applications.server.acme: defaults + persists state

2024-08-08 19:38:02 +02:00 · 2024-08-08 19:38:02 +02:00 · f792e23584
commit f792e23584
parent 7cee029fff
3 changed files with 24 additions and 8 deletions
--- a/machines/gerd.nix
+++ b/machines/gerd.nix
@ -6,6 +6,7 @@ in {
  imports = [
    ./../shared
    ./../shared/applications/server/acme.nix
    ./../shared/applications/server/nginx.nix
    ./../shared/applications/state/ssh.nix
--- a/shared/applications/server/acme.nix
+++ b/shared/applications/server/acme.nix
@ -0,0 +1,23 @@
 { config, lib, ... }:
 {
  # default acme settings
  security.acme = {
    acceptTerms = true;
    defaults.email = "fricloudacme.cameo530@simplelogin.com";
  };
  # give Nginx access to our certs
  services.nginx.group = config.security.acme.defaults.group;
  # acme user
  users.groups."${config.security.acme.defaults.group}".members = [];
  # state
  environment.persistence = lib.optionalAttrs config.mine.state.enable {
    root.directories = [
      "/var/lib/acme"
    ];
  };
 }
--- a/shared/applications/server/nginx.nix
+++ b/shared/applications/server/nginx.nix
@ -10,9 +10,6 @@ let
      -out "$out/ca.pem" -keyout "$out/ca.key"
  '';
 in {
  security.acme.defaults.email = "fricloudacme.cameo530@simplelogin.com";
  security.acme.acceptTerms = true;
  services.nginx = {
    enable = true;
@ -25,9 +22,6 @@ in {
    # only allow PFS-enabled ciphers with AES256
    sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
    # give Nginx access to our certs
    group = "acme";
    # setup a default site
    virtualHosts.default = {
      default = lib.mkDefault true;
@ -49,8 +43,6 @@ in {
    };
  };
  users.groups.acme = {};
  networking.firewall = {
    allowedTCPPorts = [80 443];
    allowedUDPPorts = [443];