Use DNS-01 for ACME

2025-02-28 04:15:14 +01:00 · 2025-02-28 04:15:14 +01:00 · 45562df6cf
commit 45562df6cf
parent 0b3e10fd70
4 changed files with 11 additions and 6 deletions
--- a/configuration.nix
+++ b/configuration.nix
@ -209,6 +209,11 @@ with pkgs;
      owner = "matrix-as-signal";
      group = "matrix-as-signal";
    };
+    secrets.acme = {
+      file = secrets/acme.age;
+      owner = "acme";
+      group = "nginx";
+    };
    identityPaths = [ "/etc/ssh/id_ed25519" ];
  };

--- a/modules/webstack.nix
+++ b/modules/webstack.nix
@ -175,14 +175,13 @@
    acceptTerms = true;
    defaults = {
      email = "akasroua@disroot.org";
-      dnsResolver = "127.0.0.1:53";
      group = "nginx";
-      webroot = "/var/lib/acme/acme-challenge";
-      ocspMustStaple = true;
    };
-    certs."coolneng.duckdns.org".extraDomainNames = lib.attrsets.mapAttrsToList (
-      name: value: "${name}"
-    ) config.services.nginx.virtualHosts;
+    certs."coolneng.duckdns.org" = {
+      domain = "*.coolneng.duckdns.org";
+      dnsProvider = "duckdns";
+      environmentFile = config.age.secrets.acme.path;
+    };
  };

  # Generate dhparams
--- a/secrets/acme.age
+++ b/secrets/acme.age
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -16,4 +16,5 @@ in
  "mqtt-receiver.age".publicKeys = [ zion ];
  "facebook.age".publicKeys = [ zion ];
  "signal.age".publicKeys = [ zion ];
+  "acme.age".publicKeys = [ zion ];
 }