From a5b51d43c117b0db69f8137bf3f539253a1bcd20 Mon Sep 17 00:00:00 2001
From: NullBite
Date: Fri, 21 Jun 2024 22:55:06 -0400
Subject: [PATCH] rpi4: Configure ACME certificate provisioning

---
 hosts/rpi4/configuration.nix | 3 +--
 hosts/rpi4/services.nix | 44 ++++++++++++++++++++++++++++++++++++
 2 files changed, 45 insertions(+), 2 deletions(-)
 create mode 100644 hosts/rpi4/services.nix

diff --git a/hosts/rpi4/configuration.nix b/hosts/rpi4/configuration.nix
index 7daaeb0..6b0dc46 100644
--- a/hosts/rpi4/configuration.nix
+++ b/hosts/rpi4/configuration.nix
@@ -8,10 +8,9 @@
 imports =
 [ # Include the results of the hardware scan.
 ./hardware-configuration.nix
+ ./services.nix
 ];
 
- age.secrets.cloudflaredns.file = ../../secrets/cloudflare-dns.age;
-
 fileSystems = let
 mounts = [ "/nix" "/" "/.btrfsroot" "/home" ];
 fn = (x: { options = [ "compress=zstd" ];});
diff --git a/hosts/rpi4/services.nix b/hosts/rpi4/services.nix
new file mode 100644
index 0000000..0a20b35
--- /dev/null
+++ b/hosts/rpi4/services.nix
@@ -0,0 +1,44 @@
+{ config, lib, pkgs, ... }:
+{
+ config = {
+
+ users.groups.secrets = {};
+ users.users.acme.extraGroups = [ "secrets" ];
+
+ age.secrets.cloudflaredns = {
+ file = ../../secrets/cloudflare-dns.age;
+ group = "secrets";
+ };
+
+
+ security.acme = {
+ acceptTerms = true;
+ maxConcurrentRenewals = 1;
+ defaults = {
+ };
+
+ certs = {
+ "protogen.io" = {
+ credentialFiles = {
+ CLOUDFLARE_EMAIL_FILE = pkgs.writeTextFile "cloudflare-email" ''
+ iancoguz@gmail.com
+ '';
+ CLOUDFLARE_API_KEY_FILE = config.age.secrets.cloudflaredns.path;
+ };
+
+ dnsProvider = "cloudflare";
+ domain = "protogen.io";
+ extraDomainNames = [
+ "*.protogen.io"
+ "nullbite.com"
+ "*.nullbite.com"
+ "nullbite.dev"
+ "*.nullbite.dev"
+ "nbt.sh"
+ "*.nbt.sh"
+ ];
+ };
+ };
+ };
+ };
+}
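Review bot: The `credentialFiles` block under `certs."protogen.io"` in hosts/rpi4/services.nix authenticates with `CLOUDFLARE_EMAIL_FILE` plus `CLOUDFLARE_API_KEY_FILE`, which lego treats as the account-wide Global API Key, although the DNS-01 challenge only needs to write TXT records in the four listed zones. A token scoped to DNS edit on those zones, passed as `CLOUDFLARE_DNS_API_TOKEN_FILE = config.age.secrets.cloudflaredns.path;`, would limit what a compromise of this host exposes and makes the e-mail entry unnecessary. If the e-mail entry stays, `pkgs.writeTextFile` takes an attribute set (`{ name, text }`), so the positional call here looks like it fails at evaluation; `pkgs.writeText` is the positional form. The `secrets` group and `users.users.acme.extraGroups` may also be unnecessary: I believe the NixOS ACME module hands `credentialFiles` to the unit through systemd credentials, and agenix's default mode appears to be owner-only, so `group = "secrets";` likely grants nothing without an explicit `mode = "0440";` — worth confirming and keeping the secret root-only if so.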