authorMel <mel@rnrd.eu>2025-02-12 18:39:45 +0100
committerMel <mel@rnrd.eu>2025-02-12 18:54:57 +0100
commit2d90edb0be0ec6063a646b4473d1663179dd55fc (patch)
tree529e20f854df47debe4381d70141b24d0d5d3114 /modules
parent7afb39935e8dabd1c6797aefa3d36f6061794040 (diff)
Create wildcard certificates for rnrd external and internal domain
Signed-off-by: Mel <mel@rnrd.eu>
Diffstat (limited to 'modules')
-rw-r--r--modules/www/default.nix44
1 files changed, 40 insertions, 4 deletions
diff --git a/modules/www/default.nix b/modules/www/default.nix
index 9a97522..ecc9b66 100644
--- a/modules/www/default.nix
+++ b/modules/www/default.nix
@@ -1,6 +1,16 @@
-{ me, pkgs, util, ... }:
+{
+  me,
+  config,
+  pkgs,
+  lib,
+  util,
+  ...
+}:
 
 let
+  inherit (lib) mergeAttrsList;
+  inherit (config.age) secrets;
+
   rnrdUrl = if me.is.renard then "rnrd.eu" else "${me.name}.rnrd.eu";
 
   base-index = pkgs.substituteAll {
@@ -13,15 +23,40 @@ let
     "favicon.png" = ../../assets/favicon.png;
   };
 
+  certificate = domain: {
+    ${domain} = {
+      domain = "*.${domain}";
+      extraDomainNames = [ domain ];
+
+      dnsProvider = "cloudflare";
+      credentialFiles = {
+        CLOUDFLARE_DNS_API_TOKEN_FILE = secrets.cloudflare-dns.path;
+      };
+    };
+  };
 in
 {
   imports = [ ./tailnet.nix ];
 
+  age.secrets = {
+    cloudflare-dns.file = ../../secrets/cloudflare-dns.age;
+  };
+
   security.acme = {
     acceptTerms = true;
-    defaults.email = "mel@rnrd.eu";
     # causes issues with tailscale certificates
     preliminarySelfsigned = false;
+    defaults = {
+      email = "mel@rnrd.eu";
+      # our certificates are really only used with Nginx
+      group = config.services.nginx.group;
+      reloadServices = [ "nginx.service" ];
+    };
+
+    certs = mergeAttrsList [
+      (certificate "rnrd.eu")
+      (certificate "rnrd.fyi")
+    ];
   };
 
   services.nginx = {
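Review bot: The Cloudflare token referenced on the `CLOUDFLARE_DNS_API_TOKEN_FILE` line is the security boundary of this change: whoever holds it can complete DNS-01 and therefore obtain certificates for every zone the token can write, yet nothing in the hunk records that it should be limited to DNS edit on rnrd.eu and rnrd.fyi only. I'd add that as a comment on the `certificate` function: `# DNS-01 via Cloudflare: the token in secrets.cloudflare-dns should be scoped to DNS edit on these two zones only`. The `age.secrets.cloudflare-dns` entry sets no owner/mode, so the decrypted file presumably ends up root-only; that is fine if security.acme hands `credentialFiles` to lego through systemd credentials, but worth confirming against the NixOS module on the release in use rather than assuming. Note also that `defaults.group = config.services.nginx.group` makes the wildcard private keys for both zones readable by anything running in nginx's group, which is broader than a per-host certificate would have been.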
@@ -57,9 +92,10 @@ in
       base = {
         default = true;
         serverName = rnrdUrl;
-        root = base;
         forceSSL = true;
-        enableACME = true;
+        useACMEHost = "rnrd.eu";
+
+        root = base;
         extraConfig = ''
           access_log /var/log/nginx/base.access.log json_combined;
         '';
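Review bot: `useACMEHost = "rnrd.eu"` repeats a literal that also appears in `certificate "rnrd.eu"` and in `rnrdUrl` in the previous hunk; if the attribute name under `security.acme.certs` is ever changed, this vhost silently loses its certificate at evaluation time, so a single let binding for the domain would keep the three in step. The wildcard `*.rnrd.eu` covers one label only, so `serverName = rnrdUrl` in its `${me.name}.rnrd.eu` form is matched by this certificate only if `me.name` contains no dots — worth a one-line comment on the `useACMEHost` line, e.g. `# wildcard covers a single label; rnrdUrl must stay one level below rnrd.eu`. The `services.nginx` block continues outside the hunk.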