Merge branch 'cloudflare-acme-dns'

2025-07-05 13:50:13 +00:00 · 2023-06-03 00:31:10 +00:00
parent 3a40bb7485 6815af21dc
commit f4f5f19183
5 changed files with 120 additions and 13 deletions
--- a/modules/nixos/services/caddy.nix
+++ b/modules/nixos/services/caddy.nix
@ -2,6 +2,11 @@

  options = {
    caddy.enable = lib.mkEnableOption "Caddy reverse proxy.";
+    caddy.tlsPolicies = lib.mkOption {
+      type = lib.types.listOf lib.types.attrs;
+      description = "Caddy JSON TLS policies";
+      default = [ ];
+    };
    caddy.routes = lib.mkOption {
      type = lib.types.listOf lib.types.attrs;
      description = "Caddy JSON routes for http servers";
@ -26,6 +31,7 @@
          errors.routes = config.caddy.blocks;
          # logs = { }; # Uncomment to collect access logs
        };
+        apps.tls.automation.policies = config.caddy.tlsPolicies;
        logging.logs.main = {
          encoder = { format = "console"; };
          writer = {
--- a/modules/nixos/services/cloudflare.nix
+++ b/modules/nixos/services/cloudflare.nix
@ -1,6 +1,6 @@
 # This module is necessary for hosts that are serving through Cloudflare.

-{ config, lib, ... }:
+{ config, pkgs, lib, ... }:

 let

@ -49,6 +49,38 @@ in {
      }];
    }];

+    # Tell Caddy to use Cloudflare DNS for ACME challenge validation
+    services.caddy.package = (pkgs.callPackage ../../../overlays/caddy.nix {
+      plugins = [ "github.com/caddy-dns/cloudflare" ];
+      # vendorSha256 = "sha256-K9HPZnr+hMcK5aEd1H4gEg6PXAaNrNWFvaHYm5m62JY=";
+    });
+    caddy.tlsPolicies = [{
+      issuers = [{
+        module = "acme";
+        challenges = {
+          dns = {
+            provider = {
+              name = "cloudflare";
+              api_token = "{env.CF_API_TOKEN}";
+            };
+            resolvers = [ "1.1.1.1" ];
+          };
+        };
+      }];
+    }];
+    systemd.services.caddy.serviceConfig.EnvironmentFile =
+      config.secrets.cloudflareApi.dest;
+    systemd.services.caddy.serviceConfig.AmbientCapabilities =
+      "CAP_NET_BIND_SERVICE";
+
+    # API key must have access to modify Cloudflare DNS records
+    secrets.cloudflareApi = {
+      source = ../../../private/cloudflare-api.age;
+      dest = "${config.secretsDirectory}/cloudflare-api";
+      owner = "caddy";
+      group = "caddy";
+    };
+
    # Allows Nextcloud to trust Cloudflare IPs
    services.nextcloud.config.trustedProxies = cloudflareIpRanges;