feat: add acme module

2025-07-08 20:06:38 +03:00 · 2025-07-08 20:06:38 +03:00 · e8364fac08
commit e8364fac08
parent 91ed66d8fb
2 changed files with 40 additions and 0 deletions
--- a/hosts/orion/default.nix
+++ b/hosts/orion/default.nix
@ -103,6 +103,7 @@
  ];

  ataraxia.containers.tinyproxy.enable = true;
+  ataraxia.security.acme.enable = true;
  ataraxia.services.vaultwarden.enable = true;

  ataraxia.virtualisation.guests = {
--- a/modules/nixos/security/acme.nix
+++ b/modules/nixos/security/acme.nix
@ -0,0 +1,39 @@
+{
+  config,
+  lib,
+  inputs,
+  ...
+}:
+let
+  inherit (lib) mkEnableOption mkIf;
+
+  cfg = config.ataraxia.security.acme;
+in
+{
+  options.ataraxia.security.acme = {
+    enable = mkEnableOption "Default acme settings";
+  };
+
+  config = mkIf cfg.enable {
+    sops.secrets.cf-dns-api = {
+      sopsFile = inputs.self.secretsDir + /misc.yaml;
+      owner = "acme";
+    };
+    security.acme = {
+      acceptTerms = true;
+      # defaults.server = "https://acme-staging-v02.api.letsencrypt.org/directory"; # staging
+      defaults.server = "https://acme-v02.api.letsencrypt.org/directory"; # production
+      defaults.email = "admin@ataraxiadev.com";
+      defaults.renewInterval = "weekly";
+      certs = {
+        "ataraxiadev.com" = {
+          extraDomainNames = [ "*.ataraxiadev.com" ];
+          dnsResolver = "1.1.1.1:53";
+          dnsProvider = "cloudflare";
+          credentialFiles."CF_DNS_API_TOKEN_FILE" = config.sops.secrets.cf-dns-api.path;
+        };
+      };
+    };
+    persist.state.directories = [ "/var/lib/acme" ];
+  };
+}