fix: nginx and acme config

2025-05-14 15:25:46 +02:00 · 2025-05-14 15:25:46 +02:00 · d2ace8d73a
commit d2ace8d73a
parent dad5fb17ec
1 changed files with 41 additions and 9 deletions
--- a/machines/moritz-server/reverse-proxy.nix
+++ b/machines/moritz-server/reverse-proxy.nix
@ -1,4 +1,4 @@
-{
+{config, ...}: {
  services.fail2ban = {
    enable = true;
    bantime-increment.enable = true;
@ -49,9 +49,10 @@
    '';
  };

-  networking.firewall.allowedTCPPorts = [80 443];
+  networking.firewall.allowedTCPPorts = [80 1443 443];
  services.nginx = {
    enable = true;
+    logError = "stderr info";
    recommendedProxySettings = true;
    virtualHosts = {
      "moritzboeh.me" = {
@ -61,8 +62,20 @@
        };
      };
      "moritz.foo" = {
+        forceSSL = true;
+        useACMEHost = "moritz.foo";
        locations."/" = {
-          return = "200 'Hello World!'";
+          return = "301 https://www.moritz.foo";
+        };
+      };
+      "www.moritz.foo" = {
+        forceSSL = true;
+        useACMEHost = "any.moritz.foo";
+        locations."/" = {
+          extraConfig = ''
+            add_header Content-Type text/html;
+          '';
+          return = "200 '<html><body>Hello World</body></html>'";
        };
      };
    };
@ -76,18 +89,37 @@
      }

      map $ssl_preread_server_name $name {
-          *.moritz.foo self;
-          moritz.foo self;
-          *.moritzboeh.me diskstation;
-          moritzboeh.me diskstation;
-          default diskstation;
+          hostnames;
+          .moritz.foo self;
+          .moritzboeh.me diskstation;
      }

      server {
-          listen 443;
+          listen 1443;
          ssl_preread on;
          proxy_pass $name;
      }
    '';
  };
+
+  security.acme = {
+    acceptTerms = true;
+    defaults.email = "acme@moritzboeh.me";
+    defaults.dnsResolver = "1.1.1.1:53";
+    certs."moritz.foo" = {
+      dnsProvider = "cloudflare";
+      group = "nginx";
+      environmentFile = config.clan.core.vars.generators.acme.files.vars.path;
+    };
+    certs."any.moritz.foo" = {
+      domain = "*.moritz.foo";
+      dnsProvider = "cloudflare";
+      group = "nginx";
+      environmentFile = config.clan.core.vars.generators.acme.files.vars.path;
+    };
+  };
+  clan.core.vars.generators.acme.prompts.vars = {
+    persist = true;
+    type = "multiline";
+  };
 }