use dns-01 challenge

2024-02-09 21:21:14 +03:00 · 2024-02-09 21:21:14 +03:00 · 66b156e23b
commit 66b156e23b
parent 4fc7d2bc8a
3 changed files with 17 additions and 56 deletions
--- a/profiles/servers/acme.nix
+++ b/profiles/servers/acme.nix
@ -1,13 +1,22 @@
-{ ... }: {
+{ config, inputs, ... }: {
+  sops.secrets.cf-dns-api = {
+    sopsFile = inputs.self.secretsDir + /misc.yaml;
+    owner = "acme";
+  };
  security.acme = {
    acceptTerms = true;
    # defaults.server = "https://acme-staging-v02.api.letsencrypt.org/directory"; # staging
    defaults.server = "https://acme-v02.api.letsencrypt.org/directory"; # production
    defaults.email = "admin@ataraxiadev.com";
    defaults.renewInterval = "weekly";
+    certs = {
+      "ataraxiadev.com" = {
+        extraDomainNames = [ "*.ataraxiadev.com" ];
+        dnsResolver = "1.1.1.1:53";
+        dnsProvider = "cloudflare";
+        credentialFiles."CF_DNS_API_TOKEN_FILE" = config.sops.secrets.cf-dns-api.path;
+      };
+    };
  };
-
-  persist.state.directories = [
-    "/var/lib/acme"
-  ];
+  persist.state.directories = [ "/var/lib/acme" ];
 }
--- a/profiles/servers/nginx.nix
+++ b/profiles/servers/nginx.nix
@ -55,55 +55,6 @@ let
    };
  };
 in {
-  security.acme.certs = {
-    "ataraxiadev.com" = {
-      webroot = "/var/lib/acme/acme-challenge";
-      extraDomainNames = [
-        "api.ataraxiadev.com"
-        "auth.ataraxiadev.com"
-        # "bathist.ataraxiadev.com"
-        # "browser.ataraxiadev.com"
-        "cache.ataraxiadev.com"
-        "cal.ataraxiadev.com"
-        # "cocalc.ataraxiadev.com"
-        "code.ataraxiadev.com"
-        "docs.ataraxiadev.com"
-        # "fb.ataraxiadev.com"
-        "file.ataraxiadev.com"
-        # "fsync.ataraxiadev.com"
-        "home.ataraxiadev.com"
-        "jackett.ataraxiadev.com"
-        "jellyfin.ataraxiadev.com"
-        "joplin.ataraxiadev.com"
-        "kavita.ataraxiadev.com"
-        "ldap.ataraxiadev.com"
-        "lib.ataraxiadev.com"
-        "lidarr.ataraxiadev.com"
-        "medusa.ataraxiadev.com"
-        "office.ataraxiadev.com"
-        "openbooks.ataraxiadev.com"
-        "pdf.ataraxiadev.com"
-        "qbit.ataraxiadev.com"
-        "radarr.ataraxiadev.com"
-        "s3.ataraxiadev.com"
-        "sonarr.ataraxiadev.com"
-        # "startpage.ataraxiadev.com"
-        "tools.ataraxiadev.com"
-        "vault.ataraxiadev.com"
-        "vw.ataraxiadev.com"
-        "wg.ataraxiadev.com"
-        "wiki.ataraxiadev.com"
-        "wopi.ataraxiadev.com"
-        # "webmail.ataraxiadev.com"
-
-        # "matrix.ataraxiadev.com"
-        # "dimension.ataraxiadev.com"
-        # "stats.ataraxiadev.com"
-        # "element.ataraxiadev.com"
-      ];
-    };
-  };
-
  services.nginx = {
    enable = true;
    group = "acme";
--- a/secrets/misc.yaml
+++ b/secrets/misc.yaml
@ -1,6 +1,7 @@
 attic-token: ENC[AES256_GCM,data:mO5g45uO9fMh9EakmjmdClVkhquKurjXmwnc3Qenj0Wq4QCUvQrOUa9xNcOpQPJsnGnVFH9qFF1X26kGqgUtX3vy4pibvgyoEi5EWVMw8d6tZ/OOKqm4UHlnbG1uEHq5VN5o+IRkk5P0pxXSXiWHNh1aUmW2NrQ8+Wcx7izH01rG5rAZ0hrPZAm/a66W882p6fRdGGvVo4KJBUx8T5n4MD8UNPlafGRKPiloZbXbNAb4NFPnvDLvSPn3VNM659AvDkweMUIQuLvsV0dXB2tOc9ZTkoYHqdYqVMDN/vy+sN+QpKJx0vL5x7e4bSbSCQ7ZP1tJHknuod0DKZqMjg==,iv:Fj35Z4G6jscv8hpcASmoTGc6TUWl/wbebMkQeYoEDeQ=,tag:Y0L5NrA0MKFE+/Fa+eL8oA==,type:str]
 headscale-api: ENC[AES256_GCM,data:oTVPF4ZwvXEle6R7WyNFTkOgbEEaCVumC2fXtWwSCOpWezCYPNpN1Jwtu+JHDiSCgn8zKu9H,iv:iSkHmcCLBHzeWc3r2GPEM2y+nxPCSDK2rVdcatkEtao=,tag:XBCLGwwbYR3YpLDR957hqg==,type:str]
 headscale-api-env: ENC[AES256_GCM,data:YdXBG+jYWOMpzMQvga+LOI7C/plmsxhDdhwkCSUzQGkv383KSPFM/KK+tVaEL2/9r4HaO8flnjGKYGPPC9IaPrrJbiNolcjzyBbIYA==,iv:61h8KDlhEUtOCyS+5FKmFdCuXYe3BQ+nNjpPKEgkenw=,tag:V27Dg0jQQSgrLYXORLzxrQ==,type:str]
+cf-dns-api: ENC[AES256_GCM,data:Y1NYeX6YzOyWkXDlqgv1KFV1rjpkEqTQz1MZC4qKI5zJ7SuXNUqc8w==,iv:mbaJHKJxoNGqSe425UyrGMWa/QT1uiapLccIqzTC11M=,tag:CdMFS6NMLKhH/WLmvgNJ7Q==,type:str]
 git-ssh-key: ENC[AES256_GCM,data:TfQzwqjWNSYZ/x2f6nSlhzRJ+LEzsY8pP/je0Y9wW64oVVyYOJnJsFyu/6TruZKWbCpf0kw9aRyali4ztKoGo6/RR7PiH1EvI/+V55+cwAtUBlTUBadrT1Ed1SHj0hKOLmSoo9M7L4TvOMQjqLr69BxkDIX8LBG/Fp1Hk2dpblqCdG3710o+R6wHMLUURPrMCb8ff953FLVOcCSBi2G34BV+rbuPXV2H3aS3kerMY3XXKeII4a7PKwyk1P+v5Fore2sVxQ8tWa+xfuzgC5pugKZrrkX9CldDA0wb3fBufk6YkBNNGG+EqqFq7IBP8jnZxZ8Gr7XLpXNSTwZ8Vkkhw8ebt0+f60uoxgHbor9m6Vi71k8+yy0HsTfbCbDToi25G094qOTHAINv+36X3KLl+Ea19+53BhYor675bziMBUiZ4o4YE2Da8Wu369lrHXTzPNncOCYwVV4UnxCrmeLV1yPJ4w0LFKpAeyo+v5tqZy9L/0xHZHVfUJq7i6jgpjx+ll4ACxV+V8xxFuFZ8pybY9tcH0VSTk/PZjmjbg0U2LlOa8n8KtywXgkWG+HZjQN+LylyBgaVQjOOuCEPG6NVerIE7N41r1GI0kdPlvg6ituA9umAEWFA1vmJ+s6e1WqUt2+webIi24zPrEUbdZGmmkgRLRJ9hXT0WOS35vtHQtZJYdz8fWKkId9jKVNgXNyrTzp5yFY4ySBfHGR0JxCjmAxVpaq7TQUh+c5qpu9+6wsQhi31t11TrJMoZ09DKJEWJ/lAuGsGvyAI6E2qqxK0lRaHIDZWbyCzf51+aOYlNRK5Z4OCeDahx08iFuA3CbZB981D6PQTLZ+40a6Xi2CeLGC3aL6hyBV4t/+btHad6u4SNGFD09AZkSHB9kKiJ8gMJw3iPwdbOnNTi6ExIuEY/Hcafq+8GFc0nT9aeaef3hFrThWhvmoXZMDWllwFRYWrKZL3IhsNTLIdWNWsV+huDiwmPeYMBVX3dX+SxQ31DRjSxr1ybUrb3JgrsrnJ1nDZcJxKHGtqKlv3bsKooZq2Lgoq2o5lvv3xIlfNSt4w+ehIM/9VzcYI48vvWl/tiHXAxzbD9qOFH7Y4agNn7lTtb/9kF70qDFUguUOk/GX+ec65b9SassmTTdQw7wREaTThF+v88HAez30A8ZzWHVKh0pfacnNAZZqdy3EYiUUkxmTQbnS/ASCNruFEyekAF0v5sGTKe7tgXZRoZB0T0Iy9lDT8IkEYOBTPn4qFjUq2v3Sg12zB5qs5ghnvBG9JW4SqXP0yx5s5Nzc4lZvcPsuEPzMA0GQM+iDU6AUw5sjE2PSsaarflLStotayU5fAQBJGOV/Oo1tsZWqhWlbIOXiky1xo3S1XTaV523MvChY0h3TbjVRDcP41BNgVQ7Q2SiF3j5WAxj6ry8vvR2RBcgglQXZMq+RYHZD81vU4JUFtV9QMDhlI3X53jnbOkignGq5gk3Pv1jV9C8SXXGqgtm8cH2LkNG1JRwt+IEGbKcL6XPAs/mUaT4m0bTE3Wl2HeGjEWHklEFaS0Kl5+m+wwTmO/qspJc8ap+ilQ7dFcyGlPFVl8ddyIPnUYSPND7OLd4OvvIA4+Dga9ngVFNKgQb1eho6gtQQRiO6J/y956uks98OmdOwkf/cZq3O/9GHamHoF5N2eN4okrvnsgF5rANN24ufVo7K+vSqVrCYqxCwcZwtrBqit5eKDceyhiM9MVm1iV2JolIiL3c7gHc3KG4l8LuQ2ET3ijI2eulsHbqssloB8wGNG/iihfMRYH9lNSSaRDMG5BBXWAz0hJp08CqqVnuEnlFagOAqHg4VfArkZE+0e34ybjq6gw0X/8L5ULQg1sICsjad/wT8DTLuaNT1/uvBDeG/V+OIycM/HYg8x2eqfBClQ3YMR4OfLzXNcwQAFjFHTLuuiHY8PXWtVDpfRUAA90lr/YfGqa4mHwcvvd3WyyrMoWkNyQ7jhsPtwF0qVQUZUAIsv3NbucRNfocE1CyeeQxyffkN2stMhZLJUJEDrIE4IRQV/qdgtFnaUC5OcCQ/z3P5dIueAKOUCynu7r/jImLaS4Bdeyh2VS5bQjBAVXoN30fk+E6JmRnfnvgN/5xvkK8ycCmt5j40Msbn68hXYLmxJnflpJHLeTwY2rS7JBLRHc1jNmUhi8QIWD9FeUrtWF875/5ZTo48KH1Ny2aQM26GHOhcGlJb2BCvieXsawtIDFtEw6T9q,iv:3Q2gIetHriabpmTvw7D4+TnKWCTQaKYWmLCMuj1RK0g=,tag:S7T/CgPyu9BwVB550BALmQ==,type:str]
 sops:
    kms: []
@ -8,8 +9,8 @@ sops:
    azure_kv: []
    hc_vault: []
    age: []
-    lastmodified: "2024-02-06T19:46:55Z"
-    mac: ENC[AES256_GCM,data:3ym1NPnMnkad+vOIfqX5ibJ2cn79ed8j+jA94yRv3WDugyq7bUvZTNLEHbOijhPQlVMxYxLD5CG8ms8LxoEDhjfYHI4Ahpl+oHlPZ+pTsvoe7vkSoMhk84OiOTs3f2WJfc0xeejuyOa7TYr9ayzxauaDIBYtrMXFcPa99jq/j/0=,iv:92L7ylr+nvN1KraUxsPQGE5IB374TnFKausD/aHaF9I=,tag:ifbqxe60Heq9a6S7R3lg8g==,type:str]
+    lastmodified: "2024-02-09T18:13:35Z"
+    mac: ENC[AES256_GCM,data:NQKG8hz0PWWb0eYC+OTz6pY6bFXhMIxPk8aOh+GX9BsUO4o9gb/ElzuIkVXVhQMETXb85c09JggIbVpx+eagvQt2roVouzDBDWohNwhI++q16I5RwbDrSM+AgiGPzIs6a1fTVQV6wJWIH6tpWw9NpJuSrIXKtdlR8y28KLy4I+M=,iv:izUDLBCSLHo3Qofj4GoUyEwSlDL1gv1O2qjPifIPRXo=,tag:+7k5CmSTtR1Xm61vv5Y5kA==,type:str]
    pgp:
        - created_at: "2024-02-06T20:12:44Z"
          enc: |-