From 45562df6cfd99271c0071c6f6119145f976139e0 Mon Sep 17 00:00:00 2001
From: coolneng
Date: Fri, 28 Feb 2025 04:15:14 +0100
Subject: [PATCH] Use DNS-01 for ACME
---
 configuration.nix | 5 +++++
 modules/webstack.nix | 11 +++++------
 secrets/acme.age | Bin 0 -> 263 bytes
 secrets/secrets.nix | 1 +
 4 files changed, 11 insertions(+), 6 deletions(-)
 create mode 100644 secrets/acme.age
diff --git a/configuration.nix b/configuration.nix
index da29410..2bd6e64 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -209,6 +209,11 @@ with pkgs;
 owner = "matrix-as-signal";
 group = "matrix-as-signal";
 };
+ secrets.acme = {
+ file = secrets/acme.age;
+ owner = "acme";
+ group = "nginx";
+ };
 identityPaths = [ "/etc/ssh/id_ed25519" ];
 };
diff --git a/modules/webstack.nix b/modules/webstack.nix
index 5463d46..e60c673 100644
--- a/modules/webstack.nix
+++ b/modules/webstack.nix
@@ -175,14 +175,13 @@
 acceptTerms = true;
 defaults = {
 email = "akasroua@disroot.org";
- dnsResolver = "127.0.0.1:53";
 group = "nginx";
- webroot = "/var/lib/acme/acme-challenge";
- ocspMustStaple = true;
 };
- certs."coolneng.duckdns.org".extraDomainNames = lib.attrsets.mapAttrsToList (
- name: value: "${name}"
- ) config.services.nginx.virtualHosts;
+ certs."coolneng.duckdns.org" = {
+ domain = "*.coolneng.duckdns.org";
+ dnsProvider = "duckdns";
+ environmentFile = config.age.secrets.acme.path;
+ };
 };
 # Generate dhparams
diff --git a/secrets/acme.age b/secrets/acme.age
new file mode 100644
index 0000000000000000000000000000000000000000..7eb7f09feb559020dd7ee8eae1325547d4db50d4
GIT binary patch literal 263 zcmV+i0r>u5XJsvAZewzJaCB*JZZ2T0(edZ8TR|dS*pTbW=rkS66UyGD!+8EiE8zX?jj@dQ(hT literal 0 HcmV?d00001
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 220ef45..f50ee03 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
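Review bot: The new `secrets.acme` entry in configuration.nix sets `group = "nginx"` on a file whose only consumer is the ACME client running as `owner = "acme"`; the DNS provider token it carries is never needed by nginx. With agenix's default owner-only mode the group grant is inert today, but it silently widens access the moment a `mode` is added, at which point a compromised nginx worker could read a credential that controls DNS for the whole domain. Consider `group = "acme";` (or dropping the `group` line) so the secret's readers match its actual use. The enclosing attribute set (presumably `age`, given `identityPaths`) starts outside the hunk.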
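Review bot: In modules/webstack.nix, `domain = "*.coolneng.duckdns.org"` makes the certificate named "coolneng.duckdns.org" cover only subdomains, because a wildcard name does not match the apex; any virtualHost served at `coolneng.duckdns.org` itself, which the removed `extraDomainNames` built from `config.services.nginx.virtualHosts` would have included, now gets a name mismatch. Adding `extraDomainNames = [ "coolneng.duckdns.org" ];` inside the new `certs."coolneng.duckdns.org"` set keeps the apex covered. The hunk also drops `ocspMustStaple = true;` and `dnsResolver` without the subject mentioning either; a one-line comment such as `# OCSP stapling flag dropped deliberately: <reason>` would let a reader tell an intentional change from a lost line. Note that the token behind `environmentFile` now authorises issuance for every name under the domain, so its readability and rotation deserve more care than the old webroot challenge did. The enclosing block (apparently `security.acme`) starts before the hunk.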
@@ -16,4 +16,5 @@ in
 "mqtt-receiver.age".publicKeys = [ zion ];
 "facebook.age".publicKeys = [ zion ];
 "signal.age".publicKeys = [ zion ];
+ "acme.age".publicKeys = [ zion ];
 }