Use DNS validation

This commit is contained in:
Lgmrszd 2024-02-18 15:36:52 +03:00
parent c96a0534aa
commit 4d4bdbefec
No known key found for this signature in database
GPG key ID: 9396B8BA6FBB14DE
4 changed files with 32 additions and 6 deletions

View file

@ -3,7 +3,7 @@ keys:
- &laptop_ssh_pubkey age1xrzl49tvnatuu55xu5av6xcxyhrakd7mkzl5kz30kqqaxvh2m3sqax8jeu - &laptop_ssh_pubkey age1xrzl49tvnatuu55xu5av6xcxyhrakd7mkzl5kz30kqqaxvh2m3sqax8jeu
- &vps_ssh_pubkey age1acgqxvyczgsamz53z3v0gmahzfxlg9tscwnrgcxrfndgxhsvn3vs4ss5tk - &vps_ssh_pubkey age1acgqxvyczgsamz53z3v0gmahzfxlg9tscwnrgcxrfndgxhsvn3vs4ss5tk
creation_rules: creation_rules:
- path_regex: secrets/.*\.(yaml|json)$ - path_regex: secrets/.*\.(yaml|json|env)$
key_groups: key_groups:
- pgp: - pgp:
- *primary_gpg - *primary_gpg

View file

@ -294,6 +294,10 @@ in
defaultSopsFile = ../../secrets/secrets.yaml; defaultSopsFile = ../../secrets/secrets.yaml;
defaultSopsFormat = "yaml"; defaultSopsFormat = "yaml";
secrets.example_key = {}; secrets.example_key = {};
# secrets.porkbun = {
# sopsFile = ../../secrets/porkbun.env;
# format = "dotenv";
# };
}; };
# OnlyKey # OnlyKey

View file

@ -95,6 +95,10 @@ in
owner = config.users.users.akkoma.name; owner = config.users.users.akkoma.name;
group = config.users.users.akkoma.group; group = config.users.users.akkoma.group;
}; };
secrets.porkbun = {
sopsFile = ../../secrets/porkbun.env;
format = "dotenv";
};
}; };
users.users.nginx.extraGroups = [ "acme" ]; users.users.nginx.extraGroups = [ "acme" ];
@ -111,7 +115,7 @@ in
}; };
virtualHosts.${rootDomain} = { virtualHosts.${rootDomain} = {
onlySSL = true; onlySSL = true;
enableACME = true; useACMEHost = "${rootDomain}";
root = "/var/www/todo"; root = "/var/www/todo";
}; };
virtualHosts.${gtnhDomain} = { virtualHosts.${gtnhDomain} = {
@ -140,11 +144,15 @@ in
acceptTerms = true; acceptTerms = true;
defaults.email = "lgmrszd@disroot.org"; defaults.email = "lgmrszd@disroot.org";
certs.${rootDomain} = { certs.${rootDomain} = {
# domain = "*.${rootDomain}";
dnsProvider = "porkbun";
environmentFile = config.sops.secrets.porkbun.path;
extraDomainNames = [ extraDomainNames = [
gtnhDomain "*.${rootDomain}"
akkoDomain # gtnhDomain
iceDomain # akkoDomain
discDomain # iceDomain
# discDomain
]; ];
}; };
}; };

14
secrets/porkbun.env Normal file
View file

@ -0,0 +1,14 @@
#ENC[AES256_GCM,data:QtPfbzdPdADup2eK3ndD9OQ=,iv:Rh4WvqtmhloQP141pLt6Nml6NIhe6OFJzJBsJlcktno=,tag:z6YJcuDJ+cbrt4pTKRv4JA==,type:comment]
PORKBUN_SECRET_API_KEY=ENC[AES256_GCM,data:U1x8/saUkyE/6YzoVmUcYeKCe7JACJb0LBOZUFTT6pRmBs4VHgRQnoA/oL2lzmojtQL1VEcYhlhAANQb6F+hlYZnF8k=,iv:KrARR9Xv18hg2YiWEgStveEvDcxiEwwJWT1W6NNrlz8=,tag:seUpwyy1jJUKWsgaq8W/rw==,type:str]
PORKBUN_API_KEY=ENC[AES256_GCM,data:aP+99C3quMNyoVvuU+JkkLIqgTTI3dL+LtARSpycvFysaEj5hha7yR6PoXJGKf4Wc7RmDz5NKN/ad3ro8kZX9lZ2ofI=,iv:D/wyJZBsXr0BjUvC7o0VzFdRDymT8rBuvulUv7qjEIg=,tag:yHxwDtVQ8dCNORM3/XiZvA==,type:str]
sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHdGhOUVNxN1cxVXZNR1FD\nVnFaZllEZ1ZNVUN5a0NYR1ZiYUFzMVlLMUJBCjN1UENJSHRwTGhTWXI3M1YvcmJi\nTk5ldDM4UUxnMFNCREhlUEJrbUlTTUUKLS0tIFJ0ajRqbUdQNkRzWE0rSlFqbEtn\nNTFTb29zT1hZUEx2VkROQndVS2tuL0UKMywal3iyD1hP3ze4z5F/x0WWZg7M/bBD\n8gazBMeDc6BhEl5gyibmMRj/GJpWHKE+Z9DIFke1w3i/7/He5UKLyA==\n-----END AGE ENCRYPTED FILE-----\n
sops_age__list_0__map_recipient=age1acgqxvyczgsamz53z3v0gmahzfxlg9tscwnrgcxrfndgxhsvn3vs4ss5tk
sops_age__list_1__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCMW5ZZC9RTG1DV0Y0UWpm\nS1ZhcDV3WW8zcWczZCtyZnhTRitUaEZ6SWhRCloyTUhRMXZmTXpXWFhiWEJQODRq\nZ3N0NThlT0pZazRhTk5sY0ZFUXFUWWMKLS0tIGNaNjMxb0RpWWRBK25wNFI0UElC\nZkw4TjBneDAvZjdXRzJRR2RiT2RJSlEKz4gM+YVkJq/XgHzU40kaEM8JuBuwWxOF\n3faSazb6GSvIYISMI5yNpI8c46kCzPfowjsHmTEoYloxI9CKW2k/Tw==\n-----END AGE ENCRYPTED FILE-----\n
sops_age__list_1__map_recipient=age1xrzl49tvnatuu55xu5av6xcxyhrakd7mkzl5kz30kqqaxvh2m3sqax8jeu
sops_lastmodified=2024-02-18T12:13:05Z
sops_mac=ENC[AES256_GCM,data:o75BQJu3bAE+caTWz4aSCi+fBFzb5f/PAL6fgf51kZK1Qbs/qwFue6jNOjEfEECbAz6MMalUCCw/2c7IKrybsWlx6/BY74KIAvSGpmuW2Eh4RUAZAu9K+3udk7rDCRWBh745j64TX4Phk/VkYRAtaRN1Lr1cZwk3ULkZP/lQbik=,iv:EvG+pPb8gXv9UHfiAg+5AcBvhvIkftjc735zRBYAMdI=,tag:owf4pj/9ND24rN9+Z9HOMQ==,type:str]
sops_pgp__list_0__map_created_at=2024-02-18T12:04:47Z
sops_pgp__list_0__map_enc=-----BEGIN PGP MESSAGE-----\n\nhF4DrTkQq20WUVESAQdAXpQv1r53C+1WjwS3fyFBKoIGTkPgF7dtYGGqPUrpKmIw\ntwx5s7tauIKm0oXNMHoPi0D0D1eXrwQPLXS15DnSnpohNgrsRxtHT2jDnq0ge6hB\n1GYBCQIQ2JgMFQcOWzQUcdfaVgbpmiiaT/Fiy41NX27MxFMhpgP3YTzgkjquSy5j\n64aOsZIByXfE4BXq3bubHaDlj3jvqqymB3dHqb9JXJTmfZf7Ld811FgPOY0w7b42\n8XAxAYYmRDk=\n=Ve8O\n-----END PGP MESSAGE-----
sops_pgp__list_0__map_fp=D3067BE844D3FC49535A47B29396B8BA6FBB14DE
sops_unencrypted_suffix=_unencrypted
sops_version=3.8.1