Give esphome a static v6 and get cert directly via chal. served over v6

Give the host a static v4 as well.
Also let nginx redirect from the host's FQDN to the service domain.
This commit is contained in:
June 2024-07-27 22:24:54 +02:00 committed by echtnurich
parent 744d17c0c7
commit b7acd9f65d
Signed by: echtnurich
SSH key fingerprint: SHA256:1eIkxME0VPeXC2WMl9Haus+q0SLFymSAWU7f6Z+A8Aw
3 changed files with 73 additions and 14 deletions


@ -3,6 +3,7 @@
imports = [
./configuration.nix
./esphome.nix
./networking.nix
./nginx.nix
];
}


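--- /dev/null
+++ b/networking.nix
@@ -0,0 +1,30 @@
+{ ... }:
+{
+networking.interfaces.net0 = {
+ipv4.addresses = [
+{
+address = "10.31.208.24";
+prefixLength = 23;
+}
+];
+};
+networking.defaultGateway = "10.31.208.1";
+networking.nameservers = [ "10.31.208.1" ];
+networking.search = [ "z9.ccchh.net" ];
+networking.interfaces.net0 = {
+ipv6.addresses = [
+{
+address = "2a07:c480:0:1d0::66";
+prefixLength = 64;
+}
+];
+};
+networking.defaultGateway6 = "2a07:c480:0:1d0::1";
+systemd.network.links."10-net0" = {
+matchConfig.MACAddress = "7E:3C:F0:77:8A:F4";
+linkConfig.Name = "net0";
+};
+}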
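Review bot: `networking.interfaces.net0` is assigned twice in the same attribute set, once with the ipv4 block near the top and once with the ipv6 block after the nameserver lines; Nix's parser merges two literal attrsets at the same path, so this should evaluate, but anyone scanning for the interface's addressing sees only half of it at a time. Folding both into one `networking.interfaces.net0 = { ipv4.addresses = [ … ]; ipv6.addresses = [ … ]; };` keeps the static addressing in one place, next to the `systemd.network.links."10-net0"` entry that is what makes the name `net0` exist at all. Because that rename is keyed on `matchConfig.MACAddress`, a short comment above it, `# Pin the NIC name to net0 by MAC so the static addresses above stay bound to this interface.`, would record why the interface name can be relied on, and the file would benefit from a header such as `# Static v4/v6 addressing for the esphome host; DNS and default routes point at the gateway.` since the file has no comments.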


@ -1,35 +1,34 @@
{ config, ... }:
{
services.nginx = {
enable = true;
virtualHosts = {
"acme-esphome.ccchh.net" = {
enableACME = true;
serverName = "esphome.ccchh.net";
listen = [
{
addr = "0.0.0.0";
port = 31820;
}
];
};
"esphome.ccchh.net" = {
forceSSL = true;
useACMEHost = "esphome.ccchh.net";
enableACME = true;
serverName = "esphome.ccchh.net";
listen = [
{
addr = "0.0.0.0";
port = 80;
}
{
addr = "[::]";
port = 80;
}
{
addr = "0.0.0.0";
port = 443;
ssl = true;
}
{
addr = "[::]";
port = 443;
ssl = true;
}
];
locations."/" = {
@ -37,9 +36,38 @@
proxyWebsockets = true;
};
};
"esphome.z9.ccchh.net" = {
forceSSL = true;
useACMEHost = "esphome.ccchh.net";
serverName = "esphome.z9.ccchh.net";
listen = [
{
addr = "0.0.0.0";
port = 80;
}
{
addr = "[::]";
port = 80;
}
{
addr = "0.0.0.0";
port = 443;
ssl = true;
}
{
addr = "[::]";
port = 443;
ssl = true;
}
];
globalRedirect = "esphome.ccchh.net";
redirectCode = 307;
};
};
};
security.acme.certs."esphome.ccchh.net".extraDomainNames = [ "esphome.z9.ccchh.net" ];
networking.firewall.allowedTCPPorts = [ 80 443 31820 ];
networking.firewall.allowedTCPPorts = [ 80 443 ];
}
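Review bot: Both `useACMEHost = "esphome.ccchh.net";` and `enableACME = true;` appear on the `esphome.ccchh.net` vhost in the first hunk, and the nixpkgs nginx module asserts that these two options are mutually exclusive, so only `enableACME = true;` can be the surviving line; the rendered page has lost the add/remove markers, so please confirm `useACMEHost` is the deleted one, which is what the commit message ("get cert directly via chal.") implies. With the separate `acme-esphome.ccchh.net` vhost on port 31820 gone, the HTTP-01 challenge for both names now depends on the public vhosts answering `/.well-known/acme-challenge/` on port 80 before `forceSSL` and the `globalRedirect` send clients elsewhere; the module installs that location for `enableACME` and, as far as I recall, also for `useACMEHost` vhosts, but it is an easy thing to break later, so a comment on the `security.acme.certs` line such as `# esphome.z9.ccchh.net is validated through the redirect-only vhost above; its ACME challenge location must stay reachable on :80.` would make the dependency explicit. As a point of style, the four-entry `listen` list is now duplicated verbatim across the two vhosts; hoisting it into a `let listenAll = [ … ]; in` binding at the top of the file keeps them from drifting apart.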