From e9793beb7b58f97eede0a1ca170151b0d89d7c9d Mon Sep 17 00:00:00 2001
From: Gene Liverman <gene@technicalissues.us>
Date: Thu, 4 Apr 2024 23:41:46 -0400
Subject: [PATCH] Got dns-01 based certs

---
 .../nixos/nixnuc/containers/nginx-proxy.nix   | 31 +++++++-
 modules/hosts/nixos/nixnuc/default.nix        |  2 +-
 modules/system/common/secrets.yaml            | 76 +++++++++++++++++++
 3 files changed, 105 insertions(+), 4 deletions(-)
 create mode 100644 modules/system/common/secrets.yaml

diff --git a/modules/hosts/nixos/nixnuc/containers/nginx-proxy.nix b/modules/hosts/nixos/nixnuc/containers/nginx-proxy.nix
index bd07530..d1c22cd 100644
--- a/modules/hosts/nixos/nixnuc/containers/nginx-proxy.nix
+++ b/modules/hosts/nixos/nixnuc/containers/nginx-proxy.nix
@@ -1,8 +1,25 @@
-{ ... }: let
+{ config, ... }: let
   http_port = 8080;
   https_port = 8444;
+  gandi_api = "${config.sops.secrets.gandi_api.path}";
+  #gandi_dns_pat = "${config.sops.secrets.gandi_dns_pat.path}";
 in {
+  sops.secrets.gandi_api = {
+    sopsFile = ../../../../system/common/secrets.yaml;
+    restartUnits = [
+      "container@nginx-proxy.service"
+    ];
+  };
+  #sops.secrets.gandi_dns_pat = {
+  #  sopsFile = ../../../../system/common/secrets.yaml;
+  #  restartUnits = [
+  #    "container@nginx-proxy.service"
+  #  ];
+  #};
+
   containers.nginx-proxy = {
+    bindMounts."${gandi_api}".isReadOnly = true;
+    #bindMounts."${gandi_dns_pat}".isReadOnly = true;
     autoStart = true;
     privateNetwork = true;
     hostBridge = "br1-23";
@@ -17,13 +34,14 @@ in {
         recommendedTlsSettings = true;
 
         virtualHosts = {
-          "nix-tester.home.technicalissues.us" = {
+          "nix-tester.h.technicalissues.us" = {
             default = true;
             listen = [
               { port = http_port; addr = "0.0.0.0"; }
               { port = https_port; addr = "0.0.0.0"; }
             ];
             enableACME = true;
+            acmeRoot = null;
             forceSSL = false;
           };
         };
@@ -31,7 +49,14 @@ in {
 
       security.acme = {
         acceptTerms = true;
-        defaults.email = "lets-encrypt@technicalissues.us";
+        defaults = {
+          email = "lets-encrypt@technicalissues.us";
+          credentialFiles = { "GANDIV5_API_KEY_FILE" = gandi_api; };
+          #credentialFiles = { "GANDIV5_PERSONAL_ACCESS_TOKEN_FILE" = gandi_dns_pat; };
+          dnsProvider = "gandiv5";
+        };
+        # uncomment below for testing
+        defaults.server = "https://acme-staging-v02.api.letsencrypt.org/directory";
       };
 
       networking = {
diff --git a/modules/hosts/nixos/nixnuc/default.nix b/modules/hosts/nixos/nixnuc/default.nix
index 1bffce6..82e73ba 100644
--- a/modules/hosts/nixos/nixnuc/default.nix
+++ b/modules/hosts/nixos/nixnuc/default.nix
@@ -1,4 +1,4 @@
-{ inputs, config, hostname, pkgs, sops-nix, username,  ... }: {
+{ config, pkgs, username,  ... }: {
   imports = [
     ./hardware-configuration.nix
     ./audiobookshelf.nix
diff --git a/modules/system/common/secrets.yaml b/modules/system/common/secrets.yaml
new file mode 100644
index 0000000..8064289
--- /dev/null
+++ b/modules/system/common/secrets.yaml
@@ -0,0 +1,76 @@
+gandi_dns_pat: ENC[AES256_GCM,data:81tlAE6e655+RgKZVJgwYg6V59VtMmuVk5spkGZq1U6AgxYXO3wvsA==,iv:Dp5csrqHIAYloi5XkrBgDMqeIX/W+JFJ1avKbTnEU/Y=,tag:QjhdX4gv9OmWtQp7r06+RA==,type:str]
+gandi_api: ENC[AES256_GCM,data:YsdDMk75miIKO4LkCZjfwJw6gxfrmsTL,iv:BOPRxB661sPJnUH1AUKEALIJfBeyAHZpkWJEDbY+7i8=,tag:TvtW7qhPbOqi9kKDcIe28w==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1a652ev7gekx4aj589s8fd27ul9j5ugpdwg7pxhmqcwdjwwq9gf2qv38um9
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBseHFTeDZoMElxVUZpWFVa
+            dmxvWEFkS0p6aTFraUNyNmtITTQ4bFdLNFVZCnlsTlE3TUVvMWdXS0psb0FOQVdP
+            UGtTVVQ3ZExQVUdvekFEa0lYZmRxdEkKLS0tIEEyMXdkZ0JyV0orSnVwL3hMWVpy
+            TTAvb09FUE1JaXpNSm80Mmx3Z292eVUKjJ8Q9y2PhU9NpgCjKYne7zY+I+fXvIhs
+            BB/lskZG/AVuGdBDHRf0yIVFd/j6inTWbP1u3wJ+Mf+dBnPAlS9rXg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1g24zhwvgenpc4wqejt63thvgd4rn5x9n7nnwwme7dm83nfqpp93se2vmq4
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYWWVCd0ZjMzkxZVdIR1JC
+            Q1plamZveGg1Z1FaK2VPb29CUVVia0Q4aFZ3CkNKUjl0S090SUMwU1dJenRONEpJ
+            WnZ6aEFwV2lrelBZV0p0UUQvaWdmS0kKLS0tIGh2OE5iTTRObFEraUpxN0YyTVpx
+            Mk5Sb0VCN1VjMnNNdzBBZWY3Q2FsUFkK7d9MAUNRL7GSF6diz/5X21BmMsyE5Cu3
+            18ycNiMLtUwGHsfxh+aLliFDBO32LwMI64/tKHDtx4sHQSBGoppsfQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age15xlw5vnnjdx2ypz6rq0mqcywuaj3yx8y6lrgf95satafqf7y4qus6rv6ck
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4UEc1M2UwTkduWnEyMG8x
+            TGVYaUpsSlNVcnBxdHZRWU8ydUJvMnZXTTNZCmtIenlWeDdvM0xQemI3Y1dXNlox
+            SUhNcG5iZE44WGhWL0NwUTZjSzhPNFkKLS0tIHIyaU1DOUxSV0VWVTRaQmhBbXVP
+            dGVWRnhIek1mV2FJemF1dzVwMjZqWUUKNvkzOwi6OR369S5e5y6TSfGA4/EH09WK
+            MWlH3fzABkCN+IeRmOmtU/L3MdHIiWanDWp6KdWCJJ3OnBO8cjMEig==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1awdf9h0avajf57cudx0rjfmxu2wlxw8wf3sa7yvfk8rp4j6taecsu74x77
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLOE5pYXFDdXQzblI1N01i
+            eFROYzVvK3cxN1pJMHlScW0rZjBScG9SMzBnCko4VDllS0pQMU5NdU5NbndWQWpq
+            NmhWK1RJSHpITktFWTZIN2JHRklqS2cKLS0tIFFjRE9Ia3Z0TzIyd2MrS2RRWU9k
+            d3FIL3dqTHRtQVJiS255aVVWZ1p3UjQKb+65IgxbWXtkidmlb5w5Cu11izXh5QgR
+            I1YAckCX6RlR3Mlcs/5cTyLakpc3ibm/g4+N9+EhlIQz4wIxmxAtHQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1rt72txg22w8y3cdvq9w7zff0cas6xtkplpj36kxnevfnrtn82f6ss7yw7d
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNb2hxZElESWd4eTFycFI1
+            YWpKS1ZpWmtYcy9JK2ZPQ1QzSXFjWXM5VzFjCk1CcmJmdE5yL0J1Q2RBN3Npa2hn
+            WWxZTHkwTnhZaXBYanpZTkRTRUdTcWcKLS0tIFA3SkVuVFFVT2NsbVBlNUdFRlUx
+            UE9sMXVVOW1ib3JBYUR5LzVFRFp3ZWcK2hwlxaEUexjqHcg86dSpJU37b8bkWO6r
+            mSygDEjU71u20G6sdMeoSyxepPtWJsVhnAMukFsnKZf6LyfiiCseAQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1zz34qx3n3dj63sva24kaymetv3apn58lafjq4dl6zw7xxachuyts00mhck
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoZndiK3FMOUptbDRGOVQ0
+            QnNSSEtlVHZtaUlRQlRySzJNUmdqbzRQRFZFCnNyOHRtNFhsWGEvTFRkNTRUbit6
+            OWh6cVRRTXhlQmxpY3JpNVFRdStuWkkKLS0tIElYZGRVVWVSTlBhRHhVYWRFSFhC
+            NERwYVhzTjRZUDBmbTM2QzEyay9vT2MK9QIINuuaagTz2wyF9NiNzE0aiwoAHquH
+            GK203V5jVnLXftOV09NIg3027m8KCRc7yEWOtcbH5UkGZxZCqESv9Q==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1rpy8edlpgxuf6w75cvlqexuq2xe4c49h9t2ge6jhc3fzczp8vfasnjelwq
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNY2xrM1BFRDdtckRGZkIz
+            Mkc5VzNHQzV5aC9xTzU4US80czFMcHNpbXpzCnlqUWliUjlra1U0Y0dJTDByMGFQ
+            MlRTd2FaT1QzMXFWZ3piVjZsZ1ZDemsKLS0tIENRdlVvNE5VT3VOc2hqM2ZnVUVY
+            ZlBVMUJmWml3dkQ3OTN1ZmF1N0hXNHcKnLOSViooQmhU5yE754VHIBYNRVikgptc
+            3bXDiOlkjBbxGru3bnn+vUUJ3n+QdZoAnCgdL7D2/Me3HVrAW5M5LA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-04-05T03:17:40Z"
+    mac: ENC[AES256_GCM,data:4u2rpoc20qDv3W6s3lgtYU+35cfaK1tOmMySuji07s7IxqXqmkAn/giynH7y+PQRLACV6XvKnysLwuTPanekmXqQx/cOPOIPPrXOwz4oDLncFILI+7H/ShFuRN3KKUq9+OZElO4lLO0PDL+6flo3Mq6oSbzzeqxqVXUvt5gG8So=,iv:WEoiZzIWxAsxr3+nUY7b/jewYn6YRraU+zIPBhin8JI=,tag:BN5zLe8jdrvvCFU0BbfiaQ==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.8.1