feat(linkal): Start setting up DNS-01 verification on *.cal.dgnum.eu
parent
10f16665b2
commit
d48a9bcc4b
5 changed files with 49 additions and 20 deletions
|
@ -1,11 +1,11 @@
|
||||||
_:
|
_:
|
||||||
|
|
||||||
let
|
let
|
||||||
host = "linkal.dgnum.eu";
|
host = "cal.dgnum.eu";
|
||||||
|
|
||||||
calendarGroups = {
|
calendarGroups = {
|
||||||
luj-current = {
|
luj-current = {
|
||||||
port = 8443;
|
port = 8444;
|
||||||
calendars = {
|
calendars = {
|
||||||
"https://cloud.eleves.ens.fr/remote.php/dav/public-calendars/LLWm8qK9iC5YGrrR" = {
|
"https://cloud.eleves.ens.fr/remote.php/dav/public-calendars/LLWm8qK9iC5YGrrR" = {
|
||||||
name = "Délégation Générale";
|
name = "Délégation Générale";
|
||||||
|
|
|
@ -47,25 +47,54 @@ in {
|
||||||
};
|
};
|
||||||
}) cfg.calendarGroups;
|
}) cfg.calendarGroups;
|
||||||
|
|
||||||
|
# Configure bind for DNS certificate validation on *.cal.dgnum.eu.
|
||||||
|
services.bind = {
|
||||||
|
enable = true;
|
||||||
|
ipv4Only = true;
|
||||||
|
extraConfig = ''
|
||||||
|
include "${config.age.secrets."named-bind_dnskeys_conf".path}";
|
||||||
|
'';
|
||||||
|
|
||||||
|
zones = [rec {
|
||||||
|
name = "cal.dgnum.eu";
|
||||||
|
file = "/var/db/bind/${name}";
|
||||||
|
master = true;
|
||||||
|
extraConfig = ''
|
||||||
|
allow-update { key "rfc2136key.cal.dgnum.eu"; };
|
||||||
|
'';
|
||||||
|
}];
|
||||||
|
};
|
||||||
|
|
||||||
|
networking.firewall = {
|
||||||
|
allowedTCPPorts = [ 53 ];
|
||||||
|
allowedUDPPorts = [ 53 ];
|
||||||
|
};
|
||||||
|
|
||||||
|
dgn-secrets.options = [{ named-bind_dnskeys_conf.owner = "named"; }];
|
||||||
|
|
||||||
|
# Configure ACME for DNS certificate validation
|
||||||
|
security.acme = {
|
||||||
|
acceptTerms = true;
|
||||||
|
defaults = {
|
||||||
|
dnsProvider = "rfc2136";
|
||||||
|
credentialsFile = config.age.secrets."acme-certs_secret".path;
|
||||||
|
dnsPropagationCheck = false;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
services.nginx = {
|
services.nginx = {
|
||||||
enable = true;
|
enable = true;
|
||||||
|
|
||||||
virtualHosts.${cfg.domain} = {
|
virtualHosts = mapAttrs' (name:
|
||||||
enableACME = true;
|
{ port, ... }:
|
||||||
forceSSL = true;
|
nameValuePair "${name}.${cfg.domain}" {
|
||||||
|
enableACME = true;
|
||||||
|
acmeRoot = null; # Use DNS-01 validation
|
||||||
|
forceSSL = true;
|
||||||
|
|
||||||
locations = mapAttrs' (name:
|
locations."/".proxyPass =
|
||||||
{ port, ... }:
|
"http://127.0.0.1:${builtins.toString port}/";
|
||||||
nameValuePair "^~ /${name}" {
|
}) cfg.calendarGroups;
|
||||||
proxyPass = "http://127.0.0.1:${builtins.toString port}/";
|
|
||||||
# extraConfig = ''
|
|
||||||
# proxy_set_header X-Real-IP $remote_addr;
|
|
||||||
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
||||||
# proxy_set_header Host $host;
|
|
||||||
# proxy_redirect off;
|
|
||||||
# '';
|
|
||||||
}) cfg.calendarGroups;
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
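Review bot: `allow-update { key "rfc2136key.cal.dgnum.eu"; };` in the new `services.bind.zones` entry lets the holder of the ACME TSIG key change any record in `cal.dgnum.eu`, while the DNS-01 client only needs to write TXT records under `_acme-challenge.*`, so a compromised `acme-certs_secret` could rewrite the zone's A/AAAA/NS data rather than just challenge tokens. Replacing that line with `update-policy { grant rfc2136key.cal.dgnum.eu subdomain cal.dgnum.eu TXT; };` (the two directives are mutually exclusive, so `allow-update` goes away) limits the key to TXT records in the zone. Two smaller items in the same hunk: `dnsPropagationCheck = false;` skips the client's check that the TXT record is visible before the CA is asked to validate, which can turn transient DNS lag into failed orders, and nothing in the commit appears to create `/var/db/bind/cal.dgnum.eu`, which `named` must be able to read and write (dynamic updates keep a journal next to it) — worth a comment on how the zone file is provisioned. Opening port 53 on all interfaces is needed for the authoritative zone; whether recursion stays closed depends on the bind module's default query ACLs, so confirming that with a query from outside the host would be worthwhile. The enclosing `in { … }` attribute set starts before this hunk.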
BIN
machines/web01/secrets/acme-certs_secret
Normal file
BIN
machines/web01/secrets/acme-certs_secret
Normal file
Binary file not shown.
BIN
machines/web01/secrets/named-bind_dnskeys_conf
Normal file
BIN
machines/web01/secrets/named-bind_dnskeys_conf
Normal file
Binary file not shown.
|
@ -1,9 +1,9 @@
|
||||||
let
|
let
|
||||||
lib = import ../../../lib { };
|
lib = import ../../../lib { };
|
||||||
publicKeys = lib.getNodeKeys "web01";
|
publicKeys = lib.getNodeKeys "web01";
|
||||||
in
|
in lib.setDefault { inherit publicKeys; } [
|
||||||
|
"acme-certs_secret"
|
||||||
lib.setDefault { inherit publicKeys; } [
|
"named-bind_dnskeys_conf"
|
||||||
"plausible_admin-user-password-file"
|
"plausible_admin-user-password-file"
|
||||||
"plausible_secret-key-base-file"
|
"plausible_secret-key-base-file"
|
||||||
"plausible_release-cookie-file"
|
"plausible_release-cookie-file"
|
||||||
|
|