save letsencrypt key for acme

This commit is contained in:
Noah Masur 2024-08-17 08:55:03 -04:00
parent f7c5d3510f
commit 771cac63a3
No known key found for this signature in database
2 changed files with 42 additions and 3 deletions

View File

@ -79,6 +79,7 @@ in
{ {
module = "acme"; module = "acme";
email = "acme@${config.mail.server}"; email = "acme@${config.mail.server}";
account_key = "{env.ACME_ACCOUNT_KEY}";
challenges = { challenges = {
dns = { dns = {
provider = { provider = {
@ -93,7 +94,18 @@ in
} }
]; ];
# Allow Caddy to read Cloudflare API key for DNS validation # Allow Caddy to read Cloudflare API key for DNS validation
systemd.services.caddy.serviceConfig.EnvironmentFile = config.secrets.cloudflare-api.dest; systemd.services.caddy.serviceConfig.EnvironmentFile = [
config.secrets.cloudflare-api.dest
config.secrets.letsencrypt-key.dest
];
# Private key is used for LetsEncrypt
secrets.letsencrypt-key = {
source = ../../../private/letsencrypt-key.age;
dest = "${config.secretsDirectory}/letsencrypt-key";
owner = "caddy";
group = "caddy";
};
# API key must have access to modify Cloudflare DNS records # API key must have access to modify Cloudflare DNS records
secrets.cloudflare-api = { secrets.cloudflare-api = {
@ -105,8 +117,14 @@ in
# Wait for secret to exist # Wait for secret to exist
systemd.services.caddy = { systemd.services.caddy = {
after = [ "cloudflare-api-secret.service" ]; after = [
requires = [ "cloudflare-api-secret.service" ]; "cloudflare-api-secret.service"
"letsencrypt-key-secret.service"
];
requires = [
"cloudflare-api-secret.service"
"letsencrypt-key-secret.service"
];
}; };
# Allows Nextcloud to trust Cloudflare IPs # Allows Nextcloud to trust Cloudflare IPs

View File

@ -0,0 +1,21 @@
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE1nSGFPdyBCc2hS
RUw4Y200allVODI0QTYxdXlHSHRiS1pWWHg5SW9tZ0tGVmc2ajJZCitXeEd0dk9K
MmRkZlRYd253RWFzNXpUR0xuTXI2dWVhNFZpQnNlU0VFdEUKLT4gc3NoLWVkMjU1
MTkgWXlTVU1RIHNScVkwd1RmVGhNcFVSRTlxQzlvSUc2cGxNWUc0YVJ5RjRydk9J
RG1peDQKVU5iN1ZmWEJyOXBiNWdiRFlnNFFKR09vaFB4SWZWK0x3VWJwMDZtYlBj
MAotPiBzc2gtZWQyNTUxOSBuanZYNUEgSXR5OEk5cWZHUEZ3WmFCUTVFeTBnTG5h
cmNxVWFLV2JhUTRBaUJGWERncwpYMFBIN0kySXdjOE5YcS85bXRCRnRsK3NyMHY4
N0JKelFyeHB6T1dEZ2VnCi0+IHNzaC1lZDI1NTE5IENxSU9VQSAyQVJYRXJ1cFVl
dldaa0Qydlc3MzlFYnN5YUx0amdWZm5PcWovRm1MaVg0CkJsSFZRdGJIZzA1T0Ny
bUNnL0Zxa05ubHluSVBUenVCZTZpYlA5UUFEMDQKLT4gc3NoLWVkMjU1MTkgejFP
Y1p3IDFPQU5HZm5mRFl5NnNLVHUvdUlmTEtyS0djNWZaMWg5VDl1ZldNTkVWbXMK
RkVBTzNUa0d6c3NJUHQrazdKWXNZY3NIRzRndGdRNjFjMXZCSEhIQnIyYwotLS0g
VzNOa3dXS0hrMWxNUlJ4UzAxNlkzSXM4RWc1RGFzQjFyb1dGZXFnL3RCVQoq002V
S5MQqBjKKOacO4OWgn5KpmU2D7zJWJjNMxH80L6HFNoyOj4wNa+8TA0Q7MTn3bKN
YvAuwbDAGjjDt8vZFKOiZB0xAex+H7A1MVvuGIA8xQa6iNBMwj7nWTLif5pCbVk+
9aAAprcJVDJx4TeFXlNF6XtcQ3J8abwi6TDqNFpfwwBb/wruyzutgvlOiz1XSBX0
xlCGckq/BCnItLURIb7zhqRMqk/JODPjOKArmP86nCq25Wm+W5JQ8ViQ7LHJyoFj
zbiwabqeBJZgqoVdVMj8Glz+91RVodn6f9VwQcHINgHxmkd6j2z75AmWZecwD2ic
pUMnikqIMI0B3zW5H38t2cJv+aIMTl7lH5Hf1P5jEn3NPw==
-----END AGE ENCRYPTED FILE-----