feat(roles/acme.nix): add DNS provider configuration for OVH

2024-12-07 10:52:52 +00:00 · 2024-12-07 10:52:52 +00:00 · c14ae459ff
commit c14ae459ff
parent 1cc6cf9f95
4 changed files with 48 additions and 3 deletions
--- a/hosts/architect/options.nix
+++ b/hosts/architect/options.nix
@ -129,7 +129,7 @@ with lib;
    services.nginx.virtualHosts = mapAttrs
      (domain: conf: {
        forceSSL = true;
-        enableACME = true;
+        useACMEHost= "giugl.io";
        locations = mapAttrs
          (path: location: {
            proxyPass = "http://${location.host}:${toString location.port}${location.path}";
--- a/roles/acme.nix
+++ b/roles/acme.nix
@ -1,10 +1,25 @@
-{ options, lib, config, ... }:
+{ config, ... }:

+let
+  giuglioDomain = "giugl.io";
+in
 {
-  config.security.acme = {
+  age.secrets.ovh = {
+    file = ../secrets/ovh.age;
+    owner = "acme";
+  };
+  security.acme = {
    acceptTerms = true;
+    certs.${giuglioDomain} =
+      {
+        dnsProvider = "ovh";
+        environmentFile = config.age.secrets.ovh.path;
+        extraDomainNames = [ "*.${giuglioDomain}" ];
+      };
    defaults = {
      email = "letsencrypt@depasquale.giugl.io";
+      dnsProvider = "ovh";
+      environmentFile = config.age.secrets.ovh.path;
    };
  };
 }
--- a/secrets/ovh.age
+++ b/secrets/ovh.age
@ -0,0 +1,29 @@
+age-encryption.org/v1
+-> ssh-rsa QXZdow
+aYgowxTfdGOqTYOZBbkg/dH7f+m6nvVF/8qZX0DE4hazln/QS9maWbkOwD7FLldm
+HRNV/YwZZEhbujHbDqgxnXk7Q11KOA72864B6mF2VZUruyo0cnACqo7OyzwApqv/
+LPjGb9h/gCJpQ3a5Jdh202FfaNGAh358fZVDyd37XPSOykiIAAxgMlDyn+96OiM
+P2vsyduWXDsqzCqtiNQrKVjryI5CIGOTAcYTgQ35S3uXFD8Gu27KfagUwZp2hdyp
+3WmGl+ZTrPNdOwzLWGj/RXaeTslABn1Owmq1naASRvJpp97ToynRzkDA50rBqUyR
+vGVB9IJxSjkSm3BJ4UAI6rpoz/6t2jkfNNE1cPix4AYjPAMyU+uiUSaZ/UBkwlXw
+08rM1eGcBaErB1ExcDV5+jUCdJBfi6Q9vIG7Ty4wbN1PfztAhzEyzT0L1bTn1AKC
+4S9n5lqFa1CdraK9eh2A+o9CNlkta+Z24ctPTVqBYtImBTKHOTofhr0omQdFV6M2
+bhxsOoAAoNhwn/lWC2fAcgfPQrUOW524+eHyPjsvf4rNNv0bk5EP1J4vMrWr9rqJ
+v5GEQ77YVXYQthiyg74XYc3Eo8sbtE+ncDoOquzdT385POd870qi1ht+JMY6OEmj
+q8lxVau2SFTKPkkmZKmtoNrYdKp5+DsB3nOUKcIXofs
+-> ssh-ed25519 7eGqHw cCrhq1kfav4TYAUOpP4O6fQ958O37Uad2jX9SUrnxn4
+TSiMyrYsdblB5SFwZpw7HhmicWX1vNomhBP4HtlvHJo
+-> ssh-rsa tO3rGg
+J6oPMt6hiry6ks3hlAjUAY1AzEYU+7voto5XC+I6Fmyfabz9zaJ3TtbCPVF5BRNR
+DOYLiD24EbcVoqECn2A2MRK1xH4owBD5YaE3Il2NwSJHhC+ZhROaMTu5mHxbzK/u
+BF2MLRZ0Bwwq4szaHoFf12TFwNtIRZXS9m6l4jHdsxWj6x0iui18p3JLxij1cVwE
+03rSWz+9c8bpZ6LHuPJAhatBZHSZwkKwH8Dn8NOxCLmVNRM4PyvJsj9lRn7fMwRY
+64QI2z6bRAry6oINbVAAOsPlM0Ix+7hbFs/UstnENFqfcDvPzrrhALDhuDLIJpGu
+WgAaMStZGjydy0oqHJceuduxVreqTlfiki7yruRFqRBgjMopwOsw5i9UPWR6SZ+E
+cUCFeEynUMrmFSp5qvDX0WtkU2G/GRFEPaB+k+UN+JduIRb2RBCLt2uG0249TwO8
+T4sq098XTM8wARgOv6n51lHFCPpM3iSbP5KMCYH9FhsJV0Qu9Q7157McNZuVL9Ie
+
+--- KYLAPCcTkg/tF2c2ni4UaBTV5AhUleg8GgJH0oRQSK0
+½;¬jŒ<6A>aç¾„ïÓÄ<C393>5`hÂŒø»æy;JúãÈå³C¢µ‡£ÏwX:eßøw³ù»ÜH
+L<EFBFBD>he’jCÓ2¨ì"#Ëµ„=Î/Ç²ˆ1ÒÅÿ¼™^Nû$ÃéM·úqN…v1µØÁ–Ç”ç¸T¦ÌñÙ—Ç0FsÕ(WeõöË…¡˜Ý8|^‹iYFQæ3œ ¡Õ
+A¤1ïEÜÂÚM_=;•¸‚×jFÜVý[Ýät°¬{©
w×…Ê<E280A6>Ö)
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -11,4 +11,5 @@ in
  "nextcloud-database.age".publicKeys = pubkeys;
  "restic-environment.age".publicKeys = pubkeys;
  "restic-passwords.age".publicKeys = pubkeys;
+  "ovh.age".publicKeys = pubkeys;
 }