fae: switch to nginx, use acme with hosting.de DNS

hosts/default.nix

@@ -42,6 +42,7 @@
           inputs.nixos-hardware.nixosModules.raspberry-pi-4
           ./fae
           self.nixosModules.pub-solar
+          self.nixosModules.acme
         ];
       };
 

hosts/fae/paperless.nix

@@ -51,7 +51,7 @@ in {
       PAPERLESS_OCR_LANGUAGE = "nld+deu";
       PAPERLESS_ADMIN_USER = psCfg.user.name;
       PAPERLESS_AUTO_LOGIN_USERNAME = psCfg.user.name;
-      PAPERLESS_URL = "https://paperless.local";
+      PAPERLESS_URL = "https://paperless.faenix.eu";
     };
   };
 
@@ -74,23 +74,32 @@ in {
     };
   };
 
-  #security.acme.certs = {
-  #  "paperless.b12f.io" = {};
-  #};
-  services.caddy = {
-    enable = true;
-    globalConfig = ''
-      local_certs
-    '';
-    virtualHosts = {
-      "paperless.fritz.box" = {
-        extraConfig = ''
-          reverse_proxy :${builtins.toString config.services.paperless.port}
-        '';
-      };
+  security.acme.certs = {
+    "paperless.faenix.eu" = {};
+  };
+
+  services.nginx.virtualHosts = {
+    "paperless.faenix.eu" = {
+      forceSSL = true;
+      useACMEHost = "paperless.faenix.eu";
+      locations."/".proxyPass = "http://127.0.0.1:${builtins.toString config.services.paperless.port}";
     };
   };
 
+  #services.caddy = {
+  #  enable = true;
+  #  globalConfig = ''
+  #    local_certs
+  #  '';
+  #  virtualHosts = {
+  #    "paperless.fritz.box" = {
+  #      extraConfig = ''
+  #        reverse_proxy :${builtins.toString config.services.paperless.port}
+  #      '';
+  #    };
+  #  };
+  #};
+
   networking.firewall.allowedTCPPorts = [ 80 443 ];
 
   systemd.tmpfiles.rules = [

modules/acme/default.nix

@@ -0,0 +1,27 @@
+{
+  flake,
+  config,
+  pkgs,
+  lib,
+  ...
+}: {
+  age.secrets."hosting-de-acme-secrets" = {
+    file = "${flake.self}/secrets/hosting-de-acme-secrets.age";
+    mode = "400";
+    owner = "acme";
+  };
+
+  security.acme = {
+    acceptTerms = true;
+
+    defaults = {
+      email = "jfw@miom.space";
+      # server = "https://acme-staging-v02.api.letsencrypt.org/directory";
+      dnsProvider = "hostingde";
+      dnsPropagationCheck = true;
+      environmentFile = config.age.secrets."hosting-de-acme-secrets".path;
+      group = "nginx";
+      webroot = null;
+    };
+  };
+}

modules/default.nix

@@ -5,6 +5,7 @@
 }: {
   flake = {
     nixosModules = rec {
+      acme = import ./acme;
       audio = import ./audio;
       bluetooth = import ./bluetooth;
       core = import ./core;

secrets/secrets.nix

@@ -3,6 +3,7 @@ let
   machines = {
     dumpyourvms = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILDATEWAgDZFfYs1ZPh33Kg4sqQ9tWMVKyk8XqFu3Koe host@dumpyourvms";
     ryzensun = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH/l7MfEmt510BMeNjuXNPmZ0brcQidvrrpcea+qJMjX root@ryzensun";
+    fae = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINP3xI8c8+SI5QPTHqR0YIwKvG8x2MJGC/arBu4BkCP0 root@fae";
   };
   users = {
     teutat3s = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHcU6KPy4b1MQXd6EJhcYwbJu7E+0IrBZF/IP6T7gbMf teutat3s@dumpyourvms";
@@ -19,4 +20,5 @@ in {
   "mnx-bonanza-pf1.p12.age".publicKeys = allKeys;
   "docker-ci-runner-secrets.age".publicKeys = allKeys;
   "test-secret.age".publicKeys = [users.teutat3s-5-nfc];
+  "hosting-de-acme-secrets.age".publicKeys = [machines.fae users.teutat3s users.teutat3s-5-nfc];
 }