Give esphome a static v6 and get cert directly via chal. served over v6

Give the host a static v4 as well. Also let the nginx redirect from the hosts FQDN to the service domain.
2024-07-27 22:24:54 +02:00 · 2024-07-27 22:24:54 +02:00 · b7acd9f65d
commit b7acd9f65d
parent 744d17c0c7
3 changed files with 73 additions and 14 deletions
--- a/config/hosts/esphome/default.nix
+++ b/config/hosts/esphome/default.nix
@ -3,6 +3,7 @@
  imports = [
    ./configuration.nix
    ./esphome.nix
+    ./networking.nix
    ./nginx.nix
  ];
 }
--- a/config/hosts/esphome/networking.nix
+++ b/config/hosts/esphome/networking.nix
@ -0,0 +1,30 @@
+{ ... }:
+
+{
+  networking.interfaces.net0 = {
+    ipv4.addresses = [
+      {
+        address = "10.31.208.24";
+        prefixLength = 23;
+      }
+    ];
+  };
+  networking.defaultGateway = "10.31.208.1";
+  networking.nameservers = [ "10.31.208.1" ];
+  networking.search = [ "z9.ccchh.net" ];
+
+  networking.interfaces.net0 = {
+    ipv6.addresses = [
+      {
+        address = "2a07:c480:0:1d0::66";
+        prefixLength = 64;
+      }
+    ];
+  };
+  networking.defaultGateway6 = "2a07:c480:0:1d0::1";
+
+  systemd.network.links."10-net0" = {
+    matchConfig.MACAddress = "7E:3C:F0:77:8A:F4";
+    linkConfig.Name = "net0";
+  };
+}
--- a/config/hosts/esphome/nginx.nix
+++ b/config/hosts/esphome/nginx.nix
@ -1,35 +1,34 @@
 { config, ... }:
+
 {
  services.nginx = {
    enable = true;

    virtualHosts = {
-      "acme-esphome.ccchh.net" = {
-        enableACME = true;
-        serverName = "esphome.ccchh.net";
-
-        listen = [
-          {
-            addr = "0.0.0.0";
-            port = 31820;
-          }
-        ];
-      };
-
      "esphome.ccchh.net" = {
        forceSSL = true;
-        useACMEHost = "esphome.ccchh.net";
+        enableACME = true;
+        serverName = "esphome.ccchh.net";

        listen = [
          {
            addr = "0.0.0.0";
            port = 80;
          }
+          {
+            addr = "[::]";
+            port = 80;
+          }
          {
            addr = "0.0.0.0";
            port = 443;
            ssl = true;
          }
+          {
+            addr = "[::]";
+            port = 443;
+            ssl = true;
+          }
        ];

        locations."/" = {
@ -37,9 +36,38 @@
          proxyWebsockets = true;
        };
      };
+      "esphome.z9.ccchh.net" = {
+        forceSSL = true;
+        useACMEHost = "esphome.ccchh.net";
+        serverName = "esphome.z9.ccchh.net";

+        listen = [
+          {
+            addr = "0.0.0.0";
+            port = 80;
+          }
+          {
+            addr = "[::]";
+            port = 80;
+          }
+          {
+            addr = "0.0.0.0";
+            port = 443;
+            ssl = true;
+          }
+          {
+            addr = "[::]";
+            port = 443;
+            ssl = true;
+          }
+        ];
+
+        globalRedirect = "esphome.ccchh.net";
+        redirectCode = 307;
+      };
    };
  };
+  security.acme.certs."esphome.ccchh.net".extraDomainNames = [ "esphome.z9.ccchh.net" ];

-  networking.firewall.allowedTCPPorts = [ 80 443 31820 ];
+  networking.firewall.allowedTCPPorts = [ 80 443 ];
 }