From 54aeb48839f1d0a3c59f075d579e9592b812e042 Mon Sep 17 00:00:00 2001
From: Kabbone
Date: Sun, 2 Jun 2024 12:27:03 +0200
Subject: [PATCH] hosts: dmz: acme: increase propagation timeout, use wildcard
---
 hosts/dmz/hardware-configuration.nix | 5 ++-
 modules/services/dmz/hydra.nix | 25 +++++++++------
 secrets/services/acme/opel-online.age | 44 ++++++++++++++-------------
 3 files changed, 43 insertions(+), 31 deletions(-)
diff --git a/hosts/dmz/hardware-configuration.nix b/hosts/dmz/hardware-configuration.nix
index 4261254..c89475e 100644
--- a/hosts/dmz/hardware-configuration.nix
+++ b/hosts/dmz/hardware-configuration.nix
@@ -83,11 +83,14 @@
 "10-lan" = {
 matchConfig.Name = "enp6s18";
 ntp = [ "192.168.101.1" ];
- domains = [ "home.opel-online.de" ];
+ #domains = [ "home.opel-online.de" ];
 networkConfig = {
 DHCP = "yes";
 IPv6AcceptRA = true;
 };
+ dns = [
+ "1.1.1.1"
+ ];
 };
 };
 };
diff --git a/modules/services/dmz/hydra.nix b/modules/services/dmz/hydra.nix
index de247b4..777d54c 100644
--- a/modules/services/dmz/hydra.nix
+++ b/modules/services/dmz/hydra.nix
@@ -5,7 +5,7 @@
 hydra = {
 enable = true;
 hydraURL = "https://hydra.home.opel-online.de";
- listenHost = "localhost";
+ listenHost = "127.0.0.1";
 notificationSender = "hydra@localhost";
 useSubstitutes = true;
 minimumDiskFree = 30;
@@ -19,13 +19,19 @@
 nginx = {
 enable = true;
 virtualHosts = {
- "hydra.home.opel-online.de" = {
+ "home.opel-online.de" = {
 enableACME = true;
 forceSSL = true;
+ default = true;
+ locations."/".return = "503";
+ };
+ "hydra.home.opel-online.de" = {
+ useACMEHost = "home.opel-online.de";
+ forceSSL = true;
 locations."/".proxyPass = "http://localhost:3000";
 };
 "cache.home.opel-online.de" = {
- enableACME = true;
+ useACMEHost = "home.opel-online.de";
 forceSSL = true;
 locations."/".proxyPass = "http://localhost:5001";
 };
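Review bot: The new `dns = [ "1.1.1.1" ];` block does not by itself stop the DHCP-learned resolver from being used: `DHCP = "yes"` is still set, and systemd-networkd merges DHCP-offered DNS servers with the static ones unless `dhcpV4Config.UseDNS = false;` is also set, so lookups for `home.opel-online.de` may still be answered by the LAN resolver at 192.168.101.1 some of the time (inferred from the hunk; confirm against the networkd DHCPv4 options). A single external resolver with no second entry is also a single point of failure for everything on this host, including the ACME renewals the rest of this commit reconfigures; `dns = [ "1.1.1.1" "1.0.0.1" ];` or a second provider gives a fallback. The `domains` line is commented out rather than removed; if the intent is to keep the LAN resolver's split-horizon answers out of the ACME DNS-01 propagation check, a comment next to `dns` such as `# resolver pinned to public DNS so DNS-01 propagation checks see the public zone` makes that visible, and the dead line can go.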
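Review bot: The new catch-all vhost `"home.opel-online.de"` presents the certificate of the same name, which the acme hunk below pins to `domain = "*.home.opel-online.de"`; a wildcard does not match the apex name itself, so a client reaching the default vhost by that hostname should see a name-mismatch error instead of the intended 503 (inferred from the two hunks together; check the issued certificate's SAN list). Adding the apex alongside the wildcard, `extraDomainNames = [ "home.opel-online.de" ];` on the cert, closes that gap — the same point applies to the commented-out `extraDomainNames` block in the acme hunk. The `listenHost` hunk above now binds Hydra to `127.0.0.1` while the proxyPass lines here still target `http://localhost:3000` and `http://localhost:5001`; using `127.0.0.1` in both places keeps them consistent and avoids nginx trying `::1` first where localhost resolves to both address families.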
@@ -38,17 +44,18 @@
 defaults = {
 email = "webmaster@kabtop.de";
 #server = "https://acme-staging-v02.api.letsencrypt.org/directory";
+ dnsResolver = "1.1.1.1:53";
 };
 certs = {
- "hydra.home.opel-online.de" = {
- dnsProvider = "netcup";
- environmentFile = config.age.secrets."services/acme/opel-online".path;
- webroot = null;
- };
- "cache.home.opel-online.de" = {
+ "home.opel-online.de" = {
+ domain = "*.home.opel-online.de";
 dnsProvider = "netcup";
 environmentFile = config.age.secrets."services/acme/opel-online".path;
 webroot = null;
+ #extraDomainNames = [
+ # "hydra.home.opel-online.de"
+ # "cache.home.opel-online.de"
+ #];
 };
 };
 };
diff --git a/secrets/services/acme/opel-online.age b/secrets/services/acme/opel-online.age
index ef30e2b..96d5815 100644
--- a/secrets/services/acme/opel-online.age
+++ b/secrets/services/acme/opel-online.age
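Review bot: The commit subject says the propagation timeout is increased, but this hunk only adds `dnsResolver = "1.1.1.1:53";` — no `dnsPropagationCheck` or timeout setting appears anywhere in the diff, so the change is presumably inside the re-encrypted `opel-online.age` environment file (lego's netcup provider reads `NETCUP_PROPAGATION_TIMEOUT` from the environment), where a reviewer cannot see it. Keeping only credentials in the age file and tuning values in this Nix file keeps such changes reviewable; at minimum a comment on `environmentFile`, e.g. `# also carries NETCUP_PROPAGATION_TIMEOUT / polling settings, not just credentials`, records where the knob lives. The `#extraDomainNames` block is left as commented-out code; either remove it or add a one-line comment stating why it is kept for later.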
@@ -1,23 +1,25 @@ age-encryption.org/v1 --> ssh-ed25519 Xp6AuQ GDUg4ymZcGVdruoQ8cy2SUcjqPUQQA2oHoKr/CZwA14 -Vip1RTbOImXRTv7jx4zEJUcS9V03AdrnwLXJEhn34eM --> ssh-ed25519 NNXygQ tNmkd4SvTC78Bwi+4dA++UEUMbc3Y5oM3VYqznP5D14 -0IZQRYyfbEbdoVSR3rtQ72lr3h4wtwL1kSfFL+Ks/f0 +-> ssh-ed25519 Xp6AuQ 1d8fbSV7Nq4TKI3ZHuHaLJNGbCpizLFjV+jZCLQ7iBM +I/UaqBunMAxfFw5O1s1ErONzxngUitDPZWzLtX9NpSo +-> ssh-ed25519 NNXygQ h9RG7RHwH8uLqcf0bJW3WogmKMD7IE1K90Q6cvfsjTE +C18TXsszMAW5N6iEumnwM1j4SdgCVvO2LGkVufMynNg -> ssh-rsa VtjGpQ -AitcLLK7eCthBM35iTTE52r6Q1IBoZbaTfONL0X9z9FkjMYwMRUTgN2u5BjpX+/o -+MWbucqF3P4iVifP512FFjQc4TLw++9Or5jrb8xmX2fmkHhqul9+DZPoSvMv+ES8 -GWrBn4yDaJlLz2hZJoRAb4avv9sSsG1zyeKfEe7JnMAp5AYgTfN8I6MBygcvhML9 -BL5MDg8m3DP1pXy7BF+oNKKfBuXbWY2z5qvsdg8PQacHpuNY59js3TEYJxoimh5T -+s6O33Cw+yY2cQstu0XzakT8lMtO9VluolPm/ieuFOYu/BnnxwAfqzklT7ZbAcjd -gmEAVQuIVvIPKR/L9RF1KIurdKaTgBKvdvSciSmw44aOzOYC0fhpeuzCotpsUcTl -CfA07Hx4J6j/hRwjYejeuVy5U0FAW8+v84/iUoS633jeO1+VEOzsUBA9ZwTt8x5c -Um+lfQCJtx5yE1Rche1sWgU7TFmVZMM4tjoK37evljjiWtHT+kUockmB38373SmD -GIkEWhbvzPKmNbRUHlrkTZXSectJqNr7MsWaNlXso1QPrjE1gQgJSeSDFGbGYGOT -/FR+zuG3SX9holTXWhRSQYCDX5XtttUu5vWUF8CvjKZ6VMvJqpMd8uNs8hyUGmT/ -8xjVnFX/CHuKC7zRFmSrx8hnGdsSquZ34AVOPjB2L2o --> piv-p256 grR75w Arw2jl+0E+V3LnHBTG2iZ8SbJT8HQVTiWOR39kE6AkD1 -5fnmuwRkoMmG5f9CyWYysD8vWXVGrD9PCckTYjFI+3w --> piv-p256 RQguQQ Ay2CALWl7y1zkitf04a62/ZSD1KCcKM1zhPDUKzZmMGn -qeNzMgAPBYLRLYQb5AoEllg2psVUqlxUPrUKoULP41E ---- eE3KDFWIrqpgAH73oO2xDm5czR3ZhyqEWnOU9nNMt2s -/ss;$B':PvHtY2YvF(wjkT3n|[ 7rԉy <^5aC{_2٦߀e#+˓H, cqm昅toxԒ#o+H?0Ʊ:u籤z^#NK@`BXf$F,R6ՙR!zr0GʃawV͌RO,؈tKcTG@/C+[Qn(8 \ No newline at end of file +LvvWrwRMIZAQrGc6s6kiZktOxB6eWFFy8muSfaADqqjO7fxuxXxPEhFMxJbmn8Kp +BxsyLX49x9Vi58gw7fXIth+JbNWYctlmJqdu80GKv2R9Rz8eqDs43UoDb+WK2VV3 +vdlN21fpBDiptkPOX3wI0d+HB5cZ7Tr+0tXx0vl2k1t6Iu06iguMs4ktaIaneoHI +8paaUWhw6z4aWZNsPAQfKrqZHsLSovLnQKes0Zc9zYIL1mSVwg321L2pOt0RBtQW +nJ77qqWxOz1sEj7Y+zOyGNqm7qD5a7VLXwfC0aYdmOkimoSJFjsWpepVJWcN9kJD 
+CPnQrXPCFxiknkUN9tL/7kblcSoIYxx9qSy38t4KHW+4K0AOkldvU6PZH1B0dKdJ +Umjn2GFEkZNtGBcm/WRn0ev3yyJa1TIRyRS3T/VmCymPBaemrxr8wxHnJYxmaFYx +EolY3mUTSSUTYcFZRLuK+hjjD/Ls6H5XwtXpbZQqk2uZm7h2eK7saoHFdcx+nK7B +IEkDrZE9tgNpveLlz8AEtURfzGR1pJGHDAfKK5S5BhN3u3jI427gRUguXAm0yVtO +AK1WGB6z3+u4MbyzNdHvhQs3BjZqBY1TDiY4pFdr2tj37aB37wVnBjsSAJaJpjig ++no4L+xkd2Z8f+BJX626gryP6v27djKuw8CePaQhsiU +-> piv-p256 grR75w A93nyaSpxiRRpgyetogeq0KjMqUBtdwS+E2dJ+qiNd62 +njWb3eP8hHbe5CPMGGYh8QZZgZO5WeveauZ/2mRVqV8 +-> piv-p256 RQguQQ AuLFlBwCHPmV+0tkqbptuOZ7aJllEEvw8WstFEc9BCXq +HKcdL3w58mxGaraMuAxAdmaKRZ/mdZ9wLWuHDWZvQ2U +--- viFLZLrT8PDCcNXs7MiX7E2TvGB4evP4S3GNSzU0Gq0 +p}BO&K3E?dTY[Xpw3r{S]$^ f+ O7''Wպ5q|_BiXb,i|ዕ`-?Nǀ߽v +qz]sw7|6"vÆCS&SHDRg,.5&vfOZ5ȽbvFMΙ,.xw9s+x +(PB3R0 負 |TF߿Jf-F_\? \ No newline at end of file