-rw-r--r--hosts/tahoe/default.nix1
-rw-r--r--hosts/tahoe/secrets/gandi/apikey.age11
-rw-r--r--hosts/tahoe/secrets/secrets.nix5
-rw-r--r--hosts/tahoe/services.nix9
-rw-r--r--modules/services/cgit/default.nix12
-rw-r--r--modules/services/monitoring/grafana.nix11
-rw-r--r--modules/services/navidrome/default.nix15
-rw-r--r--modules/services/nginx/default.nix5
-rw-r--r--modules/services/transmission/default.nix11
-rw-r--r--profiles/acme.nix18
-rw-r--r--profiles/nas.nix2
11 files changed, 64 insertions, 36 deletions
diff --git a/hosts/tahoe/default.nix b/hosts/tahoe/default.nix
index cfa3717..6fb5fcb 100644
--- a/hosts/tahoe/default.nix
+++ b/hosts/tahoe/default.nix
@@ -9,6 +9,7 @@ in
     ./networking.nix
     ./services.nix
     "${self}/profiles/nas.nix"
+    "${self}/profiles/acme.nix"
     "${self}/profiles/hardware/amd.nix"
   ];
 
diff --git a/hosts/tahoe/secrets/gandi/apikey.age b/hosts/tahoe/secrets/gandi/apikey.age
new file mode 100644
index 0000000..3f35522
--- /dev/null
+++ b/hosts/tahoe/secrets/gandi/apikey.age
@@ -0,0 +1,11 @@
+age-encryption.org/v1
+-> X25519 jMYhTKmWi5riTgT9QQVOlzlIegqM1MI2QtJbOonsL2E
+bM9xqcJc41bKs0as9lIQQQGZhB5cmaZtO1fHCsrMR9M
+-> X25519 3xMvuIuRGXBp/gbv+aZpjkp6wLw6hyRAqBIe/Pf+Szo
+2X45mDvLNcDOntT4JgZUFHpnlShm3UYv7gCpHGaj4Fo
+-> X25519 xemfO0+4pS8WG/7QoIIqULZ/xN+C0l+LbBgv4QIdcQU
+VfoMT93/3hTZdPo4ALCaEZrIO3bHhsoxCwf6DyXPwvI
+-> s06@-grease .@\9Og@9 7yCI nS'`(65/
+W1seHOnAnPFF8BB6uqQKv8JwpmoNCU93i06VtxuuHiaeGrlXNPiF0ikD/mysdA
+--- dpDFFk5ZPUwQZp96fpS85eZCVELD4GB1uwl/8ev5moA
+⇼?Zu>x3d[sLٵ)|[z1#cѨ3BHLw҂]$.
\ No newline at end of file
diff --git a/hosts/tahoe/secrets/secrets.nix b/hosts/tahoe/secrets/secrets.nix
index 34b955b..0560a57 100644
--- a/hosts/tahoe/secrets/secrets.nix
+++ b/hosts/tahoe/secrets/secrets.nix
@@ -28,6 +28,11 @@ in
     owner = "unpoller-exporter";
   };
 
+  "gandi/apikey.age" = {
+    publicKeys = all;
+    owner = "acme";
+  };
+
   "restic/repo-systems.age".publicKeys = all;
   "rsync.net/ssh-key.age".publicKeys = all;
 
diff --git a/hosts/tahoe/services.nix b/hosts/tahoe/services.nix
index a04225e..0227f4c 100644
--- a/hosts/tahoe/services.nix
+++ b/hosts/tahoe/services.nix
@@ -1,8 +1,7 @@
-{ config, ... }:
+{ self, config, ... }:
 let secrets = config.age.secrets;
 in
 {
-
   # this unit is broken and useless. I don't know how to not install
   # it, so let's mask it.
   systemd.services.mdmonitor.enable = false;
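Review bot: `self` is added to the argument set at the top of the file, but none of the hunks in this file reference it; the vhostName changes below use `config.homelab.domain` only. The file runs past the hunks, so it may be used further down; if it is not, `{ config, ... }:` should stay as it was. An unused module argument is harmless to evaluation but misleads readers into looking for a flake-relative path that is not there.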
@@ -14,12 +13,12 @@ in
     };
     navidrome = {
       enable = true;
-      vhostName = "music.fcuny.xyz";
+      vhostName = "music.${config.homelab.domain}";
       musicFolder = "/data/fast/music";
     };
     unifi = {
       enable = true;
-      vhostName = "unifi.fcuny.xyz";
+      vhostName = "unifi.${config.homelab.domain}";
     };
 
     monitoring = {
@@ -33,7 +32,7 @@ in
       };
       grafana = {
         enable = true;
-        vhostName = "dash.fcuny.xyz";
+        vhostName = "dash.${config.homelab.domain}";
       };
       promtail.enable = true;
       node-exporter.enable = true;
diff --git a/modules/services/cgit/default.nix b/modules/services/cgit/default.nix
index 5108e42..e00790c 100644
--- a/modules/services/cgit/default.nix
+++ b/modules/services/cgit/default.nix
@@ -76,6 +76,18 @@ in
       default = true;
       forceSSL = true;
       enableACME = true;
+      listen = [
+        {
+          addr = "192.168.6.40";
+          port = 443;
+          ssl = true;
+        }
+        {
+          addr = "192.168.6.40";
+          port = 80;
+          ssl = false;
+        }
+      ];
       locations = {
         "~* ^.+.(css|png|ico)$" = { root = "${pkgs.cgit}/cgit"; };
         # as per https://github.com/yandex/gixy/blob/master/docs/en/plugins/aliastraversal.md
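Review bot: The cgit vhost keeps `enableACME = true` (context line above the new `listen` block) and will therefore request its own certificate, while grafana, navidrome and transmission are switched in this commit to `useACMEHost = config.homelab.domain`; if the cgit hostname sits under that domain, `useACMEHost = config.homelab.domain;` in place of `enableACME = true;` would reuse the wildcard and avoid a redundant issuance. Separately, `192.168.6.40` is now hard-coded in four service modules (this hunk, grafana, navidrome, transmission); an option next to `homelab.domain` holding the listen address would keep it in one place, the way the domain already is. The enclosing `virtualHosts` attrset continues outside the hunk.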
diff --git a/modules/services/monitoring/grafana.nix b/modules/services/monitoring/grafana.nix
index 9b75fc3..28e86f6 100644
--- a/modules/services/monitoring/grafana.nix
+++ b/modules/services/monitoring/grafana.nix
@@ -46,15 +46,15 @@ in
 
     services.nginx.virtualHosts."${cfg.vhostName}" = {
       forceSSL = true;
-      useACMEHost = cfg.vhostName;
+      useACMEHost = config.homelab.domain;
       listen = [
         {
-          addr = "100.85.232.66";
+          addr = "192.168.6.40";
           port = 443;
           ssl = true;
         }
         {
-          addr = "100.85.232.66";
+          addr = "192.168.6.40";
           port = 80;
           ssl = false;
         }
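Review bot: The listen address moves from `100.85.232.66` to `192.168.6.40`, which changes which network can reach the vhost: the old address lies in 100.64.0.0/10, the range Tailscale assigns, so the service was presumably reachable only over the tailnet, whereas `192.168.6.40` looks like a LAN address. The same move is made in navidrome and transmission, and the commit does not say whether the wider reach is intended. If it is, a one-line comment above `listen`, e.g. `# bind to the LAN address; the wildcard cert covers this vhost`, stops a later reader from treating it as a regression; if it is not, the firewall rules for 80/443 on that interface deserve a look alongside this change.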
@@ -67,11 +67,6 @@ in
       };
     };
 
-    security.acme.certs."${cfg.vhostName}" = {
-      dnsProvider = "gcloud";
-      credentialsFile = secrets."acme/credentials".path;
-    };
-
     my.services.backup = {
       paths = [ "/var/lib/grafana" ];
       exclude = [
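Review bot: Removing `security.acme.certs."${cfg.vhostName}"` drops what may be this module's only use of `secrets."acme/credentials"`; if the module binds `secrets = config.age.secrets` at the top the way hosts/tahoe/services.nix does, that binding is now dead and should go in the same commit. The matching deletions in navidrome and transmission have the same effect. The `acme/credentials` agenix entry itself may likewise be unreferenced after this change, which cannot be confirmed from the hunks shown.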
diff --git a/modules/services/navidrome/default.nix b/modules/services/navidrome/default.nix
index 1e3b6e7..1c8243a 100644
--- a/modules/services/navidrome/default.nix
+++ b/modules/services/navidrome/default.nix
@@ -21,20 +21,22 @@ in
   config = lib.mkIf cfg.enable {
     services.navidrome = {
       enable = true;
-      settings = { MusicFolder = cfg.musicFolder; };
+      settings = {
+        MusicFolder = cfg.musicFolder;
+      };
     };
 
     services.nginx.virtualHosts."${cfg.vhostName}" = {
       forceSSL = true;
-      useACMEHost = cfg.vhostName;
+      useACMEHost = config.homelab.domain;
       listen = [
         {
-          addr = "100.85.232.66";
+          addr = "192.168.6.40";
           port = 443;
           ssl = true;
         }
         {
-          addr = "100.85.232.66";
+          addr = "192.168.6.40";
           port = 80;
           ssl = false;
         }
@@ -45,11 +47,6 @@ in
       };
     };
 
-    security.acme.certs."${cfg.vhostName}" = {
-      dnsProvider = "gcloud";
-      credentialsFile = secrets."acme/credentials".path;
-    };
-
     my.services.backup = {
       paths = [ "/var/lib/navidrome" ];
       exclude = [ "/var/lib/navidrome/cache/" ];
diff --git a/modules/services/nginx/default.nix b/modules/services/nginx/default.nix
index f745b9b..ec71ba2 100644
--- a/modules/services/nginx/default.nix
+++ b/modules/services/nginx/default.nix
@@ -18,11 +18,6 @@ in
     # Nginx needs to be able to read the certificates
     users.users.nginx.extraGroups = [ "acme" ];
 
-    security.acme = {
-      defaults.email = "franck@fcuny.net";
-      acceptTerms = true;
-    };
-
     services.prometheus = {
       exporters.nginx = {
         enable = true;
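Review bot: `security.acme.acceptTerms` and `defaults.email` leave the shared nginx module and now exist only in profiles/acme.nix, which this commit imports for tahoe alone (hosts/tahoe/default.nix); any other host that uses this module with `enableACME` or `useACMEHost` will trip the ACME module's acceptTerms assertion unless it also imports the profile. If tahoe is the only host doing ACME this is fine, but the dependency is invisible here. A comment next to `users.users.nginx.extraGroups = [ "acme" ];` such as `# ACME itself is configured in profiles/acme.nix` would make it explicit.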
diff --git a/modules/services/transmission/default.nix b/modules/services/transmission/default.nix
index 824f7a5..43c4675 100644
--- a/modules/services/transmission/default.nix
+++ b/modules/services/transmission/default.nix
@@ -35,15 +35,15 @@ in
 
     services.nginx.virtualHosts."${cfg.vhostName}" = {
       forceSSL = true;
-      useACMEHost = cfg.vhostName;
+      useACMEHost = config.homelab.domain;
       listen = [
         {
-          addr = "100.85.232.66";
+          addr = "192.168.6.40";
           port = 443;
           ssl = true;
         }
         {
-          addr = "100.85.232.66";
+          addr = "192.168.6.40";
           port = 80;
           ssl = false;
         }
@@ -54,11 +54,6 @@ in
       };
     };
 
-    security.acme.certs."${cfg.vhostName}" = {
-      dnsProvider = "gcloud";
-      credentialsFile = secrets."acme/credentials".path;
-    };
-
     networking.firewall = {
       allowedTCPPorts = [ 52213 ];
       allowedUDPPorts = [ 52213 ];
diff --git a/profiles/acme.nix b/profiles/acme.nix
new file mode 100644
index 0000000..7fc62d3
--- /dev/null
+++ b/profiles/acme.nix
@@ -0,0 +1,18 @@
+{ pkgs, lib, config, ... }:
+let
+  secrets = config.age.secrets;
+in
+{
+  security.acme.acceptTerms = true;
+  security.acme.defaults = {
+    email = "le@fcuny.net";
+    dnsProvider = "gandiv5";
+    group = config.services.nginx.group;
+    credentialsFile = secrets."gandi/apikey".path;
+    dnsPropagationCheck = true;
+  };
+  security.acme.certs."${config.homelab.domain}" = {
+    domain = "*.${config.homelab.domain}";
+    extraDomainNames = [ config.homelab.domain ];
+  };
+}
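Review bot: `pkgs` and `lib` in the argument set at the top of the new file are unused; `{ config, ... }:` is sufficient. The `credentialsFile` must decrypt to the environment-file format lego expects for the `gandiv5` provider, which nothing here records; a comment on that line, e.g. `# lego env file: GANDIV5_API_KEY=<token>`, would save the next person a lookup and is worth mirroring in the secret's definition. `dnsPropagationCheck = true` matches the option's default and can be dropped unless it is kept as explicit documentation. The wildcard cert `*.${config.homelab.domain}` with the apex in `extraDomainNames` is keyed by the same name the other modules now pass to `useACMEHost`, which is consistent.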
diff --git a/profiles/nas.nix b/profiles/nas.nix
index d1033af..7dc92da 100644
--- a/profiles/nas.nix
+++ b/profiles/nas.nix
@@ -1,8 +1,8 @@
 { config, pkgs, ... }:
 {
   imports = [
-    ./server.nix
     ./btrfs.nix
+    ./server.nix
   ];
 
   users.groups.nas.gid = 5000;