moving off cloudflare tunnel

2026-04-17 21:18:18 -04:00 · 2026-04-13 13:25:41 -04:00
parent a0bbc2896a
commit 95c6ade154
4 changed files with 82 additions and 32 deletions
--- a/systems/jeeves/services/acme.nix
+++ b/systems/jeeves/services/acme.nix
@@ -0,0 +1,63 @@
+{
+  users.users.haproxy.extraGroups = [ "acme" ];
+
+  security.acme = {
+    acceptTerms = true;
+    defaults.email = "Richie@tmmworkshop.com";
+
+    certs."gitea.tmmworkshop.com" = {
+      webroot = "/var/lib/acme/.challenges";
+      group = "acme";
+      reloadServices = [ "haproxy.service" ];
+    };
+
+    certs."audiobookshelf.tmmworkshop.com" = {
+      webroot = "/var/lib/acme/.challenges";
+      group = "acme";
+      reloadServices = [ "haproxy.service" ];
+    };
+
+    certs."cache.tmmworkshop.com" = {
+      webroot = "/var/lib/acme/.challenges";
+      group = "acme";
+      reloadServices = [ "haproxy.service" ];
+    };
+
+    certs."jellyfin.tmmworkshop.com" = {
+      webroot = "/var/lib/acme/.challenges";
+      group = "acme";
+      reloadServices = [ "haproxy.service" ];
+    };
+
+    certs."share.tmmworkshop.com" = {
+      webroot = "/var/lib/acme/.challenges";
+      group = "acme";
+      reloadServices = [ "haproxy.service" ];
+    };
+  };
+
+  # Minimal nginx to serve ACME HTTP-01 challenge files for HAProxy
+  services.nginx = {
+    enable = true;
+    virtualHosts."acme-challenge" = {
+      listen = [
+        {
+          addr = "127.0.0.1";
+          port = 8402;
+        }
+      ];
+      locations."/.well-known/acme-challenge/" = {
+        root = "/var/lib/acme/.challenges";
+      };
+    };
+  };
+
+  # Ensure the challenge directory exists with correct permissions
+  systemd.tmpfiles.rules = [
+    "d /var/lib/acme/.challenges 0750 acme acme - -"
+    "d /var/lib/acme/.challenges/.well-known 0750 acme acme - -"
+    "d /var/lib/acme/.challenges/.well-known/acme-challenge 0750 acme acme - -"
+  ];
+
+  users.users.nginx.extraGroups = [ "acme" ];
+}