From 8f9ba274d385eced2d2955fefe4a24be8cc3234a Mon Sep 17 00:00:00 2001
From: Giovanni d'Amelio
Date: Mon, 15 Apr 2024 11:23:40 -0700
Subject: [PATCH] Let Caddy handle the TLS certs itself
---
 src/nixosModules/core/caddy.nix | 48 +++++++++++++++++++
 src/nixosModules/machines/carbon/default.nix | 3 ++
 src/nixosModules/machines/carbon/homer.nix | 25 +---------
 src/nixosModules/machines/carbon/miniflux.nix | 23 ---------
 .../machines/carbon/paperless.nix | 26 ----------
 .../machines/zirconium/default.nix | 3 ++
 .../machines/zirconium/defguard.nix | 31 +-----------
 src/nixosModules/machines/zirconium/gatus.nix | 26 ----------
 .../machines/zirconium/monitoring.nix | 34 -------------
 9 files changed, 56 insertions(+), 163 deletions(-)
 create mode 100644 src/nixosModules/core/caddy.nix
diff --git a/src/nixosModules/core/caddy.nix b/src/nixosModules/core/caddy.nix
new file mode 100644
index 0000000..20df9a4
--- /dev/null
+++ b/src/nixosModules/core/caddy.nix
@@ -0,0 +1,48 @@ +{root, ...}: { + pkgs, + config, + ... +}: let + caddyDnsCloudflare = root.packages.caddy-dns-cloudflare {inherit pkgs;}; +in { + # Cloudflare Token Secret + age.secrets.cloudflare-token.file = ../../../secrets/cloudflare-token.age; + + services.caddy = { + enable = true; + package = caddyDnsCloudflare; + + globalConfig = '' + email admin@gio.ninja + acme_dns cloudflare {env.CLOUDFLARE_API_TOKEN} + ''; + }; + + systemd.services.caddy = { + serviceConfig = { + # I don't understand how Caddy is ever working without this... + AmbientCapabilities = "CAP_NET_BIND_SERVICE"; + + # Work around to load credendial from age into caddy env var + LoadCredential = "CLOUDFLARE_API_TOKEN:${config.age.secrets.cloudflare-token.path}"; + EnvironmentFile = "-%t/caddy/secrets.env"; + RuntimeDirectory = "caddy"; + ExecStartPre = [ + ((pkgs.writeShellApplication { + name = "caddy-secrets"; + text = '' + echo "CLOUDFLARE_API_TOKEN=$(<"$CREDENTIALS_DIRECTORY/CLOUDFLARE_API_TOKEN")" > "$RUNTIME_DIRECTORY/secrets.env" + ''; + }) + + "/bin/caddy-secrets") + ]; + }; + }; + + networking.firewall.interfaces."wg0" = { + allowedTCPPorts = [443 80]; + }; + networking.firewall.interfaces."wg9" = { + allowedTCPPorts = [443 80]; + }; +} diff --git a/src/nixosModules/machines/carbon/default.nix b/src/nixosModules/machines/carbon/default.nix index 2d7f5f7..3400b1d 100644 --- a/src/nixosModules/machines/carbon/default.nix +++ b/src/nixosModules/machines/carbon/default.nix @@ -19,6 +19,9 @@ root.nixosModules.basic-packages root.nixosModules.basic-settings + # Setup Caddy + root.nixosModules.core.caddy + # Wireguard Mesh super.wireguard-mesh diff --git a/src/nixosModules/machines/carbon/homer.nix b/src/nixosModules/machines/carbon/homer.nix index 7b9c86d..e12201f 100644 --- a/src/nixosModules/machines/carbon/homer.nix +++ b/src/nixosModules/machines/carbon/homer.nix 
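Review bot: The Cloudflare API token is copied into `%t/caddy/secrets.env` by the caddy-secrets ExecStartPre script, but the new module sets neither `RuntimeDirectoryMode` nor a umask, so with systemd's defaults (runtime directory 0755, umask 0022) the token file is created readable by every local user unless the NixOS caddy module tightens this somewhere this hunk does not show. Add `RuntimeDirectoryMode = "0700";` next to `RuntimeDirectory = "caddy";` and begin the script text with `umask 077` so the file is created 0600 regardless of the directory mode. The `AmbientCapabilities` comment ("I don't understand how Caddy is ever working without this...") should instead say what the capability is for — letting the unprivileged caddy user bind 80/443 — and if the NixOS caddy module already grants it (I cannot tell from this hunk) the line can be dropped. Note also that this shared module opens 80/443 on both wg0 and wg9 for every importer, whereas carbon's miniflux.nix and paperless.nix previously opened only wg9, so carbon's reachable surface widens to wg0 if that interface exists there.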
@@ -1,8 +1,4 @@ -_: { - pkgs, - config, - ... -}: let +_: {pkgs, ...}: let homer = pkgs.stdenv.mkDerivation rec { pname = "homer"; version = "24.02.1"; @@ -93,28 +89,9 @@ _: { ]; }; in { - # Cloudflare Token Secret - age.secrets.cloudflare-token.file = ../../../../secrets/cloudflare-token.age; - - # Get HTTPS Certificate from LetsEncrypt - security.acme = { - acceptTerms = true; - - certs."home.gio.ninja" = { - email = "gio@damelio.net"; - dnsProvider = "cloudflare"; - credentialFiles = { - CLOUDFLARE_DNS_API_TOKEN_FILE = config.age.secrets.cloudflare-token.path; - }; - }; - }; - # Use Caddy as a reverse proxy services.caddy = { - enable = true; - virtualHosts."https://home.gio.ninja" = { - useACMEHost = "home.gio.ninja"; extraConfig = '' root * ${homer} file_server diff --git a/src/nixosModules/machines/carbon/miniflux.nix b/src/nixosModules/machines/carbon/miniflux.nix index 302fc82..88a5549 100644 --- a/src/nixosModules/machines/carbon/miniflux.nix +++ b/src/nixosModules/machines/carbon/miniflux.nix @@ -47,35 +47,12 @@ in { ''; }; - # Cloudflare Token Secret - age.secrets.cloudflare-token.file = ../../../../secrets/cloudflare-token.age; - - # Get HTTPS Certificate from LetsEncrypt - security.acme = { - acceptTerms = true; - - certs."miniflux.gio.ninja" = { - email = "gio@damelio.net"; - dnsProvider = "cloudflare"; - credentialFiles = { - CLOUDFLARE_DNS_API_TOKEN_FILE = config.age.secrets.cloudflare-token.path; - }; - }; - }; - # Use Caddy as a reverse proxy services.caddy = { - enable = true; - virtualHosts."https://miniflux.gio.ninja" = { - useACMEHost = "miniflux.gio.ninja"; extraConfig = '' reverse_proxy localhost:8080 ''; }; }; - - networking.firewall.interfaces."wg9" = { - allowedTCPPorts = [443 80]; - }; } diff --git a/src/nixosModules/machines/carbon/paperless.nix b/src/nixosModules/machines/carbon/paperless.nix index 7cfabe2..daf95fd 100644 --- a/src/nixosModules/machines/carbon/paperless.nix +++ b/src/nixosModules/machines/carbon/paperless.nix 
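Review bot: With `enable = true` removed from the `services.caddy` block in the second homer.nix hunk, this module silently does nothing on a machine that imports it without `root.nixosModules.core.caddy`, since as far as I know the NixOS caddy module only renders `virtualHosts` when the service is enabled; the same applies to the matching hunks in miniflux.nix, paperless.nix, defguard.nix, gatus.nix and monitoring.nix. Keeping `enable = true;` in each of these modules is harmless (a boolean option accepts repeated identical definitions) and makes the dependency on the core module explicit; an assertion on `config.services.caddy.enable` would also work, though defguard.nix drops its `config` argument in this same commit. The enclosing attribute set continues outside the hunk.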
@@ -1,6 +1,4 @@ _: {config, ...}: { - environment.systemPackages = []; - services.paperless = { enable = true; @@ -15,35 +13,11 @@ _: {config, ...}: { age.secrets.paperless-oauth-config.file = ../../../../secrets/paperless-oauth-config.age; systemd.services.paperless-web.serviceConfig.EnvironmentFile = config.age.secrets.paperless-oauth-config.path; - # Cloudflare Token Secret - age.secrets.cloudflare-token.file = ../../../../secrets/cloudflare-token.age; - - # Get HTTPS Certificate from LetsEncrypt - security.acme = { - acceptTerms = true; - - certs."paperless.gio.ninja" = { - email = "gio@damelio.net"; - dnsProvider = "cloudflare"; - credentialFiles = { - CLOUDFLARE_DNS_API_TOKEN_FILE = config.age.secrets.cloudflare-token.path; - }; - }; - }; - - # Use Caddy as a reverse proxy services.caddy = { - enable = true; - virtualHosts."https://paperless.gio.ninja" = { - useACMEHost = "paperless.gio.ninja"; extraConfig = '' reverse_proxy localhost:28981 ''; }; }; - - networking.firewall.interfaces."wg9" = { - allowedTCPPorts = [443 80]; - }; } diff --git a/src/nixosModules/machines/zirconium/default.nix b/src/nixosModules/machines/zirconium/default.nix index b6dbe61..88b062f 100644 --- a/src/nixosModules/machines/zirconium/default.nix +++ b/src/nixosModules/machines/zirconium/default.nix @@ -22,6 +22,9 @@ # Setup PostgreSQL on the server root.nixosModules.core.postgres + # Setup Caddy + root.nixosModules.core.caddy + # Security Platform (Identity/Overlay Network) super.defguard diff --git a/src/nixosModules/machines/zirconium/defguard.nix b/src/nixosModules/machines/zirconium/defguard.nix index 2404515..6c5c651 100644 --- a/src/nixosModules/machines/zirconium/defguard.nix +++ b/src/nixosModules/machines/zirconium/defguard.nix @@ -1,8 +1,4 @@ -{root, ...}: { - pkgs, - config, - ... -}: let +{root, ...}: {pkgs, ...}: let defguardPkgs = root.packages.defguard {inherit pkgs;}; in { # Setup database 
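Review bot: The `# Use Caddy as a reverse proxy` comment above `services.caddy` is deleted together with the ACME block in the second paperless.nix hunk, while the equivalent hunks in miniflux.nix, defguard.nix and gatus.nix keep theirs; restore `  # Use Caddy as a reverse proxy` so the service modules read consistently. The first hunk's removal of the empty `environment.systemPackages = [];` is unrelated cleanup and is worth a mention in the commit message. The enclosing attribute set continues outside both hunks.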
@@ -81,28 +77,9 @@ in { ''; }; - # Cloudflare Token Secret - age.secrets.cloudflare-token.file = ../../../../secrets/cloudflare-token.age; - - # Get HTTPS Certificate from LetsEncrypt - security.acme = { - acceptTerms = true; - - certs."defguard.gio.ninja" = { - email = "gio@damelio.net"; - dnsProvider = "cloudflare"; - credentialFiles = { - CLOUDFLARE_DNS_API_TOKEN_FILE = config.age.secrets.cloudflare-token.path; - }; - }; - }; - # Use Caddy as a reverse proxy services.caddy = { - enable = true; - virtualHosts."https://defguard.gio.ninja" = { - useACMEHost = "defguard.gio.ninja"; extraConfig = '' handle /api/* { reverse_proxy localhost:8000 @@ -118,10 +95,4 @@ in { enable = true; allowedUDPPorts = [50051]; }; - networking.firewall.interfaces."wg0" = { - allowedTCPPorts = [443 80]; - }; - networking.firewall.interfaces."wg9" = { - allowedTCPPorts = [443 80]; - }; } diff --git a/src/nixosModules/machines/zirconium/gatus.nix b/src/nixosModules/machines/zirconium/gatus.nix index 187115b..69634ef 100644 --- a/src/nixosModules/machines/zirconium/gatus.nix +++ b/src/nixosModules/machines/zirconium/gatus.nix @@ -124,38 +124,12 @@ _: { }; }; - # Cloudflare Token Secret - age.secrets.cloudflare-token.file = ../../../../secrets/cloudflare-token.age; - - # Get HTTPS Certificate from LetsEncrypt - security.acme = { - acceptTerms = true; - - certs."status.gio.ninja" = { - email = "gio@damelio.net"; - dnsProvider = "cloudflare"; - credentialFiles = { - CLOUDFLARE_DNS_API_TOKEN_FILE = config.age.secrets.cloudflare-token.path; - }; - }; - }; - # Use Caddy as a reverse proxy services.caddy = { - enable = true; - virtualHosts."https://status.gio.ninja" = { - useACMEHost = "status.gio.ninja"; extraConfig = '' reverse_proxy localhost:8080 ''; }; }; - - networking.firewall.interfaces."wg0" = { - allowedTCPPorts = [443 80]; - }; - networking.firewall.interfaces."wg9" = { - allowedTCPPorts = [443 80]; - }; } 
diff --git a/src/nixosModules/machines/zirconium/monitoring.nix b/src/nixosModules/machines/zirconium/monitoring.nix index 0887f78..e31ceee 100644 --- a/src/nixosModules/machines/zirconium/monitoring.nix +++ b/src/nixosModules/machines/zirconium/monitoring.nix @@ -81,51 +81,17 @@ in { }; }; - # Cloudflare Token Secret - age.secrets.cloudflare-token.file = ../../../../secrets/cloudflare-token.age; - - # Get HTTPS Certificate from LetsEncrypt - security.acme = { - acceptTerms = true; - - certs."grafana.gio.ninja" = { - email = "gio@damelio.net"; - dnsProvider = "cloudflare"; - credentialFiles = { - CLOUDFLARE_DNS_API_TOKEN_FILE = config.age.secrets.cloudflare-token.path; - }; - }; - certs."prometheus.gio.ninja" = { - email = "gio@damelio.net"; - dnsProvider = "cloudflare"; - credentialFiles = { - CLOUDFLARE_DNS_API_TOKEN_FILE = config.age.secrets.cloudflare-token.path; - }; - }; - }; - # Use Caddy as a reverse proxy services.caddy = { - enable = true; - virtualHosts."https://grafana.gio.ninja" = { - useACMEHost = "grafana.gio.ninja"; extraConfig = '' reverse_proxy localhost:3000 ''; }; virtualHosts."https://prometheus.gio.ninja" = { - useACMEHost = "prometheus.gio.ninja"; extraConfig = '' reverse_proxy localhost:9090 ''; }; }; - - networking.firewall.interfaces."wg0" = { - allowedTCPPorts = [443 80]; - }; - networking.firewall.interfaces."wg9" = { - allowedTCPPorts = [443 80]; - }; }