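{
  config,
  lib,
  pkgs,
  self,
  ...
}: let
  exDomain = (import ./ex-domain.nix) lib;
  pubsolarDomain = import ./pubsolar-domain.nix;

  # One name for the agenix secret so the declaration, the bind mount into
  # the container and the lego credentials file all point at the same
  # decrypted file. Referencing a differently named secret in only one of
  # these places leaves the container without the key on its filesystem.
  hostingdeSecretName = "hosting.de-api-key.age";
  hostingdeApiKeyPath = config.age.secrets.${hostingdeSecretName}.path;

  # Per-certificate settings shared by every cert below (hosting.de DNS-01).
  # The file placed in the Nix store contains only the *path* to the API key,
  # never the key itself: the store is world-readable, while the file at that
  # path is managed by agenix with a restrictive mode and group.
  hostingdeProviderConf = {
    dnsProvider = "hostingde";
    credentialsFile = "${pkgs.writeText "hostingde-creds" ''
      HOSTINGDE_API_KEY_FILE=${hostingdeApiKeyPath}
    ''}";
  };
in {
  # Decrypted on the host; readable by root and members of "acme" only.
  age.secrets.${hostingdeSecretName} = {
    file = "${self}/secrets/${hostingdeSecretName}";
    mode = "440";
    group = "acme";
  };

  # Persistent ACME state on the host: root-owned, group acme, no world access.
  systemd.tmpfiles.rules = [
    "d '/data/acme' 0750 root acme - -"
  ];

  users.groups.acme = {};
  # Fixed uid/gid; presumably so the group resolves to the same numeric id on
  # the host and inside the container for the bind-mounted state and key
  # (NixOS ids module) — confirm against the other modules using "acme".
  ids.uids.acme = 997;
  ids.gids.acme = 997;

  # ACME runs isolated in its own container. DNS-01 needs outbound access
  # only, so no inbound ports are forwarded into the container.
  containers.acme = {
    autoStart = true;
    privateNetwork = true;
    hostAddress = "192.168.101.0";
    localAddress = "192.168.106.0";
    hostAddress6 = "fc00::1";
    localAddress6 = "fc00::6";

    bindMounts = {
      # Certificates and account state persist on the host under /data/acme.
      "/var/lib/acme" = {
        hostPath = "/data/acme";
        isReadOnly = false;
      };

      # Expose the decrypted key read-only at the same path the credentials
      # file above refers to.
      "${hostingdeApiKeyPath}" = {
        hostPath = hostingdeApiKeyPath;
        isReadOnly = true;
      };
    };

    config = {
      networking.nameservers = ["1.1.1.1"];
      # Mirror the host group definition (including the fixed gid) so the
      # bind-mounted files keep a meaningful group inside the container.
      users.groups.acme = config.users.groups.acme;

      security.acme = {
        acceptTerms = true;
        defaults.email = "acme@benjaminbaedorf.eu";
        # NOTE: this is the Let's Encrypt *staging* directory. Certificates
        # it issues are not trusted by clients; switch to the production
        # directory once issuance is verified to work.
        defaults.server = "https://acme-staging-v02.api.letsencrypt.org/directory";
        defaults.group = "acme";

        certs."b12f.io" = hostingdeProviderConf;
        certs."mail.b12f.io" = hostingdeProviderConf;
        certs."transmission.b12f.io" = hostingdeProviderConf;

        certs."${exDomain}" = hostingdeProviderConf;
        certs."mail.${exDomain}" = hostingdeProviderConf;

        certs."${pubsolarDomain}" = hostingdeProviderConf;
        certs."www.${pubsolarDomain}" = hostingdeProviderConf;
        certs."auth.${pubsolarDomain}" = hostingdeProviderConf;
        certs."git.${pubsolarDomain}" = hostingdeProviderConf;
        certs."ci.${pubsolarDomain}" = hostingdeProviderConf;
        certs."list.${pubsolarDomain}" = hostingdeProviderConf;
        certs."obs-portal.${pubsolarDomain}" = hostingdeProviderConf;
      };
    };
  };
}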