feat(linkal): Start setting up DNS-01 verification on *.cal.dgnum.eu
parent
10f16665b2
commit
d48a9bcc4b
5 changed files with 49 additions and 20 deletions
|
@ -1,11 +1,11 @@
|
|||
_:
|
||||
|
||||
let
|
||||
host = "linkal.dgnum.eu";
|
||||
host = "cal.dgnum.eu";
|
||||
|
||||
calendarGroups = {
|
||||
luj-current = {
|
||||
port = 8443;
|
||||
port = 8444;
|
||||
calendars = {
|
||||
"https://cloud.eleves.ens.fr/remote.php/dav/public-calendars/LLWm8qK9iC5YGrrR" = {
|
||||
name = "Délégation Générale";
|
||||
|
|
|
@ -47,25 +47,54 @@ in {
|
|||
};
|
||||
}) cfg.calendarGroups;
|
||||
|
||||
# Configure bind for DNS certificate validation on *.cal.dgnum.eu.
|
||||
services.bind = {
|
||||
enable = true;
|
||||
ipv4Only = true;
|
||||
extraConfig = ''
|
||||
include "${config.age.secrets."named-bind_dnskeys_conf".path}";
|
||||
'';
|
||||
|
||||
zones = [rec {
|
||||
name = "cal.dgnum.eu";
|
||||
file = "/var/db/bind/${name}";
|
||||
master = true;
|
||||
extraConfig = ''
|
||||
allow-update { key "rfc2136key.cal.dgnum.eu"; };
|
||||
'';
|
||||
}];
|
||||
};
|
||||
|
||||
networking.firewall = {
|
||||
allowedTCPPorts = [ 53 ];
|
||||
allowedUDPPorts = [ 53 ];
|
||||
};
|
||||
|
||||
dgn-secrets.options = [{ named-bind_dnskeys_conf.owner = "named"; }];
|
||||
|
||||
# Configure ACME for DNS certificate validation
|
||||
security.acme = {
|
||||
acceptTerms = true;
|
||||
defaults = {
|
||||
dnsProvider = "rfc2136";
|
||||
credentialsFile = config.age.secrets."acme-certs_secret".path;
|
||||
dnsPropagationCheck = false;
|
||||
};
|
||||
};
|
||||
|
||||
services.nginx = {
|
||||
enable = true;
|
||||
|
||||
virtualHosts.${cfg.domain} = {
|
||||
virtualHosts = mapAttrs' (name:
|
||||
{ port, ... }:
|
||||
nameValuePair "${name}.${cfg.domain}" {
|
||||
enableACME = true;
|
||||
acmeRoot = null; # Use DNS-01 validation
|
||||
forceSSL = true;
|
||||
|
||||
locations = mapAttrs' (name:
|
||||
{ port, ... }:
|
||||
nameValuePair "^~ /${name}" {
|
||||
proxyPass = "http://127.0.0.1:${builtins.toString port}/";
|
||||
# extraConfig = ''
|
||||
# proxy_set_header X-Real-IP $remote_addr;
|
||||
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
# proxy_set_header Host $host;
|
||||
# proxy_redirect off;
|
||||
# '';
|
||||
locations."/".proxyPass =
|
||||
"http://127.0.0.1:${builtins.toString port}/";
|
||||
}) cfg.calendarGroups;
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
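Review bot: The zone's `allow-update { key "rfc2136key.cal.dgnum.eu"; };` grants the TSIG key write access to every record type in cal.dgnum.eu, while DNS-01 only needs to create and delete `_acme-challenge` TXT records, so anyone who obtains the `acme-certs_secret` credentials on this host could rewrite A or CNAME records for the whole zone. Least privilege here is `update-policy { grant rfc2136key.cal.dgnum.eu wildcard *.cal.dgnum.eu TXT; };` in place of the allow-update line (BIND refuses a zone that sets both, so it is a replacement, not an addition); the same key name must then match what the lego credentials file uses. Dynamic updates also require named to write the zone file at `/var/db/bind/cal.dgnum.eu` and its `.jnl` journal, and nothing in this commit creates or owns that file, so presumably it is provisioned by hand; a comment above `file = "/var/db/bind/${name}";` saying where it comes from would help the next person. Since the firewall now exposes 53/tcp and 53/udp to everyone, it is worth confirming that the generated named.conf only answers recursive queries from loopback, which I cannot tell from the visible lines.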
BIN
machines/web01/secrets/acme-certs_secret
Normal file
BIN
machines/web01/secrets/acme-certs_secret
Normal file
Binary file not shown.
BIN
machines/web01/secrets/named-bind_dnskeys_conf
Normal file
BIN
machines/web01/secrets/named-bind_dnskeys_conf
Normal file
Binary file not shown.
|
@ -1,9 +1,9 @@
|
|||
let
|
||||
lib = import ../../../lib { };
|
||||
publicKeys = lib.getNodeKeys "web01";
|
||||
in
|
||||
|
||||
lib.setDefault { inherit publicKeys; } [
|
||||
in lib.setDefault { inherit publicKeys; } [
|
||||
"acme-certs_secret"
|
||||
"named-bind_dnskeys_conf"
|
||||
"plausible_admin-user-password-file"
|
||||
"plausible_secret-key-base-file"
|
||||
"plausible_release-cookie-file"
|
||||
|
|