Let Caddy handle the TLS certs itself

giodamelio · Apr 15, 2024 · 8f9ba27 · 8f9ba27
1 parent b679aaf
commit 8f9ba27
Show file tree

Hide file tree

Showing 9 changed files with 56 additions and 163 deletions.
diff --git a/src/nixosModules/core/caddy.nix b/src/nixosModules/core/caddy.nix
@@ -0,0 +1,48 @@
+{root, ...}: {
+  pkgs,
+  config,
+  ...
+}: let
+  caddyDnsCloudflare = root.packages.caddy-dns-cloudflare {inherit pkgs;};
+in {
+  # Cloudflare Token Secret
+  age.secrets.cloudflare-token.file = ../../../secrets/cloudflare-token.age;
+
+  services.caddy = {
+    enable = true;
+    package = caddyDnsCloudflare;
+
+    globalConfig = ''
+      email [email protected]
+      acme_dns cloudflare {env.CLOUDFLARE_API_TOKEN}
+    '';
+  };
+
+  systemd.services.caddy = {
+    serviceConfig = {
+      # I don't understand how Caddy is ever working without this...
+      AmbientCapabilities = "CAP_NET_BIND_SERVICE";
+
+      # Work around to load credendial from age into caddy env var
+      LoadCredential = "CLOUDFLARE_API_TOKEN:${config.age.secrets.cloudflare-token.path}";
+      EnvironmentFile = "-%t/caddy/secrets.env";
+      RuntimeDirectory = "caddy";
+      ExecStartPre = [
+        ((pkgs.writeShellApplication {
+            name = "caddy-secrets";
+            text = ''
+              echo "CLOUDFLARE_API_TOKEN=$(<"$CREDENTIALS_DIRECTORY/CLOUDFLARE_API_TOKEN")" > "$RUNTIME_DIRECTORY/secrets.env"
+            '';
+          })
+          + "/bin/caddy-secrets")
+      ];
+    };
+  };
+
+  networking.firewall.interfaces."wg0" = {
+    allowedTCPPorts = [443 80];
+  };
+  networking.firewall.interfaces."wg9" = {
+    allowedTCPPorts = [443 80];
+  };
+}
diff --git a/src/nixosModules/machines/carbon/default.nix b/src/nixosModules/machines/carbon/default.nix
@@ -19,6 +19,9 @@
     root.nixosModules.basic-packages
     root.nixosModules.basic-settings
 
+    # Setup Caddy
+    root.nixosModules.core.caddy
+
     # Wireguard Mesh
     super.wireguard-mesh
 

diff --git a/src/nixosModules/machines/carbon/homer.nix b/src/nixosModules/machines/carbon/homer.nix
@@ -1,8 +1,4 @@
-_: {
-  pkgs,
-  config,
-  ...
-}: let
+_: {pkgs, ...}: let
   homer = pkgs.stdenv.mkDerivation rec {
     pname = "homer";
     version = "24.02.1";
@@ -93,28 +89,9 @@ _: {
     ];
   };
 in {
-  # Cloudflare Token Secret
-  age.secrets.cloudflare-token.file = ../../../../secrets/cloudflare-token.age;
-
-  # Get HTTPS Certificate from LetsEncrypt
-  security.acme = {
-    acceptTerms = true;
-
-    certs."home.gio.ninja" = {
-      email = "[email protected]";
-      dnsProvider = "cloudflare";
-      credentialFiles = {
-        CLOUDFLARE_DNS_API_TOKEN_FILE = config.age.secrets.cloudflare-token.path;
-      };
-    };
-  };
-
   # Use Caddy as a reverse proxy
   services.caddy = {
-    enable = true;
-
     virtualHosts."https://home.gio.ninja" = {
-      useACMEHost = "home.gio.ninja";
       extraConfig = ''
         root * ${homer}
         file_server

diff --git a/src/nixosModules/machines/carbon/miniflux.nix b/src/nixosModules/machines/carbon/miniflux.nix
@@ -47,35 +47,12 @@ in {
     '';
   };
 
-  # Cloudflare Token Secret
-  age.secrets.cloudflare-token.file = ../../../../secrets/cloudflare-token.age;
-
-  # Get HTTPS Certificate from LetsEncrypt
-  security.acme = {
-    acceptTerms = true;
-
-    certs."miniflux.gio.ninja" = {
-      email = "[email protected]";
-      dnsProvider = "cloudflare";
-      credentialFiles = {
-        CLOUDFLARE_DNS_API_TOKEN_FILE = config.age.secrets.cloudflare-token.path;
-      };
-    };
-  };
-
   # Use Caddy as a reverse proxy
   services.caddy = {
-    enable = true;
-
     virtualHosts."https://miniflux.gio.ninja" = {
-      useACMEHost = "miniflux.gio.ninja";
       extraConfig = ''
         reverse_proxy localhost:8080
       '';
     };
   };
-
-  networking.firewall.interfaces."wg9" = {
-    allowedTCPPorts = [443 80];
-  };
 }
diff --git a/src/nixosModules/machines/carbon/paperless.nix b/src/nixosModules/machines/carbon/paperless.nix
@@ -1,6 +1,4 @@
 _: {config, ...}: {
-  environment.systemPackages = [];
-
   services.paperless = {
     enable = true;
 
@@ -15,35 +13,11 @@ _: {config, ...}: {
   age.secrets.paperless-oauth-config.file = ../../../../secrets/paperless-oauth-config.age;
   systemd.services.paperless-web.serviceConfig.EnvironmentFile = config.age.secrets.paperless-oauth-config.path;
 
-  # Cloudflare Token Secret
-  age.secrets.cloudflare-token.file = ../../../../secrets/cloudflare-token.age;
-
-  # Get HTTPS Certificate from LetsEncrypt
-  security.acme = {
-    acceptTerms = true;
-
-    certs."paperless.gio.ninja" = {
-      email = "[email protected]";
-      dnsProvider = "cloudflare";
-      credentialFiles = {
-        CLOUDFLARE_DNS_API_TOKEN_FILE = config.age.secrets.cloudflare-token.path;
-      };
-    };
-  };
-
-  # Use Caddy as a reverse proxy
   services.caddy = {
-    enable = true;
-
     virtualHosts."https://paperless.gio.ninja" = {
-      useACMEHost = "paperless.gio.ninja";
       extraConfig = ''
         reverse_proxy localhost:28981
       '';
     };
   };
-
-  networking.firewall.interfaces."wg9" = {
-    allowedTCPPorts = [443 80];
-  };
 }
diff --git a/src/nixosModules/machines/zirconium/default.nix b/src/nixosModules/machines/zirconium/default.nix
@@ -22,6 +22,9 @@
     # Setup PostgreSQL on the server
     root.nixosModules.core.postgres
 
+    # Setup Caddy
+    root.nixosModules.core.caddy
+
     # Security Platform (Identity/Overlay Network)
     super.defguard
 

diff --git a/src/nixosModules/machines/zirconium/defguard.nix b/src/nixosModules/machines/zirconium/defguard.nix
@@ -1,8 +1,4 @@
-{root, ...}: {
-  pkgs,
-  config,
-  ...
-}: let
+{root, ...}: {pkgs, ...}: let
   defguardPkgs = root.packages.defguard {inherit pkgs;};
 in {
   # Setup database
@@ -81,28 +77,9 @@ in {
     '';
   };
 
-  # Cloudflare Token Secret
-  age.secrets.cloudflare-token.file = ../../../../secrets/cloudflare-token.age;
-
-  # Get HTTPS Certificate from LetsEncrypt
-  security.acme = {
-    acceptTerms = true;
-
-    certs."defguard.gio.ninja" = {
-      email = "[email protected]";
-      dnsProvider = "cloudflare";
-      credentialFiles = {
-        CLOUDFLARE_DNS_API_TOKEN_FILE = config.age.secrets.cloudflare-token.path;
-      };
-    };
-  };
-
   # Use Caddy as a reverse proxy
   services.caddy = {
-    enable = true;
-
     virtualHosts."https://defguard.gio.ninja" = {
-      useACMEHost = "defguard.gio.ninja";
       extraConfig = ''
         handle /api/* {
           reverse_proxy localhost:8000
@@ -118,10 +95,4 @@ in {
     enable = true;
     allowedUDPPorts = [50051];
   };
-  networking.firewall.interfaces."wg0" = {
-    allowedTCPPorts = [443 80];
-  };
-  networking.firewall.interfaces."wg9" = {
-    allowedTCPPorts = [443 80];
-  };
 }
diff --git a/src/nixosModules/machines/zirconium/gatus.nix b/src/nixosModules/machines/zirconium/gatus.nix
@@ -124,38 +124,12 @@ _: {
     };
   };
 
-  # Cloudflare Token Secret
-  age.secrets.cloudflare-token.file = ../../../../secrets/cloudflare-token.age;
-
-  # Get HTTPS Certificate from LetsEncrypt
-  security.acme = {
-    acceptTerms = true;
-
-    certs."status.gio.ninja" = {
-      email = "[email protected]";
-      dnsProvider = "cloudflare";
-      credentialFiles = {
-        CLOUDFLARE_DNS_API_TOKEN_FILE = config.age.secrets.cloudflare-token.path;
-      };
-    };
-  };
-
   # Use Caddy as a reverse proxy
   services.caddy = {
-    enable = true;
-
     virtualHosts."https://status.gio.ninja" = {
-      useACMEHost = "status.gio.ninja";
       extraConfig = ''
         reverse_proxy localhost:8080
       '';
     };
   };
-
-  networking.firewall.interfaces."wg0" = {
-    allowedTCPPorts = [443 80];
-  };
-  networking.firewall.interfaces."wg9" = {
-    allowedTCPPorts = [443 80];
-  };
 }
diff --git a/src/nixosModules/machines/zirconium/monitoring.nix b/src/nixosModules/machines/zirconium/monitoring.nix
@@ -81,51 +81,17 @@ in {
     };
   };
 
-  # Cloudflare Token Secret
-  age.secrets.cloudflare-token.file = ../../../../secrets/cloudflare-token.age;
-
-  # Get HTTPS Certificate from LetsEncrypt
-  security.acme = {
-    acceptTerms = true;
-
-    certs."grafana.gio.ninja" = {
-      email = "[email protected]";
-      dnsProvider = "cloudflare";
-      credentialFiles = {
-        CLOUDFLARE_DNS_API_TOKEN_FILE = config.age.secrets.cloudflare-token.path;
-      };
-    };
-    certs."prometheus.gio.ninja" = {
-      email = "[email protected]";
-      dnsProvider = "cloudflare";
-      credentialFiles = {
-        CLOUDFLARE_DNS_API_TOKEN_FILE = config.age.secrets.cloudflare-token.path;
-      };
-    };
-  };
-
   # Use Caddy as a reverse proxy
   services.caddy = {
-    enable = true;
-
     virtualHosts."https://grafana.gio.ninja" = {
-      useACMEHost = "grafana.gio.ninja";
       extraConfig = ''
         reverse_proxy localhost:3000
       '';
     };
     virtualHosts."https://prometheus.gio.ninja" = {
-      useACMEHost = "prometheus.gio.ninja";
       extraConfig = ''
         reverse_proxy localhost:9090
       '';
     };
   };
-
-  networking.firewall.interfaces."wg0" = {
-    allowedTCPPorts = [443 80];
-  };
-  networking.firewall.interfaces."wg9" = {
-    allowedTCPPorts = [443 80];
-  };
 }