fix(linkal): Use http-01 challenge for certificates

2023-10-02 21:18:40 +02:00 · 2023-10-02 21:18:40 +02:00 · 36c6859ef9
commit 36c6859ef9
parent 56cd177d3e
1 changed files with 34 additions and 34 deletions
--- a/machines/web01/linkal/module.nix
+++ b/machines/web01/linkal/module.nix
@ -48,39 +48,39 @@ in {
      }) cfg.calendarGroups;
    # Configure bind for DNS certificate validation on *.cal.dgnum.eu.
-    services.bind = {
+    # services.bind = {
-      enable = true;
+    #   enable = true;
-      ipv4Only = true;
+    #   ipv4Only = true;
-      extraConfig = ''
+    #   extraConfig = ''
-        include "${config.age.secrets."named-bind_dnskeys_conf".path}";
+    #     include "${config.age.secrets."named-bind_dnskeys_conf".path}";
-      '';
+    #   '';
-
+    #
-      zones = [rec {
+    #   zones = [rec {
-        name = "cal.dgnum.eu";
+    #     name = "cal.dgnum.eu";
-        file = "/var/db/bind/${name}";
+    #     file = "/var/db/bind/${name}";
-        master = true;
+    #     master = true;
-        extraConfig = ''
+    #     extraConfig = ''
-          allow-update { key "rfc2136key.cal.dgnum.eu"; };
+    #       allow-update { key "rfc2136key.cal.dgnum.eu"; };
-        '';
+    #     '';
-      }];
+    #   }];
-    };
+    # };
-
+    #
-    networking.firewall = {
+    # networking.firewall = {
-      allowedTCPPorts = [ 53 ];
+    #   allowedTCPPorts = [ 53 ];
-      allowedUDPPorts = [ 53 ];
+    #   allowedUDPPorts = [ 53 ];
-    };
+    # };
-
+    #
-    dgn-secrets.options = [{ named-bind_dnskeys_conf.owner = "named"; }];
+    # dgn-secrets.options = [{ named-bind_dnskeys_conf.owner = "named"; }];
-
+    #
-    # Configure ACME for DNS certificate validation
+    # # Configure ACME for DNS certificate validation
-    security.acme = {
+    # security.acme = {
-      acceptTerms = true;
+    #   acceptTerms = true;
-      defaults = {
+    #   defaults = {
-        dnsProvider = "rfc2136";
+    #     dnsProvider = "rfc2136";
-        credentialsFile = config.age.secrets."acme-certs_secret".path;
+    #     credentialsFile = config.age.secrets."acme-certs_secret".path;
-        dnsPropagationCheck = false;
+    #     dnsPropagationCheck = false;
-      };
+    #   };
-    };
+    # };
    services.nginx = {
      enable = true;
@ -89,7 +89,7 @@ in {
        { port, ... }:
        nameValuePair "${name}.${cfg.domain}" {
          enableACME = true;
-          acmeRoot = null; # Use DNS-01 validation
+          # acmeRoot = null; # Use DNS-01 validation
          forceSSL = true;
          locations."/".proxyPass =