chore: maintain

2026-01-20 13:41:53 +08:00 · 2026-01-20 13:41:53 +08:00 · 25482857d4
commit 25482857d4
parent 2378a66114
58 changed files with 1095 additions and 747 deletions
--- a/system/dev/dn-server/services/acme.nix
+++ b/system/dev/dn-server/services/acme.nix
@ -0,0 +1,59 @@
+{
+  config,
+  pkgs,
+  ...
+}:
+let
+  inherit (config.sops) secrets;
+in
+{
+  users.users.nginx.extraGroups = [ "acme" ];
+
+  sops.secrets = {
+    "acme/pdns" = {
+      mode = "0660";
+      owner = "acme";
+      group = "acme";
+    };
+
+    "acme/cloudflare" = {
+      mode = "0640";
+    };
+  };
+
+  systemConf.security.allowedDomains = [
+    "acme-v02.api.letsencrypt.org"
+    "api.cloudflare.com"
+  ];
+
+  security.acme = {
+    acceptTerms = true;
+    defaults = {
+      server = "https://10.0.0.1:${toString config.services.step-ca.port}/acme/acme/directory";
+      validMinDays = 2;
+      renewInterval = "daily";
+      email = "danny@net.dn";
+      dnsProvider = "pdns";
+      dnsPropagationCheck = false;
+      environmentFile = secrets."acme/pdns".path;
+    };
+
+    certs."dnywe.com" = {
+      domain = "*.dnywe.com";
+      extraDomainNames = [
+        "*.stalwart.dnywe.com"
+      ];
+      server = "https://acme-v02.api.letsencrypt.org/directory";
+      dnsProvider = "cloudflare";
+      dnsResolver = "1.1.1.1:53";
+      email = "postmaster@dnywe.com";
+      dnsPropagationCheck = true;
+      environmentFile = pkgs.writeText "lego-config" ''
+        LEGO_CA_CERTIFICATES=${config.security.pki.caBundle}
+      '';
+      credentialFiles = {
+        "CLOUDFLARE_DNS_API_TOKEN_FILE" = secrets."acme/cloudflare".path;
+      };
+    };
+  };
+}