From f8cec37ed3fda24dd3e834120b0f6dbcf95e54d2 Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Sun, 27 Feb 2022 16:48:35 +0100
Subject: surtr: synapse-admin

---
 hosts/surtr/dns/default.nix | 2 +-
 hosts/surtr/dns/zones/li.synapse.soa | 6 +++++-
 hosts/surtr/matrix/default.nix | 24 ++++++++++++++++++++++++
 3 files changed, 30 insertions(+), 2 deletions(-)

diff --git a/hosts/surtr/dns/default.nix b/hosts/surtr/dns/default.nix
index 0a754a86..0115412c 100644
--- a/hosts/surtr/dns/default.nix
+++ b/hosts/surtr/dns/default.nix
@@ -171,7 +171,7 @@ in {
 addACLs = { "xmpp.li" = ["ymir_acme_acl"]; };
 }
 { domain = "synapse.li";
- acmeDomains = ["element.synapse.li" "turn.synapse.li" "synapse.li"];
+ acmeDomains = ["element.synapse.li" "turn.synapse.li" "admin.synapse.li" "synapse.li"];
 }
 { domain = "dirty-haskell.org";
 addACLs = { "dirty-haskell.org" = ["ymir_acme_acl"]; };
diff --git a/hosts/surtr/dns/zones/li.synapse.soa b/hosts/surtr/dns/zones/li.synapse.soa
index 44d4e22e..8991b8ea 100644
--- a/hosts/surtr/dns/zones/li.synapse.soa
+++ b/hosts/surtr/dns/zones/li.synapse.soa
@@ -1,7 +1,7 @@
 $ORIGIN synapse.li.
 $TTL 3600
 @ IN SOA ns.yggdrasil.li. root.yggdrasil.li. (
- 2022022602 ; serial
+ 2022022700 ; serial
 10800 ; refresh
 3600 ; retry
 604800 ; expire
@@ -27,6 +27,10 @@
 element IN A 202.61.241.61
 element IN AAAA 2a03:4000:52:ada::
 _acme-challenge.element IN NS ns.yggdrasil.li.
+admin IN A 202.61.241.61
+admin IN AAAA 2a03:4000:52:ada::
+_acme-challenge.admin IN NS ns.yggdrasil.li.
+
 turn IN CAA 128 issue "letsencrypt.org; validationmethods=dns-01"
 turn IN CAA 128 issue "sectigo.com; validationmethods=dns-01"
 turn IN CAA 128 iodef "mailto:caa@yggdrasil.li"
diff --git a/hosts/surtr/matrix/default.nix b/hosts/surtr/matrix/default.nix
index 01ea2aee..a5811612 100644
--- a/hosts/surtr/matrix/default.nix
+++ b/hosts/surtr/matrix/default.nix
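Review bot: The new `admin` records carry no CAA, while the neighbouring `turn` records in the same hunk pin issuance to `letsencrypt.org` and `sectigo.com` with `validationmethods=dns-01`; a CAA lookup climbs to the parent name, so an apex CAA set elsewhere in the zone would cover `admin`, but nothing visible here shows one. If the same pinning is intended, add `admin IN CAA 128 issue "letsencrypt.org; validationmethods=dns-01"`, `admin IN CAA 128 issue "sectigo.com; validationmethods=dns-01"` and `admin IN CAA 128 iodef "mailto:caa@yggdrasil.li"` next to the new A/AAAA records. The `element` context lines have no CAA either, so this may be the existing convention for nginx-fronted names rather than an omission; worth a one-line comment in the zone file either way.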
@@ -138,6 +138,18 @@
 };
 };
 };
+
+ virtualHosts."admin.synapse.li" = {
+ forceSSL = true;
+ sslCertificate = "/run/credentials/nginx.service/admin.synapse.li.pem";
+ sslCertificateKey = "/run/credentials/nginx.service/admin.synapse.li.key.pem";
+ sslTrustedCertificate = "/run/credentials/nginx.service/admin.synapse.li.chain.pem";
+ extraConfig = ''
+ add_header Strict-Transport-Security "max-age=63072000" always;
+ '';
+
+ root = pkgs.synapse-admin;
+ };
 };
 
 security.acme.domains = {
@@ -149,6 +161,14 @@
 '';
 };
 };
+ "admin.synapse.li" = {
+ zone = "synapse.li";
+ certCfg = {
+ postRun = ''
+ ${pkgs.systemd}/bin/systemctl try-restart nginx.service
+ '';
+ };
+ };
 "turn.synapse.li" = {
 zone = "synapse.li";
 certCfg = {
@@ -178,6 +198,10 @@
 "element.synapse.li.key.pem:${config.security.acme.certs."element.synapse.li".directory}/key.pem"
 "element.synapse.li.pem:${config.security.acme.certs."element.synapse.li".directory}/fullchain.pem"
 "element.synapse.li.chain.pem:${config.security.acme.certs."element.synapse.li".directory}/chain.pem"
+
+ "admin.synapse.li.key.pem:${config.security.acme.certs."admin.synapse.li".directory}/key.pem"
+ "admin.synapse.li.pem:${config.security.acme.certs."admin.synapse.li".directory}/fullchain.pem"
+ "admin.synapse.li.chain.pem:${config.security.acme.certs."admin.synapse.li".directory}/chain.pem"
 ];
 };
 };
-- 
cgit v1.2.3
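Review bot: The new `admin.synapse.li` vhost serves the synapse-admin UI to any client, with nothing in `extraConfig` beyond the HSTS header: no source-address restriction and no basic auth in front of the static files. As far as I know synapse-admin logs in against the homeserver's admin API with the operator's own credentials, so what is exposed is a privileged login surface rather than data, but that is exactly the kind of endpoint worth narrowing — e.g. `allow <ADMIN-NET-PLACEHOLDER>; deny all;` in `extraConfig`, or a `basicAuthFile` on the vhost. The HSTS value also omits `includeSubDomains`; whether the `element.synapse.li` vhost does the same is outside the hunk, so keep the two consistent whichever way it goes. The enclosing `virtualHosts` attribute set opens before this hunk.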