authorGregor Kleen <gkleen@yggdrasil.li>2022-02-27 16:48:35 +0100
committerGregor Kleen <gkleen@yggdrasil.li>2022-02-27 16:48:35 +0100
commitf8cec37ed3fda24dd3e834120b0f6dbcf95e54d2 (patch)
tree77338195b6b24ec50bd7ecaef57b80b982795b0e
parent11b6a36595e360aa5115a2765df68c6065945e26 (diff)
surtr: synapse-admin
-rw-r--r--hosts/surtr/dns/default.nix2
-rw-r--r--hosts/surtr/dns/zones/li.synapse.soa6
-rw-r--r--hosts/surtr/matrix/default.nix24
3 files changed, 30 insertions, 2 deletions
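--- a/hosts/surtr/dns/default.nix
+++ b/hosts/surtr/dns/default.nix
@@ -171,7 +171,7 @@ in {
 addACLs = { "xmpp.li" = ["ymir_acme_acl"]; };
 }
 { domain = "synapse.li";
-acmeDomains = ["element.synapse.li" "turn.synapse.li" "synapse.li"];
+acmeDomains = ["element.synapse.li" "turn.synapse.li" "admin.synapse.li" "synapse.li"];
 }
 { domain = "dirty-haskell.org";
 addACLs = { "dirty-haskell.org" = ["ymir_acme_acl"]; };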
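--- a/hosts/surtr/dns/zones/li.synapse.soa
+++ b/hosts/surtr/dns/zones/li.synapse.soa
@@ -1,7 +1,7 @@
 $ORIGIN synapse.li.
 $TTL 3600
 @ IN SOA ns.yggdrasil.li. root.yggdrasil.li. (
-2022022602 ; serial
+2022022700 ; serial
 10800 ; refresh
 3600 ; retry
 604800 ; expire
@@ -27,6 +27,10 @@ element IN A 202.61.241.61
 element IN AAAA 2a03:4000:52:ada::
 _acme-challenge.element IN NS ns.yggdrasil.li.
 
+admin IN A 202.61.241.61
+admin IN AAAA 2a03:4000:52:ada::
+_acme-challenge.admin IN NS ns.yggdrasil.li.
+
 turn IN CAA 128 issue "letsencrypt.org; validationmethods=dns-01"
 turn IN CAA 128 issue "sectigo.com; validationmethods=dns-01"
 turn IN CAA 128 iodef "mailto:caa@yggdrasil.li"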
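Review bot: The new admin records in the second hunk add A/AAAA and the _acme-challenge NS delegation but no CAA records, while the turn name visible in the same context carries explicit `issue` and `iodef` CAA lines. Unless the synapse.li apex already publishes CAA (not visible in this hunk), a CAA lookup for admin.synapse.li finds no restriction on which CA may issue for it. Consider mirroring the turn entries, e.g. `admin IN CAA 128 issue "letsencrypt.org; validationmethods=dns-01"` and `admin IN CAA 128 iodef "mailto:caa@yggdrasil.li"`, so the new name gets the same issuance policy as the existing ones.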
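--- a/hosts/surtr/matrix/default.nix
+++ b/hosts/surtr/matrix/default.nix
@@ -138,6 +138,18 @@
 };
 };
 };
+
+virtualHosts."admin.synapse.li" = {
+forceSSL = true;
+sslCertificate = "/run/credentials/nginx.service/admin.synapse.li.pem";
+sslCertificateKey = "/run/credentials/nginx.service/admin.synapse.li.key.pem";
+sslTrustedCertificate = "/run/credentials/nginx.service/admin.synapse.li.chain.pem";
+extraConfig = ''
+add_header Strict-Transport-Security "max-age=63072000" always;
+'';
+
+root = pkgs.synapse-admin;
+};
 };
 
 security.acme.domains = {
@@ -149,6 +161,14 @@
 '';
 };
 };
+"admin.synapse.li" = {
+zone = "synapse.li";
+certCfg = {
+postRun = ''
+${pkgs.systemd}/bin/systemctl try-restart nginx.service
+'';
+};
+};
 "turn.synapse.li" = {
 zone = "synapse.li";
 certCfg = {
@@ -178,6 +198,10 @@
 "element.synapse.li.key.pem:${config.security.acme.certs."element.synapse.li".directory}/key.pem"
 "element.synapse.li.pem:${config.security.acme.certs."element.synapse.li".directory}/fullchain.pem"
 "element.synapse.li.chain.pem:${config.security.acme.certs."element.synapse.li".directory}/chain.pem"
+
+"admin.synapse.li.key.pem:${config.security.acme.certs."admin.synapse.li".directory}/key.pem"
+"admin.synapse.li.pem:${config.security.acme.certs."admin.synapse.li".directory}/fullchain.pem"
+"admin.synapse.li.chain.pem:${config.security.acme.certs."admin.synapse.li".directory}/chain.pem"
 ];
 };
 };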
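Review bot: The new `virtualHosts."admin.synapse.li"` block in the first hunk exposes the synapse-admin frontend to every client that can reach the host, with TLS and HSTS as the only controls and no access restriction at the nginx layer. Because this is an administrative UI for the homeserver, it is worth limiting who can load it, for example by adding `allow <ADMIN_NETWORK_PLACEHOLDER>; deny all;` to `extraConfig` or by placing the vhost behind an additional authentication layer, and by applying the same restriction to the homeserver's admin API path that the UI talks to (its exposure is not visible in this hunk). The certificate wiring in the other two hunks mirrors the existing element.synapse.li entries and needs no change. The enclosing attribute set begins before the first hunk and ends after the last one.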