From d85d2eeaf28e921a9c4e3160049ac21cb87f72bf Mon Sep 17 00:00:00 2001 From: Tigor Hutasuhut Date: Sun, 24 Nov 2024 21:31:04 +0700 Subject: [PATCH] nginx: uses same ACME host to reduce the number of certs and avoid rate limits --- hardware-configuration/homeserver.nix | 4 +- secrets/nginx.yaml | 22 ++++++++ system/podman/memos.nix | 4 +- system/podman/morphos.nix | 4 +- system/podman/pihole.nix | 7 ++- system/podman/qbittorrent.nix | 4 +- system/podman/redmage-demo.nix | 4 +- system/podman/redmage.nix | 4 +- system/podman/servarr/bazarr.nix | 4 +- system/podman/servarr/prowlarr.nix | 4 +- system/podman/servarr/qbittorrent.nix | 4 +- system/podman/servarr/radarr.nix | 4 +- system/podman/servarr/rdtclient.nix | 4 +- system/podman/servarr/real-debrid-manager.nix | 4 +- system/podman/servarr/sonarr.nix | 9 +++- system/podman/soulseek.nix | 17 +++---- system/podman/suwayomi.nix | 4 +- system/podman/ytptube.nix | 7 ++- system/services/cockpit.nix | 4 +- system/services/forgejo.nix | 4 +- system/services/jellyfin.nix | 15 ++++-- system/services/kavita.nix | 4 +- system/services/navidrome.nix | 4 +- system/services/nginx.nix | 50 ++++++++++--------- system/services/ntfy-sh.nix | 4 +- system/services/photoprism.nix | 4 +- system/services/syncthing.nix | 4 +- system/services/telemetry/grafana.nix | 13 +++++ 28 files changed, 154 insertions(+), 66 deletions(-) create mode 100644 secrets/nginx.yaml diff --git a/hardware-configuration/homeserver.nix b/hardware-configuration/homeserver.nix index 080914a..e105d44 100644 --- a/hardware-configuration/homeserver.nix +++ b/hardware-configuration/homeserver.nix @@ -138,7 +138,7 @@ }; services.nginx.virtualHosts."public.tigor.web.id" = { - enableACME = true; + useACMEHost = "tigor.web.id"; forceSSL = true; locations."/" = { root = "/nas/public"; @@ -149,6 +149,8 @@ }; }; + security.acme.certs."tigor.web.id".extraDomainNames = [ "public.tigor.web.id" ]; + systemd.tmpfiles.settings = { "100-nas-public-dir" = { "/nas/public" = { 
diff --git a/secrets/nginx.yaml b/secrets/nginx.yaml new file mode 100644 index 0000000..3a2772e --- /dev/null +++ b/secrets/nginx.yaml @@ -0,0 +1,22 @@ +nginx: + htpasswd: ENC[AES256_GCM,data:IYNlj5G3lvBZIPjMpHxKuX+iaSAVgCQk1tszlx5eMqAPk/h4wT2IVlcZsw==,iv:En3YkQ8N5GFKKMMo2mrl0gb5DQfrdnktmhOL1xN1Up4=,tag:tlX4bomr5iQJdKCJ0FeIdw==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1kruum2varzua7w5n6n52vhwyek2arc685rhcwt0u7k2jf5mecsjslkl9ll + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZVThIbU01SXpLTFo5dUd3 + WFdwT1ZhMmRXYWNLNFJnTnhnbDFydytwNFY0ClBjck1rVzNKRHVKNk02UnMxYmdF + S2pHMDdiVFI1NUdHTUhxbm02Y0V4b3MKLS0tIG91TGlvZmJlTURVU2hyYVNQekhW + MmJRbUxNelZqbDZNTDE1M01wbnRwcVEKQYyDt02jJLXDjelL3JjgFjCDj3KR19ZO + VAIinh7lUCG6QWu85Eak0ytrXsmVk/Rucnb3unBqnFYmUNp+rYXgMA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-11-24T14:24:45Z" + mac: ENC[AES256_GCM,data:nQok/IpaHozjeDFCOEq7wuEqp5+CBjdbsClIk9IfeK2Dz01jAnmgtwPMmZSnlbSQxBb69mw/KEj2mjYpt4vL9xe/0Dl4df6uJl6chgBRfm/JvXNbcGOag1MSarN1Oppyz9Rjqz48Ves0VtegR2NCIHaNuh5oagP9KJfgss6XibU=,iv:KvwA1S+rRPyJyseUnvalxlYQOKJ4RuAhn4nZA1sZA7M=,tag:lzjqf07wd69gDS8OmkOuEA==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.1 diff --git a/system/podman/memos.nix b/system/podman/memos.nix index fd486e7..d89f56d 100644 --- a/system/podman/memos.nix +++ b/system/podman/memos.nix @@ -18,11 +18,13 @@ in ''; services.nginx.virtualHosts.${domain} = { - enableACME = true; + useACMEHost = "tigor.web.id"; forceSSL = true; locations."/".proxyPass = "http://${ip}:5230"; }; + security.acme.certs."tigor.web.id".extraDomainNames = [ domain ]; + system.activationScripts."podman-${name}" = '' mkdir -p ${rootVolume} chown ${uid}:${gid} ${rootVolume} diff --git a/system/podman/morphos.nix b/system/podman/morphos.nix index e074915..212cbe4 100644 --- a/system/podman/morphos.nix +++ b/system/podman/morphos.nix 
@@ -17,11 +17,13 @@ in ''; services.nginx.virtualHosts.${domain} = { - enableACME = true; + useACMEHost = "tigor.web.id"; forceSSL = true; locations."/".proxyPass = "http://${ip}:8080"; }; + security.acme.certs."tigor.web.id".extraDomainNames = [ domain ]; + virtualisation.oci-containers.containers.${name} = { inherit image; hostname = name; diff --git a/system/podman/pihole.nix b/system/podman/pihole.nix index 7be3beb..5624f44 100644 --- a/system/podman/pihole.nix +++ b/system/podman/pihole.nix @@ -7,6 +7,7 @@ let ip = "10.88.1.1"; image = "docker.io/pihole/pihole:latest"; piholeDNSIPBind = "192.168.100.5"; + domain = "${name}.tigor.web.id"; in { config = mkIf (podman.enable && pihole.enable) { @@ -16,8 +17,8 @@ in reverse_proxy ${ip}:80 ''; - services.nginx.virtualHosts."pihole.tigor.web.id" = { - enableACME = true; + services.nginx.virtualHosts.${domain} = { + useACMEHost = "tigor.web.id"; forceSSL = true; locations = { "= /" = { @@ -29,6 +30,8 @@ in }; }; + security.acme.certs."tigor.web.id".extraDomainNames = [ domain ]; + sops.secrets."pihole/env" = { sopsFile = ../../secrets/pihole.yaml; }; diff --git a/system/podman/qbittorrent.nix b/system/podman/qbittorrent.nix index c2feba5..9b4f59a 100644 --- a/system/podman/qbittorrent.nix +++ b/system/podman/qbittorrent.nix @@ -25,13 +25,15 @@ lib.mkMerge [ ''; services.nginx.virtualHosts.${domain} = { - enableACME = true; + useACMEHost = "tigor.web.id"; forceSSL = true; locations."/" = { proxyPass = "http://${ip}:8080"; }; }; + security.acme.certs."tigor.web.id".extraDomainNames = [ domain ]; + system.activationScripts."podman-${name}" = '' mkdir -p ${volume}/{config,downloads,progress,watch} chown ${uid}:${gid} ${volume} ${volume}/{config,downloads,progress,watch} diff --git a/system/podman/redmage-demo.nix b/system/podman/redmage-demo.nix index f9e02ea..5b33850 100644 --- a/system/podman/redmage-demo.nix +++ b/system/podman/redmage-demo.nix 
@@ -18,13 +18,15 @@ in ''; services.nginx.virtualHosts.${domain} = { - enableACME = true; + useACMEHost = "tigor.web.id"; forceSSL = true; locations."/" = { proxyPass = "http://${ip}:8080"; }; }; + security.acme.certs."tigor.web.id".extraDomainNames = [ domain ]; + system.activationScripts."podman-${name}" = '' mkdir -p ${rootVolume}/db mkdir -p ${rootVolume}/images diff --git a/system/podman/redmage.nix b/system/podman/redmage.nix index 19694da..bc86018 100644 --- a/system/podman/redmage.nix +++ b/system/podman/redmage.nix @@ -25,13 +25,15 @@ in ''; services.nginx.virtualHosts.${domain} = { - enableACME = true; + useACMEHost = "tigor.web.id"; forceSSL = true; locations."/" = { proxyPass = "http://${ip}:8080"; }; }; + security.acme.certs."tigor.web.id".extraDomainNames = [ domain ]; + system.activationScripts."podman-${name}" = '' mkdir -p ${rootVolume}/db mkdir -p ${rootVolume}/images diff --git a/system/podman/servarr/bazarr.nix b/system/podman/servarr/bazarr.nix index 75f2a6b..fdd2669 100644 --- a/system/podman/servarr/bazarr.nix +++ b/system/podman/servarr/bazarr.nix @@ -21,13 +21,15 @@ in ''; services.nginx.virtualHosts.${domain} = { - enableACME = true; + useACMEHost = "tigor.web.id"; forceSSL = true; locations."/" = { proxyPass = "http://${ip}:6767"; }; }; + security.acme.certs."tigor.web.id".extraDomainNames = [ domain ]; + system.activationScripts."podman-${name}" = '' mkdir -p ${configVolume} chown ${uid}:${gid} ${mediaVolume} ${configVolume} diff --git a/system/podman/servarr/prowlarr.nix b/system/podman/servarr/prowlarr.nix index 283f056..073554e 100644 --- a/system/podman/servarr/prowlarr.nix +++ b/system/podman/servarr/prowlarr.nix 
@@ -23,13 +23,15 @@ in ''; services.nginx.virtualHosts.${domain} = { - enableACME = true; + useACMEHost = "tigor.web.id"; forceSSL = true; locations."/" = { proxyPass = "http://${ip}:9696"; }; }; + security.acme.certs."tigor.web.id".extraDomainNames = [ domain ]; + system.activationScripts."podman-${name}" = '' mkdir -p ${configVolume} chown ${uid}:${gid} ${configVolume} diff --git a/system/podman/servarr/qbittorrent.nix b/system/podman/servarr/qbittorrent.nix index 0f1373c..b6ce655 100644 --- a/system/podman/servarr/qbittorrent.nix +++ b/system/podman/servarr/qbittorrent.nix @@ -21,7 +21,7 @@ in ''; services.nginx.virtualHosts.${domain} = { - enableACME = true; + useACMEHost = "tigor.web.id"; forceSSL = true; locations."/" = { proxyPass = "http://${ip}:8080"; @@ -29,6 +29,8 @@ in }; }; + security.acme.certs."tigor.web.id".extraDomainNames = [ domain ]; + system.activationScripts."podman-${name}" = '' mkdir -p ${configVolume} ${mediaVolume} chown ${uid}:${gid} ${mediaVolume} ${configVolume} diff --git a/system/podman/servarr/radarr.nix b/system/podman/servarr/radarr.nix index 7218b14..727be68 100644 --- a/system/podman/servarr/radarr.nix +++ b/system/podman/servarr/radarr.nix @@ -21,7 +21,7 @@ in ''; services.nginx.virtualHosts.${domain} = { - enableACME = true; + useACMEHost = "tigor.web.id"; forceSSL = true; locations."/" = { proxyPass = "http://${ip}:7878"; @@ -29,6 +29,8 @@ in }; }; + security.acme.certs."tigor.web.id".extraDomainNames = [ domain ]; + system.activationScripts."podman-${name}" = '' mkdir -p ${configVolume} ${mediaVolume} chown ${uid}:${gid} ${mediaVolume} ${configVolume} diff --git a/system/podman/servarr/rdtclient.nix b/system/podman/servarr/rdtclient.nix index 072510b..fc03386 100644 --- a/system/podman/servarr/rdtclient.nix +++ b/system/podman/servarr/rdtclient.nix 
@@ -21,7 +21,7 @@ in ''; services.nginx.virtualHosts.${domain} = { - enableACME = true; + useACMEHost = "tigor.web.id"; forceSSL = true; locations."/" = { proxyPass = "http://${ip}:6500"; @@ -29,6 +29,8 @@ in }; }; + security.acme.certs."tigor.web.id".extraDomainNames = [ domain ]; + system.activationScripts."podman-${name}" = '' mkdir -p ${volumeConfig} ${mediaVolume} chown ${uid}:${gid} ${volumeConfig} ${mediaVolume} diff --git a/system/podman/servarr/real-debrid-manager.nix b/system/podman/servarr/real-debrid-manager.nix index 3357fc6..d71a9c7 100644 --- a/system/podman/servarr/real-debrid-manager.nix +++ b/system/podman/servarr/real-debrid-manager.nix @@ -22,7 +22,7 @@ in ''; services.nginx.virtualHosts.${domain} = { - enableACME = true; + useACMEHost = "tigor.web.id"; forceSSL = true; locations."/" = { proxyPass = "http://${ip}:5000"; @@ -30,6 +30,8 @@ in }; }; + security.acme.certs."tigor.web.id".extraDomainNames = [ domain ]; + system.activationScripts."podman-${name}" = '' mkdir -p ${configVolume} ${mediaVolume} ${watchVolume} chown ${uid}:${gid} ${configVolume} ${mediaVolume} ${watchVolume} diff --git a/system/podman/servarr/sonarr.nix b/system/podman/servarr/sonarr.nix index e0bf389..ddf5f72 100644 --- a/system/podman/servarr/sonarr.nix +++ b/system/podman/servarr/sonarr.nix @@ -25,7 +25,7 @@ in ''; services.nginx.virtualHosts.${domain} = { - enableACME = true; + useACMEHost = "tigor.web.id"; forceSSL = true; locations."/" = { proxyPass = "http://${ip}:8989"; @@ -33,12 +33,17 @@ in }; }; + security.acme.certs."tigor.web.id".extraDomainNames = [ + domain + domain-anime + ]; + services.caddy.virtualHosts.${domain-anime}.extraConfig = '' reverse_proxy ${ip-anime}:8989 ''; services.nginx.virtualHosts.${domain-anime} = { - enableACME = true; + useACMEHost = "tigor.web.id"; forceSSL = true; locations."/" = { proxyPass = "http://${ip}:8989"; diff --git a/system/podman/soulseek.nix b/system/podman/soulseek.nix index d71ecb8..06b6615 100644 
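Review bot: The `${domain-anime}` vhost that now gets `useACMEHost` still proxies to `http://${ip}:8989` (the context line closing the hunk) while the Caddy vhost for the same name a few lines up forwards to `${ip-anime}:8989`; that looks like a pre-existing copy-paste, and it means the anime hostname, now carried on the shared certificate, serves the main Sonarr instance through nginx. Confirm which backend is intended and, if it is the second instance, change the line to `proxyPass = "http://${ip-anime}:8989";`. The vhost and the enclosing `config` block continue past the end of the hunk.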
--- a/system/podman/soulseek.nix
+++ b/system/podman/soulseek.nix
@@ -19,25 +19,20 @@ let
 in
 {
   config = mkIf (podman.enable && podman.${name}.enable) {
-    services.caddy.virtualHosts.${domain}.extraConfig = ''
-      @require_auth not remote_ip private_ranges
-
-      basic_auth @require_auth {
-        {$AUTH_USERNAME} {$AUTH_PASSWORD}
-      }
-
-      reverse_proxy ${ip}:6080
-    '';
-
     services.nginx.virtualHosts.${domain} = {
-      enableACME = true;
+      useACMEHost = "tigor.web.id";
       forceSSL = true;
       locations."/" = {
         proxyPass = "http://${ip}:6080";
         proxyWebsockets = true;
+        extraConfig = ''
+          auth_basic $auth_ip;
+        '';
       };
     };
 
+    security.acme.certs."tigor.web.id".extraDomainNames = [ domain ];
+
     system.activationScripts."podman-${name}" = ''
       mkdir -p ${rootVolume}/{config,downloads,incomplete}
       chown ${uid}:${gid} ${rootVolume} ${rootVolume}/{config,downloads,incomplete}
diff --git a/system/podman/suwayomi.nix b/system/podman/suwayomi.nix
index b93cd31..948dfb5 100644
--- a/system/podman/suwayomi.nix
+++ b/system/podman/suwayomi.nix
@@ -22,13 +22,15 @@ in
     '';
 
     services.nginx.virtualHosts.${domain} = {
-      enableACME = true;
+      useACMEHost = "tigor.web.id";
       forceSSL = true;
       locations."/" = {
         proxyPass = "http://${ip}:4567";
       };
     };
 
+    security.acme.certs."tigor.web.id".extraDomainNames = [ domain ];
+
     system.activationScripts."podman-${name}" = ''
       mkdir -p ${volume}
       chown ${uid}:${gid} ${volume}
diff --git a/system/podman/ytptube.nix b/system/podman/ytptube.nix
index e58a7e2..2565cfb 100644
--- a/system/podman/ytptube.nix
+++ b/system/podman/ytptube.nix
@@ -64,8 +64,7 @@ in
 lib.mkMerge [
   (mkIf podman.${name}.enable {
     services.nginx.virtualHosts.${domain} = {
-      enableACME = true;
-      # useACMEHost = "ytptube.tigor.web.id";
+      useACMEHost = "tigor.web.id";
       forceSSL = true;
       locations."/" = {
         proxyPass = "http://${ip}:8081";
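Review bot: `auth_basic $auth_ip;` is attached only to `locations."/"`, so any location added to this vhost later is served with no password at all; this is the one host in the commit that relies on the nginx basic-auth path that replaces the removed Caddy `basic_auth`, and the enclosing `config = mkIf …` block continues outside the hunk. Moving the directive into the vhost's server-level `extraConfig` would make new locations inherit it, but the ACME challenge location the nginx module presumably emits for this name would inherit it too, and HTTP-01 validation from outside the private ranges would then get a 401 unless that location carries `auth_basic off;`. Either keep it at location level and repeat it for every new location, or hoist it and exempt the challenge location explicitly; a one-line comment next to the directive stating which of the two is intended would save the next maintainer from guessing.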
@@ -73,6 +72,10 @@ lib.mkMerge [ }; }; + security.acme.certs."tigor.web.id".extraDomainNames = [ + domain + ]; + services.caddy.virtualHosts.${domain}.extraConfig = '' @require_auth not remote_ip private_ranges diff --git a/system/services/cockpit.nix b/system/services/cockpit.nix index 6c5319e..b16e588 100644 --- a/system/services/cockpit.nix +++ b/system/services/cockpit.nix @@ -15,7 +15,7 @@ in ]; services.nginx.virtualHosts."cockpit.tigor.web.id" = { - enableACME = true; + useACMEHost = "tigor.web.id"; forceSSL = true; locations."/" = { proxyPass = "http://0.0.0.0:9090"; @@ -23,6 +23,8 @@ in }; }; + security.acme.certs."tigor.web.id".extraDomainNames = [ "cockpit.tigor.web.id" ]; + services.caddy.virtualHosts."cockpit.tigor.web.id".extraConfig = # caddyfile '' @denied not remote_ip private_ranges diff --git a/system/services/forgejo.nix b/system/services/forgejo.nix index bbaa666..9048433 100644 --- a/system/services/forgejo.nix +++ b/system/services/forgejo.nix @@ -11,7 +11,7 @@ in { config = mkIf cfg.enable { services.nginx.virtualHosts."git.tigor.web.id" = { - enableACME = true; + useACMEHost = "tigor.web.id"; forceSSL = true; locations = { "= /" = { @@ -30,6 +30,8 @@ in }; }; + security.acme.certs."tigor.web.id".extraDomainNames = [ "git.tigor.web.id" ]; + services.caddy.virtualHosts."git.tigor.web.id".extraConfig = '' @home_not_login { not header_regexp Cookie gitea_incredible diff --git a/system/services/jellyfin.nix b/system/services/jellyfin.nix index d60599c..80976ec 100644 --- a/system/services/jellyfin.nix +++ b/system/services/jellyfin.nix @@ -17,7 +17,7 @@ in ''; services.nginx.virtualHosts."${domain}" = { - enableACME = true; + useACMEHost = "tigor.web.id"; forceSSL = true; locations = { "= /metrics" = { 
@@ -30,7 +30,12 @@ in }; }; - services.caddy.virtualHosts.${domain}.extraConfig = '' + security.acme.certs."tigor.web.id".extraDomainNames = [ + domain + domain-jellyseerr + ]; + + services.caddy.virtualHosts."${domain}".extraConfig = '' @public not remote_ip private_ranges handle_path /metrics { @@ -53,14 +58,14 @@ in reverse_proxy 0.0.0.0:8096 } ''; - services.caddy.virtualHosts.${domain-jellyseerr} = mkIf cfg.jellyseerr.enable { + services.caddy.virtualHosts."${domain-jellyseerr}" = mkIf cfg.jellyseerr.enable { extraConfig = '' reverse_proxy 0.0.0.0:5055 ''; }; - services.nginx.virtualHosts.${domain-jellyseerr} = mkIf cfg.jellyseerr.enable { - enableACME = true; + services.nginx.virtualHosts."${domain-jellyseerr}" = mkIf cfg.jellyseerr.enable { + useACMEHost = "tigor.web.id"; forceSSL = true; locations."/" = { proxyPass = "http://0.0.0.0:5055"; diff --git a/system/services/kavita.nix b/system/services/kavita.nix index d5b3c5f..5224a95 100644 --- a/system/services/kavita.nix +++ b/system/services/kavita.nix @@ -25,7 +25,7 @@ in ''; services.nginx.virtualHosts."kavita.tigor.web.id" = { - enableACME = true; + useACMEHost = "tigor.web.id"; forceSSL = true; locations = { "/" = { @@ -34,6 +34,8 @@ in }; }; }; + + security.acme.certs."tigor.web.id".extraDomainNames = [ "kavita.tigor.web.id" ]; services.kavita = { enable = true; tokenKeyFile = config.sops.secrets."kavita/token".path; diff --git a/system/services/navidrome.nix b/system/services/navidrome.nix index b282a22..386f878 100644 --- a/system/services/navidrome.nix +++ b/system/services/navidrome.nix @@ -11,7 +11,7 @@ in ''; services.nginx.virtualHosts."navidrome.tigor.web.id" = { - enableACME = true; + useACMEHost = "tigor.web.id"; forceSSL = true; locations = { "/" = { @@ -21,6 +21,8 @@ in }; }; + security.acme.certs."tigor.web.id".extraDomainNames = [ "navidrome.tigor.web.id" ]; + users.groups.navidrome.members = [ user.name ]; users.groups.${user.name}.members = [ "navidrome" ]; 
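Review bot: In kavita.nix the added `security.acme.certs."tigor.web.id".extraDomainNames` line is preceded by a blank line but runs straight into `services.kavita = {` with none after it, unlike every other module in this commit, which surrounds the new attribute with blank lines on both sides; syncthing.nix has the same asymmetry before `sops.secrets = let`. Adding the trailing blank line in both files keeps the 28 files consistent.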
diff --git a/system/services/nginx.nix b/system/services/nginx.nix
index 9deed85..c45bd6e 100644
--- a/system/services/nginx.nix
+++ b/system/services/nginx.nix
@@ -83,6 +83,7 @@ in
     };
 
     services.nginx.virtualHosts."tigor.web.id" = {
+      # Enable ACME implies security.acme.certs."tigor.web.id" to be created.
       enableACME = true;
       forceSSL = true;
       locations."/" = {
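Review bot: Every name the other modules append through `extraDomainNames` ends up in this certificate's SAN list and therefore in the public Certificate Transparency logs, so the full inventory of internal service hostnames (cockpit, pihole, git, syncthing, …) becomes readable from the certificate alone; a wildcard `*.tigor.web.id` obtained through DNS-01 (`dnsProvider` on this cert) would keep those names out of the certificate and, since the SAN set would no longer change, would also stop each newly added module from triggering a re-issuance of the combined certificate, which is presumably the rate limit the commit message is trying to avoid. The new comment only says that the cert gets created; it would help the reader of the other 25 files if it also stated the contract, e.g. `# enableACME creates security.acme.certs."tigor.web.id"; every other vhost attaches to it with useACMEHost and extends its SAN list via extraDomainNames.`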
@@ -91,38 +92,39 @@ in
       };
     };
 
+    sops.secrets."nginx/htpasswd" = {
+      sopsFile = ../../secrets/nginx.yaml;
+      owner = "nginx";
+    };
+
     # Enable Real IP from Cloudflare
     services.nginx.commonHttpConfig =
-      let
-        realIpsFromList = lib.strings.concatMapStringsSep "\n" (x: "set_real_ip_from ${x};");
-        fileToList = x: lib.strings.splitString "\n" (builtins.readFile x);
-        cfipv4 = fileToList (
-          pkgs.fetchurl {
-            url = "https://www.cloudflare.com/ips-v4";
-            sha256 = "0ywy9sg7spafi3gm9q5wb59lbiq0swvf0q3iazl0maq1pj1nsb7h";
-          }
-        );
-        cfipv6 = fileToList (
-          pkgs.fetchurl {
-            url = "https://www.cloudflare.com/ips-v6";
-            sha256 = "1ad09hijignj6zlqvdjxv7rjj8567z357zfavv201b9vx3ikk7cy";
-          }
-        );
-      in
+      # let
+      #   realIpsFromList = lib.strings.concatMapStringsSep "\n" (x: "set_real_ip_from ${x};");
+      #   fileToList = x: lib.strings.splitString "\n" (builtins.readFile x);
+      #   cfipv4 = fileToList (
+      #     pkgs.fetchurl {
+      #       url = "https://www.cloudflare.com/ips-v4";
+      #       sha256 = "0ywy9sg7spafi3gm9q5wb59lbiq0swvf0q3iazl0maq1pj1nsb7h";
+      #     }
+      #   );
+      #   cfipv6 = fileToList (
+      #     pkgs.fetchurl {
+      #       url = "https://www.cloudflare.com/ips-v6";
+      #       sha256 = "1ad09hijignj6zlqvdjxv7rjj8567z357zfavv201b9vx3ikk7cy";
+      #     }
+      #   );
+      # in
       #nginx
       ''
         geo $auth_ip {
           default "Password required";
-          10.0.0.0/8 "off";
-          172.16.0.0/12 "off";
-          192.168.0.0/16 "off";
+          10.0.0.0/8 off;
+          172.16.0.0/12 off;
+          192.168.0.0/16 off;
         }
 
-        auth_pam_service_name "nginx";
-
-        ${realIpsFromList cfipv4}
-        ${realIpsFromList cfipv6}
-        real_ip_header CF-Connecting-IP;
+        auth_basic_user_file ${config.sops.secrets."nginx/htpasswd".path};
       '';
 
     # This is needed for nginx to be able to read other processes
diff --git a/system/services/ntfy-sh.nix b/system/services/ntfy-sh.nix
index 1f09554..fe2004e 100644
--- a/system/services/ntfy-sh.nix
+++ b/system/services/ntfy-sh.nix
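Review bot: `10.0.0.0/8 off;` and `172.16.0.0/12 off;` exempt far more than the LAN: `geo` matches on `$remote_addr`, and the podman bridge addresses used elsewhere in this tree (`10.88.1.1` in pihole.nix) fall inside 10/8, so any container that can reach nginx gets the password-protected hosts without credentials. Unless a VPN or VLAN really lives in those two ranges, drop them and keep only the real LAN prefix (`192.168.0.0/16 off;` is already present), or add a more specific override such as `10.88.0.0/16 "Password required";`, which geo should resolve by longest prefix. With the `set_real_ip_from`/`real_ip_header` block gone, `$remote_addr` is now the direct peer: if Cloudflare still proxies these names, external clients appear as Cloudflare edge addresses (fail-closed for the geo check, but the client IP vanishes from access logs), and if it does not, the 16 commented-out `let` lines are dead code that git history already preserves and are better deleted than kept. The `services.nginx.commonHttpConfig` attribute continues into the first hunk of this file.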
@@ -19,7 +19,7 @@ lib.mkMerge [ ''; services.nginx.virtualHosts.${domain} = { - enableACME = true; + useACMEHost = "tigor.web.id"; forceSSL = true; locations = { "/" = { @@ -29,6 +29,8 @@ lib.mkMerge [ }; }; + security.acme.certs."tigor.web.id".extraDomainNames = [ domain ]; + services.ntfy-sh = { enable = true; settings = diff --git a/system/services/photoprism.nix b/system/services/photoprism.nix index 00c04e9..acdb2df 100644 --- a/system/services/photoprism.nix +++ b/system/services/photoprism.nix @@ -22,7 +22,7 @@ in ''; services.nginx.virtualHosts.${domain} = { - enableACME = true; + useACMEHost = "tigor.web.id"; forceSSL = true; locations = { "/" = { @@ -32,6 +32,8 @@ in }; }; + security.acme.certs."tigor.web.id".extraDomainNames = [ domain ]; + sops.secrets."photoprism/admin_password" = { sopsFile = ../../secrets/photoprism.yaml; }; diff --git a/system/services/syncthing.nix b/system/services/syncthing.nix index 98b2c9a..aacb192 100644 --- a/system/services/syncthing.nix +++ b/system/services/syncthing.nix @@ -18,7 +18,7 @@ in ''; services.nginx.virtualHosts."syncthing.tigor.web.id" = { - enableACME = true; + useACMEHost = "tigor.web.id"; forceSSL = true; locations = { "/" = { @@ -27,6 +27,8 @@ in }; }; }; + + security.acme.certs."tigor.web.id".extraDomainNames = [ "syncthing.tigor.web.id" ]; sops.secrets = let opts = { diff --git a/system/services/telemetry/grafana.nix b/system/services/telemetry/grafana.nix index 5d4845e..3a33b5b 100644 --- a/system/services/telemetry/grafana.nix +++ b/system/services/telemetry/grafana.nix 
@@ -29,6 +29,19 @@ in
       reverse_proxy ${config.services.grafana.settings.server.http_addr}:${toString config.services.grafana.settings.server.http_port}
     '';
 
+    services.nginx.virtualHosts.${grafanaDomain} = {
+      useACMEHost = "tigor.web.id";
+      forceSSL = true;
+      locations."/" = {
+        proxyPass = "http://${config.services.grafana.settings.server.http_addr}:${toString config.services.grafana.settings.server.http_port}";
+        proxyWebsockets = true;
+      };
+    };
+
+    security.acme.certs."tigor.web.id".extraDomainNames = [
+      grafanaDomain
+    ];
+
     services.grafana = {
       enable = true;
       package = pkgs.grafana;