os/hosts/nougat-2/acme.nix

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

80 lines
2.2 KiB
Nix
Raw Normal View History

2023-07-02 10:48:34 +00:00
{
config,
lib,
pkgs,
self,
...
}: let
exDomain = (import ./ex-domain.nix) lib;
pubsolarDomain = import ./pubsolar-domain.nix;
hostingdeProviderConf = {
dnsProvider = "hostingde";
credentialsFile = "${pkgs.writeText "hostingde-creds" ''
HOSTINGDE_API_KEY_FILE=${config.age.secrets."hosting.de-api.key".path}
''}";
};
in {
age.secrets."hosting.de-api.key" = {
file = "${self}/secrets/hosting.de-api.key";
mode = "440";
2023-07-02 18:36:30 +00:00
group = "acme";
2023-07-02 10:48:34 +00:00
};
2023-07-02 18:36:30 +00:00
systemd.tmpfiles.rules = [
"d '/data/acme' 0750 root acme - -"
];
2023-07-02 10:48:34 +00:00
2023-07-02 18:36:30 +00:00
users.groups.acme = {};
ids.uids.acme = 997;
ids.gids.acme = 997;
2023-07-02 10:48:34 +00:00
2023-07-02 18:36:30 +00:00
containers.acme = {
autoStart = true;
privateNetwork = true;
hostAddress = "192.168.101.0";
localAddress = "192.168.106.0";
hostAddress6 = "fc00::1";
localAddress6 = "fc00::6";
2023-07-02 10:48:34 +00:00
2023-07-02 18:36:30 +00:00
bindMounts = {
"/var/lib/acme" = {
hostPath = "/data/acme";
isReadOnly = false;
};
"${config.age.secrets."hosting.de-api.key".path}" = {
hostPath = "${config.age.secrets."hosting.de-api.key".path}";
isReadOnly = true;
};
};
config = {
networking.nameservers = ["1.1.1.1"];
users.groups.acme = config.users.groups.acme;
security.acme = {
acceptTerms = true;
defaults.email = "acme@benjaminbaedorf.eu";
defaults.server = "https://acme-staging-v02.api.letsencrypt.org/directory";
defaults.group = "acme";
certs."b12f.io" = hostingdeProviderConf;
certs."mail.b12f.io" = hostingdeProviderConf;
certs."transmission.b12f.io" = hostingdeProviderConf;
certs."${exDomain}" = hostingdeProviderConf;
certs."mail.${exDomain}" = hostingdeProviderConf;
certs."${pubsolarDomain}" = hostingdeProviderConf;
certs."www.${pubsolarDomain}" = hostingdeProviderConf;
certs."auth.${pubsolarDomain}" = hostingdeProviderConf;
certs."git.${pubsolarDomain}" = hostingdeProviderConf;
certs."ci.${pubsolarDomain}" = hostingdeProviderConf;
certs."list.${pubsolarDomain}" = hostingdeProviderConf;
certs."obs-portal.${pubsolarDomain}" = hostingdeProviderConf;
};
};
2023-07-02 10:48:34 +00:00
};
}