Use ACME for certificates

Simplifies a lot the configuration. It eliminates the overlay and it accepts the key via environment file
2024-11-06 12:09:39 +01:00 · 2024-11-06 12:09:39 +01:00 · d86ded0d74
commit d86ded0d74
parent 191119d1f1
4 changed files with 77 additions and 22 deletions
--- a/modules/networking/caddy.nix
+++ b/modules/networking/caddy.nix
@ -13,6 +13,23 @@ in
 {
  options.my.networking.caddy = {
    enable = lib.mkEnableOption "Enable caddy as reverse proxy";
+
+    domain = lib.mkOption {
+      default = "example.com";
+      type = lib.types.str;
+      description = ''
+        The domain where Caddy is reachable
+      '';
+    };
+
+    email = lib.mkOption {
+      default = "user@domain.com";
+      type = lib.types.str;
+      description = ''
+        Email for Certbot
+      '';
+    };
+
  };

  config = lib.mkIf cfg.enable {
@ -25,28 +42,50 @@ in
      };
    };

+    # Insted on relying on caddy to provide TLS, we use certbot to get a certificate
+    # https://aottr.dev/posts/2024/08/homelab-setting-up-caddy-reverse-proxy-with-ssl-on-nixos/
+    security.acme = {
+      acceptTerms = true;
+      defaults.email = cfg.email;
+
+      # TESTING ONLY!
+      # defaults.server = "https://acme-staging-v02.api.letsencrypt.org/directory";
+
+      certs."${cfg.domain}" = {
+        group = config.services.caddy.group;
+
+        domain = "${cfg.domain}";
+        extraDomainNames = [ "*.${cfg.domain}" ];
+        dnsProvider = "cloudflare";
+        dnsResolver = "1.1.1.1:53";
+        dnsPropagationCheck = true;
+        environmentFile = config.age.secrets.cloudflare-tegola-apiKey.path;
+      };
+    };
+
    services.caddy = {
      enable = true;
-      package = pkgs.caddy-custom;
-      # acmeCA = "https://acme-staging-v02.api.letsencrypt.org/directory"; # ONLY FOR DEVELOPMENT!
      globalConfig = ''
        admin :2024
        servers {
          metrics
        }
      '';
-      extraConfig = ''
-        (cloudflare) {
-          tls {
-            dns cloudflare {env.CLOUDFLARE_KEY}
-            resolvers 1.1.1.1 100.100.100.100
+
+      extraConfig =
+        let
+          certPath = config.security.acme.certs."${cfg.domain}".directory;
+        in
+        ''
+          (cloudflare) {
+            tls ${certPath}/cert.pem ${certPath}/key.pem {
+              protocols tls1.3
+            }
          }
-        }
-      '';
+        '';
    };

    systemd.services.caddy.serviceConfig = {
-      EnvironmentFile = config.age.secrets.cloudflare-tegola-apiKey.path;
      AmbientCapabilities = "CAP_NET_BIND_SERVICE";
    };