Infini-OPTIPLEX: refactor nginx config and use acme certs

hosts/Infini-OPTIPLEX/default.nix

@@ -8,6 +8,7 @@
     ./thelounge.nix
     ./vaultwarden.nix
     ./jellyfin.nix
+    ./web.nix
   ];
 
   system.stateVersion = "23.05";
@@ -59,30 +60,17 @@
 
   services.fail2ban.enable = true;
 
-  services.nginx = {
-    enable = true;
+  services.nginx.enable = true;
 
-    virtualHosts =
-      let
-        cfg = config.services.nginx;
-        inherit (config.common.nginx) ssl ssl-optional;
-      in
-      {
-        "*.inx.moe" = ssl // {
-          globalRedirect = "inx.moe";
-        };
-        "blahaj.inx.moe" = ssl-optional // {
-          locations."/" = {
-            tryFiles = "/Blahaj.png =404";
-            root = ./static;
-          };
-        };
-        "nitter.inx.moe" = ssl // {
-          globalRedirect = "twitter.com";
-        };
-        "ponder.inx.moe" = ssl // {
-          locations."/".root = pkgs.ponder;
-        };
-      };
+  security.acme.certs."inx.moe" = {
+    group = "nginx";
+    extraDomainNames = [ "*.inx.moe" ];
+  };
+
+  services.nginx.virtualHosts."*.inx.moe" = {
+    useACMEHost = "inx.moe";
+    addSSL = true;
+    default = true;
+    globalRedirect = "inx.moe";
   };
 }

hosts/Infini-OPTIPLEX/web.nix

@@ -0,0 +1,21 @@
+{ config, pkgs, ... }:
+let
+  inherit (config.common.nginx) ssl ssl-optional;
+in
+{
+  services.nginx.virtualHosts = {
+    "blahaj.inx.moe" = ssl-optional // {
+      locations."/" = {
+        tryFiles = "/Blahaj.png =404";
+        root = ./static;
+      };
+    };
+
+    "ponder.inx.moe" = ssl // {
+      locations."/".root = pkgs.ponder;
+    };
+    "nitter.inx.moe" = ssl // {
+      globalRedirect = "twitter.com";
+    };
+  };
+}

modules/global/security.nix

@@ -8,7 +8,11 @@ with lib;
     '';
     acme = {
       acceptTerms = true;
-      defaults.email = "infinidoge@inx.moe";
+      defaults = {
+        email = "infinidoge@inx.moe";
+        dnsProvider = "cloudflare";
+        environmentFile = config.secrets.cloudflare;
+      };
     };
 
     pam.sshAgentAuth = {
@@ -87,8 +91,8 @@ with lib;
   common = {
     nginx = rec {
       ssl-cert = {
-        sslCertificate = config.secrets."inx.moe.pem";
-        sslCertificateKey = config.secrets."inx.moe.key";
+        enableACME = true;
+        acmeRoot = null;
       };
       ssl-optional = ssl-cert // {
         addSSL = true;

secrets/cloudflare.age

@@ -0,0 +1,41 @@
+age-encryption.org/v1
+-> ssh-ed25519 sQ/0YA bdZLrpAhgDR1cGuqvtygU/g7qz44celBMfdgdKs5pVU
+u4MR7cphuJPrXxE4O4KxHKe5hA+yfpAIXCtLdFW4X7g
+-> ssh-ed25519 i9xGKA ApbIyzP1obW6xTIc3k2yCAzu7OS9GL06PFfq+7eWUBo
+4MLF/wXnyZKT5oW6w1KnyGs0CMpwRiF45uUPPeTipUk
+-> ssh-ed25519 ydxrGg 1wE5Lzoe2WFqd4b3U40eZKirZDZFplYcvDEQRK8ZaFY
+Fgb8zdH1nPhylAiZisJcCjhcXkFDiyvtjE1+9lHL2JY
+-> ssh-ed25519 gIJNbA nay7hM7gy/4ttHKSGFBX3M8Pgk0/mV7hQct1iYbFEVw
+rTsEOXxeS0uodDKl5umZWShsm1Wmix+yYSo1ClvVL/w
+-> ssh-ed25519 hjL/yw 0yvxOOCOp1ro1GhWIGI5FlAuwhzJGGjlGO2gIvT8508
+i5NhIa6RV92PCc2BkZc3IK3E3O9ijX9bAQE+r3wMvAk
+-> ssh-ed25519 fUfJ3w 7CoXChndV4w6ABTmurE/utz6YF/u5UJYRB24I+oJszc
+9Cjmu5lxhBvjrp9TUlLQv1D8kmSc/RrbDKU7BrbHqhA
+-> ssh-ed25519 GT2Stg f47FuTxMHH/276mt+ZPyxqy8EWAFjbmJuQ1c7+7v4ho
+AyaTVIjz6wYasq5jC25I04rELuzPxH1dd+toK0YcmWs
+-> ssh-ed25519 oAMyvg A163J4rwX4GpeRXsSAh6yPMGYwKbV1sFxV7+7hIFXlw
+1xCZcpxMa+paeetDRrBzUCt1IyUovqKrcy6yoy+I3hY
+-> ssh-ed25519 VIHjXg 2buiXKx7aS1wSKIVNGraweUR31yYLsVUTd26uHepElY
+SoXaUi1v3XoTWiNCVT6JXaJZ+p0gS6LSNiRiqNGK3wY
+-> ssh-ed25519 VEv3zg V+S6jInBcxRA2fwlxjhl7Bu0HqbNWi2EHS7d3v5dXH8
+t+3xDF/9B3lgD8pczmK/b9ElQnuPlWRPdQQkhkjNiuk
+-> ssh-ed25519 6ZS9Zw e/aOo/WXzxRY9CRh3IlkBeMr/tN/kgmX2DdsIXtcQXc
+4knjs6vhjd5anSGiVU8Xkw49pKTTh+mmUhQZx+Tm2ic
+-> ssh-ed25519 2S7Wcg DMp9L3D184vO4blhskKVWeqYBFxwRMPOgapcw+iGHFA
+o6v23rnOrDIKpTbk7bi2+GEsgD9NfGRgyRJrN8nlPuE
+-> ssh-ed25519 izZ3FQ +CqAN8J9OvdBdoz0AAoLSP81NPCp/iPxEzgelyz5zmo
+ynqnOYuKTqA6+FgqTzojd+UYyonU2c7obcVAkD/gZoY
+-> ssh-ed25519 GB2MZQ toUuXPu0EFlgHgnESSG4J0s/ChMoa82Zqkz1kwlkGCs
+z38Z4tTTjQw5840vkMuKQChHeKS3r6+9o0p+puB0Xck
+-> ssh-ed25519 FelIjw QtRURTihkW0eL6FPar1Q6Y76xFj67kMCEUr5XQ1Usww
+Gak8ABMc44e+YEVPgmlaGEhGWABChtZI2YwK2oug5t8
+-> ssh-ed25519 TRpHkw ilJeOrPo7n/iM/XgN2sD24n/o8fneML+GJVMFVNOuBQ
+Ew/321uCIjFYoribgxExiJFJLrDv/fF+Kks3zQc527M
+-> ssh-ed25519 rKpRzQ hLsDhwmTjPa1jiLEtzh96bZBN3FJtr+YsiYGqQmtknQ
+BFOzDQntC7GMV76gIP+gVaOn4SdLqstvk5JpbPz2Zgc
+-> ssh-ed25519 8/Dzqw VEwMGvZBHXWmdRtpZLC2W3DlqjMl5ijLNPp0SgXiPz0
+kj/pFxZmhLsuBR3IkXXRzVx2XiGvIF8W1McWe8EQ+5c
+-> ssh-ed25519 tJyugw lqgZqyfXbFz5YtethmfvQF22KBze5lVBS14M05Q2DlE
+jU7DD9p8XyNiLLtDocAJv1pUd8WwJCRsF0e/FjmfRXg
+--- qMZs4WoAlwA3d4LeyqTZfMxSDDWagtEn0HtVUiZ2fJI
+„¨w«äÝòÕW×'Õ–e°)‡Ž"uÛ¢øæƒ0¶˜ËdV%‹š1ì^±yµ?ó<©V}ö(Øå,ê&¯€¾huš6µTñ˜RáÌì‚W2Ðø¯þøú¿«<C2BF>Ú|êl›Òz¤+µMõsÜö4ŠDYãõ±î€„Ü/ÚS˜>§«¬ 2X&°’÷×› hÚ$h>™d‡qöV{:~‰˜}éUæ

secrets/default.nix

@@ -33,8 +33,7 @@ in
         "borg-password" = secrets."borg-password" // { group = "borg"; mode = "440";};
       }
       (mkIf config.services.nginx.enable {
-        "inx.moe.pem" = withOwnerGroup "nginx" secrets."inx.moe.pem";
-        "inx.moe.key" = withOwnerGroup "nginx" secrets."inx.moe.key";
+        inherit (secrets) "cloudflare";
       })
       (mkIf config.services.vaultwarden.enable {
         "vaultwarden" = withOwnerGroup "vaultwarden" secrets."vaultwarden";

secrets/secrets.nix

@@ -27,10 +27,9 @@ in
   "infinidoge-password.age".publicKeys = allKeys;
   "root-password.age".publicKeys = allKeys;
   "binary-cache-private-key.age".publicKeys = allKeys;
-  "inx.moe.pem.age".publicKeys = allKeys;
-  "inx.moe.key.age".publicKeys = allKeys;
   "vaultwarden.age".publicKeys = allKeys;
   "freshrss.age".publicKeys = allKeys;
   "borg-password.age".publicKeys = allKeys;
   "borg-ssh-key.age".publicKeys = allKeys;
+  "cloudflare.age".publicKeys = allKeys;
 }