delta: acme cert

2024-04-06 01:21:46 +02:00 · 2024-04-06 01:21:46 +02:00 · cc2c5d86df
parent ec6d7555a4
commit cc2c5d86df
3 changed files with 11 additions and 8 deletions
--- a/hosts/delta/acme.nix
+++ b/hosts/delta/acme.nix
@ -0,0 +1,7 @@
+{...}: {
+  security.acme.certs."caspervk.net" = {
+    domain = "*.caspervk.net";
+    reloadServices = [];  # unbound.service
+  };
+  users.groups.acme.members = [];  # unbound
+}
--- a/hosts/delta/default.nix
+++ b/hosts/delta/default.nix
@ -3,6 +3,7 @@
    ../../overlays
    ../../modules/base
    ../../modules/server
+    ./acme.nix
    ./hardware.nix
    ./network.nix
  ];
--- a/modules/server/acme.nix
+++ b/modules/server/acme.nix
@ -15,6 +15,9 @@ lib.mkIf (config.security.acme.certs != {}) {
  security.acme = {
    acceptTerms = true;
    defaults = {
+      # For testing, Let's Encrypt's staging server should be used to avoid
+      # the strict rate limit on production. Default to production.
+      # server = "https://acme-staging-v02.api.letsencrypt.org/directory";
      email = "admin@caspervk.net";
      # The DNS challenge is passed by updating DNS records directly in the
      # zone on the authoritative DNS server (Knot).
@ -42,12 +45,4 @@ lib.mkIf (config.security.acme.certs != {}) {
    owner = "root";
    group = "root";
  };
-
-  # TODO
-  # https://search.nixos.org/options?channel=23.11&show=services.caddy.virtualHosts.%3Cname%3E.useACMEHost&from=0&size=50&sort=relevance&type=packages&query=services.caddy
-  # security.acme.certs."caspervk.net" = {
-  #   domain = "*.caspervk.net";
-  #   group = "users";
-  #   reloadServices = [];
-  # };
 }