Philipp
5792e478af
This replaces caddy and the port exposure, this is more efficent and easier to manage in the future.
38 lines
738 B
Nix
38 lines
738 B
Nix
{
|
|
lib,
|
|
config,
|
|
namespace,
|
|
...
|
|
}:
|
|
with lib;
|
|
with lib.${namespace};
|
|
let
|
|
cfg = config.${namespace}.services.acme;
|
|
in
|
|
{
|
|
options.${namespace}.services.acme = {
|
|
enable = mkBoolOpt false "ACME";
|
|
};
|
|
|
|
config = mkIf cfg.enable {
|
|
security.acme = {
|
|
acceptTerms = true;
|
|
defaults.email = "admin+acme@stahl.sh";
|
|
certs."stahl.sh" = {
|
|
domain = "stahl.sh";
|
|
extraDomainNames = [ "*.stahl.sh" ];
|
|
dnsProvider = "infomaniak";
|
|
dnsPropagationCheck = true;
|
|
environmentFile = "/run/secrets/acme";
|
|
};
|
|
};
|
|
|
|
users.users.nginx.extraGroups = [ "acme" ];
|
|
|
|
sops.secrets.acme = {
|
|
format = "dotenv";
|
|
sopsFile = ../../../../secrets/blarm-acme.env;
|
|
};
|
|
};
|
|
|
|
}
|