# NixOS module: a single ACME certificate for sefidel.com plus its service
# subdomains, validated with the DNS-01 challenge via the Hetzner DNS API.
{ config, ... }:
let
  # Builds "<user>@<domain>" so the literal address is not spelled out in the
  # repository. As the name says, this only slows down naive address
  # scrapers; the resulting value is not secret.
  poorObfuscation = domain: user: "${user}@${domain}";
in
{
  # DNS API credential managed through sops. Ownership goes to "acme" so the
  # account that performs renewals can read the decrypted file.
  # NOTE(review): whoever holds this token can presumably edit the DNS zone
  # and so pass DNS-01 for any name in it - scope it as narrowly as the
  # provider allows and confirm the secret's mode stays owner-only.
  sops.secrets.hetzner-dns-key.owner = "acme";

  security.acme.acceptTerms = true;
  security.acme.defaults.email = poorObfuscation "sefidel.com" "postmaster";

  security.acme.certs."sefidel.com" = {
    domain = "sefidel.com";
    # Additional names requested on the same certificate as the main domain.
    # Every service sharing it also shares one private key.
    extraDomainNames = [
      "bouncer.sefidel.com"
      "git.sefidel.com"
      "matrix.sefidel.com"
    ];
    dnsProvider = "hetzner";
    # Wait for the challenge record to be visible before asking the CA to
    # validate, which avoids failed orders caused by slow DNS propagation.
    dnsPropagationCheck = true;
    # Only the path of the decrypted secret is referenced here, so the
    # credential itself is never embedded in this file. The file is expected
    # in environment-file form (VAR=value lines) for the chosen dnsProvider.
    credentialsFile = config.sops.secrets.hetzner-dns-key.path;
  };

  # Keep ACME state across reboots on a host with an ephemeral root.
  # NOTE(review): /var/lib/acme normally holds the account key and the
  # certificates' private keys, so the "/persist" volume needs the same
  # protection (permissions, encryption at rest, backup handling) as any
  # other key store.
  environment.persistence."/persist".directories = [ "/var/lib/acme" ];
}