
System and user configuration, managed by nix and home-manager

nanopi: enable local CA
Alan Pearce alan@alanpearce.eu
Thu, 27 Jun 2024 11:50:47 +0200
commit

91dcf6ef11bbcf1ecaf5666064657694860b163f

parent

47f590d853a959145ef7b860857740d11c0853b3

1 files changed, 41 insertions(+), 0 deletions(-)

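--- a/system/nanopi.nix
+++ b/system/nanopi.nix
@@ -506,6 +506,7 @@ ];
       localise-queries = true;
       interface-name = [
         "nanopi.${domain},bridge0"
+        "ca.${domain},bridge0"
         "wan.${domain},wan0"
         "wlan.${domain},wlan0"
       ];
@@ -602,6 +603,46 @@ if [[ $IFACE == "wan0" && $OperationalState == "routable" ]]
           then
             ${pkgs.ethtool}/bin/ethtool -K $IFACE rx-udp-gro-forwarding on rx-gro-list off
           fi
+        '';
+      };
+    };
+  };
+
+  services.caddy = {
+    enable = true;
+    globalConfig = ''
+      auto_https disable_redirects
+      pki {
+        ca home {
+          name "Home CA"
+        }
+      }
+    '';
+    virtualHosts = {
+      "nanopi.${domain}" = {
+        serverAliases = [ "nanopi.${ts_domain}" ];
+        extraConfig = ''
+          tls {
+            issuer internal {
+              ca home
+            }
+          }
+          root /var/lib/caddy/ca
+          file_server browse
+        '';
+      };
+      "ca.${domain}" = {
+        extraConfig = ''
+          tls {
+            issuer internal {
+              ca home
+            }
+          }
+          acme_server {
+            allow {
+              domains *.test *.${domain}
+            }
+          }
+        '';
+      };
+    };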
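Review bot: The `acme_server` block on the `ca.${domain}` vhost names no CA, and Caddy's acme_server issues from the default `local` CA when `ca` is omitted, so certificates handed to ACME clients would be signed by a different root than the "Home CA" that the two `tls { issuer internal { ca home } }` blocks use; add `ca home` as the first line inside `acme_server { ... }` so both paths chain to the same root, unless the NixOS module sets this elsewhere. Relatedly, `file_server browse` on `/var/lib/caddy/ca` exposes a directory listing to every client that can reach `nanopi.${domain}` or the Tailscale alias — that path is not Caddy's own PKI storage, so it is presumably populated by hand, but it should hold only the public root certificate, never `root.key` or the intermediate key; a comment such as `# public root cert only — never place private keys here` above `root /var/lib/caddy/ca` would make that explicit. Note also that `allow { domains ... }` restricts only the names a client may request; any host on `bridge0` that can answer a challenge can obtain a certificate for any `*.${domain}` name, which is fine for a home LAN but worth stating in a comment on the `acme_server` block.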