diff --git a/machines/web01/linkal/default.nix b/machines/web01/linkal/default.nix
index 4e0b99c..e67fb89 100644
--- a/machines/web01/linkal/default.nix
+++ b/machines/web01/linkal/default.nix
@@ -1,11 +1,11 @@
 _: let
- host = "linkal.dgnum.eu";
+ host = "cal.dgnum.eu";
 calendarGroups = {
 luj-current = {
- port = 8443;
+ port = 8444;
 calendars = {
 "https://cloud.eleves.ens.fr/remote.php/dav/public-calendars/LLWm8qK9iC5YGrrR" = {
 name = "Délégation Générale";
diff --git a/machines/web01/linkal/module.nix b/machines/web01/linkal/module.nix
index a584337..9162607 100644
--- a/machines/web01/linkal/module.nix
+++ b/machines/web01/linkal/module.nix
@@ -47,25 +47,54 @@ in {
 };
 }) cfg.calendarGroups;
+ # Configure bind for DNS certificate validation on *.cal.dgnum.eu.
+ services.bind = {
+ enable = true;
+ ipv4Only = true;
+ extraConfig = ''
+ include "${config.age.secrets."named-bind_dnskeys_conf".path}";
+ '';
+
+ zones = [rec {
+ name = "cal.dgnum.eu";
+ file = "/var/db/bind/${name}";
+ master = true;
+ extraConfig = ''
+ allow-update { key "rfc2136key.cal.dgnum.eu"; };
+ '';
+ }];
+ };
+
+ networking.firewall = {
+ allowedTCPPorts = [ 53 ];
+ allowedUDPPorts = [ 53 ];
+ };
+
+ dgn-secrets.options = [{ named-bind_dnskeys_conf.owner = "named"; }];
+
+ # Configure ACME for DNS certificate validation
+ security.acme = {
+ acceptTerms = true;
+ defaults = {
+ dnsProvider = "rfc2136";
+ credentialsFile = config.age.secrets."acme-certs_secret".path;
+ dnsPropagationCheck = false;
+ };
+ };
+
 services.nginx = {
 enable = true;
- virtualHosts.${cfg.domain} = {
- enableACME = true;
- forceSSL = true;
+ virtualHosts = mapAttrs' (name:
+ { port, ... }:
+ nameValuePair "${name}.${cfg.domain}" {
+ enableACME = true;
+ acmeRoot = null; # Use DNS-01 validation
+ forceSSL = true;
- locations = mapAttrs' (name:
- { port, ... }:
- nameValuePair "^~ /${name}" {
- proxyPass = "http://127.0.0.1:${builtins.toString port}/";
- # extraConfig = ''
- # proxy_set_header X-Real-IP $remote_addr;
- # proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- # proxy_set_header Host $host;
- # proxy_redirect off;
- # '';
- }) cfg.calendarGroups;
- };
+ locations."/".proxyPass =
+ "http://127.0.0.1:${builtins.toString port}/";
+ }) cfg.calendarGroups;
 };
 };
 }
diff --git a/machines/web01/secrets/acme-certs_secret b/machines/web01/secrets/acme-certs_secret
new file mode 100644
index 0000000..4e46046
Binary files /dev/null and b/machines/web01/secrets/acme-certs_secret differ
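Review bot: The bind zone is hard-coded as `name = "cal.dgnum.eu";` while the nginx virtual hosts beside it are built from `cfg.domain`, so changing the module's domain option would leave DNS-01 validation pointing at a zone bind no longer serves; `name = cfg.domain;` keeps them in step, and the TSIG key name in `allow-update { key "rfc2136key.cal.dgnum.eu"; };` deserves a comment noting it must match the key defined in the named-bind_dnskeys_conf secret and the rfc2136 credentials file, neither of which is readable here. The new security.acme.defaults carry no `email`; unless one is set elsewhere in the module, the NixOS ACME module, as far as I recall, rejects the configuration, so please confirm it is provided. Opening TCP and UDP 53 on every interface is needed for the CA's lookups, but a comment such as `# authoritative-only zone for the calendar hosts; recursion stays at the NixOS default` would record why that exposure is acceptable, assuming cacheNetworks is left at its default, which the hunk does not show. The enclosing `in { … }` attribute set begins and ends outside the hunk.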
diff --git a/machines/web01/secrets/named-bind_dnskeys_conf b/machines/web01/secrets/named-bind_dnskeys_conf
new file mode 100644
index 0000000..773ae35
Binary files /dev/null and b/machines/web01/secrets/named-bind_dnskeys_conf differ
diff --git a/machines/web01/secrets/secrets.nix b/machines/web01/secrets/secrets.nix
index 384b505..5ab0979 100644
--- a/machines/web01/secrets/secrets.nix
+++ b/machines/web01/secrets/secrets.nix
@@ -1,9 +1,9 @@
 let
 lib = import ../../../lib { };
 publicKeys = lib.getNodeKeys "web01";
-in
-
-lib.setDefault { inherit publicKeys; } [
+in lib.setDefault { inherit publicKeys; } [
+ "acme-certs_secret"
+ "named-bind_dnskeys_conf"
 "plausible_admin-user-password-file"
 "plausible_secret-key-base-file"
 "plausible_release-cookie-file"