constants.nix

@@ -30,7 +30,7 @@ rec {
       port = 8085;
     };
     netdata = {
-      fqdn = "mon." + domain;
+      # fqdn = "mon." + domain;
       port = 19999;
     };
     open-webui-oci = {

hosts/rx4/services/nginx.nix

@@ -7,6 +7,8 @@
 
 let
   cfg = config.services.nginx;
+
+  inherit (constants) domain;
 in
 {
   imports = [
@@ -34,4 +36,21 @@ in
       };
     };
   };
+
+  security.acme = {
+    acceptTerms = true;
+    defaults = {
+      email = "admin@${domain}";
+      dnsProvider = "hetzner";
+      credentialFiles = {
+        HETZNER_API_TOKEN_FILE = config.sops.secrets.hetzner-api-key.path;
+      };
+    };
+  };
+
+  sops.secrets.hetzner-api-key = {
+    mode = "0400";
+    owner = "acme";
+    group = "acme";
+  };
 }

hosts/rx4/services/vaultwarden.nix

@@ -62,19 +62,11 @@ in
     };
   };
 
-  security.acme = {
-    acceptTerms = true;
-    defaults.email = "admin@${domain}";
-    certs."pw-custom" = {
+  security.acme.certs."pw-custom" = {
     domain = fqdn;
-      dnsProvider = "hetzner";
-      dnsResolver = "1.1.1.1:53";
-      credentialFiles = {
-        HETZNER_API_TOKEN_FILE = config.sops.secrets.hetzner-api-key.path;
-      };
+    postRun = "systemctl restart vaultwarden.service";
     group = "nginx";
   };
-  };
 
   sops =
     let
@@ -90,11 +82,6 @@ in
         "vaultwarden/smtp-password" = {
           inherit owner group mode;
         };
-        hetzner-api-key = {
-          inherit mode;
-          owner = "acme";
-          group = "acme";
-        };
       };
       templates = {
         "vaultwarden/env-file" = {

hosts/sid/services/coredns.nix

@@ -1,31 +0,0 @@
-{ constants, ... }:
-
-{
-  services.resolved.enable = false;
-  networking.resolvconf.enable = false;
-
-  networking.nameservers = [ "127.0.0.1" ];
-
-  services.coredns = {
-    enable = true;
-    config = with constants; ''
-      .:53 {
-        bind 0.0.0.0
-        hosts {
-          ${hosts.sid.ip} ${ca-fqdn} 
-
-          ${hosts.sid.ip} ${services.netdata.fqdn}
-
-          fallthrough
-        }
-        forward . 1.1.1.1 8.8.8.8
-        cache 30
-        log
-        errors
-      }
-    '';
-  };
-
-  networking.firewall.allowedUDPPorts = [ 53 ];
-  networking.firewall.allowedTCPPorts = [ 53 ];
-}

hosts/sid/services/default.nix

@@ -17,8 +17,5 @@
     ./nginx.nix
     ./radicale.nix
     ./rss-bridge.nix
-
-    # ./coredns.nix
-    # ./step-ca.nix
   ];
 }

hosts/sid/services/headscale.nix

@@ -31,11 +31,6 @@
         type = "A";
         value = constants.hosts.rx4.ip;
       }
-      {
-        name = constants.services.netdata.fqdn;
-        type = "A";
-        value = constants.hosts.sid.ip;
-      }
     ];
   };
 }

hosts/sid/services/step-ca.nix

@@ -1,105 +0,0 @@
-{
-  constants,
-  config,
-  pkgs,
-  ...
-}:
-
-let
-  cfg = config.services.step-ca;
-in
-{
-  services.step-ca = {
-    enable = true;
-    address = "0.0.0.0";
-    port = 8443;
-    openFirewall = true;
-    intermediatePasswordFile = config.sops.secrets."step-ca/password".path;
-    # nix-shell -p step-cli --run "step ca init"
-    settings = {
-      # FIXME: nix-store paths do not work
-      # root = ../../../certs/root_ca.crt;
-      # crt = ../../../certs/intermediate_ca.crt;
-      # FIXME: not reproducible
-      root = "/var/lib/step-ca/certs/root_ca.crt";
-      crt = "/var/lib/step-ca/certs/intermediate_ca.crt";
-      key = config.sops.secrets."step-ca/intermediate-key".path;
-      dnsNames = [
-        constants.ca-fqdn
-        constants.hosts.sid.ip
-      ];
-      logger = {
-        format = "text";
-      };
-      db = {
-        type = "badgerv2";
-        dataSource = "/var/lib/step-ca/db";
-      };
-      authority = {
-        provisioners = [
-          {
-            type = "ACME";
-            name = "acme";
-          }
-          {
-            type = "JWK";
-            name = "sid@sid.ovh";
-            key = {
-              use = "sig";
-              kty = "EC";
-              kid = "w3fV4U-frlyTnBMg4yNYrLsn8_mY98H8HthoscpoVrg";
-              crv = "P-256";
-              alg = "ES256";
-              x = "KZCDecn4sb87T3UO6JsIzJVtr4Aa0UcYzYDNBUM6F7M";
-              y = "CbGHn9tXQbV0Ur2VuXITLnWgfxCRmKEoUdMUmrP9Qkw";
-            };
-            encryptedKey = "eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJjdHkiOiJqd2sranNvbiIsImVuYyI6IkEyNTZHQ00iLCJwMmMiOjYwMDAwMCwicDJzIjoiZS1MUDhDYlE4dzVuMF9nUGhXOWtGdyJ9.rgsqo58rJFWaociSqiPg3E1alAeqoHWubJi4n2uoUFYp3YTWaYZzqA.6P6oimHsKGdCWruo.fNaDr50IXCtCe7W7VIXuS3rlfin_R0nogNpIJ9C6szYg8k10UylircUs14Zl1EHQ9lFeJovb1y1uljzBajMGkOAGlMvashrphVkXiSxHWKDhzbrItJx3qChLtSLJJtXiXPbJQKCAeBjztqPuTw6dI4Z6IR9---kiTvzF6I9KE8afGFlMSubGjr9FnqgiOb2JiZuTfcBGDx78puxdWzUrEEVlliHdv2agbKhY0b13x-obaTIWwlqLFbasv7kPneJ8Ggp7IHHr5uDcUrqVKkTfBrD0lelXm6SwJTHGMkty6inlwSflT9mxvkNq7OGV9triPQc8AGVv0c7t7dHoX_E.tSjJqttCS6zLI_-7zPdXNQ";
-          }
-        ];
-      };
-      tls = {
-        cipherSuites = [
-          "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256"
-          "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
-        ];
-        renegotiation = false;
-      };
-    };
-  };
-
-  environment.systemPackages = [
-    pkgs.step-cli
-  ];
-
-  systemd.tmpfiles.rules = [
-    "d /var/lib/acme/acme-challenge 0755 acme nginx"
-  ];
-
-  security.acme = {
-    certs."sid-internal" = {
-      # domain = constants.intranet;
-      domain = constants.services.netdata.fqdn;
-      extraDomainNames = [
-      ];
-      server = "https://${constants.ca-fqdn}:${toString cfg.port}/acme/acme/directory";
-      group = "nginx";
-    };
-  };
-
-  sops =
-    let
-      owner = "step-ca";
-      group = "step-ca";
-      mode = "0400";
-    in
-    {
-      secrets = {
-        "step-ca/password" = {
-          inherit owner group mode;
-        };
-        "step-ca/intermediate-key" = {
-          inherit owner group mode;
-        };
-      };
-    };
-}