add acme for wildcard ssl certificate

hosts/controller/default.nix

@@ -26,6 +26,14 @@
     searx_secret_key = {
       sopsFile = ./secrets.yaml;
     };
+
+    "cloudflare_credentials/email" = {
+      sopsFile = ./secrets.yaml;
+    };
+
+    "cloudflare_credentials/dns_api_token" = {
+      sopsFile = ./secrets.yaml;
+    };
   };
 
   boot = {
@@ -44,8 +52,26 @@
 
   security = {
     sudo.wheelNeedsPassword = false;
+
+    acme = {
+      acceptTerms = true;
+      defaults.email = "0xtux@pm.me";
+      certs = {
+        "tux.rs" = {
+          domain = "*.tux.rs";
+          extraDomainNames = ["tux.rs"];
+          dnsProvider = "cloudflare";
+          credentialFiles = {
+            CLOUDFLARE_EMAIL_FILE = config.sops.secrets."cloudflare_credentials/email".path;
+            CLOUDFLARE_DNS_API_TOKEN_FILE = config.sops.secrets."cloudflare_credentials/dns_api_token".path;
+          };
+        };
+      };
+    };
   };
 
+  users.users.nginx.extraGroups = ["acme"];
+
   services = {
     borgbackup.jobs.controller-backup = {
       paths = [

hosts/controller/secrets.yaml

@@ -1,5 +1,8 @@
 borg_encryption_key: ENC[AES256_GCM,data:7DZQaoS2a5mPjTej25vr1aO1yAAPyXT2tf/VxKrLxF0=,iv:it8JlyEj4r4Z+qDvoEWMQlGkbVh08M/BCkGLVzRCVKQ=,tag:81gRhru8J3hkQhIbgUOgBg==,type:str]
-searx_secret_key: ENC[AES256_GCM,data:FzQBnYDB6mrAfIBB1LCdTLSNltD7T1PoUGssW+EX74j/y9kNqPZOtxIYpsWqAfenEODrP+rUjrLXAsVrMLFng3ZOtBAI1HYTobA=,iv:Vty/zrD8jE2CoWfguHwDr14TUSejOTnpBHJjc9IcEiE=,tag:yz4ZdWsmg+ammb/dup6f4A==,type:str]
+searx_secret_key: ENC[AES256_GCM,data:Z49PJ2gNI5CI0IfzOta+r67VNUvjoPpMVv5lajGhUMPzSy1KWZC5wIM3d02jWwCOsNjXdU5hE3j9W0rkoy5ZhFPXBJRUEv5b6IcaLA==,iv:364zGZkD2LO189nkvizl8yjedi1IgYEEQMA67SexSSI=,tag:qPqefG6jUaBOpUy6d7E++w==,type:str]
+cloudflare_credentials:
+    email: ENC[AES256_GCM,data:qesgxkzUglKdYPI=,iv:2XDEoQzmtagSiILWZzJPswdhkQ+qjdZfNd+LL1nHPx8=,tag:K1F23Za2Zq78tzf0fl5zEw==,type:str]
+    dns_api_token: ENC[AES256_GCM,data:ibSL4KWYhqgHjo27fiSqB1iN9NWU3/qGGuLpmiMpBf+qCuh8uxR7Yw==,iv:NapMvfUSm5rgeROK7KuxGyog8s2PW9CCKtjRG87FoCQ=,tag:/Oah7PRCe4XPts0IYt83zw==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -24,8 +27,8 @@ sops:
             NGprRGVyZ2plWVNrM3drM3JSUjM2L0UKuNk5DqYn2DIfRpY72zDRP5BKoVAXtNv9
             uLI//8wc7f4I3uBdARQdpRE1fapY1UOJOn3i0yndrZARPEbdohRK1Q==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-08-25T19:35:08Z"
+    lastmodified: "2024-08-26T14:25:03Z"
-    mac: ENC[AES256_GCM,data:EtYv7GNuYAmUSSu6SZUCJTnAb42qDIQIuyTLSEsT8Jp3H7UIX7QH2eHxmAV8RfEPQ18XevQAM9UdK4YVR2trLRSBeDn/xxdFtzpo2z7kUQXz+1pDmFBLpdiPfrmNJ76ZuBr5qihiB7J8Go3KkErcyYAFEw1KQV/N4OSQB+CPnhw=,iv:QYVKKRpaJHXmICpQMhW+Le4wJwSh4yOH2NfVUpRDcbI=,tag:98m/t5U96MikHrMTgn510g==,type:str]
+    mac: ENC[AES256_GCM,data:UOxh1tIsFmYJ8i5HKhK8ckSZTbXsl6BmJATuLIJhfT93ir/sh58E9a9D6p6+Uyl6lt9qRESKRpeHUsdy4kKtXmmutQACzUHgVobzgL/1KpGYM4A/Wj5pSWGiT6D/zDkR0pJNFEshHxNfTJE8B6ZKFkHXy85nY22DW4fLjuMD4Y4=,iv:X4ArW4afDSHZ84rnn8Cuh+4Sgmk+7NXqcewgemlW+VI=,tag:2yorv0yFRAQkTZm06TQNiA==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.9.0

modules/nixos/gitea.nix

@@ -16,7 +16,7 @@
       virtualHosts = {
         "git.tux.rs" = {
           forceSSL = true;
-          enableACME = true;
+          useACMEHost = "tux.rs";
           locations = {
             "/" = {
               proxyPass = "http://localhost:3000";

modules/nixos/headscale.nix

@@ -45,7 +45,7 @@
       virtualHosts = {
         "hs.tux.rs" = {
           forceSSL = true;
-          enableACME = true;
+          useACMEHost = "tux.rs";
           locations = {
             "/" = {
               proxyPass = "http://localhost:${toString config.services.headscale.port}";

modules/nixos/monitoring/grafana.nix

@@ -20,7 +20,7 @@
       virtualHosts = {
         "grafana.tux.rs" = {
           forceSSL = true;
-          enableACME = true;
+          useACMEHost = "tux.rs";
           locations = {
             "/" = {
               proxyPass = "http://localhost:8888";

modules/nixos/monitoring/loki.nix

@@ -44,7 +44,7 @@
       virtualHosts = {
         "loki.tux.rs" = {
           forceSSL = true;
-          enableACME = true;
+          useACMEHost = "tux.rs";
           locations = {
             "/" = {
               proxyPass = "http://localhost:3100";

modules/nixos/monitoring/promtail.nix

@@ -42,7 +42,7 @@
       virtualHosts = {
         "promtail.tux.rs" = {
           forceSSL = true;
-          enableACME = true;
+          useACMEHost = "tux.rs";
           locations = {
             "/" = {
               proxyPass = "http://localhost:9080";

modules/nixos/ntfy-sh.nix

@@ -14,7 +14,7 @@
       virtualHosts = {
         "ntfy.tux.rs" = {
           forceSSL = true;
-          enableACME = true;
+          useACMEHost = "tux.rs";
           locations = {
             "/" = {
               proxyPass = "http://localhost:7070";

modules/nixos/searx.nix

@@ -30,7 +30,7 @@
       virtualHosts = {
         "sx.tux.rs" = {
           forceSSL = true;
-          enableACME = true;
+          useACMEHost = "tux.rs";
           locations = {
             "/" = {
               proxyPass = "http://localhost:3415";

modules/nixos/uptime-kuma.nix

@@ -9,7 +9,7 @@
       virtualHosts = {
         "uptime.tux.rs" = {
           forceSSL = true;
-          enableACME = true;
+          useACMEHost = "tux.rs";
           locations = {
             "/" = {
               proxyPass = "http://localhost:3001";

modules/nixos/vaultwarden.nix

@@ -15,7 +15,7 @@
       virtualHosts = {
         "bw.tux.rs" = {
           forceSSL = true;
-          enableACME = true;
+          useACMEHost = "tux.rs";
           locations = {
             "/" = {
               proxyPass = "http://localhost:8000";