From 396925364b5409e9b36db0c0268d5d8c47c5880c Mon Sep 17 00:00:00 2001
From: Mohammad Rafiq
Date: Thu, 12 Jun 2025 13:41:41 +0800
Subject: [PATCH] feat(server/web-servers): change acme validation to DNS-01
---
 modules/nixos/server/web-servers/default.nix | 77 +++----------------
 .../server/web-servers/nginx/default.nix | 65 ++++++++++++++++
 2 files changed, 75 insertions(+), 67 deletions(-)
 create mode 100644 modules/nixos/server/web-servers/nginx/default.nix
diff --git a/modules/nixos/server/web-servers/default.nix b/modules/nixos/server/web-servers/default.nix
index 4154a0b..7739cc8 100644
--- a/modules/nixos/server/web-servers/default.nix
+++ b/modules/nixos/server/web-servers/default.nix
@@ -1,72 +1,15 @@
-{ config, lib, ... }:
-let
- cfg = config.server.web-servers;
- proxyPasses = builtins.listToAttrs (
- builtins.map (proxy: {
- name = proxy.source;
- value = {
- forceSSL = true;
- enableACME = true;
- locations."/" = {
- proxyPass = proxy.target;
- } // proxy.extraConfig;
- };
- }) cfg.nginx.proxies
- );
-in
+{ config, ... }:
 {
- options.server.web-servers = {
- nginx = {
- enable = lib.mkEnableOption "the Nginx server";
- proxies = lib.mkOption {
- type =
- with lib.types;
- listOf (submodule {
- options = {
- source = lib.pantheon.mkStrOption;
- target = lib.pantheon.mkStrOption;
- extraConfig = lib.mkOption {
- type = attrs;
- default = { };
- description = "Will be added to locations.\"/\"";
- };
- };
- });
- default = [ ];
- example = [
- {
- source = "chat.bwfiq.com";
- target = "http://helios:3080";
- extraConfig = { };
- }
- ];
+ config = {
+ security.acme = {
+ acceptTerms = true;
+ defaults = {
+ email = "rafiq@rrv.sh";
+ dnsProvider = "cloudflare";
+ credentialFiles = {
+ "CLOUDFLARE_DNS_API_TOKEN_FILE" = config.sops.secrets."keys/cloudflare".path;
+ };
 };
 };
 };
- config = lib.mkMerge [
- {
- security.acme = {
- acceptTerms = true;
- defaults.email = "rafiq@rrv.sh";
- };
- }
- (lib.mkIf cfg.nginx.enable {
- networking.firewall.allowedTCPPorts = [
- 443
- 80
- ];
- services.nginx = {
- enable = true;
- virtualHosts = {
- "_" = {
- default = true;
- rejectSSL = true;
- locations."/" = {
- return = "444";
- };
- };
- } // proxyPasses;
- };
- })
- ];
 }
diff --git a/modules/nixos/server/web-servers/nginx/default.nix b/modules/nixos/server/web-servers/nginx/default.nix
new file mode 100644
index 0000000..810b69a
--- /dev/null
+++ b/modules/nixos/server/web-servers/nginx/default.nix
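Review bot: The Cloudflare DNS-01 credential is wired in at `security.acme.defaults` with no comment on what that implies: every certificate this host requests is now issued through one API token that can write DNS records, and a token with that power can obtain certificates for any name in the zones it covers. I would add above `security.acme = {`: `# DNS-01 via Cloudflare for every cert on this host; the token behind sops secret keys/cloudflare should be scoped to DNS edit on only the zones being validated.` The module reads `config.sops.secrets."keys/cloudflare".path` but never declares that secret, so evaluation depends on it being defined elsewhere; a one-line comment naming where it is declared would save the next reader a search. If this host resolves its own zones internally, `security.acme.defaults.dnsResolver` may be needed so lego's propagation check queries a public resolver rather than the local view.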
@@ -0,0 +1,65 @@
+{ config, lib, ... }:
+let
+ cfg = config.server.web-servers.nginx;
+in
+{
+ options.server.web-servers.nginx = {
+ enable = lib.mkEnableOption "the Nginx server";
+ proxies = lib.mkOption {
+ type =
+ with lib.types;
+ listOf (submodule {
+ options = {
+ source = lib.pantheon.mkStrOption;
+ target = lib.pantheon.mkStrOption;
+ extraConfig = lib.mkOption {
+ type = attrs;
+ default = { };
+ description = "Will be added to locations.\"/\"";
+ };
+ };
+ });
+ default = [ ];
+ example = [
+ {
+ source = "chat.bwfiq.com";
+ target = "http://helios:3080";
+ extraConfig = { };
+ }
+ ];
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ networking.firewall.allowedTCPPorts = [
+ 443
+ 80
+ ];
+ services.nginx = {
+ enable = true;
+ virtualHosts =
+ {
+ "_" = {
+ default = true;
+ rejectSSL = true;
+ locations."/" = {
+ return = "444";
+ };
+ };
+ }
+ // (builtins.listToAttrs (
+ builtins.map (proxy: {
+ name = proxy.source;
+ value = {
+ forceSSL = true;
+ enableACME = true;
+ acmeRoot = null;
+ locations."/" = {
+ proxyPass = proxy.target;
+ } // proxy.extraConfig;
+ };
+ }) cfg.proxies
+ ));
+ };
+ };
+}
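Review bot: `acmeRoot = null;` in the proxy vhost is the one line that actually moves these hosts off the HTTP-01 webroot challenge, yet nothing says so, and the rest of the file reads as a straight move of the old inline config. I would comment it: `# No webroot challenge location; the cert inherits dnsProvider/credentialFiles from security.acme.defaults, set in ../default.nix.` That also records that this module only works when the parent module's ACME defaults are present. Port 80 stays in `allowedTCPPorts`, which the `forceSSL` redirect still needs, so the firewall list is fine as is. `proxy.extraConfig` is merged with `//` after `proxyPass`, so an entry can silently override the target; if that is intended, say so in the option's description.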