2026-05-17 23:06:07 +02:00
7 changed files with 24 additions and 162 deletions
--- a/constants.nix
+++ b/constants.nix
@ -30,7 +30,7 @@ rec {
      port = 8085;
    };
    netdata = {
-      fqdn = "mon." + domain;
+      # fqdn = "mon." + domain;
      port = 19999;
    };
    open-webui-oci = {
--- a/hosts/rx4/services/nginx.nix
+++ b/hosts/rx4/services/nginx.nix
@ -7,6 +7,8 @@
 let
  cfg = config.services.nginx;
  inherit (constants) domain;
 in
 {
  imports = [
@ -34,4 +36,21 @@ in
      };
    };
  };
  security.acme = {
    acceptTerms = true;
    defaults = {
      email = "admin@${domain}";
      dnsProvider = "hetzner";
      credentialFiles = {
        HETZNER_API_TOKEN_FILE = config.sops.secrets.hetzner-api-key.path;
      };
    };
  };
  sops.secrets.hetzner-api-key = {
    mode = "0400";
    owner = "acme";
    group = "acme";
  };
 }
--- a/hosts/rx4/services/vaultwarden.nix
+++ b/hosts/rx4/services/vaultwarden.nix
@ -62,18 +62,10 @@ in
    };
  };
-  security.acme = {
+  security.acme.certs."pw-custom" = {
-    acceptTerms = true;
+    domain = fqdn;
-    defaults.email = "admin@${domain}";
+    postRun = "systemctl restart vaultwarden.service";
-    certs."pw-custom" = {
+    group = "nginx";
      domain = fqdn;
      dnsProvider = "hetzner";
      dnsResolver = "1.1.1.1:53";
      credentialFiles = {
        HETZNER_API_TOKEN_FILE = config.sops.secrets.hetzner-api-key.path;
      };
      group = "nginx";
    };
  };
  sops =
@ -90,11 +82,6 @@ in
        "vaultwarden/smtp-password" = {
          inherit owner group mode;
        };
        hetzner-api-key = {
          inherit mode;
          owner = "acme";
          group = "acme";
        };
      };
      templates = {
        "vaultwarden/env-file" = {
--- a/hosts/sid/services/coredns.nix
+++ b/hosts/sid/services/coredns.nix
@ -1,31 +0,0 @@
 { constants, ... }:
 {
  services.resolved.enable = false;
  networking.resolvconf.enable = false;
  networking.nameservers = [ "127.0.0.1" ];
  services.coredns = {
    enable = true;
    config = with constants; ''
      .:53 {
        bind 0.0.0.0
        hosts {
          ${hosts.sid.ip} ${ca-fqdn} 
          ${hosts.sid.ip} ${services.netdata.fqdn}
          fallthrough
        }
        forward . 1.1.1.1 8.8.8.8
        cache 30
        log
        errors
      }
    '';
  };
  networking.firewall.allowedUDPPorts = [ 53 ];
  networking.firewall.allowedTCPPorts = [ 53 ];
 }
--- a/hosts/sid/services/default.nix
+++ b/hosts/sid/services/default.nix
@ -17,8 +17,5 @@
    ./nginx.nix
    ./radicale.nix
    ./rss-bridge.nix
    # ./coredns.nix
    # ./step-ca.nix
  ];
 }
--- a/hosts/sid/services/headscale.nix
+++ b/hosts/sid/services/headscale.nix
@ -31,11 +31,6 @@
        type = "A";
        value = constants.hosts.rx4.ip;
      }
      {
        name = constants.services.netdata.fqdn;
        type = "A";
        value = constants.hosts.sid.ip;
      }
    ];
  };
 }
--- a/hosts/sid/services/step-ca.nix
+++ b/hosts/sid/services/step-ca.nix
@ -1,105 +0,0 @@
 {
  constants,
  config,
  pkgs,
  ...
 }:
 let
  cfg = config.services.step-ca;
 in
 {
  services.step-ca = {
    enable = true;
    address = "0.0.0.0";
    port = 8443;
    openFirewall = true;
    intermediatePasswordFile = config.sops.secrets."step-ca/password".path;
    # nix-shell -p step-cli --run "step ca init"
    settings = {
      # FIXME: nix-store paths do not work
      # root = ../../../certs/root_ca.crt;
      # crt = ../../../certs/intermediate_ca.crt;
      # FIXME: not reproducible
      root = "/var/lib/step-ca/certs/root_ca.crt";
      crt = "/var/lib/step-ca/certs/intermediate_ca.crt";
      key = config.sops.secrets."step-ca/intermediate-key".path;
      dnsNames = [
        constants.ca-fqdn
        constants.hosts.sid.ip
      ];
      logger = {
        format = "text";
      };
      db = {
        type = "badgerv2";
        dataSource = "/var/lib/step-ca/db";
      };
      authority = {
        provisioners = [
          {
            type = "ACME";
            name = "acme";
          }
          {
            type = "JWK";
            name = "sid@sid.ovh";
            key = {
              use = "sig";
              kty = "EC";
              kid = "w3fV4U-frlyTnBMg4yNYrLsn8_mY98H8HthoscpoVrg";
              crv = "P-256";
              alg = "ES256";
              x = "KZCDecn4sb87T3UO6JsIzJVtr4Aa0UcYzYDNBUM6F7M";
              y = "CbGHn9tXQbV0Ur2VuXITLnWgfxCRmKEoUdMUmrP9Qkw";
            };
            encryptedKey = "eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJjdHkiOiJqd2sranNvbiIsImVuYyI6IkEyNTZHQ00iLCJwMmMiOjYwMDAwMCwicDJzIjoiZS1MUDhDYlE4dzVuMF9nUGhXOWtGdyJ9.rgsqo58rJFWaociSqiPg3E1alAeqoHWubJi4n2uoUFYp3YTWaYZzqA.6P6oimHsKGdCWruo.fNaDr50IXCtCe7W7VIXuS3rlfin_R0nogNpIJ9C6szYg8k10UylircUs14Zl1EHQ9lFeJovb1y1uljzBajMGkOAGlMvashrphVkXiSxHWKDhzbrItJx3qChLtSLJJtXiXPbJQKCAeBjztqPuTw6dI4Z6IR9---kiTvzF6I9KE8afGFlMSubGjr9FnqgiOb2JiZuTfcBGDx78puxdWzUrEEVlliHdv2agbKhY0b13x-obaTIWwlqLFbasv7kPneJ8Ggp7IHHr5uDcUrqVKkTfBrD0lelXm6SwJTHGMkty6inlwSflT9mxvkNq7OGV9triPQc8AGVv0c7t7dHoX_E.tSjJqttCS6zLI_-7zPdXNQ";
          }
        ];
      };
      tls = {
        cipherSuites = [
          "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256"
          "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
        ];
        renegotiation = false;
      };
    };
  };
  environment.systemPackages = [
    pkgs.step-cli
  ];
  systemd.tmpfiles.rules = [
    "d /var/lib/acme/acme-challenge 0755 acme nginx"
  ];
  security.acme = {
    certs."sid-internal" = {
      # domain = constants.intranet;
      domain = constants.services.netdata.fqdn;
      extraDomainNames = [
      ];
      server = "https://${constants.ca-fqdn}:${toString cfg.port}/acme/acme/directory";
      group = "nginx";
    };
  };
  sops =
    let
      owner = "step-ca";
      group = "step-ca";
      mode = "0400";
    in
    {
      secrets = {
        "step-ca/password" = {
          inherit owner group mode;
        };
        "step-ca/intermediate-key" = {
          inherit owner group mode;
        };
      };
    };
 }