| author | seth <[email protected]> | 2023-08-03 03:31:35 -0400 |
|---|---|---|
| committer | seth <[email protected]> | 2023-08-03 03:33:16 -0400 |
| commit | 527cea875ab37a7469975cd09906f424b988175c (patch) | |
| tree | 87bb66dbc454cd2ac2657e3216af34d2c3e01062 | |
| parent | 234801e89d681c2206ac17f00707ed76ea7bf725 (diff) | |
hosts/atlas+p-body: use cloudflare dns for acme
| -rw-r--r-- | hosts/atlas/nginx.nix | 7 | ||||
| -rw-r--r-- | hosts/p-body/nginx.nix | 6 | ||||
| -rw-r--r-- | modules/nixos/server/acme.nix | 2 | ||||
| -rw-r--r-- | secrets/secrets.nix | 1 | ||||
| -rw-r--r-- | secrets/shared/cloudflareApiKey.age | 15 |
5 files changed, 24 insertions, 7 deletions
diff --git a/hosts/atlas/nginx.nix b/hosts/atlas/nginx.nix index b6b2fe7..1e2a349 100644 --- a/hosts/atlas/nginx.nix +++ b/hosts/atlas/nginx.nix @@ -1,9 +1,14 @@ {config, ...}: { + getchoo.server.acme.enable = true; networking.firewall.allowedTCPPorts = [443]; security.acme = { acceptTerms = true; - defaults.email = "[email protected]"; + defaults = { + email = "[email protected]"; + dnsProvider = "cloudflare"; + credentialsFile = config.age.secrets.cloudflareApiKey.path; + }; }; services.nginx = { diff --git a/hosts/p-body/nginx.nix b/hosts/p-body/nginx.nix index 3390f89..b2dae30 100644 --- a/hosts/p-body/nginx.nix +++ b/hosts/p-body/nginx.nix @@ -1,13 +1,9 @@ {config, ...}: let inherit (config.networking) domain; in { + getchoo.server.acme.enable = true; networking.firewall.allowedTCPPorts = [443]; - security.acme = { - acceptTerms = true; - defaults.email = "[email protected]"; - }; - services.nginx = { enable = true; diff --git a/modules/nixos/server/acme.nix b/modules/nixos/server/acme.nix index a28e713..8646fa2 100644 --- a/modules/nixos/server/acme.nix +++ b/modules/nixos/server/acme.nix @@ -12,7 +12,7 @@ in { }; config = mkIf cfg.enable { - age.secrets.cloudflareApiKey = "${self}/secrets/shared/cloudflareApiKey.age"; + age.secrets.cloudflareApiKey.file = "${self}/secrets/shared/cloudflareApiKey.age"; security.acme = { acceptTerms = true; diff --git a/secrets/secrets.nix b/secrets/secrets.nix index f74dabc..40a4e79 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -8,6 +8,7 @@ let in { "shared/rootPassword.age".publicKeys = main; "shared/sethPassword.age".publicKeys = main; + "shared/cloudflareApiKey.age".publicKeys = atlas ++ (builtins.filter (v: !(builtins.elem v main)) p-body); "hosts/atlas/rootPassword.age".publicKeys = atlas; "hosts/atlas/userPassword.age".publicKeys = atlas; diff --git a/secrets/shared/cloudflareApiKey.age b/secrets/shared/cloudflareApiKey.age new file mode 100644 index 0000000..fe5c627 --- /dev/null 
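Review bot: hosts/atlas/nginx.nix now both enables `getchoo.server.acme` and defines `security.acme.defaults` (email, dnsProvider, credentialsFile) in the host itself, while the hosts/p-body/nginx.nix hunk in the same commit drops its host-level `security.acme` block and relies on the module alone. The modules/nixos/server/acme.nix hunk shows the module defining `security.acme` as well (its body runs past the hunk), so the atlas block either duplicates module values — in which case the `defaults = { ... };` attrset should go, as on p-body — or diverges from them, in which case the module system will reject the conflicting definitions of string options such as `defaults.email` at evaluation. If atlas intentionally overrides the module, a comment above `security.acme = {` saying why would spare the next reader that comparison. The enclosing attrset continues past the hunk.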
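Review bot: `age.secrets.cloudflareApiKey.file` leaves the decrypted file at agenix's default owner and mode (root-only, 0400 by default), and the same path is then handed to `security.acme` as a `credentialsFile`; whether the ACME renewal service can read it depends on how the NixOS acme module consumes that option (loaded by systemd as an EnvironmentFile or credential works with a root-only file, read directly as the `acme` user does not), and a wrong guess surfaces only as a failed renewal, not at evaluation. Worth confirming once on a rebuild and recording the result next to `.file`, e.g. `# root-only 0400 is fine: the acme service loads this via systemd`, or setting `age.secrets.cloudflareApiKey.owner = "acme";` if it is not. Separately, the secret's name suggests an account-wide Cloudflare API key; whatever the encrypted file holds, a token scoped to DNS edit on the ACME zone (lego reads `CLOUDFLARE_DNS_API_TOKEN`) limits what a compromise of either host's key can do, and a comment on this line naming the expected variable and scope would document that contract for whoever rotates it. The `config = mkIf cfg.enable {` block continues outside the hunk.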
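Review bot: the recipient list `atlas ++ (builtins.filter (v: !(builtins.elem v main)) p-body)` encodes an intent the line does not state — presumably that the keys in `main` already appear in `atlas` and should not be listed twice — and it is the only entry in secrets/secrets.nix built this way, the neighbouring shared secrets using `main` directly. A one-line comment above it, e.g. `# atlas already carries the main keys; drop them from p-body so no recipient is listed twice`, or whatever the real reason is, would keep a later edit from "simplifying" it to `atlas ++ p-body` or from silently dropping a recipient. If `main` holds the admin's personal keys and those are not in `atlas`, the filter also removes the admin's ability to re-key this secret, so that assumption is worth checking before the next rotation. The surrounding `in {` attrset continues outside the hunk.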
+++ b/secrets/shared/cloudflareApiKey.age @@ -0,0 +1,15 @@ +-----BEGIN AGE ENCRYPTED FILE----- +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IGxXSVVGUSBjT2Zq +ZytlRmNWd2FkeGZDNVhiYmVIUDJnbDRXNC9EZmxqQi94Z2RGTjNJCnNjMlFhaDk3 +K2kvbGdqeGdRdUhpM2NNSmpxVzFrcTJzZGtGSXRla2dheVUKLT4gc3NoLWVkMjU1 +MTkgSTkyQTNRIGErS3Z5QVA2aHdOeU5DMmJ2ckYxRFVBRWJ0bEtJTldQUDlQQTVn +N2RZU0EKTlVOQ28yWmRrWGZ0d2wvWkk3K3pnekNmZDRjaGEyUWRjL1lFSW05M0Ix +ZwotPiBzc2gtZWQyNTUxOSAycm0zd2cgSUF2M2pha2tNYzVSLzc4aTFMWnNxZDRG +Y1RxdVBhcUhMa2hvU29LRmprSQpMbDgrSVExUHdnZDFnNUYzRmROQS83UjJST2d6 +cUFsNDdFTko4c2ttUHlVCi0+IDdBUnktZ3JlYXNlIGwlIDMgej44SAo2MCtVaWcx +UTF3TjRjaW9OQm9sditmVk11NFovRU15c3BLWWRSaWZVQitEOVhKcFJlMmlhYXIy +TGs3Y3BrTFdoCkRmZ2FST01EMFU5d1FmaW5rdwotLS0gL0FGbGVPeS8vb04xL3Fp +c0svWlhyd01wUGtsQnFCaXZKTTNPWGdUcGhJawpjjDLxuRcErDZQ9tkuJfdQ65DB +xUBLRG9FmxwlJZAMSa8086qDW82skUhQuBybbWASbayrReMS9TFwVyx0tFcAYscz +3vb5cwgv76uN/intcd4J24QfuDqdGugrgQ== +-----END AGE ENCRYPTED FILE----- |
