feat: agenix for ssl certificates

2025-03-10 13:52:42 +01:00 · 2025-03-10 13:52:42 +01:00 · 22fb85a881
commit 22fb85a881
parent e1ae95daef
4 changed files with 12 additions and 3 deletions
--- a/hosts/raptus/default.nix
+++ b/hosts/raptus/default.nix
@ -26,6 +26,7 @@ in
      group = "rustypaste";
    };
    forgejo-runner-token.file = ../../secrets/forgejo-runner-token.age;
+    acme.file = ../../secrets/acme.age;
  };

  boot.loader.grub = {
@ -97,6 +98,9 @@ in
    acme = {
      defaults.email = "admin@ccnlc.eu";
      acceptTerms = true;
+      dnsProvider = "ovh";
+      environmentFile = config.age.secrets.acme.path;
+
    };
  };

--- a/hosts/shan/default.nix
+++ b/hosts/shan/default.nix
@ -27,6 +27,7 @@
      file = ../../secrets/freshrss-default-password.age;
      owner = config.services.freshrss.user;
    };
+    acme.file = ../../secrets/acme.age;
  };

  boot.loader.grub = {
@ -149,7 +150,7 @@
    defaults = {
      email = "contact@ccnlc.eu";
      dnsProvider = "ovh";
-      environmentFile = "/run/secrets/ovh";
+      environmentFile = config.age.secrets.acme.path;
    };

    certs."ccnlc.eu" = {
@ -161,7 +162,7 @@
    enable = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;
-    clientMaxBodySize = "100M";
+    clientMaxBodySize = "2000M";
    virtualHosts =
      let
        mkVHLocal = mkVH "http://localhost";
@ -175,7 +176,6 @@
              proxy_set_header Upgrade $http_upgrade;
              proxy_set_header Connection $http_connection;
              proxy_http_version 1.1;
-              client_max_body_size 2000M;
            '';
          };
          useACMEHost = "ccnlc.eu";
--- a/secrets/acme.age
+++ b/secrets/acme.age
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -24,4 +24,9 @@ in
    shan
    ny
  ];
+  "acme.age".publicKeys = [
+    shan
+    raptus
+    ny
+  ];
 }