Configure lan.disasm.us and enable wildcard acme SSL

Author: disassembler

.envrc

@@ -0,0 +1,5 @@
+if ! has nix_direnv_version || ! nix_direnv_version 1.4.0; then
+  source_url "https://raw.githubusercontent.com/nix-community/nix-direnv/1.4.0/direnvrc" "sha256-4XfVDjv75eHMWN4G725VW7BoOV4Vl3vAabK4YXIfPyE="
+fi
+
+use flake

.gitignore

@@ -1,2 +1,3 @@
 result*
 *.qcow2
+.direnv

flake.lock

@@ -55,6 +55,7 @@ in
     mpd_pw = { };
     mpd_icecast_pw = { };
     alertmanager = { };
+    lego-knot-credentials.owner = "acme";
   };
   imports =
     [
@@ -104,15 +105,15 @@ in
 
   networking = {
     hostName = "optina";
-    domain = "wedlake.lan";
+    domain = "lan.disasm.us";
     hostId = "1768b40b";
     interfaces.enp2s0.ipv4.addresses = [{ address = "10.40.33.20"; prefixLength = 24; }];
     defaultGateway = "10.40.33.1";
     nameservers = [ "10.40.33.1" "8.8.8.8" ];
     extraHosts =
       ''
         10.233.1.2 rtorrent.optina.local
-        10.40.33.20 crate.wedlake.lan
+        10.40.33.20 crate.lan.disasm.us
       '';
     nat = {
       enable = true;
@@ -157,6 +158,16 @@ in
     };
   };
 
+  security.acme.acceptTerms = true;
+  security.acme.email = "[email protected]";
+  security.acme.certs."lan.disasm.us" = {
+    domain = "*.lan.disasm.us";
+    postRun = "systemctl reload nginx.service";
+    group = "nginx";
+    keyType = "ec384";
+    dnsProvider = "rfc2136";
+    credentialsFile = config.sops.secrets.lego-knot-credentials.path;
+  };
   security.pki.certificates = [ shared.wedlake_ca_cert ];
 
   nixpkgs = {
@@ -209,26 +220,28 @@ in
     home-assistant = {
       enable = true;
       package = (pkgs.home-assistant.override {
-        extraComponents = [ "sense" "roku" "homekit" "sense_energy" ];
+        extraComponents = [ "sense" "roku" "homekit" ];
       }).overrideAttrs (oldAttrs: { doInstallCheck = false; });
       config = {
         default_config = { };
         met = { };
         sense = { };
+        roku = { };
+        homekit = { };
       };
     };
     matterbridge = {
       enable = true;
       configPath = "/etc/nixos/matterbridge.toml";
     };
     minecraft-bedrock-server.enable = true;
-    #vaultwarden = {
-    #  enable = true;
-    #  config = {
-    #    signupsAllowed = true;
-    #    domain = "http://optina.wedlake.lan:8085";
-    #  };
-    #};
+    vaultwarden = {
+      enable = true;
+      config = {
+        signupsAllowed = false;
+        domain = "https://vw.lan.disasm.us";
+      };
+    };
     udev.extraRules = ''
       ACTION=="add", SUBSYSTEM=="net", ATTR{address}=="74:d4:35:9b:84:62", NAME="enp2s0"
     '';
@@ -240,7 +253,7 @@ in
       extraProperties = ''
         offsets.topic.replication.factor = 1
       '';
-      hostname = "optina.wedlake.lan";
+      hostname = "optina.lan.disasm.us";
       zookeeper = "localhost:2181";
     };
     elasticsearch = {
@@ -251,7 +264,7 @@ in
 
     kibana = {
       enable = false;
-      listenAddress = "optina.wedlake.lan";
+      listenAddress = "optina.lan.disasm.us";
       elasticsearch.url = "http://localhost:9200";
     };
 
@@ -263,7 +276,7 @@ in
     #  web = {
     #    enable = true;
     #    listenPort = "8002";
-    #    baseURL = "https://hledger.wedlake.lan/";
+    #    baseURL = "https://hledger.lan.disasm.us/";
     #  };
     #};
 
@@ -280,7 +293,7 @@ in
           move_metadata_to_field: journal
           default_type: journal
         output.kafka:
-          hosts: ["optina.wedlake.lan:9092"]
+          hosts: ["optina.lan.disasm.us:9092"]
           topic: KAFKA-LOGSTASH-ELASTICSEARCH
       '';
     };
@@ -323,10 +336,10 @@ in
     bitlbee.enable = true;
     gitea = {
       enable = false;
-      domain = "git.wedlake.lan";
+      domain = "git.lan.disasm.us";
       appName = "Personal Git Server";
       httpAddress = "127.0.0.1";
-      rootUrl = "https://git.wedlake.lan";
+      rootUrl = "https://git.lan.disasm.us";
       httpPort = 3001;
       database = {
         type = "postgres";
@@ -446,7 +459,7 @@ in
       };
       #unifi = {
       #  enable = false;
-      #  unifiAddress = "https://unifi.wedlake.lan";
+      #  unifiAddress = "https://unifi.lan.disasm.us";
       #  unifiUsername = "prometheus";
       #  unifiPassword = secrets.unifi_password_ro;
       #  openFirewall = true;
@@ -461,7 +474,7 @@ in
         scheme = "http";
         path_prefix = "/";
         static_configs = [{
-          targets = [ "optina.wedlake.lan:9093" ];
+          targets = [ "optina.lan.disasm.us:9093" ];
         }];
       }];
       rules = [
@@ -613,18 +626,18 @@ in
           static_configs = [
             {
               targets = [
-                "portal.wedlake.lan:9100"
+                "portal.lan.disasm.us:9100"
               ];
               labels = {
-                alias = "portal.wedlake.lan";
+                alias = "portal.lan.disasm.us";
               };
             }
             {
               targets = [
-                "optina.wedlake.lan:9100"
+                "optina.lan.disasm.us:9100"
               ];
               labels = {
-                alias = "optina.wedlake.lan";
+                alias = "optina.lan.disasm.us";
               };
             }
             {
@@ -657,7 +670,7 @@ in
         #        "localhost:9130"
         #      ];
         #      labels = {
-        #        alias = "unifi.wedlake.lan";
+        #        alias = "unifi.lan.disasm.us";
         #      };
         #    }
         #  ];
@@ -798,18 +811,49 @@ in
     nginx = {
       enable = true;
       virtualHosts = {
-        "netboot.wedlake.lan" = {
+        "netboot.lan.disasm.us" = {
           root = netboot_root;
           extraConfig = ''
             location ~ [^/]\.php(/|$) {
               fastcgi_pass unix:${config.services.phpfpm.pools.mypool.socket};
             }
           '';
         };
-        "hledger.wedlake.lan" = {
+        "hass.lan.disasm.us" = {
+          useACMEHost = "lan.disasm.us";
+          forceSSL = true;
+          locations."/" = {
+            proxyPass = "http://optina.lan.disasm.us:8123";
+            extraConfig = ''
+              proxy_set_header Host $host;
+              proxy_set_header X-Forwarded-Proto $scheme;
+            '';
+          };
+          locations."/api/websocket" = {
+            proxyPass = "http://optina.lan.disasm.us:8123";
+            extraConfig = ''
+              proxy_http_version 1.1;
+              proxy_set_header Host $host;
+              proxy_set_header X-Forwarded-Proto $scheme;
+              proxy_set_header Upgrade $http_upgrade;
+              proxy_set_header Connection "Upgrade";
+            '';
+          };
+        };
+        "vw.lan.disasm.us" = {
+          useACMEHost = "lan.disasm.us";
+          forceSSL = true;
+          locations."/" = {
+            proxyPass = "http://optina.lan.disasm.us:8000";
+            extraConfig = ''
+              proxy_set_header Host $host;
+              proxy_set_header X-Forwarded-Proto $scheme;
+            '';
+          };
+        };
+        "hledger.lan.disasm.us" = {
+          useACMEHost = "lan.disasm.us";
           forceSSL = true;
-          sslCertificate = "/data/ssl/hledger.wedlake.lan.crt";
-          sslCertificateKey = "/data/ssl/hledger.wedlake.lan.key";
           locations."/api".extraConfig = ''
             proxy_pass http://localhost:8001/api;
             proxy_set_header Host $host;
@@ -825,33 +869,14 @@ in
             proxy_set_header  X-Forwarded-For   $proxy_add_x_forwarded_for;
           '';
         };
-        "crate.wedlake.lan" = {
+        "stg.lan.disasm.us" = {
+          useACMEHost = "lan.disasm.us";
           forceSSL = true;
-          sslCertificate = "/data/ssl/nginx.crt";
-          sslCertificateKey = "/data/ssl/nginx.key";
-          locations."/".extraConfig = ''
-            proxy_pass http://localhost:8089/;
-            proxy_set_header Host $host;
-            proxy_set_header X-Forwarded-Proto $scheme;
-            proxy_set_header  X-Real-IP         $remote_addr;
-            proxy_set_header  X-Forwarded-For   $proxy_add_x_forwarded_for;
-          '';
-          #locations."/weechat" = {
-          #  proxyPass = "http://127.0.0.1:9001/weechat";
-          #  proxyWebsockets = true;
-          #  extraConfig = ''
-          #    proxy_read_timeout 4h;
-          #  '';
-          #};
-        };
-        "storage.wedlake.lan" = {
-          forceSSL = false;
           root = "/var/storage";
         };
-        "unifi.wedlake.lan" = {
+        "unifi.lan.disasm.us" = {
+          useACMEHost = "lan.disasm.us";
           forceSSL = true;
-          sslCertificate = "/data/ssl/unifi.wedlake.lan.crt";
-          sslCertificateKey = "/data/ssl/unifi.wedlake.lan.key";
           locations."/".extraConfig = ''
             proxy_set_header Referer "";
             proxy_pass https://localhost:8443/;
@@ -863,18 +888,18 @@ in
             proxy_set_header Connection "upgrade";
           '';
         };
-        "git.wedlake.lan" = {
-          forceSSL = true;
-          sslCertificate = "/data/ssl/git.wedlake.lan.crt";
-          sslCertificateKey = "/data/ssl/git.wedlake.lan.key";
-          locations."/".extraConfig = ''
-            proxy_pass http://localhost:3001/;
-            proxy_set_header Host $host;
-            proxy_set_header X-Forwarded-Proto $scheme;
-            proxy_set_header  X-Real-IP         $remote_addr;
-            proxy_set_header  X-Forwarded-For   $proxy_add_x_forwarded_for;
-          '';
-        };
+        #"git.lan.disasm.us" = {
+        #  forceSSL = true;
+        #  sslCertificate = "/data/ssl/git.lan.disasm.us.crt";
+        #  sslCertificateKey = "/data/ssl/git.lan.disasm.us.key";
+        #  locations."/".extraConfig = ''
+        #    proxy_pass http://localhost:3001/;
+        #    proxy_set_header Host $host;
+        #    proxy_set_header X-Forwarded-Proto $scheme;
+        #    proxy_set_header  X-Real-IP         $remote_addr;
+        #    proxy_set_header  X-Forwarded-For   $proxy_add_x_forwarded_for;
+        #  '';
+        #};
       };
     };
 

nixos/optina/configuration.nix

@@ -2,14 +2,15 @@ gitea_dbpass: ENC[AES256_GCM,data:QqWVLBLqdg+2G1HGf84qmg==,iv:MD5LRy0o5Kwe2/pcxC
 mpd_pw: ENC[AES256_GCM,data:1Ee1,iv:k1mNPPTCA8Foe1B2rnf5u9v0Jc3Vf/wHiUgQ3gL4cHI=,tag:e5HcloSzNAkl6Fpd1VETVw==,type:str]
 mpd_icecast_pw: ENC[AES256_GCM,data:bb8l,iv:gzIH3mfjBxO5pn1k1rTD+dBNKQFEt7unBXMb/kjMk68=,tag:77Li7/5R6apqearBiAhCXA==,type:str]
 alertmanager: ENC[AES256_GCM,data:0We2OipaHQyyb5z1oGY+BkZ0TzDpL1f/V8z/MeIrHn0Z1nhPesdAk/XiDjspaag3uMmdNV9uk/YteW0D7JoV1+cAHqV4It+O8ug=,iv:Eb9CcYJkHWTJ5ktquNjxr86a9Kf4LM7TjWxE3VVlWcQ=,tag:fFnSjEb+ZXZVMh8Atyxjwg==,type:str]
+lego-knot-credentials: ENC[AES256_GCM,data:h92JPrEPu8KHz1H6lEOowXukFBwzrxW958nABKQwoNZdKBpaldrOGHRlSGrMQGCxbUVhTzFsPtZnmZshVTUsdTgdHKWu3XpLj/LuwFzFTpae3kENnyLWg2zBVLugpnYSArFoMbZlVQqBkUkDgnNMkymVL/3X2AHq/ZSIqJ6HC1AzhB6EigGUAS5aR7dV0hgCFvZdV5ijZiZZBE1/voLur5Z0ZwDcBNsIbCYWGZWlcTqf8Q==,iv:TqpTzZmglFnW97opog8S/OvtIWoM4UzbkQ065kiwbFc=,tag:mF8uQHjE/R7NtfY4W/xTPg==,type:str]
 sops:
     kms: []
     gcp_kms: []
     azure_kv: []
     hc_vault: []
     age: []
-    lastmodified: "2022-01-19T16:45:27Z"
-    mac: ENC[AES256_GCM,data:W481I7O6sDC7HaNLLnKegD0jWBn39gzR5OIrujPs+JB21tbeHCxypMpQ5Aq4/GGChGJvWIp/k5HI6h8JwOjcawe2HmxLkZyMcFyAHaFtn/+MNJ/SgqH32yxmul1Kd4L3dvhZXHM1zvvZKVUCnV7M4Jx0vSNO2Oos+rWGhrB9Wes=,iv:vvyFhPt1ABEfZTQHv0alyncvxixru6sI4hUvhH6mppo=,tag:rBhOUcaPvvZoF+lYVofEmA==,type:str]
+    lastmodified: "2022-01-28T17:04:45Z"
+    mac: ENC[AES256_GCM,data:Vvj299eiIaPkAqta2wkn+u1SSoi14jTbUoLhIMZ5UJMf9msZ283XU4nMKNPa7QFPvC6E/PFghEN017LDZjYcmRiKB093zjO3J1LhdQQIQ5BSwo/ErzdMXJIZjwUQGACmhyWhZTWifNwVL4Ml2kU1RaAbdXFJkvwXPAzrrSL+Qv8=,iv:LB1y38AlDrtpXiVa0kgPrkYmS/z/ZU6kyXTkzMLKnXo=,tag:ETkLNbFKFWVDgLRtrIKJSQ==,type:str]
     pgp:
         - created_at: "2022-01-19T04:05:43Z"
           enc: |-