feat(hosts/granodomus-lima): use acme for SSL on exposed host

hosts/granodomus-lima.nix

@@ -4,15 +4,10 @@
   config,
   ...
 }: let
-  sopsPath = key: config.sops.secrets.${key}.path;
-
-  mkVirtHost = certificateName:
-    lib.attrsets.recursiveUpdate {
-      forceSSL = true;
-      sslTrustedCertificate = pkgs.writeText "ca.crt" (builtins.readFile ../secrets/ca.crt);
-      sslCertificateKey = sopsPath "certificate-key-${certificateName}";
-      sslCertificate = pkgs.writeText "${certificateName}.crt" (builtins.readFile ../secrets/pub/${certificateName}.crt);
-    };
+  mkVirtHost = lib.attrsets.recursiveUpdate {
+    forceSSL = true;
+    enableACME = true;
+  };
 in {
   imports = [
     ../hardware/netcup-vps-200-g10.nix
@@ -41,7 +36,7 @@ in {
       enable = true;
       ignoreIP = let
         vpn = (builtins.import ../state.nix).vpn;
-        extractIPs = host: config: [config.v4 config.v6];
+        extractIPs = _: config: [config.v4 config.v6];
       in
         lib.flatten (lib.attrsets.mapAttrsToList extractIPs vpn);
     };
@@ -51,10 +46,10 @@ in {
 
     services.nginx.virtualHosts = let
       services = (builtins.import ../state.nix).services;
-      removeUnexposed = lib.attrsets.filterAttrs (name: config: config ? "external" && config.external);
+      removeUnexposed = lib.attrsets.filterAttrs (_: config: config ? "external" && config.external);
       createVirtHost = name: config: {
         name = "${name}.tammena.me";
-        value = mkVirtHost "${name}-tammena-me" {
+        value = mkVirtHost {
           locations."/" = {
             proxyPass = "http://${config.host}:${builtins.toString config.port}";
             proxyWebsockets = true;
@@ -65,7 +60,7 @@ in {
       lib.mapAttrs' createVirtHost (removeUnexposed services);
 
     sops.secrets =
-      lib.mapAttrs' (name: config: {
+      lib.mapAttrs' (name: _: {
         name = "certificate-key-${name}-tammena-me";
         value = {
           owner = "nginx";
@@ -74,27 +69,6 @@ in {
       })
       (builtins.import ../state.nix).services;
 
-    # services.nginx.virtualHosts = {
-    #   "config.tammena.me" = mkVirtHost "config-tammena-me" {
-    #     locations."/" = {
-    #       proxyPass = "https://config.home";
-    #       proxyWebsockets = true;
-    #     };
-    #   };
-    #   "todo.tammena.me" = mkVirtHost "todo-tammena-me" {
-    #     locations."/" = {
-    #       proxyPass = "https://todo.home";
-    #       proxyWebsockets = true;
-    #     };
-    #   };
-    #   "time.tammena.me" = mkVirtHost "time-tammena-me" {
-    #     locations."/" = {
-    #       proxyPass = "https://time.home";
-    #       proxyWebsockets = true;
-    #     };
-    #   };
-    # };
-
     services.qemuGuest.enable = true;
 
     services.bind = {

modules/radicale.nix

@@ -1,5 +1,4 @@
 {
-  pkgs,
   config,
   lib,
   ...
@@ -7,8 +6,6 @@
   internalPort = 5232;
   cfg = config.services.radicaleWithInfcloud;
 
-  sopsPath = key: config.sops.secrets.${key}.path;
-
   htpasswd_filename = "/etc/radicale/users";
 in {
   options.services."radicaleWithInfcloud" = with lib; {
@@ -54,13 +51,9 @@ in {
     };
 
     # Enable nginx proxy with ACME
-    services.nginx.virtualHosts."cal.tammena.me" = let
-      certificateName = "cal-tammena-me";
-    in {
+    services.nginx.virtualHosts."cal.tammena.me" = {
       forceSSL = true;
-      sslTrustedCertificate = pkgs.writeText "ca.crt" (builtins.readFile ../secrets/ca.crt);
-      sslCertificateKey = sopsPath "certificate-key-${certificateName}";
-      sslCertificate = pkgs.writeText "${certificateName}.crt" (builtins.readFile ../secrets/pub/${certificateName}.crt);
+      enableACME = true;
       locations."/" = {
         proxyPass = "http://[::1]:${builtins.toString internalPort}";
       };

secrets/pub/cal-tammena-me.crt

@@ -1,11 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIBqDCCAU2gAwIBAgIUN1xAqAk8fpv1fe3pekGIEjhmpiowCgYIKoZIzj0EAwIw
-FTETMBEGA1UEAwwKTXkgSG9tZSBDQTAeFw0yMzExMDYyMTM5NThaFw0yNDExMDUy
-MTM5NThaMBExDzANBgNVBAMMBiouaG9tZTBZMBMGByqGSM49AgEGCCqGSM49AwEH
-A0IABDVTB1SfuQbqUaM4QICW22kbbi4/RjV2G8su1fuQeMsa6YCp3Skl+NsnX24m
-dhI+8IDyukxrco3KBqkoQ4DVpaejfzB9MAsGA1UdDwQEAwIF4DATBgNVHSUEDDAK
-BggrBgEFBQcDATAZBgNVHREEEjAQgg5jYWwudGFtbWVuYS5tZTAdBgNVHQ4EFgQU
-qwzA7/SfmMN/ae/s+npixYFZbtMwHwYDVR0jBBgwFoAUAPrcD9smsvgt1yQ7GbIi
-rWWZT6swCgYIKoZIzj0EAwIDSQAwRgIhAMp4+2+ZbBEqEWoc5e8x6HvDwFc9v0Hq
-DjyiRM9nOIHHAiEAygDCeTVbLil/CnyoaBzZ0ueujKhXHTivnswLX05YUkM=
------END CERTIFICATE-----

secrets/pub/config-tammena-me.crt

@@ -1,11 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIBqzCCAVKgAwIBAgIUbhftS4D+aE8zrKZZ1oEmbr1VIIowCgYIKoZIzj0EAwIw
-FTETMBEGA1UEAwwKTXkgSG9tZSBDQTAeFw0yMzExMDYyMTQwMDRaFw0yNDExMDUy
-MTQwMDRaMBExDzANBgNVBAMMBiouaG9tZTBZMBMGByqGSM49AgEGCCqGSM49AwEH
-A0IABBsrwKiLkWKz+InN/fY5weBuBqm79ANXvAR3yckbCfd2uPMnuQG2zqjsTniF
-RdRMiVoVga4dOCwvO38lcQv0/06jgYMwgYAwCwYDVR0PBAQDAgXgMBMGA1UdJQQM
-MAoGCCsGAQUFBwMBMBwGA1UdEQQVMBOCEWNvbmZpZy50YW1tZW5hLm1lMB0GA1Ud
-DgQWBBRYof6XYSynBDKsuu+euj0Y3YjPEDAfBgNVHSMEGDAWgBQA+twP2yay+C3X
-JDsZsiKtZZlPqzAKBggqhkjOPQQDAgNHADBEAiBw4dTvjO+zYPsv1fnvtFAI4wnO
-NhcGQw7NLZuElGHU3wIgAzXOWFCaI2GVE7F6UFU2RMDdODrCNzsmWGpQc/q7xjA=
------END CERTIFICATE-----

secrets/pub/git-tammena-me.crt

@@ -1,11 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIBpzCCAU2gAwIBAgIUIt5Vq8vD0KgXL3se9tfMDDf3WIswCgYIKoZIzj0EAwIw
-FTETMBEGA1UEAwwKTXkgSG9tZSBDQTAeFw0yMzExMDYyMTQwMDlaFw0yNDExMDUy
-MTQwMDlaMBExDzANBgNVBAMMBiouaG9tZTBZMBMGByqGSM49AgEGCCqGSM49AwEH
-A0IABJ3oh7A2Fh1wWZVv9e40cgEzUHokHWxnlgFERgHJ6K3Vj9T7OkZxnBbrbMJb
-8THwaiPMXLFmxNvYzpB/VEEjXRCjfzB9MAsGA1UdDwQEAwIF4DATBgNVHSUEDDAK
-BggrBgEFBQcDATAZBgNVHREEEjAQgg5naXQudGFtbWVuYS5tZTAdBgNVHQ4EFgQU
-tpzJcISsrz5pWeqdQqXOMiU3A9owHwYDVR0jBBgwFoAUAPrcD9smsvgt1yQ7GbIi
-rWWZT6swCgYIKoZIzj0EAwIDSAAwRQIgLxPAFIR91qfY3c8MVW9aDHP+H9FIFV7J
-O4ziCiysrWwCIQDZu7wd79qjmbpi9hZ7mhJgnVzPyWlSYOcoAhBSbhADLw==
------END CERTIFICATE-----

secrets/pub/read-tammena-me.crt

@@ -1,11 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIBqjCCAU+gAwIBAgIUdtzKCtg60ov4uv9wq8BUoY7AzfcwCgYIKoZIzj0EAwIw
-FTETMBEGA1UEAwwKTXkgSG9tZSBDQTAeFw0yMzExMDYyMTQwMTRaFw0yNDExMDUy
-MTQwMTRaMBExDzANBgNVBAMMBiouaG9tZTBZMBMGByqGSM49AgEGCCqGSM49AwEH
-A0IABBYmlSt8Dvn/UEXBrEPr4P2tgJ/KB39eW+8VYviRbVU3cRT9E4SkQlvP2GNy
-ubme0/fdhXGPR5IBkgxFVsjZ3JujgYAwfjALBgNVHQ8EBAMCBeAwEwYDVR0lBAww
-CgYIKwYBBQUHAwEwGgYDVR0RBBMwEYIPcmVhZC50YW1tZW5hLm1lMB0GA1UdDgQW
-BBTC7uwuHtWPvvLuJNPEuHI5yZ34jzAfBgNVHSMEGDAWgBQA+twP2yay+C3XJDsZ
-siKtZZlPqzAKBggqhkjOPQQDAgNJADBGAiEA9X4uGMe6bePVZgJEFvMIYim2290+
-pWSEUu8nMfKHp9UCIQCYsAzzE0+xvHsY/ji/MaaPewfTGiP9wRw+Aj071QFSLg==
------END CERTIFICATE-----

secrets/pub/time-tammena-me.crt

@@ -1,11 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIBqTCCAU+gAwIBAgIUVzphXFAp3znAnDTnN/dc4xp2n7EwCgYIKoZIzj0EAwIw
-FTETMBEGA1UEAwwKTXkgSG9tZSBDQTAeFw0yMzExMDYyMTQwMTlaFw0yNDExMDUy
-MTQwMTlaMBExDzANBgNVBAMMBiouaG9tZTBZMBMGByqGSM49AgEGCCqGSM49AwEH
-A0IABEKyJMoIKHu5Ia8u28PpnhFKKb+Rfny6Yd9AmoDM6PYwGCTnUHW++WvkGknq
-SC9Z4Fctsf7xHLZF++vQoy1o2p6jgYAwfjALBgNVHQ8EBAMCBeAwEwYDVR0lBAww
-CgYIKwYBBQUHAwEwGgYDVR0RBBMwEYIPdGltZS50YW1tZW5hLm1lMB0GA1UdDgQW
-BBQfyn6d6feTl3IwdO/zTwGyZec7qTAfBgNVHSMEGDAWgBQA+twP2yay+C3XJDsZ
-siKtZZlPqzAKBggqhkjOPQQDAgNIADBFAiEAqamkuEOQ3ONO2JQZgPmiw+W+MhAk
-Mx8f1Dh4Kpf8OfACICU2y+1OAziJDlnM56xyQvBmKVSJkZykOoNAaZI8SoYe
------END CERTIFICATE-----

secrets/pub/todo-tammena-me.crt

@@ -1,11 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIBqjCCAU+gAwIBAgIUEuZlqKfEB+axYUvr9ODqYWyTW9QwCgYIKoZIzj0EAwIw
-FTETMBEGA1UEAwwKTXkgSG9tZSBDQTAeFw0yMzExMDYyMTQwMjRaFw0yNDExMDUy
-MTQwMjRaMBExDzANBgNVBAMMBiouaG9tZTBZMBMGByqGSM49AgEGCCqGSM49AwEH
-A0IABONx/Qy4ukmMr/xx/onP7JsxLEx1L/IuKrrTJdcMKQw3KWdmLnZhmhCDaggO
-d5kPri7fH3i6WQeR+Yd6eOJiVMujgYAwfjALBgNVHQ8EBAMCBeAwEwYDVR0lBAww
-CgYIKwYBBQUHAwEwGgYDVR0RBBMwEYIPdG9kby50YW1tZW5hLm1lMB0GA1UdDgQW
-BBRiGgT0KmCURLb+c1Cv13zamYwJNDAfBgNVHSMEGDAWgBQA+twP2yay+C3XJDsZ
-siKtZZlPqzAKBggqhkjOPQQDAgNJADBGAiEAxvlQmrapCM59iE2czjK1C2E4IiLJ
-6jYm2OMqU3ToqWwCIQCkJA1cxvDf3yuLEXuFPUwkVOsbUG933HAxI2WIKTswRg==
------END CERTIFICATE-----