os/hosts/nougat-2/acme.nix
Benjamin Bädorf e4b236a4f0
Some checks failed
continuous-integration/drone/push Build is passing
continuous-integration/drone/pr Build is failing
fix: rekey all secrets
2023-07-30 03:04:01 +02:00

80 lines
2.2 KiB
Nix

{
config,
lib,
pkgs,
self,
...
}: let
exDomain = (import ./ex-domain.nix) lib;
pubsolarDomain = import ./pubsolar-domain.nix;
hostingdeProviderConf = {
dnsProvider = "hostingde";
credentialsFile = "${pkgs.writeText "hostingde-creds" ''
HOSTINGDE_API_KEY_FILE=${config.age.secrets."hosting.de-api-key.age".path}
''}";
};
in {
age.secrets."hosting.de-api-key.age" = {
file = "${self}/secrets/hosting.de-api-key.age";
mode = "440";
group = "acme";
};
systemd.tmpfiles.rules = [
"d '/data/acme' 0750 root acme - -"
];
users.groups.acme = {};
ids.uids.acme = 997;
ids.gids.acme = 997;
containers.acme = {
autoStart = true;
privateNetwork = true;
hostAddress = "192.168.101.0";
localAddress = "192.168.106.0";
hostAddress6 = "fc00::1";
localAddress6 = "fc00::6";
bindMounts = {
"/var/lib/acme" = {
hostPath = "/data/acme";
isReadOnly = false;
};
"${config.age.secrets."hosting.de-api-key.age".path}" = {
hostPath = "${config.age.secrets."hosting.de-api-key.age".path}";
isReadOnly = true;
};
};
config = {
networking.nameservers = ["1.1.1.1"];
users.groups.acme = config.users.groups.acme;
security.acme = {
acceptTerms = true;
defaults.email = "acme@benjaminbaedorf.eu";
defaults.server = "https://acme-staging-v02.api.letsencrypt.org/directory";
defaults.group = "acme";
certs."b12f.io" = hostingdeProviderConf;
certs."mail.b12f.io" = hostingdeProviderConf;
certs."transmission.b12f.io" = hostingdeProviderConf;
certs."${exDomain}" = hostingdeProviderConf;
certs."mail.${exDomain}" = hostingdeProviderConf;
certs."${pubsolarDomain}" = hostingdeProviderConf;
certs."www.${pubsolarDomain}" = hostingdeProviderConf;
certs."auth.${pubsolarDomain}" = hostingdeProviderConf;
certs."git.${pubsolarDomain}" = hostingdeProviderConf;
certs."ci.${pubsolarDomain}" = hostingdeProviderConf;
certs."list.${pubsolarDomain}" = hostingdeProviderConf;
certs."obs-portal.${pubsolarDomain}" = hostingdeProviderConf;
};
};
};
}