all: use ACME DNS challenge only for internal domains

2024-10-27 20:50:37 +05:30 · 2024-10-27 20:50:37 +05:30 · 50032d4383
commit 50032d4383
parent 31289b53bc
15 changed files with 58 additions and 15 deletions
--- a/hosts/layne/services/apps/jackett.nix
+++ b/hosts/layne/services/apps/jackett.nix
@ -1,7 +1,12 @@
-_: {
+_:
+let
+  inherit (import ../../../shared/caddy-helpers.nix) tlsDNSChallenge;
+in
+{
  services = {
    caddy.virtualHosts."jackett.labs.adtya.xyz" = {
      extraConfig = ''
+        ${tlsDNSChallenge}
        reverse_proxy 127.0.0.1:9117
      '';
    };
--- a/hosts/layne/services/apps/jellyfin.nix
+++ b/hosts/layne/services/apps/jellyfin.nix
@ -1,6 +1,6 @@
 _:
 let
-  inherit (import ../../../shared/caddy-helpers.nix) logFormat;
+  inherit (import ../../../shared/caddy-helpers.nix) logFormat tlsDNSChallenge;
  domainName = "watch.acomputer.lol";
 in
 {
@ -10,12 +10,14 @@ in
        "jellyfin.local.adtya.xyz" = {
          logFormat = logFormat "jellyfin.local.adtya.xyz";
          extraConfig = ''
+            ${tlsDNSChallenge}
            reverse_proxy 127.0.0.1:8096
          '';
        };
        "jellyfin.labs.adtya.xyz" = {
          logFormat = logFormat "jellyfin.labs.adtya.xyz";
          extraConfig = ''
+            ${tlsDNSChallenge}
            reverse_proxy 127.0.0.1:8096
          '';
        };
--- a/hosts/layne/services/apps/radarr.nix
+++ b/hosts/layne/services/apps/radarr.nix
@ -1,7 +1,12 @@
-_: {
+_:
+let
+  inherit (import ../../../shared/caddy-helpers.nix) tlsDNSChallenge;
+in
+{
  services = {
    caddy.virtualHosts."radarr.labs.adtya.xyz" = {
      extraConfig = ''
+        ${tlsDNSChallenge}
        reverse_proxy 127.0.0.1:7878
      '';
    };
--- a/hosts/layne/services/apps/readarr.nix
+++ b/hosts/layne/services/apps/readarr.nix
@ -1,7 +1,12 @@
-_: {
+_:
+let
+  inherit (import ../../../shared/caddy-helpers.nix) tlsDNSChallenge;
+in
+{
  services = {
    caddy.virtualHosts."readarr.labs.adtya.xyz" = {
      extraConfig = ''
+        ${tlsDNSChallenge}
        reverse_proxy 127.0.0.1:8787
      '';
    };
--- a/hosts/layne/services/apps/sonarr.nix
+++ b/hosts/layne/services/apps/sonarr.nix
@ -1,7 +1,12 @@
-_: {
+_:
+let
+  inherit (import ../../../shared/caddy-helpers.nix) tlsDNSChallenge;
+in
+{
  services = {
    caddy.virtualHosts."sonarr.labs.adtya.xyz" = {
      extraConfig = ''
+        ${tlsDNSChallenge}
        reverse_proxy 127.0.0.1:8989
      '';
    };
--- a/hosts/layne/services/apps/transmission.nix
+++ b/hosts/layne/services/apps/transmission.nix
@ -1,6 +1,6 @@
 { pkgs, ... }:
 let
-  inherit (import ../../../shared/caddy-helpers.nix) logFormat;
+  inherit (import ../../../shared/caddy-helpers.nix) logFormat tlsDNSChallenge;
 in
 {
  services = {
@ -8,6 +8,7 @@ in
      virtualHosts."transmission.labs.adtya.xyz" = {
        logFormat = logFormat "transmission.labs.adtya.xyz";
        extraConfig = ''
+          ${tlsDNSChallenge}
          reverse_proxy 127.0.0.1:9091
        '';
      };
--- a/hosts/rico0/services/default.nix
+++ b/hosts/rico0/services/default.nix
@ -1,4 +1,8 @@
-_: {
+_:
+let
+  inherit (import ../../shared/caddy-helpers.nix) tlsDNSChallenge;
+in
+{
  imports = [
    ./apps
    ./btrfs.nix
@ -11,26 +15,31 @@ _: {
    virtualHosts = {
      "gateway.labs.adtya.xyz" = {
        extraConfig = ''
+          ${tlsDNSChallenge}
          reverse_proxy 192.168.0.1:80
        '';
      };
      "ap1.labs.adtya.xyz" = {
        extraConfig = ''
+          ${tlsDNSChallenge}
          reverse_proxy 192.168.1.1:80
        '';
      };
      "ap2.labs.adtya.xyz" = {
        extraConfig = ''
+          ${tlsDNSChallenge}
          reverse_proxy 192.168.1.2:80
        '';
      };
      "switch.labs.adtya.xyz" = {
        extraConfig = ''
+          ${tlsDNSChallenge}
          reverse_proxy 192.168.1.3:80
        '';
      };
      "frp.labs.adtya.xyz" = {
        extraConfig = ''
+          ${tlsDNSChallenge}
          reverse_proxy 10.10.10.1:7500
        '';
      };
--- a/hosts/rico1/services/apps/alertmanager.nix
+++ b/hosts/rico1/services/apps/alertmanager.nix
@ -1,6 +1,6 @@
 _:
 let
-  inherit (import ../../../shared/caddy-helpers.nix) logFormat;
+  inherit (import ../../../shared/caddy-helpers.nix) logFormat tlsDNSChallenge;
  domainName = "alertmanager.labs.adtya.xyz";
 in
 {
@ -9,6 +9,7 @@ in
      virtualHosts."${domainName}" = {
        logFormat = logFormat "${domainName}";
        extraConfig = ''
+          ${tlsDNSChallenge}
          reverse_proxy 127.0.0.1:9093
        '';
      };
--- a/hosts/rico1/services/apps/blocky.nix
+++ b/hosts/rico1/services/apps/blocky.nix
@ -1,6 +1,6 @@
 { pkgs, ... }:
 let
-  inherit (import ../../../shared/caddy-helpers.nix) logFormat;
+  inherit (import ../../../shared/caddy-helpers.nix) logFormat tlsDNSChallenge;
  domainName = "blocky.labs.adtya.xyz";
 in
 {
@ -20,6 +20,7 @@ in
      virtualHosts."${domainName}" = {
        logFormat = logFormat domainName;
        extraConfig = ''
+          ${tlsDNSChallenge}
          reverse_proxy 127.0.0.1:8080
        '';
      };
--- a/hosts/rico1/services/apps/grafana.nix
+++ b/hosts/rico1/services/apps/grafana.nix
@ -1,6 +1,6 @@
 _:
 let
-  inherit (import ../../../shared/caddy-helpers.nix) logFormat;
+  inherit (import ../../../shared/caddy-helpers.nix) logFormat tlsDNSChallenge;
  domainName = "grafana.labs.adtya.xyz";
 in
 {
@ -9,6 +9,7 @@ in
      virtualHosts."${domainName}" = {
        logFormat = logFormat domainName;
        extraConfig = ''
+          ${tlsDNSChallenge}
          reverse_proxy 127.0.0.1:9091
        '';
      };
--- a/hosts/rico1/services/apps/loki/default.nix
+++ b/hosts/rico1/services/apps/loki/default.nix
@ -1,6 +1,6 @@
 _:
 let
-  inherit (import ../../../../shared/caddy-helpers.nix) logFormat;
+  inherit (import ../../../../shared/caddy-helpers.nix) logFormat tlsDNSChallenge;
  domainName = "loki.labs.adtya.xyz";
 in
 {
@ -9,6 +9,7 @@ in
      virtualHosts."${domainName}" = {
        logFormat = logFormat domainName;
        extraConfig = ''
+          ${tlsDNSChallenge}
          reverse_proxy 127.0.0.1:3100
        '';
      };
--- a/hosts/rico1/services/apps/prometheus.nix
+++ b/hosts/rico1/services/apps/prometheus.nix
@ -1,6 +1,6 @@
 _:
 let
-  inherit (import ../../../shared/caddy-helpers.nix) logFormat;
+  inherit (import ../../../shared/caddy-helpers.nix) logFormat tlsDNSChallenge;
  domainName = "prometheus.labs.adtya.xyz";
 in
 {
@ -9,6 +9,7 @@ in
      virtualHosts."${domainName}" = {
        logFormat = logFormat domainName;
        extraConfig = ''
+          ${tlsDNSChallenge}
          reverse_proxy 127.0.0.1:9090
        '';
      };
--- a/hosts/shared/caddy-helpers.nix
+++ b/hosts/shared/caddy-helpers.nix
@ -4,4 +4,10 @@
    format json
    level DEBUG
  '';
+
+  tlsDNSChallenge = ''
+    tls {
+      dns digitalocean {env.DO_API_TOKEN}
+    }
+  '';
 }
--- a/hosts/shared/caddy.nix
+++ b/hosts/shared/caddy.nix
@ -17,9 +17,8 @@ in
    package = inputs.caddy.packages.${pkgs.system}.caddy;
    email = "admin@acomputer.lol";
    globalConfig = ''
-      acme_dns digitalocean {env.DO_API_TOKEN}
      servers {
-        trusted_proxies static private_ranges 10.10.10.0/24 fd7c:585c:c4ae::0/64
+        trusted_proxies static private_ranges 10.10.10.0/24
        client_ip_headers X-Forwarded-For X-Real-IP
        metrics
      }
--- a/hosts/shared/prometheus-exporters.nix
+++ b/hosts/shared/prometheus-exporters.nix
@ -1,6 +1,6 @@
 { lib, config, ... }:
 let
-  inherit (import ./caddy-helpers.nix) logFormat;
+  inherit (import ./caddy-helpers.nix) logFormat tlsDNSChallenge;
 in
 {
  services = {
@ -12,6 +12,7 @@ in
        virtualHosts."${vHost}" = {
          logFormat = logFormat vHost;
          extraConfig = ''
+            ${tlsDNSChallenge}
            metrics /caddy-metrics
            handle /metrics {
              reverse_proxy ${config.services.prometheus.exporters.node.listenAddress}:${toString config.services.prometheus.exporters.node.port}