colmena/cobalt/services/acme.nix


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26

let
  poorObfuscation = y: x: "${x}@${y}";
in
{
  security.acme = {
    acceptTerms = true;
    defaults.email = poorObfuscation "sefidel.com" "postmaster";
    certs = {
      "sefidel.com" = {
        domain = "*.sefidel.com";
        dnsProvider = "hetzner";
        dnsPropagationCheck = true;
        credentialsFile = "/persist/secrets/hetzner.key";
      };
    };
  };

  environment.persistence."/persist".directories = [
    "/var/lib/acme"
  ];

  deployment.keys."hetzner.key" = {
    keyCommand = [ "pass" "show" "server/hetzner-dns" ];
    destDir = "/persist/secrets";
  };
}