Give esphome a static v6 and get cert directly via chal. served over v6

Give the host a static v4 as well.
Also let the nginx redirect from the hosts FQDN to the service domain.
This commit is contained in:
June 2024-07-27 22:24:54 +02:00 committed by echtnurich
parent 744d17c0c7
commit b7acd9f65d
Signed by: echtnurich
SSH key fingerprint: SHA256:1eIkxME0VPeXC2WMl9Haus+q0SLFymSAWU7f6Z+A8Aw
3 changed files with 73 additions and 14 deletions

View file

@ -3,6 +3,7 @@
imports = [ imports = [
./configuration.nix ./configuration.nix
./esphome.nix ./esphome.nix
./networking.nix
./nginx.nix ./nginx.nix
]; ];
} }

View file

@ -0,0 +1,30 @@
{ ... }:
{
networking.interfaces.net0 = {
ipv4.addresses = [
{
address = "10.31.208.24";
prefixLength = 23;
}
];
};
networking.defaultGateway = "10.31.208.1";
networking.nameservers = [ "10.31.208.1" ];
networking.search = [ "z9.ccchh.net" ];
networking.interfaces.net0 = {
ipv6.addresses = [
{
address = "2a07:c480:0:1d0::66";
prefixLength = 64;
}
];
};
networking.defaultGateway6 = "2a07:c480:0:1d0::1";
systemd.network.links."10-net0" = {
matchConfig.MACAddress = "7E:3C:F0:77:8A:F4";
linkConfig.Name = "net0";
};
}

View file

@ -1,35 +1,34 @@
{ config, ... }: { config, ... }:
{ {
services.nginx = { services.nginx = {
enable = true; enable = true;
virtualHosts = { virtualHosts = {
"acme-esphome.ccchh.net" = {
enableACME = true;
serverName = "esphome.ccchh.net";
listen = [
{
addr = "0.0.0.0";
port = 31820;
}
];
};
"esphome.ccchh.net" = { "esphome.ccchh.net" = {
forceSSL = true; forceSSL = true;
useACMEHost = "esphome.ccchh.net"; enableACME = true;
serverName = "esphome.ccchh.net";
listen = [ listen = [
{ {
addr = "0.0.0.0"; addr = "0.0.0.0";
port = 80; port = 80;
} }
{
addr = "[::]";
port = 80;
}
{ {
addr = "0.0.0.0"; addr = "0.0.0.0";
port = 443; port = 443;
ssl = true; ssl = true;
} }
{
addr = "[::]";
port = 443;
ssl = true;
}
]; ];
locations."/" = { locations."/" = {
@ -37,9 +36,38 @@
proxyWebsockets = true; proxyWebsockets = true;
}; };
}; };
"esphome.z9.ccchh.net" = {
forceSSL = true;
useACMEHost = "esphome.ccchh.net";
serverName = "esphome.z9.ccchh.net";
listen = [
{
addr = "0.0.0.0";
port = 80;
}
{
addr = "[::]";
port = 80;
}
{
addr = "0.0.0.0";
port = 443;
ssl = true;
}
{
addr = "[::]";
port = 443;
ssl = true;
}
];
globalRedirect = "esphome.ccchh.net";
redirectCode = 307;
}; };
}; };
};
security.acme.certs."esphome.ccchh.net".extraDomainNames = [ "esphome.z9.ccchh.net" ];
networking.firewall.allowedTCPPorts = [ 80 443 31820 ]; networking.firewall.allowedTCPPorts = [ 80 443 ];
} }