Andromeda/conf
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

use nginx for acme

Browse Source
This commit is contained in:
andromeda
2026-01-02 20:21:46 +01:00
parent 6db05df6a7
commit 5366c48991
1 changed files with 9 additions and 59 deletions
Download Patch File Download Diff File Expand all files Collapse all files

68
machines/109-199-104-83/configuration.nix
View File

@@ -2,86 +2,36 @@
config, config,
modulesPath, modulesPath,
machine, machine,
pkgs,
... ...
}: { }: rec {
# mailserver config # mailserver config
mailserver = { mailserver = {
enable = true; enable = true;
stateVersion = 3; stateVersion = 3;
fqdn = "mail.galaxious.de"; fqdn = "mail.${networking.domain}";
domains = ["galaxious.de"]; domains = ["${networking.domain}"];
x509.useACMEHost = config.mailserver.fqdn; x509.useACMEHost = config.mailserver.fqdn;
loginAccounts = { loginAccounts = {
"test@galaxious.de" = { "test@${networking.domain}" = {
hashedPasswordFile = builtins.toString config.age.secrets.secret3.path; hashedPasswordFile = builtins.toString config.age.secrets.secret3.path;
}; };
}; };
}; };
# cert config # cert config
# systemctl start galaxious.de.service & journalctl -fu acme-galaxious.de.service
security.acme = { security.acme = {
acceptTerms = true; acceptTerms = true;
defaults.email = "mtgmonket@gmail.com"; defaults.email = "mtgmonket@gmail.com";
certs."mail.galaxious.de" = {
domain = "mail.galaxious.de";
dnsProvider = "rfc2136";
environmentFile = "/var/lib/secrets/certs.secret";
dnsPropagationCheck = false;
}; };
}; services.nginx = {
services.bind = {
enable = true; enable = true;
extraConfig = '' virtualHosts."mail.${networking.domain}" = {
include "/var/lib/secrets/dnskeys.conf"; forceSSL = true;
''; enableACME = true;
zones = [
rec {
name = "galaxious.de";
file = "/var/db/bind/${name}";
master = true;
extraConfig = "allow-update { key rfc2136key.galaxious.de; };";
}
];
}; };
systemd.services.dns-rfc2136-conf = {
requiredBy = [
"acme-galaxious.de.service"
"bind.service"
];
before = [
"acme-galaxious.de.service"
"bind.service"
];
unitConfig = {
ConditionPathExists = "!/var/lib/secrets/dnskeys.conf";
};
serviceConfig = {
Type = "oneshot";
UMask = 77;
};
path = [pkgs.bind];
script = ''
mkdir -p /var/lib/secrets
chmod 755 /var/lib/secrets
tsig-keygen rfc2136key.galaxious.de > /var/lib/secrets/dnskeys.conf
chown named:root /var/lib/secrets/dnskeys.conf
chmod 400 /var/lib/secrets/dnskeys.conf
# extract secret value from the dnskeys.conf
while read x y; do if [ "$x" = "secret" ]; then secret="''${y:1:''${#y}-3}"; fi; done < /var/lib/secrets/dnskeys.conf
cat > /var/lib/secrets/certs.secret << EOF
RFC2136_NAMESERVER='127.0.0.1:53'
RFC2136_TSIG_ALGORITHM='hmac-sha256.'
RFC2136_TSIG_KEY='rfc2136key.galaxious.de'
RFC2136_TSIG_SECRET='$secret'
EOF
chmod 400 /var/lib/secrets/certs.secret
'';
}; };
# system config
system.stateVersion = "25.11"; system.stateVersion = "25.11";
nix.settings.experimental-features = ["flakes" "nix-command"]; nix.settings.experimental-features = ["flakes" "nix-command"];
imports = [(modulesPath + "/profiles/qemu-guest.nix")]; imports = [(modulesPath + "/profiles/qemu-guest.nix")];