feat: step ca for nextcloud

2025-04-26 21:09:10 +08:00 · 2025-04-26 21:09:10 +08:00 · d6e8e23d3b
commit d6e8e23d3b
parent b655f6ad4e
7 changed files with 110 additions and 45 deletions
--- a/system/dev/dn-server/boot.nix
+++ b/system/dev/dn-server/boot.nix
@ -37,4 +37,21 @@
    ARRAY /dev/md126 metadata=1.2 name=stuff:0
    UUID=b75dc506-8f7c-4557-8b2f-adb5f1358dbc
  '';
+
+  fileSystems."/mnt/ssd" = {
+    device = "/dev/disk/by-uuid/4E21-0000";
+    fsType = "exfat";
+    options = [
+      "x-systemd.automount"
+      "noauto"
+      "x-systemd.idle-timeout=600"
+      "nofail"
+      "user"
+      "x-gvfs-show"
+      "gid=1000"
+      "uid=1000"
+      "dmask=000"
+      "fmask=000"
+    ];
+  };
 }
--- a/system/dev/dn-server/cerbot.nix
+++ b/system/dev/dn-server/cerbot.nix
@ -0,0 +1,29 @@
+{ pkgs, ... }:
+{
+  systemd.timers."certbot-renew" = {
+    enable = true;
+    description = "certbot renew";
+    timerConfig = {
+      OnCalendar = "*-*-* 03:00:00";
+      Persistent = true;
+      OnUnitActiveSec = "1d";
+      Unit = "certbot-renew.service";
+    };
+    wantedBy = [ "timers.target" ];
+  };
+
+  systemd.services."certbot-renew" = {
+    enable = true;
+    after = [
+      "nginx.service"
+      "network.target"
+    ];
+    wantedBy = [ "multi-user.target" ];
+    environment = {
+      "REQUESTS_CA_BUNDLE" = "/var/lib/step-ca/certs/root_ca.crt";
+    };
+    serviceConfig = {
+      ExecStart = "${pkgs.certbot}/bin/certbot renew";
+    };
+  };
+}
--- a/system/dev/dn-server/default.nix
+++ b/system/dev/dn-server/default.nix
@ -18,7 +18,8 @@
    ./services.nix
    ./nginx.nix
    ./nextcloud.nix
-    # ./step-ca.nix
+    ./step-ca.nix
+    ./cerbot.nix
    ../../modules/presets/minimal.nix
    ../../modules/bluetooth.nix
    ../../modules/cuda.nix
--- a/system/dev/dn-server/nextcloud.nix
+++ b/system/dev/dn-server/nextcloud.nix
@ -4,6 +4,19 @@
  lib,
  ...
 }:
+let
+  acmeWebRoot = "/var/www/nextcloud.net.dn/html/";
+
+  certScript = pkgs.writeShellScriptBin "certbot-nextcloud" ''
+    ${pkgs.certbot}/bin/certbot certonly --webroot \
+    --webroot-path ${acmeWebRoot} -v \
+    -d nextcloud.net.dn \
+    --server https://ca.net.dn:8443/acme/acme/directory \
+    -m admin@mail.net.dn
+
+    chown nginx:nginx -R /etc/letsencrypt
+  '';
+in
 {
  imports = [
    "${
@ -97,6 +110,41 @@
    exiftool
  ];

+  services.nginx = {
+    virtualHosts = {
+      ${config.services.nextcloud.hostName} = {
+        listen = lib.mkForce [
+          {
+            addr = "0.0.0.0";
+            port = 443;
+            ssl = true;
+          }
+          {
+            addr = "0.0.0.0";
+            port = 80;
+          }
+        ];
+
+        locations."^~ /.well-known/acme-challenge/" = {
+          root = "/var/www/nextcloud.net.dn/html";
+          extraConfig = ''
+            default_type "text/plain";
+          '';
+        };
+
+        forceSSL = true;
+        sslCertificate = "/etc/letsencrypt/live/nextcloud.net.dn/fullchain.pem";
+        sslCertificateKey = "/etc/letsencrypt/live/nextcloud.net.dn/privkey.pem";
+
+        extraConfig = ''
+          ssl_protocols TLSv1.2 TLSv1.3;
+          ssl_ciphers 'TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384';
+          ssl_prefer_server_ciphers on;
+        '';
+      };
+    };
+  };
+
  systemd.timers."nextcloud-backup" = {
    enable = true;
    description = "Nextcloud backup";
@ -148,4 +196,5 @@
        "${script}/bin/backup";
    };
  };
+
 }
--- a/system/dev/dn-server/nginx.nix
+++ b/system/dev/dn-server/nginx.nix
@ -1,30 +1,8 @@
 {
-  config,
-  lib,
  ...
 }:
 {
  services.nginx = {
    enable = true;
-    virtualHosts = {
-      ${config.services.nextcloud.hostName} = {
-        listen = lib.mkForce [
-          {
-            addr = "0.0.0.0";
-            port = 443;
-            ssl = true;
-          }
-        ];
-        forceSSL = true;
-        sslCertificate = "/var/lib/acme/net.dn.crt";
-        sslCertificateKey = "/var/lib/acme/net.dn.key";
-        sslTrustedCertificate = "/var/lib/acme/net.dn.crt";
-        extraConfig = ''
-          ssl_protocols TLSv1.2 TLSv1.3;
-          ssl_ciphers 'TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384';
-          ssl_prefer_server_ciphers on;
-        '';
-      };
-    };
  };
 }
--- a/system/dev/dn-server/step-ca.nix
+++ b/system/dev/dn-server/step-ca.nix
@ -28,8 +28,7 @@ Bq-3sY8n13Dv0E6yx2hVIAlzLj3aE29LC4A2j81vW5MtpaM27lMpg.cwlqZ-8l1iZNeeS9.idRpRJ9zB
              kty = "EC";
              use = "sig";
              x = "o-Srd0v3IY7zU9U2COE9BOsjyIPjBvNT2WKPTo8ePZI";
-              y = "y5OFjciRMVg8ePaEsjSPWbKp_
-NjQ6U4CtbplRx7z3Bw";
+              y = "y5OFjciRMVg8ePaEsjSPWbKp_NjQ6U4CtbplRx7z3Bw";
            };
            name = "danny@smallstep.net.dn";
            type = "JWK";
@ -46,8 +45,7 @@ NjQ6U4CtbplRx7z3Bw";
          }
        ];
      };
-      crt = "/var/lib/s
-tep-ca/certs/intermediate_ca.crt";
+      crt = "/var/lib/step-ca/certs/intermediate_ca.crt";
      db = {
        badgerFileLoadingMode = "";
        dataSource = "/var/lib/step-ca/db";
@ -67,8 +65,7 @@ tep-ca/certs/intermediate_ca.crt";
      tls = {
        cipherSuites = [
          "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256"
-          "TLS_EC
-DHE_ECDSA_WITH_AES_128_GCM_SHA256"
+          "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
        ];
        maxVersion = 1.3;
        minVersion = 1.2;
--- a/system/modules/ca.nix
+++ b/system/modules/ca.nix
@ -1,23 +1,17 @@
 {
  security.pki.certificates = [
+    # Step CA Root
    ''
      -----BEGIN CERTIFICATE-----
-      MIIC5TCCAc2gAwIBAgIUCxaWRHkKr2mQOW2cBzw+Ov9xJaQwDQYJKoZIhvcNAQEL
-      BQAwGzEZMBcGA1UEAwwQbmV4dGNsb3VkLm5ldC5kbjAeFw0yNTA0MjAxMDQ2MTVa
-      Fw0zNTA0MTgxMDQ2MTVaMBsxGTAXBgNVBAMMEG5leHRjbG91ZC5uZXQuZG4wggEi
-      MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDY9TBCJoMJ0EREbiGdjLp2odJy
-      bpKqOyET1J8T/6nBwkgMDpTuAi2Pzp9gJ5lDdzmhhIN2B7f0XWnCNPHsUaHWKfZQ
-      gEX3LtDSOQrYt4ChMIuzioasJLhGqNyV+4XooIl6R/+2ycQ88I3FoamFDJ0sDkz9
-      2YtKM+UTKyEKSqThF3+W7SbFtHiohT79L5u6pRL2TE6zcqdcOOkqPTOnwbtuRP4+
-      bDbFKowBhWTwFSZPpkf010ol6tr5RS8+MqdldmB7NTv9NmyRj2JTNDiQWv7Koq67
-      UuDiL1ja+6TFNke47BwKEP1ykz6Ity59V364FljAol477urXNWgppRhOK/1tAgMB
-      AAGjITAfMB0GA1UdDgQWBBSJtl7lnYwXpMOz6PHjIx7QR9ra6DANBgkqhkiG9w0B
-      AQsFAAOCAQEAi6M16fhOWS3zi5SDV2KHxa9fJuZcqbgt7ITSr2ex7BpdbMQ17RDT
-      PyVOQsCVQGF6zY3KqP/+fRYoZzLxnXwPmO/4OXYZoR5UQmoc0VZ9vMTaALIYooYS
-      t5I/Q8xnH/CmVkt6cIRU4Ysjy4zp9+sobZM7u+Agl0yd2LExzMREjiNpK832hCyz
-      RZmCrkyekEG3MREuRAqk0vxO7yNTzHMNOG0SzKh49t8WCWWXHyUdxbTzaqXic+R+
-      E7dWCFQY5m8ExiqPrKusIMxeerPbs7cXew1mJDEtFqJxpSSa7Jz1XBaMPS3KfcbK
-      Vhgysawxfe0gSPXwIuOcB+DF8vz6ZdhQYQ==
+      MIIBqDCCAU2gAwIBAgIQBnU3DLmknEy9zgvkjtIhEjAKBggqhkjOPQQDAjAyMRMw
+      EQYDVQQKEwpzdGVwLWNhLWRuMRswGQYDVQQDExJzdGVwLWNhLWRuIFJvb3QgQ0Ew
+      HhcNMjUwNDE4MTQ1NjU1WhcNMzUwNDE2MTQ1NjU1WjAyMRMwEQYDVQQKEwpzdGVw
+      LWNhLWRuMRswGQYDVQQDExJzdGVwLWNhLWRuIFJvb3QgQ0EwWTATBgcqhkjOPQIB
+      BggqhkjOPQMBBwNCAAQT0Q5Zt9yRE6LGDGzMqxyzxDHH6yMcpRHxeam5QWNyBLT2
+      TLhQvH/xJSFxeolKbf+kQGlE1armOqOxVUuy1kbho0UwQzAOBgNVHQ8BAf8EBAMC
+      AQYwEgYDVR0TAQH/BAgwBgEB/wIBATAdBgNVHQ4EFgQU2Cr1FiPu24tU5Asobi0Z
+      t3R9HvUwCgYIKoZIzj0EAwIDSQAwRgIhAINLdkW3wqMSzIZro3JbYbX+T7MYVQFM
+      Weu1hXe28LWsAiEA371C55I6Dooe2hRZ1KaUAdZ5jh4hk63o7m0/B2xgFSc=
      -----END CERTIFICATE-----
    ''
  ];