-rw-r--r--modules/www/default.nix44
-rw-r--r--secrets/cloudflare-dns.agebin693 -> 803 bytes
-rw-r--r--secrets/secrets.nix5
-rw-r--r--services/cgit.nix2
4 files changed, 42 insertions, 9 deletions
diff --git a/modules/www/default.nix b/modules/www/default.nix
index 9a97522..ecc9b66 100644
--- a/modules/www/default.nix
+++ b/modules/www/default.nix
@@ -1,6 +1,16 @@
-{ me, pkgs, util, ... }:
+{
+  me,
+  config,
+  pkgs,
+  lib,
+  util,
+  ...
+}:
 
 let
+  inherit (lib) mergeAttrsList;
+  inherit (config.age) secrets;
+
   rnrdUrl = if me.is.renard then "rnrd.eu" else "${me.name}.rnrd.eu";
 
   base-index = pkgs.substituteAll {
@@ -13,15 +23,40 @@ let
     "favicon.png" = ../../assets/favicon.png;
   };
 
+  certificate = domain: {
+    ${domain} = {
+      domain = "*.${domain}";
+      extraDomainNames = [ domain ];
+
+      dnsProvider = "cloudflare";
+      credentialFiles = {
+        CLOUDFLARE_DNS_API_TOKEN_FILE = secrets.cloudflare-dns.path;
+      };
+    };
+  };
 in
 {
   imports = [ ./tailnet.nix ];
 
+  age.secrets = {
+    cloudflare-dns.file = ../../secrets/cloudflare-dns.age;
+  };
+
   security.acme = {
     acceptTerms = true;
-    defaults.email = "mel@rnrd.eu";
     # causes issues with tailscale certificates
     preliminarySelfsigned = false;
+    defaults = {
+      email = "mel@rnrd.eu";
+      # our certificates are really only used with Nginx
+      group = config.services.nginx.group;
+      reloadServices = [ "nginx.service" ];
+    };
+
+    certs = mergeAttrsList [
+      (certificate "rnrd.eu")
+      (certificate "rnrd.fyi")
+    ];
   };
 
   services.nginx = {
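Review bot: The `certificate` helper requests a wildcard `*.${domain}` plus the apex for each zone, and `defaults.group = config.services.nginx.group` makes each wildcard private key readable by the whole nginx group, so any process running in that group on the host can present a valid certificate for any single-label name under rnrd.eu or rnrd.fyi; a comment above `certificate` such as `# deliberately a wildcard: one key pair per zone, shared with nginx via defaults.group` would record that this scope is intended. Because this module is imported per host, every host runs its own DNS-01 issuance for the identical name set, which counts against Let's Encrypt's duplicate-certificate rate limit fleet-wide — presumably fine at the current host count, but worth a one-line note beside `certs`. Nothing in the hunk sets `dnsPropagationCheck` or `dnsResolver`, so issuance relies on the defaults; that is not a defect, just the place to look if DNS-01 validation ever fails.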
@@ -57,9 +92,10 @@ in
       base = {
         default = true;
         serverName = rnrdUrl;
-        root = base;
         forceSSL = true;
-        enableACME = true;
+        useACMEHost = "rnrd.eu";
+
+        root = base;
         extraConfig = ''
           access_log /var/log/nginx/base.access.log json_combined;
         '';
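Review bot: `useACMEHost = "rnrd.eu"` binds this vhost to the wildcard certificate, but `serverName = rnrdUrl` expands to `${me.name}.rnrd.eu` on non-renard hosts and a wildcard matches exactly one DNS label, so the certificate is only valid for that host if `me.name` never contains a dot; a comment such as `# served from the *.rnrd.eu wildcard; serverName must stay a single label under rnrd.eu` makes the assumption explicit. The same `enableACME` → `useACMEHost` switch is made in services/cgit.nix for git.rnrd.eu, which is a single label and is covered. Note that `useACMEHost` also depends on `security.acme.certs."rnrd.eu"` existing on every host that evaluates these vhosts; if a host could import services/cgit.nix without modules/www, nginx would reference a cert path that is never created — hedged, since the import graph is not visible in this diff.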
diff --git a/secrets/cloudflare-dns.age b/secrets/cloudflare-dns.age
index bd546a6..5eba203 100644
--- a/secrets/cloudflare-dns.age
+++ b/secrets/cloudflare-dns.age
Binary files differ
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 823420b..8571672 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -5,10 +5,7 @@ let
   inherit (keys.system) renard lapin corsac;
 in
 {
-  "cloudflare-dns.age".publicKeys = [
-    lapin
-    corsac
-  ] ++ allAdmins;
+  "cloudflare-dns.age".publicKeys = allSystems ++ allAdmins;
 
   "pds-secrets.age".publicKeys = [
     lapin
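Review bot: Widening `"cloudflare-dns.age".publicKeys` from two named hosts to `allSystems` places the Cloudflare DNS API token on every machine in the fleet, including any that do not run the ACME module, so the blast radius of a single host compromise now covers DNS for both zones and the ability to obtain certificates for them via DNS-01. Prefer listing only the hosts that actually import modules/www, or introduce a dedicated recipient list next to `allSystems` for ACME-bearing hosts, and confirm the token itself is scoped to DNS edit on rnrd.eu and rnrd.fyi rather than account-wide; if it is broader, rotating it to a zone-scoped token is the cheaper mitigation. The re-encrypted secrets/cloudflare-dns.age in this commit reflects the larger recipient set, and adding a host to `allSystems` later will require re-keying this file too, which is worth a short comment on this line.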
diff --git a/services/cgit.nix b/services/cgit.nix
index 73bfbe4..125b920 100644
--- a/services/cgit.nix
+++ b/services/cgit.nix
@@ -65,7 +65,7 @@ in
   };
 
   services.nginx.virtualHosts."git.rnrd.eu" = {
-    enableACME = true;
+    useACMEHost = "rnrd.eu";
     forceSSL = true;
     locations = {
       "/" = {