Use ACME for certificates

Simplifies a lot the configuration. It eliminates the overlay and it accepts the key via environment file

hosts/caddy/default.nix

@@ -58,7 +58,12 @@ in
         authKeyFile = config.age.secrets.tailscale-authKey.path;
       };
 
-      caddy.enable = true;
+      caddy = {
+        enable = true;
+        email = "pasettodavide@gmail.com";
+        domain = "tegola.pro";
+      };
+
     };
 
     virtualisation = {

hosts/default.nix

@@ -13,7 +13,7 @@ let
   # customOverlays = import ../overlay;
   customOverlays = (
     final: prev: {
-      caddy-custom = prev.callPackage ../overlay/caddy-custom.nix { };
+      # caddy-custom = prev.callPackage ../overlay/caddy-custom.nix { };
       jellyseerr = nixpkgs-unstable.legacyPackages."x86_64-linux".jellyseerr;
     }
   );
@@ -99,4 +99,15 @@ in
     # specialArgs = { };
   };
 
+  nextcloud = nixpkgs.lib.nixosSystem {
+    pkgs = pkgs "x86_64-linux";
+    modules = [
+      myModule
+      proxmoxModule
+      ./nextcloud
+      agenix.nixosModules.default
+    ];
+    # specialArgs = { };
+  };
+
 }

modules/networking/caddy.nix

@@ -13,6 +13,23 @@ in
 {
   options.my.networking.caddy = {
     enable = lib.mkEnableOption "Enable caddy as reverse proxy";
+
+    domain = lib.mkOption {
+      default = "example.com";
+      type = lib.types.str;
+      description = ''
+        The domain where Caddy is reachable
+      '';
+    };
+
+    email = lib.mkOption {
+      default = "user@domain.com";
+      type = lib.types.str;
+      description = ''
+        Email for Certbot
+      '';
+    };
+
   };
 
   config = lib.mkIf cfg.enable {
@@ -25,28 +42,50 @@ in
       };
     };
 
+    # Insted on relying on caddy to provide TLS, we use certbot to get a certificate
+    # https://aottr.dev/posts/2024/08/homelab-setting-up-caddy-reverse-proxy-with-ssl-on-nixos/
+    security.acme = {
+      acceptTerms = true;
+      defaults.email = cfg.email;
+
+      # TESTING ONLY!
+      # defaults.server = "https://acme-staging-v02.api.letsencrypt.org/directory";
+
+      certs."${cfg.domain}" = {
+        group = config.services.caddy.group;
+
+        domain = "${cfg.domain}";
+        extraDomainNames = [ "*.${cfg.domain}" ];
+        dnsProvider = "cloudflare";
+        dnsResolver = "1.1.1.1:53";
+        dnsPropagationCheck = true;
+        environmentFile = config.age.secrets.cloudflare-tegola-apiKey.path;
+      };
+    };
+
     services.caddy = {
       enable = true;
-      package = pkgs.caddy-custom;
-      # acmeCA = "https://acme-staging-v02.api.letsencrypt.org/directory"; # ONLY FOR DEVELOPMENT!
       globalConfig = ''
         admin :2024
         servers {
           metrics
         }
       '';
-      extraConfig = ''
+
+      extraConfig =
+        let
+          certPath = config.security.acme.certs."${cfg.domain}".directory;
+        in
+        ''
           (cloudflare) {
-          tls {
-            dns cloudflare {env.CLOUDFLARE_KEY}
-            resolvers 1.1.1.1 100.100.100.100
+            tls ${certPath}/cert.pem ${certPath}/key.pem {
+              protocols tls1.3
             }
           }
         '';
     };
 
     systemd.services.caddy.serviceConfig = {
-      EnvironmentFile = config.age.secrets.cloudflare-tegola-apiKey.path;
       AmbientCapabilities = "CAP_NET_BIND_SERVICE";
     };
 

secrets/cloudflare-tegola-apiKey.age

@@ -1,11 +1,11 @@
 age-encryption.org/v1
--> ssh-ed25519 BFt3Fg 3BOjRS3gXw2m7aF/cFMDIUEkxXOa+c5CyBI7YRLqGms
-v/evjDvdsenaKYYd3kiRqmVZQbeIUkVuPGOheZtJEOs
--> ssh-ed25519 Si3UKw H/AzU/m7neT+UV9OrXTRPZtEUIu59iofjDoSTvyPTk0
-d7qkQT90YhD1XTUFreMw+/1paJjpj5xQxltnkuNYE6E
--> ssh-ed25519 3UG3uw Dktzj/64DXaVRTmbsM5hWBftPFo8QSDvGl/xqG2lATQ
-5yTfsJGFruBVXd3foK5Qtts7tvY3DbBEuoFOVnUiIgM
--> ssh-ed25519 JEhtoQ 4EZdqHV1NCL5KkY16HWmln3lo8ZvOJMXSxiCkwXQxD4
-l9KfUtJLcXTT2g9tvujcthhMoXcpcdh+BAIl1go07VU
---- cPsKGqV7VxQBE4YNw8vftdGTSW62AWWVPwxP2yoYwcw
-JM§´¹ÖÀY¾ùÞ(R@É7³³G.S`<b*ÔǵaC)”‡W^l¢U›ЮjÒxÿ¾º"£aE1UÑéŽCL•A;8± ߥ>0L”<4C>sÇltoPÛäPq
+-> ssh-ed25519 BFt3Fg W//eYYU4aPOIstbKg/42XU5RlwAwqB2P/+BBiVInxCY
+F06umStqDvKdQR2c5Xi9KOn7PLV7jXTQQOmgStO0dXM
+-> ssh-ed25519 Si3UKw +KBURMIwbPhiO7QjaSyRp3Y8TRQ5PKvEJG7iLxxEmRY
+yzXCbhXynQXnZ5OvCutMx1lNrHdP4y2ZMfLDX242IRM
+-> ssh-ed25519 3UG3uw XMPr/2l6UcS7GOkBQHciCMRPLsCB3qt/SP6NwRUv4go
+qgTyMKDDdo5wMEfrW47KkzMReltqXXW1qfaQGuBYYKc
+-> ssh-ed25519 JEhtoQ 7iktd5bTGrk9zWI3S4pd9vrTYBJ+fWtv58l4YEw+4Qk
+k1DmUoPoDlxu3VzvdF+0gH3HeOJ+QZ+qmagzbdCK+eQ
+--- OxYCCTwnyL3tR5JmlM4Pxb6dctimEeML2Jz0EUGYUpk
+<EFBFBD>Öq¸+X/W¾ªð®WÚ+k‹káïW‘<-ʬ¢ÛˆÔðý²ì=­n{t†£•Ït²âòë<C3B2>x±¤¹y#	'È#×+^£fm2Jˆ-ØÉÈ^ü)\À]Jˆ“v‚<><E2809A>