
 };
+ useACMEHost = "rcia.dev";
 };
 };
 systemd.services.forgejo.preStart = ''
diff --git a/hosts/greatyamada/services/invidious/default.nix b/hosts/greatyamada/services/invidious/default.nix
deleted file mode 100644
index 78b8ffa..0000000
--- a/hosts/greatyamada/services/invidious/default.nix
+++ /dev/null
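Review bot: Removing `extraDomainNames = [ "*.rcia.dev" ];` leaves this DNS-validated certificate covering only the apex name, while the adguardhome, forgejo, jellyfin, ntfy and radicale hunks point their virtual hosts at it with `useACMEHost = "rcia.dev"`; if those hosts are subdomains (the deleted invidious config used `iv.rcia.dev`, so that looks likely), clients will get a certificate name mismatch. This is the certificate with `dnsProvider = "cloudflare"`, which is the validation method that can issue a wildcard, so the alias belongs here rather than on the nginx host: keep `extraDomainNames = [ "*.rcia.dev" ];` next to the new `group = "nginx";`. The staging `defaults.server` is fine for testing, but anything it issues is rejected by browsers, so marking that line `# TODO: remove before production` makes the temporary intent harder to forget.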
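Review bot: `useACMEHost = "rcia.dev"` only selects which certificate the TLS listener presents; unless this virtual host already sets `forceSSL`, `addSSL` or `onlySSL` above the hunk (not visible here), nginx keeps serving it over plain HTTP and the new line has no effect on the proxied AdGuard Home UI. The apex host in nginx.nix sets `forceSSL = true`, so the same is probably intended here: `forceSSL = true;` beside `useACMEHost`. The forgejo, jellyfin, ntfy and radicale hunks have the same gap. The `virtualHosts` attribute set begins before the hunk.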
@@ -1,10 +0,0 @@
-{ ... }: {
- imports = [ ./invidious.nix ./inv-sig-helper.nix ];
- users = {
- groups.invidious = { };
- users.invidious = {
- group = "invidious";
- isSystemUser = true;
- };
- };
-}
diff --git a/hosts/greatyamada/services/invidious/inv-sig-helper.nix b/hosts/greatyamada/services/invidious/inv-sig-helper.nix
deleted file mode 100644
index 24a331d..0000000
--- a/hosts/greatyamada/services/invidious/inv-sig-helper.nix
+++ /dev/null
@@ -1,83 +0,0 @@
-{ pkgs, ... }:
-let portDefinitions = import ../_port-definitions.nix;
-in {
- environment.systemPackages = with pkgs; [ inv-sig-helper ];
- systemd.services.inv-sig-helper = {
- enable = true;
- after = [ "syslog.target" "network.target" ];
- wantedBy = [ "multi-user.target" ];
- serviceConfig = {
- User = "invidious";
- Group = "invidious";
- ExecStart =
- "${pkgs.inv-sig-helper}/bin/inv_sig_helper_rust --tcp 127.0.0.1:${
- toString portDefinitions.inv-sig-helper
- }";
- Restart = "always";
- RestartSec = "2s";
- Type = "simple";
- WorkingDirectory = "/tmp";
- BindPaths = "/tmp";
- CapabilityBoundingSet = [
- "~CAP_SETUID CAP_SETGID CAP_SETPCAP"
- "~CAP_SYS_ADMIN"
- "~CAP_SYS_PTRACE"
- "~CAP_CHOWN CAP_FSETID CAP_SETFCAP"
- "~CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_FOWNER CAP_IPC_OWNER"
- "~CAP_NET_ADMIN"
- "~CAP_SYS_MODULE"
- "~CAP_SYS_RAWIO"
- "~CAP_SYS_TIME"
- "~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE"
- "~CAP_KILL"
- "~CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW"
- "~CAP_SYSLOG"
- "~CAP_SYS_NICE CAP_SYS_RESOURCE"
- "~CAP_MAC_ADMIN CAP_MAC_OVERRIDE"
- "~CAP_SYS_BOOT"
- "~CAP_LINUX_IMMUTABLE"
- "~CAP_IPC_LOCK"
- "~CAP_SYS_CHROOT"
- "~CAP_BLOCK_SUSPEND"
- "~CAP_LEASE"
- "~CAP_SYS_PACCT"
- "~CAP_SYS_TTY_CONFIG"
- "~CAP_WAKE_ALARM"
- ];
- LockPersonality = true;
- MemoryDenyWriteExecute = true;
- NoNewPrivileges = true;
- PrivateDevices = true;
- PrivateTmp = true;
- PrivateUsers = true;
- ProcSubset = "pid";
- ProtectControlGroups = true;
- ProtectHome = "tmpfs";
- ProtectHostname = true;
- ProtectKernelLogs = true;
- ProtectKernelModules = true;
- ProtectKernelTunables = true;
- ProtectProc = "invisible";
- ProtectSystem = "strict";
- RemoveIPC = true;
- RestrictAddressFamilies = "AF_INET AF_INET6 AF_UNIX";
- RestrictNamespaces = true;
- RestrictSUIDSGID = true;
- RestrictRealtime = true;
- SystemCallArchitectures = "native";
- SystemCallFilter = [
- "~@clock"
- "~@debug"
- "~@module"
- "~@mount"
- "~@raw-io"
- "~@reboot"
- "~@swap"
- "~@privileged"
- "~@resources"
- "~@cpu-emulation"
- "~@obsolete"
- ];
- };
- };
-}
diff --git a/hosts/greatyamada/services/invidious/invidious.nix b/hosts/greatyamada/services/invidious/invidious.nix
deleted file mode 100644
index 4d5d48b..0000000
--- a/hosts/greatyamada/services/invidious/invidious.nix
+++ /dev/null
@@ -1,51 +0,0 @@
-{ ... }:
-let
- nginxLocalServiceConfig = import ../nginx-local-config.nix;
- ports = import ../_port-definitions.nix;
-in {
- services = {
- invidious = {
- enable = true;
- port = ports.invidious-http;
- extraSettingsFile = "/var/lib/invidious/extra_configuration";
- settings = {
- check_tables = true;
- db.user = "invidious";
- default_user_preferences = {
- locale = "es";
- dark_mode = "dark";
- autoplay = true;
- video_loop = true;
- quality = "dash";
- volume = 20;
- };
- signature_server = "localhost:${toString ports.inv-sig-helper}";
- };
- database = {
- createLocally = false;
- passwordFile = "/var/lib/invidious/db_password";
- };
- hmacKeyFile = "/var/lib/invidious/hmac_key";
- };
- nginx.virtualHosts."iv.rcia.dev" = {
- locations."/" = {
- proxyPass = "http://127.0.0.1:${toString ports.invidious-http}";
- };
- extraConfig = nginxLocalServiceConfig;
- };
- };
- sops.secrets = {
- "invidious/db_password" = {
- path = "/var/lib/invidious/db_password";
- owner = "invidious";
- };
- "invidious/hmac" = {
- path = "/var/lib/invidious/hmac_key";
- owner = "invidious";
- };
- "invidious/extra_secrets" = {
- path = "/var/lib/invidious/extra_configuration";
- owner = "invidious";
- };
- };
-}
diff --git a/hosts/greatyamada/services/jellyfin.nix b/hosts/greatyamada/services/jellyfin.nix
index 50ce8c8..22e3650 100644
--- a/hosts/greatyamada/services/jellyfin.nix
+++ b/hosts/greatyamada/services/jellyfin.nix
@@ -15,6 +15,7 @@ in {
 "http://127.0.0.1:${toString portDefinitions.jellyfin-http}";
 };
 extraConfig = nginxLocalServiceConfig;
+ useACMEHost = "rcia.dev";
 };
 };
 }
diff --git a/hosts/greatyamada/services/nginx.nix b/hosts/greatyamada/services/nginx.nix
index acfc7ad..b924e08 100644
--- a/hosts/greatyamada/services/nginx.nix
+++ b/hosts/greatyamada/services/nginx.nix
@@ -2,7 +2,12 @@
 services.nginx = {
 enable = true;
 virtualHosts = {
- "rcia.dev" = { locations."/" = { root = /var/www/public; }; };
+ "rcia.dev" = {
+ forceSSL = true;
+ enableACME = true;
+ serverAliases = [ "*.rcia.dev" ];
+ # locations."/" = { root = /var/www/public; };
+ };
 };
 };
 }
diff --git a/hosts/greatyamada/services/ntfy.nix b/hosts/greatyamada/services/ntfy.nix
index edefb85..589f548 100644
--- a/hosts/greatyamada/services/ntfy.nix
+++ b/hosts/greatyamada/services/ntfy.nix
@@ -15,6 +15,7 @@ in {
 proxyPass = "http://127.0.0.1:${toString ports.ntfy-http}";
 recommendedProxySettings = true;
 };
+ useACMEHost = "rcia.dev";
 };
 };
 }
diff --git a/hosts/greatyamada/services/radicale.nix b/hosts/greatyamada/services/radicale.nix
index 89cfb0c..05222ba 100644
--- a/hosts/greatyamada/services/radicale.nix
+++ b/hosts/greatyamada/services/radicale.nix
@@ -24,6 +24,7 @@ in {
 "http://127.0.0.1:${toString portDefinitions.radicale-http}";
 };
 extraConfig = nginxLocalServiceConfig;
+ useACMEHost = "rcia.dev";
 };
 };
 sops.secrets."radicale/users" = {
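Review bot: `enableACME = true` makes the nginx module declare its own `security.acme.certs."rcia.dev"`, the same name acme.nix configures with `dnsProvider = "cloudflare"`; as far as I recall the module then sets `webroot` and overrides `dnsProvider` to null for that certificate, so the build either reports conflicting definitions or switches the certificate to HTTP-01, which cannot validate the `*.rcia.dev` alias and would leave every subdomain host without a matching certificate. Since the certificate is declared in acme.nix, this host should reuse it like the others: replace `enableACME = true;` with `useACMEHost = "rcia.dev";`. The commented-out `locations."/"` line is dead code and should be deleted; with it gone the apex host has no location at all, which may be intended but deserves a one-line comment saying so. The `services.nginx` set is fully inside the hunk.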