From de4f48353e51db5d99297015950c2d4be9315073 Mon Sep 17 00:00:00 2001
From: Zynh Ludwig
Date: Fri, 27 Dec 2024 20:15:01 -0800
Subject: [PATCH] certs: cloudflare key

---
 modules/nginx.nix | 10 ++++++++++
 secrets.yaml | 7 +++++--
 2 files changed, 15 insertions(+), 2 deletions(-)

diff --git a/modules/nginx.nix b/modules/nginx.nix
index d0ae598..232adbd 100644
--- a/modules/nginx.nix
+++ b/modules/nginx.nix
@@ -24,6 +24,10 @@ in
 
 config = lib.mkIf cfg.enable {
 services.nginx.enable = true;
+
+ sops.secrets."cloudflare/email" = { };
+ sops.secrets."cloudflare/api_key" = { };
+
 security.acme.acceptTerms = true;
 security.acme.certs.permafrost = lib.mkIf cfg.enableACME {
 email = "Zynh0722@gmail.com";
@@ -35,6 +39,12 @@ in
 then "https://acme-staging-v02.api.letsencrypt.org/directory"
 else config.security.acme.defaults.server;
 extraDomainNames = cfg.certDomains;
+
+ dnsProvider = "cloudflare";
+ credentialFiles = {
+ "CF_API_EMAIL_FILE" = config.sops.secrets."cloudflare/email".path;
+ "CF_DNS_API_TOKEN_FILE" = config.sops.secrets."cloudflare/api_key".path;
+ };
 };
 
 networking.firewall.allowedTCPPorts = [ 80 443 ];
diff --git a/secrets.yaml b/secrets.yaml
index 84a8d09..a2bfbc0 100644
--- a/secrets.yaml
+++ b/secrets.yaml
@@ -1,5 +1,8 @@
 passwords:
 ravenshade: ENC[AES256_GCM,data:zWSMfn1NhvjJ41w8gh8rWHAGhhfx/m19CDT+V8opc/ToDqSC83ajHJ7g9wo5UFuTfVqd3hhw0+CLAINp/QFf10790UPZmiTqrQ==,iv:WYfg7XG1J68IxAaG5HA/9hXaAo3DPdArozUm0WQNtR0=,tag:jfgcLT1/cDxW5AgIbksIgA==,type:str]
+cloudflare:
+ email: ENC[AES256_GCM,data:1Z8m/dMfgNRFOuvndAL+5reB,iv://WYj8Y3a9Hy5P2wayA+aU1u06xqrsz1jabtZv0D46Q=,tag:Y8vYMWq4473gIqFcq9Yf9Q==,type:str]
+ api_key: ENC[AES256_GCM,data:LWWECE2TQfDoRT1nlPR/4tJ38msZNkIhze8EwkF4MvxA8lw4CslBjw==,iv:/cIBwSHQ0DViFcgI3jR8qlih1FvGYQDi6aV2licm9Pg=,tag:+43MkkEqHe++rJO5tyfXNw==,type:str]
 sops:
 kms: []
 gcp_kms: []
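Review bot: Both `sops.secrets` declarations sit directly under `lib.mkIf cfg.enable`, while their only consumer visible in this patch is the `permafrost` cert block guarded by `cfg.enableACME`, so a host with nginx enabled and ACME disabled still has the Cloudflare credential decrypted onto it. Guarding them keeps the credential off hosts that do not need it, e.g. `sops.secrets."cloudflare/api_key" = lib.mkIf cfg.enableACME { };` and the same for the email entry. The empty `{ }` leaves owner and mode at the sops-nix defaults; a one-line comment saying the files are handed to the ACME unit through `credentialFiles` (presumably read by the service manager rather than by the `acme` user, worth confirming) would explain why no `owner` is set. The `config` block starts above and ends below this hunk.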
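Review bot: `CF_DNS_API_TOKEN_FILE` is fed from a secret named `cloudflare/api_key` and paired with `CF_API_EMAIL_FILE`, which mixes lego's two Cloudflare credential styles: the email goes with the global key (`CF_API_KEY`), whereas `CF_DNS_API_TOKEN` is a scoped token used on its own. The ciphertext does not show which kind of value is stored, so this needs confirming. If it is a token, restrict it to Zone:Read and DNS:Edit on the one zone being validated, drop the email entry, and rename the secret to `cloudflare/api_token`. If it is a global API key, it carries full account access and would have to be passed as `CF_API_KEY_FILE`; replacing it with a scoped token is the safer fix.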
@@ -24,8 +27,8 @@ sops:
 dUk3UkE4dEFTTlNqTmNMbkh2M0ZWSTgKBKhzo5inQL8LXWyiD7ZqjfXZpZFPWgM8
 b4urS/bu1qvX12Nu4IYls/xLV6Tca5DJ5+cXfYMec4TcydlUVcxJLw==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-12-28T05:25:33Z"
- mac: ENC[AES256_GCM,data:8fnd7hhq3QplMCIL82VyHaWykHxoOzgovB8ij6B2B1f7C+h20PcaFlEZHWCb15L/kU6Hc3aL2rfkLR6DYAJnWRrTBLPyNHo0CvnUDTqVB0BU2asY27hPnAJZ2zBt6qdkk5enGf3qgKjQI+1HwftALhIstsiyiem8u/f4OX3HE0s=,iv:VU2SKF28hX4BXEFBhjZMiO+ZaNN7z5mVBviuzIc0vMA=,tag:5hJ/zR4r2BCVjQ7ZEM8V4g==,type:str]
+ lastmodified: "2024-12-28T05:40:19Z"
+ mac: ENC[AES256_GCM,data:yNooB5pD8mCD8BVOC7kojOyp64lHZoxJNxSFZjZvh1xCw5wCG95JuzCjHqdJKa0a84C6HfsLshGAQ3fM30DiZfwA9vKar+hPh/p7FksHgTrV0bi04pSImpBycOveztkQyLya39kI7kgKDbCG2wDJ72mYB89+oCQe+nC8cKKt88I=,iv:fpwobK48VBXPhax1IQ2z2/7oACTX3eGEEZmAp3T1pIc=,tag:BvDzVcgvKSmf0tfHiCgeXA==,type:str]
 pgp: []
 unencrypted_suffix: _unencrypted
 version: 3.9.2