feat: use ACME and nginx instead of caddy

2023-11-14 18:44:46 +01:00 · 2023-11-14 18:44:46 +01:00 · 29e183b0c7
parent 5cf48868b0
commit 29e183b0c7
26 changed files with 359 additions and 428 deletions
--- a/hosts/default.nix
+++ b/hosts/default.nix
@ -58,6 +58,7 @@
          inputs.nixos-hardware.nixosModules.raspberry-pi-4
          ./pie
          self.nixosModules.yule
          self.nixosModules.acme
          self.nixosModules.docker
          self.nixosModules.invoiceplane
        ];
@ -69,6 +70,7 @@
          self.nixosModules.base
          ./frikandel
          self.nixosModules.yule
          self.nixosModules.acme
          self.nixosModules.docker
        ];
      };
--- a/hosts/frikandel/default.nix
+++ b/hosts/frikandel/default.nix
@ -4,6 +4,7 @@
    ./configuration.nix
    ./networking.nix
    ./nginx.nix
    ./wireguard.nix
    ./email.nix
    ./website.nix
--- a/hosts/frikandel/email.nix
+++ b/hosts/frikandel/email.nix
@ -5,16 +5,16 @@
  lib,
  ...
 }: let
-  restartMaddyOnCertRenewal = pkgs.writeShellScriptBin "restart-maddy-on-cert-renewal" ''
+  dkimDNSb12fio = ''
-    if [ "$1" == "mail.b12f.io"]; then
+  default._domainkey IN TXT ( "v=DKIM1; k=rsa; "
-      ${pkgs.systemd}/bin/systemctl restart maddy.service;
+    "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyla9hW3TvoXvZQxwzaJ4SZ9ict1HU3E6+FWlwNIgE6tIpTCyRJtiSIUDqB8TLTIBoxIs+QQBXZi+QUi3Agu6OSY2RiV0EwO8+oOOqOD9pERftc/aqe51cXuv4kPqwvpXEBwrXFWVM+VxivEubUJ7eKkFyXJpelv0LslXv/MmYbUyed6dF+reOGZCsvnbiRv74qdxbAL/25j62E8WrnxzJwhUtx/JhdBOjsHBvuw9hy6rZsVJL9eXayWyGRV6qmsLRzsRSBs+mDrgmKk4dugADd11+A03ics3i8hplRoWDkqnNKz1qy4f5TsV6v9283IANrAzRfHwX8EvNiFsBz+ZCQIDAQAB" ) ;
    fi
  '';
 in {
  age.secrets."b12f.io-dkim-private-rsa" = {
    file = "${flake.self}/secrets/b12f.io-dkim-private-rsa.age";
    path = "/var/lib/maddy/dkim_keys/b12f.io_default.key";
    mode = "400";
-    owner = "rspamd";
+    owner = "maddy";
  };
  age.secrets."mail@b12f.io-password" = {
@ -23,23 +23,20 @@ in {
    owner = "maddy";
  };
-  services.caddy = {
+  security.acme.certs = {
-    globalConfig = ''
+    "mail.b12f.io" = {
-      events {
+      reloadServices = [ "maddy" ];
-        on cert_obtained exec ${restartMaddyOnCertRenewal}/bin/restart-maddy-on-cert-renewal {event.data.name}
+      group = "maddy";
-      }
+    };
-    '';
+    "mta-sts.b12f.io" = {};
  };
-    virtualHosts = {
+  services.nginx.virtualHosts = {
-      "mail.b12f.io".extraConfig = ''
+    "mta-sts.b12f.io" = {
-        respond "404 Not Found"
+      forceSSL = true;
-      '';
+      useACMEHost = "mta-sts.b12f.io";
-
+      locations."/" = {
-      "mta-sts.b12f.io".extraConfig = ''
+        root = pkgs.runCommand "create-well-known-mta-sts" {} ''
        encode gzip
        file_server
        root * ${
          pkgs.runCommand "testdir" {} ''
          mkdir -p "$out/.well-known"
          echo "
            version: STSv1
@ -47,53 +44,183 @@ in {
            max_age: 604800
            mx: mail.b12f.io
          " > "$out/.well-known/mta-sts.txt"
          ''
        }
        '';
        tryFiles = "$uri $uri/ =404";
      };
    };
  };
  systemd.tmpfiles.rules = [
    "d '/run/maddy' 0750 maddy maddy - -"
  ];
  system.activationScripts.makeMaddyDKIMDNS = lib.stringAfter [ "var" ] ''
    mkdir -p /var/lib/maddy/dkim_keys
    echo '${dkimDNSb12fio}' >> /var/lib/maddy/dkim_keys/b12f.io_default.dns
  '';
  services.maddy = {
-    enable = false;
+    enable = true;
    openFirewall = true;
    hostname = "mail.b12f.io";
    primaryDomain = "b12f.io";
    ensureAccounts = [
      "mail@b12f.io"
    ];
    ensureCredentials = {
      # Do not use this in production. This will make passwords world-readable
      # in the Nix store
      "mail@b12f.io".passwordFile = config.age.secrets."mail@b12f.io-password".path;
    };
    tls = {
      loader = "file";
      certificates = [
        {
-          keyPath = "/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/mail.b12f.io/mail.b12f.io.key";
+          keyPath = "${config.security.acme.certs."mail.b12f.io".directory}/key.pem";
-          certPath = "/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/mail.b12f.io/mail.b12f.io.crt";
+          certPath = "${config.security.acme.certs."mail.b12f.io".directory}/cert.pem";
        }
      ];
    };
    config = ''
      # Minimal configuration with TLS disabled, adapted from upstream example
      # configuration here https://github.com/foxcpp/maddy/blob/master/maddy.conf
      # Do not use this in production!
-    config = (builtins.replaceStrings ["msgpipeline local_routing {"] [''msgpipeline local_routing {
+      auth.pass_table local_authdb {
        table sql_table {
          driver sqlite3
          dsn credentials.db
          table_name passwords
        }
      }
      storage.imapsql local_mailboxes {
        driver sqlite3
        dsn imapsql.db
      }
      table.chain local_rewrites {
        optional_step regexp "(.+)\+(.+)@(.+)" "$1@$3"
        optional_step static {
          entry postmaster postmaster@$(primary_domain)
        }
        optional_step file /etc/maddy/aliases
      }
      msgpipeline local_routing {
        check {
          rspamd {
            api_path http://localhost:11334
          }
-    }''] config.services.maddy.config.default) ++ ''
+        }
        destination b12f.io {
            modify {
-          domains b12f.io
+                replace_rcpt regexp ".*" "mail@b12f.io"
-          selector default
+            }
-          key_path ${config.age.secrets."b12f.io-dkim-private-rsa".path}
+            deliver_to &local_mailboxes
        }
        destination postmaster $(local_domains) {
          modify {
            replace_rcpt &local_rewrites
          }
          deliver_to &local_mailboxes
        }
        default_destination {
          reject 550 5.1.1 "User doesn't exist"
        }
      }
      smtp tcp://0.0.0.0:25 {
        limits {
          all rate 20 1s
          all concurrency 10
        }
        dmarc yes
        check {
          require_mx_record
          dkim
          spf
        }
        source $(local_domains) {
          reject 501 5.1.8 "Use Submission for outgoing SMTP"
        }
        default_source {
          destination postmaster $(local_domains) {
            deliver_to &local_routing
          }
          default_destination {
            reject 550 5.1.1 "User doesn't exist"
          }
        }
      }
      submission tcp://0.0.0.0:587 {
        limits {
          all rate 50 1s
        }
        auth &local_authdb
        source $(local_domains) {
          check {
              authorize_sender {
                  prepare_email &local_rewrites
                  user_to_email identity
              }
          }
          destination postmaster $(local_domains) {
              deliver_to &local_routing
          }
          default_destination {
              modify {
                  dkim $(primary_domain) $(local_domains) default
              }
              deliver_to &remote_queue
          }
        }
        default_source {
          reject 501 5.1.8 "Non-local sender domain"
        }
      }
      target.remote outbound_delivery {
        limits {
          destination rate 20 1s
          destination concurrency 10
        }
        mx_auth {
          dane
          mtasts {
            cache fs
            fs_dir mtasts_cache/
          }
          local_policy {
              min_tls_level encrypted
              min_mx_level none
          }
        }
      }
      target.queue remote_queue {
        target &outbound_delivery
        autogenerated_msg_domain $(primary_domain)
        bounce {
          destination postmaster $(local_domains) {
            deliver_to &local_routing
          }
          default_destination {
              reject 550 5.0.0 "Refusing to send DSNs to non-local addresses"
          }
        }
      }
      imap tcp://0.0.0.0:143 {
        auth &local_authdb
        storage &local_mailboxes
      }
    '';
  };
  services.rspamd = {
--- a/hosts/frikandel/networking.nix
+++ b/hosts/frikandel/networking.nix
@ -32,15 +32,4 @@
  };
  networking.firewall.allowedTCPPorts = [ 80 443 ];
  # Caddy reverse proxy for local services like cups
  services.caddy = {
    enable = true;
    globalConfig = ''
      default_bind 128.140.109.213 2a01:4f8:c2c:b60::
      # auto_https off
      email acme@benjaminbaedorf.eu
      # acme_ca https://acme-staging-v02.api.letsencrypt.org/directory
    '';
  };
 }
--- a/hosts/frikandel/nginx.nix
+++ b/hosts/frikandel/nginx.nix
@ -0,0 +1,23 @@
 {
  flake,
  config,
  pkgs,
  lib,
  ...
 }: {
  networking.firewall.allowedTCPPorts = [ 80 443 ];
  services.nginx = {
    enable = true;
    recommendedOptimisation = true;
    recommendedGzipSettings = true;
    recommendedTlsSettings = true;
    recommendedProxySettings = true;
    defaultListenAddresses = [
      "128.140.109.213"
      "[2a01:4f8:c2c:b60::]"
    ];
  };
 }
--- a/hosts/frikandel/website.nix
+++ b/hosts/frikandel/website.nix
@ -22,25 +22,27 @@
    '';
  };
 in {
-  services.caddy.virtualHosts = {
+  security.acme.certs = {
    "benjaminbaedorf.eu" = {};
    "b12f.io" = {};
  };
  services.nginx.virtualHosts = {
    "benjaminbaedorf.eu" = {
-      extraConfig = ''
+      forceSSL = true;
-          redir https://b12f.io{uri} temporary
+      useACMEHost = "benjaminbaedorf.eu";
-      '';
+      locations."/".return = "302 https://b12f.io$request_uri";
    };
    "b12f.io" = {
-      extraConfig = ''
+      forceSSL = true;
-        handle {
+      useACMEHost = "b12f.io";
          root * ${bbeu}
          try_files {path}.html {path}
          file_server
        }
-        handle_errors {
+      locations."/" = {
-          respond "{http.error.status_code} {http.error.status_text}"
+        root = bbeu;
-        }
+        index = "index.html";
-      '';
+        tryFiles = "$uri $uri/ =404";
      };
    };
  };
 }
--- a/hosts/pie/ddclient.nix
+++ b/hosts/pie/ddclient.nix
@ -1,44 +0,0 @@
 {
  flake,
  config,
  pkgs,
  lib,
  ...
 }:
 with lib; let
  psCfg = config.pub-solar;
  xdg = config.home-manager.users."${psCfg.user.name}".xdg;
  getIP4 = with pkgs; writeShellScriptBin "getIP" ''
    ${curl}/bin/curl -4 https://ipcheck-ds.wieistmeineip.de/callback/ | ${coreutils}/bin/tail -c +2 | ${coreutils}/bin/head -c -1 | ${jq}/bin/jq '.ip' -r
  '';
  getIP6 = with pkgs; writeShellScriptBin "getIP" ''
    echo "2a02:908:5b1:e3c0:2::"
  '';
 in {
  imports = [
    flake.self.nixosModules.ddclient
  ];
  services.ddclient = {
    enable = true;
    protocol = "dyndns1";
    domains = [
      "pie.b12f.io"
      "droppie.b12f.io"
    ];
    server = "ddns.hosting.de";
    username = "b12f";
    usev4 = "cmdv4, cmdv4=${getIP4}/bin/getIP";
    usev6 = "cmdv6, cmdv6=${getIP6}/bin/getIP";
    verbose = true;
    passwordFile = "/run/agenix/dyndns.key";
    interval = "1min";
  };
  age.secrets."dyndns.key" = {
    file = "${flake.self}/secrets/dyndns.key.age";
    mode = "400";
    owner = "root";
  };
 }
--- a/hosts/pie/default.nix
+++ b/hosts/pie/default.nix
@ -4,12 +4,12 @@
    ./configuration.nix
    ./networking.nix
    ./nginx.nix
    ./wireguard.nix
    ./backup.nix
    ./unbound.nix
    ./dhcpd.nix
    ./wake-droppie.nix
    ./ddclient.nix
    ./paperless.nix
    ./firefly.nix
    ./invoiceplane.nix
--- a/hosts/pie/firefly.nix
+++ b/hosts/pie/firefly.nix
@ -29,24 +29,22 @@ in {
    mode = "400";
  };
-  services.caddy = {
+  security.acme.certs = {
-    enable = true;
+    "firefly.b12f.io" = {};
-    extraConfig = ''
+    "firefly-importer.b12f.io" = {};
-      firefly.b12f.io {
+  };
        reverse_proxy 127.0.0.1:8080
-        basicauth * {
+  services.nginx.virtualHosts = {
-          b12f $2a$05$/xM7USOzLczswXmiacO6UOdg1YNPIw/KJMbMVerEkpsCtNUFwte4a
+    "firefly.b12f.io" = {
-        }
+      forceSSL = true;
-      }
+      useACMEHost = "firefly.b12f.io";
-      firefly-importer.b12f.io {
+      locations."/".proxyPass = "http://127.0.0.1:8080";
-        reverse_proxy 127.0.0.1:8081
+    };
-
+    "firefly-importer.b12f.io" = {
-        basicauth * {
+      forceSSL = true;
-          b12f $2a$05$/xM7USOzLczswXmiacO6UOdg1YNPIw/KJMbMVerEkpsCtNUFwte4a
+      useACMEHost = "firefly.b12f.io";
-        }
+      locations."/".proxyPass = "http://127.0.0.1:8081";
-      }
+    };
    '';
  };
  systemd.services."docker-network-firefly" = let
--- a/hosts/pie/invoiceplane.nix
+++ b/hosts/pie/invoiceplane.nix
@ -20,7 +20,20 @@ in {
    mode = "400";
  };
  security.acme.certs = {
    "invoicing.b12f.io" = {};
  };
  services.nginx.virtualHosts = {
    "invoicing.b12f.io" = {
      forceSSL = true;
      useACMEHost = "invoicing.b12f.io";
    };
  };
  services.invoiceplane.webserver = "nginx";
  services.invoiceplane.sites."invoicing.b12f.io" = {
    # nginx is not supported
    enable = true;
    database = {
--- a/hosts/pie/networking.nix
+++ b/hosts/pie/networking.nix
@ -24,17 +24,5 @@
    ];
  };
  networking.firewall.allowedTCPPorts = [ 80 443 ];
  services.openssh.openFirewall = true;
  # Caddy reverse proxy for local services like cups
  services.caddy = {
    globalConfig = ''
      default_bind 192.168.178.2 2a02:908:5b1:e3c0:2:: 10.0.1.2 fd00:b12f:acab:1312:acab:2::
      # auto_https off
      email acme@benjaminbaedorf.eu
      # acme_ca https://acme-staging-v02.api.letsencrypt.org/directory
    '';
  };
 }
--- a/hosts/pie/nginx.nix
+++ b/hosts/pie/nginx.nix
@ -0,0 +1,25 @@
 {
  flake,
  config,
  pkgs,
  lib,
  ...
 }: {
  networking.firewall.allowedTCPPorts = [ 80 443 ];
  services.nginx = {
    enable = true;
    recommendedOptimisation = true;
    recommendedGzipSettings = true;
    recommendedTlsSettings = true;
    recommendedProxySettings = true;
    defaultListenAddresses = [
      "192.168.178.2"
      # "2a02:908:5b1:e3c0:2::"
      "10.0.1.2"
      "[fd00:b12f:acab:1312:acab:2::]"
    ];
  };
 }
--- a/hosts/pie/paperless.nix
+++ b/hosts/pie/paperless.nix
@ -47,18 +47,16 @@ in {
    };
  };
-  services.caddy = {
+  security.acme.certs = {
-    enable = true;
+    "paperless.b12f.io" = {};
-    extraConfig = ''
+  };
      paperless.b12f.io {
        request_header Host localhost:${builtins.toString config.services.paperless.port}
        reverse_proxy 127.0.0.1:${builtins.toString config.services.paperless.port}
-        basicauth * {
+  services.nginx.virtualHosts = {
-          b12f $2a$05$/xM7USOzLczswXmiacO6UOdg1YNPIw/KJMbMVerEkpsCtNUFwte4a
+    "paperless.b12f.io" = {
-        }
+      forceSSL = true;
-      }
+      useACMEHost = "paperless.b12f.io";
-    '';
+      locations."/".proxyPass = "http://127.0.0.1:${builtins.toString config.services.paperless.port}";
    };
  };
  systemd.tmpfiles.rules = [
--- a/hosts/pie/unbound.nix
+++ b/hosts/pie/unbound.nix
@ -61,16 +61,13 @@
          "fd00:b12f:acab:1312::/64 allow"
        ];
        local-zone = [
-          "\"b12f.io\" static"
+          "\"b12f.io\" transparent"
          "\"local\" static"
          "\"box\" static"
        ];
        local-data = [
          "\"brwb8763f64a364.local. 10800 IN A 192.168.178.4\""
          "\"droppie.local. 10800 IN A 192.168.178.3\""
          "\"droppie.local. 10800 IN AAAA 2a02:908:5b1:e3c0:3::\""
          "\"droppie.b12f.io. 10800 IN A 10.0.1.3\""
          "\"droppie.b12f.io. 10800 IN AAAA fd00:b12f:acab:1312:acab:3::\""
          "\"backup.b12f.io. 10800 IN A 10.0.1.3\""
@ -102,6 +99,7 @@
        tls-cert-bundle = "/etc/ssl/certs/ca-certificates.crt";
      };
      forward-zone = [
        {
          name = ".";
@ -111,7 +109,7 @@
            "185.253.5.0#dns0.eu"
            "2a0f:fc81::#dns0.eu"
          ];
-          # forward-tls-upstream = "yes";
+          forward-tls-upstream = "yes";
        }
      ];
--- a/modules/acme/default.nix
+++ b/modules/acme/default.nix
@ -0,0 +1,27 @@
 {
  flake,
  config,
  pkgs,
  lib,
  ...
 }: {
  age.secrets."hosting-de-acme-secrets" = {
    file = "${flake.self}/secrets/hosting-de-acme-secrets.age";
    mode = "400";
    owner = "acme";
  };
  security.acme = {
    acceptTerms = true;
    defaults = {
      email = "acme@benjaminbaedorf.eu";
      # server = "https://acme-staging-v02.api.letsencrypt.org/directory";
      dnsProvider = "hostingde";
      dnsPropagationCheck = true;
      credentialsFile = config.age.secrets."hosting-de-acme-secrets".path;
      group = "nginx";
      webroot = null;
    };
  };
 }
--- a/modules/core/networking.nix
+++ b/modules/core/networking.nix
@ -9,7 +9,7 @@
  systemd.services.NetworkManager-wait-online.enable = lib.mkDefault false;
  systemd.services.systemd-networkd-wait-online.enable = lib.mkDefault false;
-  networking.hosts = (flake.self.lib.addLocalHostname ["caddy.local"]) // {
+  networking.hosts = {
    "128.140.109.213" = [ "vpn.b12f.io" ];
    "2a01:4f8:c2c:b60::" = [ "vpn.b12f.io" ];
    "2a02:908:5b1:e3c0:2::" = [ "pie-wg.b12f.io" ];
--- a/modules/ddclient/default.nix
+++ b/modules/ddclient/default.nix
@ -1,245 +0,0 @@
 {
  config,
  pkgs,
  lib,
  ...
 }:
 let
  cfg = config.services.ddclient;
  boolToStr = bool: if bool then "yes" else "no";
  dataDir = "/var/lib/ddclient";
  StateDirectory = builtins.baseNameOf dataDir;
  RuntimeDirectory = StateDirectory;
  usev4 = if cfg.usev4 != "" then "usev4=${cfg.usev4}" else "";
  usev6 = if cfg.usev6 != "" then "usev6=${cfg.usev6}" else "";
  configFile' = pkgs.writeText "ddclient.conf" ''
    # This file can be used as a template for configFile or is automatically generated by Nix options.
    use=no
    ${usev4}
    ${usev6}
    cache=${dataDir}/ddclient.cache
    foreground=yes
    login=${cfg.username}
    password=${if cfg.protocol == "nsupdate" then "/run/${RuntimeDirectory}/ddclient.key" else "@password_placeholder@"}
    protocol=${cfg.protocol}
    ${lib.optionalString (cfg.script != "") "script=${cfg.script}"}
    ${lib.optionalString (cfg.server != "") "server=${cfg.server}"}
    ${lib.optionalString (cfg.zone != "")   "zone=${cfg.zone}"}
    ssl=${boolToStr cfg.ssl}
    wildcard=yes
    quiet=${boolToStr cfg.quiet}
    verbose=${boolToStr cfg.verbose}
    ${cfg.extraConfig}
    ${lib.concatStringsSep "," cfg.domains}
  '';
  configFile = if (cfg.configFile != null) then cfg.configFile else configFile';
  preStart = ''
    install --mode=600 --owner=$USER ${configFile} /run/${RuntimeDirectory}/ddclient.conf
    ${lib.optionalString (cfg.configFile == null) (if (cfg.protocol == "nsupdate") then ''
      install --mode=600 --owner=$USER ${cfg.passwordFile} /run/${RuntimeDirectory}/ddclient.key
    '' else if (cfg.passwordFile != null) then ''
      "${pkgs.replace-secret}/bin/replace-secret" "@password_placeholder@" "${cfg.passwordFile}" "/run/${RuntimeDirectory}/ddclient.conf"
    '' else ''
      sed -i '/^password=@password_placeholder@$/d' /run/${RuntimeDirectory}/ddclient.conf
    '')}
  '';
 in with lib; {
  disabledModules = [
    "services/networking/ddclient.nix"
  ];
  imports = [
    (mkChangedOptionModule [ "services" "ddclient" "domain" ] [ "services" "ddclient" "domains" ]
      (config:
        let value = getAttrFromPath [ "services" "ddclient" "domain" ] config;
        in if value != "" then [ value ] else []))
    (mkRemovedOptionModule [ "services" "ddclient" "homeDir" ] "")
    (mkRemovedOptionModule [ "services" "ddclient" "password" ] "Use services.ddclient.passwordFile instead.")
  ];
  ###### interface
  options = {
    services.ddclient = with lib.types; {
      enable = mkOption {
        default = false;
        type = bool;
        description = lib.mdDoc ''
          Whether to synchronise your machine's IP address with a dynamic DNS provider (e.g. dyndns.org).
        '';
      };
      package = mkOption {
        type = package;
        default = pkgs.ddclient;
        defaultText = lib.literalExpression "pkgs.ddclient";
        description = lib.mdDoc ''
          The ddclient executable package run by the service.
        '';
      };
      domains = mkOption {
        default = [ "" ];
        type = listOf str;
        description = lib.mdDoc ''
          Domain name(s) to synchronize.
        '';
      };
      username = mkOption {
        # For `nsupdate` username contains the path to the nsupdate executable
        default = lib.optionalString (config.services.ddclient.protocol == "nsupdate") "${pkgs.bind.dnsutils}/bin/nsupdate";
        defaultText = "";
        type = str;
        description = lib.mdDoc ''
          User name.
        '';
      };
      passwordFile = mkOption {
        default = null;
        type = nullOr str;
        description = lib.mdDoc ''
          A file containing the password or a TSIG key in named format when using the nsupdate protocol.
        '';
      };
      interval = mkOption {
        default = "10min";
        type = str;
        description = lib.mdDoc ''
          The interval at which to run the check and update.
          See {command}`man 7 systemd.time` for the format.
        '';
      };
      configFile = mkOption {
        default = null;
        type = nullOr path;
        description = lib.mdDoc ''
          Path to configuration file.
          When set this overrides the generated configuration from module options.
        '';
        example = "/root/nixos/secrets/ddclient.conf";
      };
      protocol = mkOption {
        default = "dyndns2";
        type = str;
        description = lib.mdDoc ''
          Protocol to use with dynamic DNS provider (see https://sourceforge.net/p/ddclient/wiki/protocols).
        '';
      };
      server = mkOption {
        default = "";
        type = str;
        description = lib.mdDoc ''
          Server address.
        '';
      };
      ssl = mkOption {
        default = true;
        type = bool;
        description = lib.mdDoc ''
          Whether to use SSL/TLS to connect to dynamic DNS provider.
        '';
      };
      quiet = mkOption {
        default = false;
        type = bool;
        description = lib.mdDoc ''
          Print no messages for unnecessary updates.
        '';
      };
      script = mkOption {
        default = "";
        type = str;
        description = lib.mdDoc ''
          script as required by some providers.
        '';
      };
      usev4 = mkOption {
        default = "webv4, webv4=checkip.dyndns.com/, webv4-skip='Current IP Address: '";
        type = str;
        description = lib.mdDoc ''
          Method to determine the IP address to send to the dynamic DNS provider.
        '';
      };
      usev6 = mkOption {
        default = "";
        type = str;
        description = lib.mdDoc ''
          Method to determine the IP address to send to the dynamic DNS provider.
        '';
      };
      verbose = mkOption {
        default = false;
        type = bool;
        description = lib.mdDoc ''
          Print verbose information.
        '';
      };
      zone = mkOption {
        default = "";
        type = str;
        description = lib.mdDoc ''
          zone as required by some providers.
        '';
      };
      extraConfig = mkOption {
        default = "";
        type = lines;
        description = lib.mdDoc ''
          Extra configuration. Contents will be added verbatim to the configuration file.
          ::: {.note}
          `daemon` should not be added here because it does not work great with the systemd-timer approach the service uses.
          :::
        '';
      };
    };
  };
  ###### implementation
  config = mkIf config.services.ddclient.enable {
    systemd.services.ddclient = {
      description = "Dynamic DNS Client";
      wantedBy = [ "multi-user.target" ];
      after = [ "network.target" ];
      restartTriggers = optional (cfg.configFile != null) cfg.configFile;
      serviceConfig = {
        DynamicUser = true;
        RuntimeDirectoryMode = "0700";
        inherit RuntimeDirectory;
        inherit StateDirectory;
        Type = "oneshot";
        ExecStartPre = "!${pkgs.writeShellScript "ddclient-prestart" preStart}";
        ExecStart = "${lib.getBin cfg.package}/bin/ddclient -file /run/${RuntimeDirectory}/ddclient.conf";
      };
    };
    systemd.timers.ddclient = {
      description = "Run ddclient";
      wantedBy = [ "timers.target" ];
      timerConfig = {
        OnBootSec = cfg.interval;
        OnUnitInactiveSec = cfg.interval;
      };
    };
  };
 }
--- a/modules/default.nix
+++ b/modules/default.nix
@ -5,13 +5,13 @@
 }: {
  flake = {
    nixosModules = rec {
      acme = import ./acme;
      adb = import ./adb;
      arduino = import ./arduino;
      audio = import ./audio;
      bluetooth = import ./bluetooth;
      core = import ./core;
      crypto = import ./crypto;
      ddclient = import ./ddclient;
      desktop-extended = import ./desktop-extended;
      docker = import ./docker;
      gaming = import ./gaming;
--- a/modules/invoiceplane/default.nix
+++ b/modules/invoiceplane/default.nix
@ -226,7 +226,7 @@ in
        };
        options.webserver = mkOption {
-          type = types.enum [ "caddy" ];
+          type = types.enum [ "caddy" "nginx" ];
          default = "caddy";
          description = lib.mdDoc ''
            Which webserver to use for virtual host management. Currently only
@ -358,5 +358,25 @@ in
    };
  })
  (mkIf (cfg.webserver == "nginx") {
    services.nginx = {
      enable = true;
      virtualHosts = mapAttrs' (hostName: cfg: (
        nameValuePair "${hostName}" {
          locations."/" = {
            root = "${pkg hostName cfg}";
            extraConfig = ''
              fastcgi_split_path_info ^(.+\.php)(/.+)$;
              fastcgi_pass unix:${config.services.phpfpm.pools."invoiceplane-${hostName}".socket};
              include ${pkgs.nginx}/conf/fastcgi_params;
              include ${pkgs.nginx}/conf/fastcgi.conf;
            '';
          };
        }
      )) eachSite;
    };
  })
  ]);
 }
--- a/modules/printing/default.nix
+++ b/modules/printing/default.nix
@ -21,16 +21,4 @@
  ] ++ (if (pkgs.system == "x86_64-linux")
  then [ pkgs.cups-brother-hl3140cw ]
  else []);
  networking.hosts = flake.self.lib.addLocalHostname ["cups.local"];
  services.caddy = {
    enable = true;
    extraConfig = ''
      cups.local {
        request_header Host localhost:631
        reverse_proxy unix//run/cups/cups.sock
      }
    '';
  };
 }
--- a/pkgs/caddy/default.nix
+++ b/pkgs/caddy/default.nix
@ -36,7 +36,6 @@ in buildGoModule rec {
  src = fetchFromGitHub {
    owner = "caddyserver";
    repo = pname;
    # https://github.com/NixOS/nixpkgs/blob/nixos-21.11/pkgs/servers/caddy/default.nix
    rev = "v${version}";
    sha256 = "sha256-xNCxzoNpXkj8WF9+kYJfO18ux8/OhxygkGjA49+Q4vY=";
  };
--- a/secrets/hosting-de-acme-secrets.age
+++ b/secrets/hosting-de-acme-secrets.age
@ -0,0 +1,22 @@
 age-encryption.org/v1
 -> ssh-ed25519 8bHz7g 0fwjxxgvY3S/2oKgc+RxTWA9AuA7oS1MnMAqG0AZ2x4
 LReuCNO8r5UMlipXheXT1SLQKlwGMC8Gpu8VtAUI3/4
 -> ssh-ed25519 n71/yQ fiv1s9XA/ATrK/s8OkenXCCp3mUhn8gzp3I3S8h7BG4
 XhzPW7aFm41nzr7ZaBSzS2qfQoVttgODXUqPaF+FvPY
 -> ssh-rsa kFDS0A
 gLhS2ce3jBP1UbJJt9dJ/4SmkNiL7LBuUik8Zq1WflxHlMqrRslb56Uuc4BJHTlp
 KGt2zrzRRNEdSJgzJfK+AT1AHCza++C96ZZsxfhDexL/Gx7Lm6Bwp+D/XR9KYxEn
 UF511OWWjoCbDWldUQr17y5cbiG4z+VlMMOuKox8RWHymG0ABe+kZEOg1GBZ/bLj
 tUwgxdK/uGGI2/AJIs4tiiemiNo2cMup7fe+wBPqq1b/TcxxTGHfWuJopp3ISl5G
 Ov7o7/HVCyemFSlBQTF1K3t68rw4a0ZkMcX86RpEtbiRFrEhS2IuGXnwteEnypER
 OiafhbdIh56TnTvCKuxnTJdG1JobM1c15l9FhownRjKMwVjeQb39LKvQlJAkzGOr
 eBtkGu42p8UGNpltTawKgWNOTsZNy5BYHvHvS73SXDcuwGVhhP5fbeImUgeBRUyT
 2DWoK+vethjGL+tX+NNqeKM/Xr+k8QUGq+qehB6UoiTLL4NiwujeO230b9Afsh2/
 xtzDTMueqTUVTzxA0GbIRSXCKCfDNifdJh6+ebnvizx5NarANvMNlP6sfBQ5gANf
 N20IhtgnOxQ5l5URWqK/A5vk+cpP2GGkAGoW40m31gyug9AtuguNpEVRpLHJVtRn
 DpHh5k0EMzWz7iQhYIVavLTh3AtxofLg4wp/cQEkcQg
 -> OC`4fNF7-grease
 YhGHL0+BVF6h6InKVlS3
 --- NXJPtlRt28CuwumxjLQI8qY6i5GSbBPbBANxLpHmsHE
 ‹×€aqê802.æ–´"R=SÙÚÈ³ ËŽlhª@ÄK¢¨F-³ö=;ž @ìåúiÕ°+àÚr¸£àð;4wI}ÕiËÑèõ1o—™
 „¼¬ƒN¼ÂÜòG>Tõ3–Œ7
--- a/secrets/hosting.de-api.key.age
+++ b/secrets/hosting.de-api.key.age
--- a/secrets/mail@b12f.io-password.age
+++ b/secrets/mail@b12f.io-password.age
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -42,7 +42,7 @@ let
  ];
 in {
  "dyndns.key.age".publicKeys = pieKeys ++ baseKeys;
-  "hosting.de-api.key.age".publicKeys = baseKeys;
+  "hosting-de-acme-secrets.age".publicKeys = pieKeys ++ frikandelKeys ++ baseKeys;
  "droppie-ssh-root.key.age".publicKeys = droppieKeys ++ baseKeys;
--- a/terraform/b12f.io.tf
+++ b/terraform/b12f.io.tf
@ -112,7 +112,7 @@ resource "hostingde_record" "b12f-dkim" {
  zone_id = hostingde_zone.b12f.id
  name = "default._domainkey.b12f.io"
  type = "TXT"
-  content = "\"v=DKIM1; k=rsa;\" \"p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyla9hW3TvoXvZQxwzaJ4SZ9ict1HU3E6+FWlwNIgE6tIpTCyRJtiSIUDqB8TLTIBoxIs+QQBXZi+QUi3Agu6OSY2RiV0EwO8+oOOqOD9pERftc/aqe51cXuv4kPqwvpXEBwrXFWVM+VxivEubUJ7eKkFyXJpelv0LslXv/MmYbUyed6dF+reOGZCsvnbiRv74qdxbAL/25j62E8Wr\" \"nxzJwhUtx/JhdBOjsHBvuw9hy6rZsVJL9eXayWyGRV6qmsLRzsRSBs+mDrgmKk4dugADd11+A03ics3i8hplRoWDkqnNKz1qy4f5TsV6v9283IANrAzRfHwX8EvNiFsBz+ZCQIDAQAB\""
+  content = "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyla9hW3TvoXvZQxwzaJ4SZ9ict1HU3E6+FWlwNIgE6tIpTCyRJtiSIUDqB8TLTIBoxIs+QQBXZi+QUi3Agu6OSY2RiV0EwO8+oOOqOD9pERftc/aqe51cXuv4kPqwvpXEBwrXFWVM+VxivEubUJ7eKkFyXJpelv0LslXv/MmYbUyed6dF+reOGZCsvnbiRv74qdxbAL/25j62E8WrnxzJwhUtx/JhdBOjsHBvuw9hy6rZsVJL9eXayWyGRV6qmsLRzsRSBs+mDrgmKk4dugADd11+A03ics3i8hplRoWDkqnNKz1qy4f5TsV6v9283IANrAzRfHwX8EvNiFsBz+ZCQIDAQAB"
  ttl = 300
 }