dachxy/nix-conf
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat: step ca for nextcloud

Browse source
This commit is contained in:
DACHXY 2025-04-26 21:09:10 +08:00
parent b655f6ad4e
commit d6e8e23d3b
7 changed files with 110 additions and 45 deletions
Download patch file Download diff file Expand all files Collapse all files

17
system/dev/dn-server/boot.nix
View file

@ -37,4 +37,21 @@
ARRAY /dev/md126 metadata=1.2 name=stuff:0 ARRAY /dev/md126 metadata=1.2 name=stuff:0
UUID=b75dc506-8f7c-4557-8b2f-adb5f1358dbc UUID=b75dc506-8f7c-4557-8b2f-adb5f1358dbc
''; '';
fileSystems."/mnt/ssd" = {
device = "/dev/disk/by-uuid/4E21-0000";
fsType = "exfat";
options = [
"x-systemd.automount"
"noauto"
"x-systemd.idle-timeout=600"
"nofail"
"user"
"x-gvfs-show"
"gid=1000"
"uid=1000"
"dmask=000"
"fmask=000"
];
};
} }

29
system/dev/dn-server/cerbot.nix Normal file
View file

@ -0,0 +1,29 @@
{ pkgs, ... }:
{
systemd.timers."certbot-renew" = {
enable = true;
description = "certbot renew";
timerConfig = {
OnCalendar = "*-*-* 03:00:00";
Persistent = true;
OnUnitActiveSec = "1d";
Unit = "certbot-renew.service";
};
wantedBy = [ "timers.target" ];
};
systemd.services."certbot-renew" = {
enable = true;
after = [
"nginx.service"
"network.target"
];
wantedBy = [ "multi-user.target" ];
environment = {
"REQUESTS_CA_BUNDLE" = "/var/lib/step-ca/certs/root_ca.crt";
};
serviceConfig = {
ExecStart = "${pkgs.certbot}/bin/certbot renew";
};
};
}

3
system/dev/dn-server/default.nix
View file

@ -18,7 +18,8 @@
./services.nix ./services.nix
./nginx.nix ./nginx.nix
./nextcloud.nix ./nextcloud.nix
# ./step-ca.nix ./step-ca.nix
./cerbot.nix
../../modules/presets/minimal.nix ../../modules/presets/minimal.nix
../../modules/bluetooth.nix ../../modules/bluetooth.nix
../../modules/cuda.nix ../../modules/cuda.nix

49
system/dev/dn-server/nextcloud.nix
View file

@ -4,6 +4,19 @@
lib, lib,
... ...
}: }:
let
acmeWebRoot = "/var/www/nextcloud.net.dn/html/";
certScript = pkgs.writeShellScriptBin "certbot-nextcloud" ''
${pkgs.certbot}/bin/certbot certonly --webroot \
--webroot-path ${acmeWebRoot} -v \
-d nextcloud.net.dn \
--server https://ca.net.dn:8443/acme/acme/directory \
-m admin@mail.net.dn
chown nginx:nginx -R /etc/letsencrypt
'';
in
{ {
imports = [ imports = [
"${ "${
@ -97,6 +110,41 @@
exiftool exiftool
]; ];
services.nginx = {
virtualHosts = {
${config.services.nextcloud.hostName} = {
listen = lib.mkForce [
{
addr = "0.0.0.0";
port = 443;
ssl = true;
}
{
addr = "0.0.0.0";
port = 80;
}
];
locations."^~ /.well-known/acme-challenge/" = {
root = "/var/www/nextcloud.net.dn/html";
extraConfig = ''
default_type "text/plain";
'';
};
forceSSL = true;
sslCertificate = "/etc/letsencrypt/live/nextcloud.net.dn/fullchain.pem";
sslCertificateKey = "/etc/letsencrypt/live/nextcloud.net.dn/privkey.pem";
extraConfig = ''
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 'TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384';
ssl_prefer_server_ciphers on;
'';
};
};
};
systemd.timers."nextcloud-backup" = { systemd.timers."nextcloud-backup" = {
enable = true; enable = true;
description = "Nextcloud backup"; description = "Nextcloud backup";
@ -148,4 +196,5 @@
"${script}/bin/backup"; "${script}/bin/backup";
}; };
}; };
} }

22
system/dev/dn-server/nginx.nix
View file

@ -1,30 +1,8 @@
{ {
config,
lib,
... ...
}: }:
{ {
services.nginx = { services.nginx = {
enable = true; enable = true;
virtualHosts = {
${config.services.nextcloud.hostName} = {
listen = lib.mkForce [
{
addr = "0.0.0.0";
port = 443;
ssl = true;
}
];
forceSSL = true;
sslCertificate = "/var/lib/acme/net.dn.crt";
sslCertificateKey = "/var/lib/acme/net.dn.key";
sslTrustedCertificate = "/var/lib/acme/net.dn.crt";
extraConfig = ''
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 'TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384';
ssl_prefer_server_ciphers on;
'';
};
};
}; };
} }

9
system/dev/dn-server/step-ca.nix
View file

@ -28,8 +28,7 @@ Bq-3sY8n13Dv0E6yx2hVIAlzLj3aE29LC4A2j81vW5MtpaM27lMpg.cwlqZ-8l1iZNeeS9.idRpRJ9zB
kty = "EC"; kty = "EC";
use = "sig"; use = "sig";
x = "o-Srd0v3IY7zU9U2COE9BOsjyIPjBvNT2WKPTo8ePZI"; x = "o-Srd0v3IY7zU9U2COE9BOsjyIPjBvNT2WKPTo8ePZI";
y = "y5OFjciRMVg8ePaEsjSPWbKp_ y = "y5OFjciRMVg8ePaEsjSPWbKp_NjQ6U4CtbplRx7z3Bw";
NjQ6U4CtbplRx7z3Bw";
}; };
name = "danny@smallstep.net.dn"; name = "danny@smallstep.net.dn";
type = "JWK"; type = "JWK";
@ -46,8 +45,7 @@ NjQ6U4CtbplRx7z3Bw";
} }
]; ];
}; };
crt = "/var/lib/s crt = "/var/lib/step-ca/certs/intermediate_ca.crt";
tep-ca/certs/intermediate_ca.crt";
db = { db = {
badgerFileLoadingMode = ""; badgerFileLoadingMode = "";
dataSource = "/var/lib/step-ca/db"; dataSource = "/var/lib/step-ca/db";
@ -67,8 +65,7 @@ tep-ca/certs/intermediate_ca.crt";
tls = { tls = {
cipherSuites = [ cipherSuites = [
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256" "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256"
"TLS_EC "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
DHE_ECDSA_WITH_AES_128_GCM_SHA256"
]; ];
maxVersion = 1.3; maxVersion = 1.3;
minVersion = 1.2; minVersion = 1.2;

26
system/modules/ca.nix
View file

@ -1,23 +1,17 @@
{ {
security.pki.certificates = [ security.pki.certificates = [
# Step CA Root
'' ''
-----BEGIN CERTIFICATE----- -----BEGIN CERTIFICATE-----
MIIC5TCCAc2gAwIBAgIUCxaWRHkKr2mQOW2cBzw+Ov9xJaQwDQYJKoZIhvcNAQEL MIIBqDCCAU2gAwIBAgIQBnU3DLmknEy9zgvkjtIhEjAKBggqhkjOPQQDAjAyMRMw
BQAwGzEZMBcGA1UEAwwQbmV4dGNsb3VkLm5ldC5kbjAeFw0yNTA0MjAxMDQ2MTVa EQYDVQQKEwpzdGVwLWNhLWRuMRswGQYDVQQDExJzdGVwLWNhLWRuIFJvb3QgQ0Ew
Fw0zNTA0MTgxMDQ2MTVaMBsxGTAXBgNVBAMMEG5leHRjbG91ZC5uZXQuZG4wggEi HhcNMjUwNDE4MTQ1NjU1WhcNMzUwNDE2MTQ1NjU1WjAyMRMwEQYDVQQKEwpzdGVw
MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDY9TBCJoMJ0EREbiGdjLp2odJy LWNhLWRuMRswGQYDVQQDExJzdGVwLWNhLWRuIFJvb3QgQ0EwWTATBgcqhkjOPQIB
bpKqOyET1J8T/6nBwkgMDpTuAi2Pzp9gJ5lDdzmhhIN2B7f0XWnCNPHsUaHWKfZQ BggqhkjOPQMBBwNCAAQT0Q5Zt9yRE6LGDGzMqxyzxDHH6yMcpRHxeam5QWNyBLT2
gEX3LtDSOQrYt4ChMIuzioasJLhGqNyV+4XooIl6R/+2ycQ88I3FoamFDJ0sDkz9 TLhQvH/xJSFxeolKbf+kQGlE1armOqOxVUuy1kbho0UwQzAOBgNVHQ8BAf8EBAMC
2YtKM+UTKyEKSqThF3+W7SbFtHiohT79L5u6pRL2TE6zcqdcOOkqPTOnwbtuRP4+ AQYwEgYDVR0TAQH/BAgwBgEB/wIBATAdBgNVHQ4EFgQU2Cr1FiPu24tU5Asobi0Z
bDbFKowBhWTwFSZPpkf010ol6tr5RS8+MqdldmB7NTv9NmyRj2JTNDiQWv7Koq67 t3R9HvUwCgYIKoZIzj0EAwIDSQAwRgIhAINLdkW3wqMSzIZro3JbYbX+T7MYVQFM
UuDiL1ja+6TFNke47BwKEP1ykz6Ity59V364FljAol477urXNWgppRhOK/1tAgMB Weu1hXe28LWsAiEA371C55I6Dooe2hRZ1KaUAdZ5jh4hk63o7m0/B2xgFSc=
AAGjITAfMB0GA1UdDgQWBBSJtl7lnYwXpMOz6PHjIx7QR9ra6DANBgkqhkiG9w0B
AQsFAAOCAQEAi6M16fhOWS3zi5SDV2KHxa9fJuZcqbgt7ITSr2ex7BpdbMQ17RDT
PyVOQsCVQGF6zY3KqP/+fRYoZzLxnXwPmO/4OXYZoR5UQmoc0VZ9vMTaALIYooYS
t5I/Q8xnH/CmVkt6cIRU4Ysjy4zp9+sobZM7u+Agl0yd2LExzMREjiNpK832hCyz
RZmCrkyekEG3MREuRAqk0vxO7yNTzHMNOG0SzKh49t8WCWWXHyUdxbTzaqXic+R+
E7dWCFQY5m8ExiqPrKusIMxeerPbs7cXew1mJDEtFqJxpSSa7Jz1XBaMPS3KfcbK
Vhgysawxfe0gSPXwIuOcB+DF8vz6ZdhQYQ==
-----END CERTIFICATE----- -----END CERTIFICATE-----
'' ''
]; ];