services/nginx: use acme dns challenge

hosts/caramel/default.nix

@@ -4,6 +4,7 @@
   time.timeZone = "Asia/Phnom_Penh";
 
   age.secrets = {
+    acme_dns.file = ../../secrets/acme_dns.age;
     passwd.file = ../../secrets/passwd.age;
     wpa_conf.file = ../../secrets/wpa_conf.age;
     wg_caramel.file = ../../secrets/wg_caramel.age;

modules/services/nginx.nix

@@ -1,6 +1,14 @@
-{ inputs, ... }: {
-  security.acme.acceptTerms = true;
-  security.acme.email = "me@lava.moe";
+{ config, inputs, ... }: {
+  security.acme = {
+    acceptTerms = true;
+    email = "me@lava.moe";
+    certs."lava.moe" = {
+      domain = "*.lava.moe";
+      dnsProvider = "cloudflare";
+      credentialsFile = config.age.secrets."acme_dns".path;
+    };
+  };
+
   services.nginx = {
     enable = true;
     recommendedTlsSettings = true;
@@ -10,7 +18,7 @@
 
     virtualHosts = {
       "lava.moe" = {
-        enableACME = true;
+        useACMEHost = "lava.moe";
         forceSSL = true;
         root = inputs.website.outPath;
       };

secrets.nix

@@ -8,6 +8,7 @@ in {
   "secrets/passwd.age".publicKeys = [ blossom caramel sugarcane rin ];
   "secrets/wpa_conf.age".publicKeys = [ blossom caramel rin ];
 
+  "secrets/acme_dns.age".publicKeys = [ caramel rin ];
   "secrets/wg_blossom.age".publicKeys = [ blossom rin ];
   "secrets/wg_caramel.age".publicKeys = [ caramel rin ];
   "secrets/wg_sugarcane.age".publicKeys = [ sugarcane rin ];

secrets/acme_dns.age

@@ -0,0 +1,10 @@
+age-encryption.org/v1
+-> ssh-ed25519 U9FXlg dDnXFO4iUwixemx1WPFZSM15/z7xtAGjZxriBbsURRg
+uv6gdP/LDmZMZu/B3IWWYEzfR+H7TJsR3Zo8hYzthQE
+-> ssh-ed25519 krYeuQ Yo3FXb2pDijXv2JxYvNP3IF0DADygWjIHEoUlfCw3zc
+vly4m2xyGfuJxBPue0mk9dodc4YAEKYTWLwx9ljVhWs
+-> ,-grease
+v4PvG0kmxXhjh7Jf
+--- 6yg8u5a9px36osMqiVI4ZPfea+ySjKB8GR/TcCG/ZXU
+q<EFBFBD>T!ø|Eí#àŽŽÐrÍòQíÌTQM¹É‘IX#²:f|kSiÀs^~¥^ÖÏ_ÒôK•}§"ðI)G–ŽIÝ
+~úÑ‹«*ç4ÎA^w(¸ÇÛ