From 4d4bdbefec694961bb676889fcfe40808324f951 Mon Sep 17 00:00:00 2001
From: Lgmrszd
Date: Sun, 18 Feb 2024 15:36:52 +0300
Subject: [PATCH] Use DNS validation

---
 .sops.yaml | 2 +-
 hosts/laptop/configuration.nix | 4 ++++
 hosts/vps1/configuration.nix | 18 +++++++++++++-----
 secrets/porkbun.env | 14 ++++++++++++++
 4 files changed, 32 insertions(+), 6 deletions(-)
 create mode 100644 secrets/porkbun.env

diff --git a/.sops.yaml b/.sops.yaml
index 460b37f..c6b3d71 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -3,7 +3,7 @@ keys:
 - &laptop_ssh_pubkey age1xrzl49tvnatuu55xu5av6xcxyhrakd7mkzl5kz30kqqaxvh2m3sqax8jeu
 - &vps_ssh_pubkey age1acgqxvyczgsamz53z3v0gmahzfxlg9tscwnrgcxrfndgxhsvn3vs4ss5tk
 creation_rules:
- - path_regex: secrets/.*\.(yaml|json)$
+ - path_regex: secrets/.*\.(yaml|json|env)$
 key_groups:
 - pgp:
 - *primary_gpg
diff --git a/hosts/laptop/configuration.nix b/hosts/laptop/configuration.nix
index fd71807..35e1171 100644
--- a/hosts/laptop/configuration.nix
+++ b/hosts/laptop/configuration.nix
@@ -294,6 +294,10 @@ in
 defaultSopsFile = ../../secrets/secrets.yaml;
 defaultSopsFormat = "yaml";
 secrets.example_key = {};
+ # secrets.porkbun = {
+ # sopsFile = ../../secrets/porkbun.env;
+ # format = "dotenv";
+ # };
 };
 
 # OnlyKey
diff --git a/hosts/vps1/configuration.nix b/hosts/vps1/configuration.nix
index adb8d61..dd2a0dc 100644
--- a/hosts/vps1/configuration.nix
+++ b/hosts/vps1/configuration.nix
@@ -95,6 +95,10 @@ in
 owner = config.users.users.akkoma.name;
 group = config.users.users.akkoma.group;
 };
+ secrets.porkbun = {
+ sopsFile = ../../secrets/porkbun.env;
+ format = "dotenv";
+ };
 };
 
 users.users.nginx.extraGroups = [ "acme" ];
@@ -111,7 +115,7 @@ in
 };
 virtualHosts.${rootDomain} = {
 onlySSL = true;
- enableACME = true;
+ useACMEHost = "${rootDomain}";
 root = "/var/www/todo";
 };
 virtualHosts.${gtnhDomain} = {
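Review bot: Adding `env` to the shared `path_regex` encrypts `secrets/porkbun.env` to every recipient of that rule, and the new file's metadata in this patch lists both age keys, `laptop_ssh_pubkey` and `vps_ssh_pubkey`, although only `hosts/vps1` declares `secrets.porkbun` (the laptop copy is commented out). The Porkbun API credential can therefore be decrypted on the laptop even though nothing there consumes it; a dedicated rule placed before the general one (sops uses the first matching rule) would limit it to the VPS key plus the admin PGP key. The `age:` list of the existing rule sits below the hunk, so its exact contents are inferred from the recipients recorded in `porkbun.env`. After changing the rule, `sops updatekeys secrets/porkbun.env` re-encrypts the file to the reduced recipient set.
```yaml
creation_rules:
  # first matching rule wins: only vps1 consumes this credential
  - path_regex: secrets/porkbun\.env$
    key_groups:
      - pgp:
          - *primary_gpg
        age:
          - *vps_ssh_pubkey
  - path_regex: secrets/.*\.(yaml|json|env)$
    # … unchanged: key_groups of the general rule …
```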
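Review bot: The four commented-out lines added under `secrets.example_key` are dead configuration with no explanation of why they are parked; either drop them or replace them with a one-line comment such as `# porkbun DNS credentials are only consumed by hosts/vps1; not declared here`. Leaving the block in place suggests the laptop may later need the secret, which is at odds with keeping the DNS API key off that machine. The enclosing `sops` attribute set starts before the hunk.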
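Review bot: `useACMEHost = "${rootDomain}";` wraps a single variable in an antiquotation, which evaluates to the same value as `useACMEHost = rootDomain;` and is the form statix/nixpkgs-fmt would suggest. The other virtual hosts are not shown (`virtualHosts.${gtnhDomain}` opens on the last hunk line and its body is outside the hunk); if they still set `enableACME = true` they will keep requesting their own HTTP-01 certificates instead of sharing the new wildcard, so presumably they should switch to `useACMEHost` as well — confirm against the rest of the file.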
@@ -140,11 +144,15 @@ in
 acceptTerms = true;
 defaults.email = "lgmrszd@disroot.org";
 certs.${rootDomain} = {
+ # domain = "*.${rootDomain}";
+ dnsProvider = "porkbun";
+ environmentFile = config.sops.secrets.porkbun.path;
 extraDomainNames = [
- gtnhDomain
- akkoDomain
- iceDomain
- discDomain
+ "*.${rootDomain}"
+ # gtnhDomain
+ # akkoDomain
+ # iceDomain
+ # discDomain
 ];
 };
 };
diff --git a/secrets/porkbun.env b/secrets/porkbun.env
new file mode 100644
index 0000000..5d141e9
--- /dev/null
+++ b/secrets/porkbun.env
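Review bot: `extraDomainNames = [ "*.${rootDomain}" ]` only covers names exactly one label below `rootDomain`; if any of the former entries `gtnhDomain`, `akkoDomain`, `iceDomain` or `discDomain` is a deeper subdomain or lives in a different zone it silently drops out of the certificate (their values are defined outside the hunk, so this is unverified here). The five commented-out lines, including `# domain = "*.${rootDomain}";`, are dead configuration and should be removed or replaced by a comment stating that the wildcard now covers those hosts. DNS-01 also means the credential behind `environmentFile` can change records for the whole zone from vps1; if the Porkbun account holds other domains and the provider allows it, enabling API access only for this zone bounds what a leaked key can do.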
@@ -0,0 +1,14 @@
+#ENC[AES256_GCM,data:QtPfbzdPdADup2eK3ndD9OQ=,iv:Rh4WvqtmhloQP141pLt6Nml6NIhe6OFJzJBsJlcktno=,tag:z6YJcuDJ+cbrt4pTKRv4JA==,type:comment]
+PORKBUN_SECRET_API_KEY=ENC[AES256_GCM,data:U1x8/saUkyE/6YzoVmUcYeKCe7JACJb0LBOZUFTT6pRmBs4VHgRQnoA/oL2lzmojtQL1VEcYhlhAANQb6F+hlYZnF8k=,iv:KrARR9Xv18hg2YiWEgStveEvDcxiEwwJWT1W6NNrlz8=,tag:seUpwyy1jJUKWsgaq8W/rw==,type:str]
+PORKBUN_API_KEY=ENC[AES256_GCM,data:aP+99C3quMNyoVvuU+JkkLIqgTTI3dL+LtARSpycvFysaEj5hha7yR6PoXJGKf4Wc7RmDz5NKN/ad3ro8kZX9lZ2ofI=,iv:D/wyJZBsXr0BjUvC7o0VzFdRDymT8rBuvulUv7qjEIg=,tag:yHxwDtVQ8dCNORM3/XiZvA==,type:str]
+sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHdGhOUVNxN1cxVXZNR1FD\nVnFaZllEZ1ZNVUN5a0NYR1ZiYUFzMVlLMUJBCjN1UENJSHRwTGhTWXI3M1YvcmJi\nTk5ldDM4UUxnMFNCREhlUEJrbUlTTUUKLS0tIFJ0ajRqbUdQNkRzWE0rSlFqbEtn\nNTFTb29zT1hZUEx2VkROQndVS2tuL0UKMywal3iyD1hP3ze4z5F/x0WWZg7M/bBD\n8gazBMeDc6BhEl5gyibmMRj/GJpWHKE+Z9DIFke1w3i/7/He5UKLyA==\n-----END AGE ENCRYPTED FILE-----\n
+sops_age__list_0__map_recipient=age1acgqxvyczgsamz53z3v0gmahzfxlg9tscwnrgcxrfndgxhsvn3vs4ss5tk
+sops_age__list_1__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCMW5ZZC9RTG1DV0Y0UWpm\nS1ZhcDV3WW8zcWczZCtyZnhTRitUaEZ6SWhRCloyTUhRMXZmTXpXWFhiWEJQODRq\nZ3N0NThlT0pZazRhTk5sY0ZFUXFUWWMKLS0tIGNaNjMxb0RpWWRBK25wNFI0UElC\nZkw4TjBneDAvZjdXRzJRR2RiT2RJSlEKz4gM+YVkJq/XgHzU40kaEM8JuBuwWxOF\n3faSazb6GSvIYISMI5yNpI8c46kCzPfowjsHmTEoYloxI9CKW2k/Tw==\n-----END AGE ENCRYPTED FILE-----\n
+sops_age__list_1__map_recipient=age1xrzl49tvnatuu55xu5av6xcxyhrakd7mkzl5kz30kqqaxvh2m3sqax8jeu
+sops_lastmodified=2024-02-18T12:13:05Z
+sops_mac=ENC[AES256_GCM,data:o75BQJu3bAE+caTWz4aSCi+fBFzb5f/PAL6fgf51kZK1Qbs/qwFue6jNOjEfEECbAz6MMalUCCw/2c7IKrybsWlx6/BY74KIAvSGpmuW2Eh4RUAZAu9K+3udk7rDCRWBh745j64TX4Phk/VkYRAtaRN1Lr1cZwk3ULkZP/lQbik=,iv:EvG+pPb8gXv9UHfiAg+5AcBvhvIkftjc735zRBYAMdI=,tag:owf4pj/9ND24rN9+Z9HOMQ==,type:str]
+sops_pgp__list_0__map_created_at=2024-02-18T12:04:47Z
+sops_pgp__list_0__map_enc=-----BEGIN PGP MESSAGE-----\n\nhF4DrTkQq20WUVESAQdAXpQv1r53C+1WjwS3fyFBKoIGTkPgF7dtYGGqPUrpKmIw\ntwx5s7tauIKm0oXNMHoPi0D0D1eXrwQPLXS15DnSnpohNgrsRxtHT2jDnq0ge6hB\n1GYBCQIQ2JgMFQcOWzQUcdfaVgbpmiiaT/Fiy41NX27MxFMhpgP3YTzgkjquSy5j\n64aOsZIByXfE4BXq3bubHaDlj3jvqqymB3dHqb9JXJTmfZf7Ld811FgPOY0w7b42\n8XAxAYYmRDk=\n=Ve8O\n-----END PGP MESSAGE-----
+sops_pgp__list_0__map_fp=D3067BE844D3FC49535A47B29396B8BA6FBB14DE
+sops_unencrypted_suffix=_unencrypted
+sops_version=3.8.1