summary refs log tree commit diff stats
diff options
context:
space:
mode:
authorAlan Pearce2024-06-27 11:50:47 +0200
committerAlan Pearce2024-06-27 11:50:47 +0200
commit91dcf6ef11bbcf1ecaf5666064657694860b163f (patch)
tree9275850745bbc00a139a88a81e838566305fb6b0
parent47f590d853a959145ef7b860857740d11c0853b3 (diff)
downloadnixfiles-91dcf6ef11bbcf1ecaf5666064657694860b163f.tar.lz
nixfiles-91dcf6ef11bbcf1ecaf5666064657694860b163f.tar.zst
nixfiles-91dcf6ef11bbcf1ecaf5666064657694860b163f.zip
nanopi: enable local CA
-rwxr-xr-xsystem/nanopi.nix41
1 files changed, 41 insertions, 0 deletions
diff --git a/system/nanopi.nix b/system/nanopi.nix
index b0253554..3c49ec8f 100755
--- a/system/nanopi.nix
+++ b/system/nanopi.nix
@@ -506,6 +506,7 @@ in
       localise-queries = true;
       interface-name = [
         "nanopi.${domain},bridge0"
+        "ca.${domain},bridge0"
         "wan.${domain},wan0"
         "wlan.${domain},wlan0"
       ];
@@ -607,6 +608,46 @@ in
     };
   };
 
+  services.caddy = {
+    enable = true;
+    globalConfig = ''
+      auto_https disable_redirects
+      pki {
+        ca home {
+          name "Home CA"
+        }
+      }
+    '';
+    virtualHosts = {
+      "nanopi.${domain}" = {
+        serverAliases = [ "nanopi.${ts_domain}" ];
+        extraConfig = ''
+          tls {
+            issuer internal {
+              ca home
+            }
+          }
+          root /var/lib/caddy/ca
+          file_server browse
+        '';
+      };
+      "ca.${domain}" = {
+        extraConfig = ''
+          tls {
+            issuer internal {
+              ca home
+            }
+          }
+          acme_server {
+            allow {
+              domains *.test *.${domain}
+            }
+          }
+        '';
+      };
+    };
+  };
+
   system.stateVersion = "23.05";
 
   programs.fish = {