From 04f538164ce11ce977a851b6de2a9d2c5f7a9adb Mon Sep 17 00:00:00 2001 From: lassulus Date: Tue, 12 Dec 2023 19:12:20 +0100 Subject: [PATCH] fix ssl cert for social.krebsco.de --- krebs/2configs/mastodon-proxy.nix | 12 ++---------- krebs/2configs/mastodon.nix | 11 ++--------- krebs/2configs/reaktor2.nix | 2 ++ 3 files changed, 6 insertions(+), 19 deletions(-) diff --git a/krebs/2configs/mastodon-proxy.nix b/krebs/2configs/mastodon-proxy.nix index 35bf6020d..b579a5031 100644 --- a/krebs/2configs/mastodon-proxy.nix +++ b/krebs/2configs/mastodon-proxy.nix @@ -8,17 +8,9 @@ acmeFallbackHost = "hotdog.r"; locations."/" = { # TODO use this in 22.11 - # recommendedProxySettings = true; - proxyPass = "http://hotdog.r"; + recommendedProxySettings = true; + proxyPass = "https://hotdog.r"; proxyWebsockets = true; - extraConfig = '' - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header X-Forwarded-Host $host; - proxy_set_header X-Forwarded-Server $host; - ''; }; }; }; diff --git a/krebs/2configs/mastodon.nix b/krebs/2configs/mastodon.nix index ab400955e..ebc4207a0 100644 --- a/krebs/2configs/mastodon.nix +++ b/krebs/2configs/mastodon.nix @@ -19,18 +19,11 @@ smtp.fromAddress = "derp"; }; - services.nginx.virtualHosts.${config.services.mastodon.localDomain} = { - forceSSL = lib.mkForce false; - enableACME = lib.mkForce false; - locations."@proxy".extraConfig = '' - proxy_redirect off; - proxy_pass_header Server; - proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto; - ''; - }; + security.acme.certs."social.krebsco.de".server = "https://acme-staging-v02.api.letsencrypt.org/directory"; networking.firewall.allowedTCPPorts = [ 80 + 443 ]; environment.systemPackages = [ diff --git a/krebs/2configs/reaktor2.nix b/krebs/2configs/reaktor2.nix index db7b794f4..e84827656 100644 --- a/krebs/2configs/reaktor2.nix +++ b/krebs/2configs/reaktor2.nix @@ -526,6 +526,8 @@ in { add_header 'Access-Control-Allow-Origin' '*'; add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS'; ''; + # needed for acmeFallback in sync-containers, or other machines not reachable globally + locations."~ ^/.well-known/acme-challenge/".root = "/var/lib/acme/acme-challenge"; }; services.nginx.virtualHosts."bedge.r" = {