delta: acme cert

This commit is contained in:
Casper V. Kristensen 2024-04-06 01:21:46 +02:00
parent ec6d7555a4
commit cc2c5d86df
3 changed files with 11 additions and 8 deletions

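--- /dev/null
+++ b/hosts/delta/acme.nix
@@ -0,0 +1,7 @@
+{...}: {
+security.acme.certs."caspervk.net" = {
+domain = "*.caspervk.net";
+reloadServices = []; # unbound.service
+};
+users.groups.acme.members = []; # unbound
+}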
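Review bot: The wildcard `domain = "*.caspervk.net";` does not cover the bare apex name `caspervk.net` that the certificate entry is named after, so a consumer serving the apex would not be covered by this certificate; if the apex is needed, add `extraDomainNames = [ "caspervk.net" ];` next to `domain`, otherwise a comment stating that only subdomains are covered removes the ambiguity. The trailing `# unbound.service` and `# unbound` hints on the `reloadServices` and `users.groups.acme.members` lines are cryptic; I would replace them with one comment such as `# Intended consumer is unbound, not yet deployed on this host: add unbound.service to reloadServices and "unbound" to the acme group once it is.` Since every member of the acme group can read the private key of a wildcard certificate valid for all subdomains, group membership should stay limited to the services that actually terminate TLS with it, which the empty list currently does.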


@ -3,6 +3,7 @@
../../overlays ../../overlays
../../modules/base ../../modules/base
../../modules/server ../../modules/server
./acme.nix
./hardware.nix ./hardware.nix
./network.nix ./network.nix
]; ];


@ -15,6 +15,9 @@ lib.mkIf (config.security.acme.certs != {}) {
security.acme = { security.acme = {
acceptTerms = true; acceptTerms = true;
defaults = { defaults = {
# For testing, Let's Encrypt's staging server should be used to avoid
# the strict rate limit on production. Default to production.
# server = "https://acme-staging-v02.api.letsencrypt.org/directory";
email = "admin@caspervk.net"; email = "admin@caspervk.net";
# The DNS challenge is passed by updating DNS records directly in the # The DNS challenge is passed by updating DNS records directly in the
# zone on the authoritative DNS server (Knot). # zone on the authoritative DNS server (Knot).
@ -42,12 +45,4 @@ lib.mkIf (config.security.acme.certs != {}) {
owner = "root"; owner = "root";
group = "root"; group = "root";
}; };
# TODO
# https://search.nixos.org/options?channel=23.11&show=services.caddy.virtualHosts.%3Cname%3E.useACMEHost&from=0&size=50&sort=relevance&type=packages&query=services.caddy
# security.acme.certs."caspervk.net" = {
# domain = "*.caspervk.net";
# group = "users";
# reloadServices = [];
# };
} }
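Review bot: The staging comment added above `email` in the first hunk says when to use the staging endpoint but not that certificates issued there chain to an untrusted test root, so during a staging run every service reloaded through `reloadServices` presents a certificate that clients reject; I would append `# Staging certificates are signed by an untrusted test root; after a staging run, switch back to production and confirm the certificate is reissued before relying on it.`. The wording "should be used … Default to production" also reads as if staging were currently active; `# Uncomment to use the staging server for testing (avoids production rate limits); leave commented for production.` is unambiguous. The enclosing `security.acme.defaults` attribute set continues outside the hunk, and the second hunk only removes the stale TODO that the new acme.nix appears to supersede.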