add media to ssl cert

2025-10-09 21:54:06 -05:00 · 2025-10-09 21:54:06 -05:00 · 160be6071e
commit 160be6071e
parent 24f6484496
5 changed files with 45 additions and 67 deletions
--- a/hosts/h001/containers/default.nix
+++ b/hosts/h001/containers/default.nix
@ -58,13 +58,6 @@
            proxyPass = "http://10.0.0.111";
          };
        };
-
-        "_" = {
-          default = true;
-          locations."/" = {
-            return = "404"; # or 444 for drop
-          };
-        };
      };
    };

--- a/hosts/h001/flake.lock
+++ b/hosts/h001/flake.lock
@ -67,22 +67,17 @@
        "home-manager": "home-manager",
        "hyprland": "hyprland",
        "nix-flatpak": "nix-flatpak",
-        "nixpkgs": "nixpkgs_3",
        "ragenix": "ragenix"
      },
      "locked": {
-        "lastModified": 1760053007,
-        "narHash": "sha256-0csJRXdWM+ybfB41g6Ptndi0WRU33onQRH0SdNKZmio=",
-        "ref": "refs/heads/master",
-        "rev": "8e5e514b169b62833457d6d851bb1437fb8a8257",
-        "revCount": 711,
-        "type": "git",
-        "url": "https://git.joshuabell.xyz/ringofstorms/dotfiles"
+        "path": "../../common",
+        "type": "path"
      },
      "original": {
-        "type": "git",
-        "url": "https://git.joshuabell.xyz/ringofstorms/dotfiles"
-      }
+        "path": "../../common",
+        "type": "path"
+      },
+      "parent": []
    },
    "crane": {
      "locked": {
@ -537,7 +532,7 @@
    },
    "nixarr": {
      "inputs": {
-        "nixpkgs": "nixpkgs_5",
+        "nixpkgs": "nixpkgs_4",
        "vpnconfinement": "vpnconfinement",
        "website-builder": "website-builder"
      },
@ -588,22 +583,6 @@
      }
    },
    "nixpkgs_3": {
-      "locked": {
-        "lastModified": 1758690382,
-        "narHash": "sha256-NY3kSorgqE5LMm1LqNwGne3ZLMF2/ILgLpFr1fS4X3o=",
-        "owner": "nixos",
-        "repo": "nixpkgs",
-        "rev": "e643668fd71b949c53f8626614b21ff71a07379d",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nixos",
-        "ref": "nixos-unstable",
-        "repo": "nixpkgs",
-        "type": "github"
-      }
-    },
-    "nixpkgs_4": {
      "locked": {
        "lastModified": 1741379970,
        "narHash": "sha256-Wh7esNh7G24qYleLvgOSY/7HlDUzWaL/n4qzlBePpiw=",
@ -619,7 +598,7 @@
        "type": "github"
      }
    },
-    "nixpkgs_5": {
+    "nixpkgs_4": {
      "locked": {
        "lastModified": 1748662220,
        "narHash": "sha256-7gGa49iB9nCnFk4h/g9zwjlQAyjtpgcFkODjcOQS0Es=",
@ -635,7 +614,7 @@
        "type": "github"
      }
    },
-    "nixpkgs_6": {
+    "nixpkgs_5": {
      "locked": {
        "lastModified": 1759735786,
        "narHash": "sha256-a0+h02lyP2KwSNrZz4wLJTu9ikujNsTWIC874Bv7IJ0=",
@ -651,7 +630,7 @@
        "type": "github"
      }
    },
-    "nixpkgs_7": {
+    "nixpkgs_6": {
      "locked": {
        "lastModified": 1759772810,
        "narHash": "sha256-8/sO67+Q6yNfFD39W5SXQHDbf/tQUHWFhCdxgRRGVCQ=",
@ -1607,7 +1586,7 @@
        "agenix": "agenix",
        "crane": "crane",
        "flake-utils": "flake-utils",
-        "nixpkgs": "nixpkgs_4",
+        "nixpkgs": "nixpkgs_3",
        "rust-overlay": "rust-overlay"
      },
      "locked": {
@ -1629,7 +1608,7 @@
        "common": "common",
        "litellm-nixpkgs": "litellm-nixpkgs",
        "nixarr": "nixarr",
-        "nixpkgs": "nixpkgs_6",
+        "nixpkgs": "nixpkgs_5",
        "oauth2-proxy-nixpkgs": "oauth2-proxy-nixpkgs",
        "open-webui-nixpkgs": "open-webui-nixpkgs",
        "ros_neovim": "ros_neovim",
@ -1638,7 +1617,7 @@
    },
    "ros_neovim": {
      "inputs": {
-        "nixpkgs": "nixpkgs_7",
+        "nixpkgs": "nixpkgs_6",
        "nvim_plugin-Almo7aya/openingh.nvim": "nvim_plugin-Almo7aya/openingh.nvim",
        "nvim_plugin-CopilotC-Nvim/CopilotChat.nvim": "nvim_plugin-CopilotC-Nvim/CopilotChat.nvim",
        "nvim_plugin-JoosepAlviste/nvim-ts-context-commentstring": "nvim_plugin-JoosepAlviste/nvim-ts-context-commentstring",
--- a/hosts/h001/flake.nix
+++ b/hosts/h001/flake.nix
@ -8,8 +8,8 @@
    oauth2-proxy-nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";

    # Use relative to get current version for testing
-    # common.url = "path:../../common";
-    common.url = "git+https://git.joshuabell.xyz/ringofstorms/dotfiles";
+    common.url = "path:../../common";
+    # common.url = "git+https://git.joshuabell.xyz/ringofstorms/dotfiles";

    ros_neovim.url = "git+https://git.joshuabell.xyz/ringofstorms/nvim";

--- a/hosts/h001/mods/nixarr.nix
+++ b/hosts/h001/mods/nixarr.nix
@ -47,39 +47,23 @@
    services.nginx = {
      virtualHosts = {
        "jellyfin.joshuabell.xyz" = {
-          enableACME = true;
-          # forceSSL = true;
+          addSSL = true;
+          sslCertificate = "/var/lib/acme/joshuabell.xyz/fullchain.pem";
+          sslCertificateKey = "/var/lib/acme/joshuabell.xyz/key.pem";
          locations."/" = {
            proxyWebsockets = true;
            proxyPass = "http://localhost:8096";
          };
        };
        "media.joshuabell.xyz" = {
-          enableACME = true;
-          # forceSSL = true;
+          addSSL = true;
+          sslCertificate = "/var/lib/acme/joshuabell.xyz/fullchain.pem";
+          sslCertificateKey = "/var/lib/acme/joshuabell.xyz/key.pem";
          locations."/" = {
            proxyWebsockets = true;
            proxyPass = "http://localhost:5055";
          };
        };
-        # "10.12.14.10" = {
-        #   locations."/" = {
-        #     proxyWebsockets = true;
-        #     proxyPass = "http://localhost:8096";
-        #   };
-        # };
-        # "jellyfin.h001.local.joshuabell.xyz" = {
-        #   locations."/" = {
-        #     proxyWebsockets = true;
-        #     proxyPass = "http://localhost:8096";
-        #   };
-        # };
-        # "media.h001.local.joshuabell.xyz" = {
-        #   locations."/" = {
-        #     proxyWebsockets = true;
-        #     proxyPass = "http://localhost:5055";
-        #   };
-        # };
      };
    };
  };
--- a/hosts/h001/nginx.nix
+++ b/hosts/h001/nginx.nix
@ -1,4 +1,5 @@
 {
+  config,
  ...
 }:
 let
@ -8,8 +9,21 @@ let
  };
 in
 {
-  security.acme.acceptTerms = true;
-  security.acme.defaults.email = "admin@joshuabell.xyz";
+  # TODO transfer these to o001 to use same certs?
+  security.acme = {
+    acceptTerms = true;
+    defaults.email = "admin@joshuabell.xyz";
+    certs."joshuabell.xyz" = {
+      domain = "joshuabell.xyz";
+      extraDomainNames = [ "*.joshuabell.xyz" ];
+      credentialFiles = {
+        LINODE_TOKEN_FILE = config.age.secrets.linode_rw_domains.path;
+      };
+      dnsProvider = "linode";
+      group = "nginx";
+    };
+  };
+
  services.nginx = {
    enable = true;
    recommendedGzipSettings = true;
@ -45,6 +59,14 @@ in
          "/" = homarr;
        };
      };
+
+      "_" = {
+        rejectSSL = true;
+        default = true;
+        locations."/" = {
+          return = "444"; # 404 for not found or 444 for drop
+        };
+      };
    };
  };
 }