authorFranck Cuny <franck@fcuny.net>2023-05-07 13:45:04 -0700
committerFranck Cuny <franck@fcuny.net>2023-05-08 19:22:28 -0700
commit5d11f49ecf05048626227dfe6f758360775b300f (patch)
treeac86934f30f88b8749fcbf930a2660e3326d92c9 /profiles
parentmodule for homelab (diff)
downloadworld-5d11f49ecf05048626227dfe6f758360775b300f.tar.gz
profile/acme: default DNS provider is gandi
Add the API key for gandi to the secrets, create a profile for acme with
my defaults.

The profile is loaded by tahoe since that's where our services are
running.

Update all the servers in nginx to listen on their wireguard interface.
Diffstat (limited to 'profiles')
-rw-r--r--profiles/acme.nix18
-rw-r--r--profiles/nas.nix2
2 files changed, 19 insertions, 1 deletions
diff --git a/profiles/acme.nix b/profiles/acme.nix
new file mode 100644
index 0000000..7fc62d3
--- /dev/null
+++ b/profiles/acme.nix
@@ -0,0 +1,18 @@
+{ pkgs, lib, config, ... }:
+let
+  secrets = config.age.secrets;
+in
+{
+  security.acme.acceptTerms = true;
+  security.acme.defaults = {
+    email = "le@fcuny.net";
+    dnsProvider = "gandiv5";
+    group = config.services.nginx.group;
+    credentialsFile = secrets."gandi/apikey".path;
+    dnsPropagationCheck = true;
+  };
+  security.acme.certs."${config.homelab.domain}" = {
+    domain = "*.${config.homelab.domain}";
+    extraDomainNames = [ config.homelab.domain ];
+  };
+}
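Review bot: `credentialsFile = secrets."gandi/apikey".path;` in `security.acme.defaults` has no comment saying what the secret must contain or how much authority it carries. The NixOS ACME module hands this file to lego as an environment file, so it needs a `GANDIV5_API_KEY=<value>` line rather than the bare key. A comment above the line such as `# env file read by lego (GANDIV5_API_KEY=<value>); this key can rewrite DNS for the zone` would record both facts. The agenix declaration for `gandi/apikey` is not in this diff, so confirm it keeps restrictive ownership and mode. The resulting wildcard key is readable by the nginx group, so it should be rotated together with the API key if the host is ever suspected compromised. Separately, the `pkgs` and `lib` arguments on the first line are unused and could be dropped.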
diff --git a/profiles/nas.nix b/profiles/nas.nix
index d1033af..7dc92da 100644
--- a/profiles/nas.nix
+++ b/profiles/nas.nix
@@ -1,8 +1,8 @@
 { config, pkgs, ... }:
 {
   imports = [
-    ./server.nix
     ./btrfs.nix
+    ./server.nix
   ];
 
   users.groups.nas.gid = 5000;