feat(linkal): Start setting up DNS-01 verification on *.cal.dgnum.eu

machines/web01/linkal/default.nix

@@ -1,11 +1,11 @@
 _:
 
 let
-  host = "linkal.dgnum.eu";
+  host = "cal.dgnum.eu";
 
   calendarGroups = {
     luj-current = {
-      port = 8443;
+      port = 8444;
       calendars = {
         "https://cloud.eleves.ens.fr/remote.php/dav/public-calendars/LLWm8qK9iC5YGrrR" = {
           name = "Délégation Générale";

machines/web01/linkal/module.nix

@@ -47,25 +47,54 @@ in {
         };
       }) cfg.calendarGroups;
 
+    # Configure bind for DNS certificate validation on *.cal.dgnum.eu.
+    services.bind = {
+      enable = true;
+      ipv4Only = true;
+      extraConfig = ''
+        include "${config.age.secrets."named-bind_dnskeys_conf".path}";
+      '';
+
+      zones = [rec {
+        name = "cal.dgnum.eu";
+        file = "/var/db/bind/${name}";
+        master = true;
+        extraConfig = ''
+          allow-update { key "rfc2136key.cal.dgnum.eu"; };
+        '';
+      }];
+    };
+
+    networking.firewall = {
+      allowedTCPPorts = [ 53 ];
+      allowedUDPPorts = [ 53 ];
+    };
+
+    dgn-secrets.options = [{ named-bind_dnskeys_conf.owner = "named"; }];
+
+    # Configure ACME for DNS certificate validation
+    security.acme = {
+      acceptTerms = true;
+      defaults = {
+        dnsProvider = "rfc2136";
+        credentialsFile = config.age.secrets."acme-certs_secret".path;
+        dnsPropagationCheck = false;
+      };
+    };
+
     services.nginx = {
       enable = true;
 
-      virtualHosts.${cfg.domain} = {
+      virtualHosts = mapAttrs' (name:
-        enableACME = true;
+        { port, ... }:
-        forceSSL = true;
+        nameValuePair "${name}.${cfg.domain}" {
+          enableACME = true;
+          acmeRoot = null; # Use DNS-01 validation
+          forceSSL = true;
 
-        locations = mapAttrs' (name:
+          locations."/".proxyPass =
-          { port, ... }:
+            "http://127.0.0.1:${builtins.toString port}/";
-          nameValuePair "^~ /${name}" {
+        }) cfg.calendarGroups;
-            proxyPass = "http://127.0.0.1:${builtins.toString port}/";
-            # extraConfig = ''
-            #   proxy_set_header    X-Real-IP  $remote_addr;
-            #   proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
-            #   proxy_set_header    Host $host;
-            #   proxy_redirect      off;
-            # '';
-          }) cfg.calendarGroups;
-      };
     };
   };
 }

machines/web01/secrets/secrets.nix

@@ -1,9 +1,9 @@
 let
   lib = import ../../../lib { };
   publicKeys = lib.getNodeKeys "web01";
-in
+in lib.setDefault { inherit publicKeys; } [
-
+  "acme-certs_secret"
-lib.setDefault { inherit publicKeys; } [
+  "named-bind_dnskeys_conf"
   "plausible_admin-user-password-file"
   "plausible_secret-key-base-file"
   "plausible_release-cookie-file"