feat(linkal): Start setting up DNS-01 verification on *.cal.dgnum.eu

This commit is contained in:
Tom Hubrecht 2023-09-29 13:27:27 +02:00
parent 10f16665b2
commit d48a9bcc4b
5 changed files with 49 additions and 20 deletions

View file

@ -1,11 +1,11 @@
_:
let
host = "linkal.dgnum.eu";
host = "cal.dgnum.eu";
calendarGroups = {
luj-current = {
port = 8443;
port = 8444;
calendars = {
"https://cloud.eleves.ens.fr/remote.php/dav/public-calendars/LLWm8qK9iC5YGrrR" = {
name = "Délégation Générale";

View file

@ -47,25 +47,54 @@ in {
};
}) cfg.calendarGroups;
# Configure bind for DNS certificate validation on *.cal.dgnum.eu.
services.bind = {
enable = true;
ipv4Only = true;
extraConfig = ''
include "${config.age.secrets."named-bind_dnskeys_conf".path}";
'';
zones = [rec {
name = "cal.dgnum.eu";
file = "/var/db/bind/${name}";
master = true;
extraConfig = ''
allow-update { key "rfc2136key.cal.dgnum.eu"; };
'';
}];
};
networking.firewall = {
allowedTCPPorts = [ 53 ];
allowedUDPPorts = [ 53 ];
};
dgn-secrets.options = [{ named-bind_dnskeys_conf.owner = "named"; }];
# Configure ACME for DNS certificate validation
security.acme = {
acceptTerms = true;
defaults = {
dnsProvider = "rfc2136";
credentialsFile = config.age.secrets."acme-certs_secret".path;
dnsPropagationCheck = false;
};
};
services.nginx = {
enable = true;
virtualHosts.${cfg.domain} = {
virtualHosts = mapAttrs' (name:
{ port, ... }:
nameValuePair "${name}.${cfg.domain}" {
enableACME = true;
acmeRoot = null; # Use DNS-01 validation
forceSSL = true;
locations = mapAttrs' (name:
{ port, ... }:
nameValuePair "^~ /${name}" {
proxyPass = "http://127.0.0.1:${builtins.toString port}/";
# extraConfig = ''
# proxy_set_header X-Real-IP $remote_addr;
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# proxy_set_header Host $host;
# proxy_redirect off;
# '';
locations."/".proxyPass =
"http://127.0.0.1:${builtins.toString port}/";
}) cfg.calendarGroups;
};
};
};
}

Binary file not shown.

Binary file not shown.

View file

@ -1,9 +1,9 @@
let
lib = import ../../../lib { };
publicKeys = lib.getNodeKeys "web01";
in
lib.setDefault { inherit publicKeys; } [
in lib.setDefault { inherit publicKeys; } [
"acme-certs_secret"
"named-bind_dnskeys_conf"
"plausible_admin-user-password-file"
"plausible_secret-key-base-file"
"plausible_release-cookie-file"