feat: ACME cert service through DNS-01 challenge

agenix-config-module.nix

@@ -0,0 +1,4 @@
+{
+  age.secrets.samsehu_NFSN_API_KEY.file = ./secrets/samsehu_NFSN_API_KEY.age;
+  age.secrets.samsehu_NFSN_LOGIN.file = ./secrets/samsehu_NFSN_LOGIN.age;
+}

configuration.nix

@@ -127,6 +127,20 @@
     };
   };
 
+  # ACME client service for configuring SSL certificate
+  security.acme = {
+    acceptTerms = true;
+    defaults.email = "fresh.car0178@geemili.xyz";
+    certs."samsehu.perli.casa" = {
+      domain = "samsehu.perli.casa";
+      dnsProvider = "nearlyfreespeech";
+      credentialFiles = {
+        "NEARLYFREESPECH_API_KEY" = config.age.secrets.samsehu_NFSN_API_KEY.path;
+        "NEARLYFREESPECH_LOGIN" = config.age.secrets.samsehu_NFSN_LOGIN.path;
+      };
+    };
+  };
+
   # Enable automatic upgrades
   system.autoUpgrade.enable = true;
   system.autoUpgrade.allowReboot = true;
@@ -160,8 +174,10 @@
     # Blocky DNS
     53
   ];
-  # Or disable the firewall altogether.
+
-  # networking.firewall.enable = false;
+  # Use systemd-resolved and set networkmanager to allow mdns
+  services.resolved.enable = true;
+  networking.networkmanager.connectionConfig."connection.mdns" = 2; # 2 == yes
 
   # Copy the NixOS configuration file and link it from the resulting system
   # (/run/current-system/configuration.nix). This is useful in case you

flake.lock

@@ -0,0 +1,109 @@
+{
+  "nodes": {
+    "agenix": {
+      "inputs": {
+        "darwin": "darwin",
+        "home-manager": "home-manager",
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "systems": "systems"
+      },
+      "locked": {
+        "lastModified": 1703433843,
+        "narHash": "sha256-nmtA4KqFboWxxoOAA6Y1okHbZh+HsXaMPFkYHsoDRDw=",
+        "owner": "ryantm",
+        "repo": "agenix",
+        "rev": "417caa847f9383e111d1397039c9d4337d024bf0",
+        "type": "github"
+      },
+      "original": {
+        "owner": "ryantm",
+        "repo": "agenix",
+        "type": "github"
+      }
+    },
+    "darwin": {
+      "inputs": {
+        "nixpkgs": [
+          "agenix",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1700795494,
+        "narHash": "sha256-gzGLZSiOhf155FW7262kdHo2YDeugp3VuIFb4/GGng0=",
+        "owner": "lnl7",
+        "repo": "nix-darwin",
+        "rev": "4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d",
+        "type": "github"
+      },
+      "original": {
+        "owner": "lnl7",
+        "ref": "master",
+        "repo": "nix-darwin",
+        "type": "github"
+      }
+    },
+    "home-manager": {
+      "inputs": {
+        "nixpkgs": [
+          "agenix",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1703113217,
+        "narHash": "sha256-7ulcXOk63TIT2lVDSExj7XzFx09LpdSAPtvgtM7yQPE=",
+        "owner": "nix-community",
+        "repo": "home-manager",
+        "rev": "3bfaacf46133c037bb356193bd2f1765d9dc82c1",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "home-manager",
+        "type": "github"
+      }
+    },
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1703467016,
+        "narHash": "sha256-/5A/dNPhbQx/Oa2d+Get174eNI3LERQ7u6WTWOlR1eQ=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "d02d818f22c777aa4e854efc3242ec451e5d462a",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-23.11",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "root": {
+      "inputs": {
+        "agenix": "agenix",
+        "nixpkgs": "nixpkgs"
+      }
+    },
+    "systems": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    }
+  },
+  "root": "root",
+  "version": 7
+}

flake.nix

@@ -0,0 +1,20 @@
+{
+  inputs = {
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-23.11";
+    agenix = {
+      url = "github:ryantm/agenix";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+  };
+
+  outputs = { self, nixpkgs, agenix }: {
+    nixosConfigurations.samsehu = nixpkgs.lib.nixosSystem {
+      system = "x86_64-linux";
+      modules = [
+        ./agenix-config-module.nix
+        ./configuration.nix
+        agenix.nixosModules.default
+      ];
+    };
+  };
+}

secrets/samsehu_NFSN_API_KEY.age

@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 yXNDbw fIJwXjhuKTVLjQXxRAzkcXQR5sIrfbNYlyDJHeQjDgE
+/zdUzjnkojy5zTynh2dh3YAowIzBc630tsJnsRC9fJA
+-> ssh-ed25519 BTX+xA 1xfWcwHEzRm+pAYtjsimUelhjPzX2ftXCqTT8ZC5Ai4
+ev6pWXEMB/5r5lvGIXnwb/5Y+y+KtF+82kXQsW27L8Q
+--- TmO1kU6MHMyRRScZ4JFs67Dt8PNeuT900kEZFgB/+hM
+/g`Þ‡”WU±»=#¾©É¬Þ >}ºb™—~xE]Ü´'îï<>…$’¸‹[”‚ÄåÎ

secrets/samsehu_NFSN_LOGIN.age

@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 yXNDbw 62eQ1z2NUFkXLhNo7Cu++sLJC544LuGO9pF78eDqyBA
+FDhNUIerQRbCAK4YWjRw7pws2m7ohalSy08BuWDQhUM
+-> ssh-ed25519 BTX+xA lzBif7+dwdtGCHugVucaPNIxXnPkeJt0NbXwggs4UAg
+eReSeftMwXfV3hKmgpdNP1uI/sCJqe8ReYZCnkvd1zc
+--- u61FruBB1mBYUUpjsvOgZVfdMC8QnX6Mm7QXUGMjWt8
+Þè²bБ戛ó^?‹ ?%0ZÒ81àx•ÀÙݽ04@›5vöŽ<C3B6>

secrets/secrets.nix

@@ -0,0 +1,10 @@
+let
+  geemili_aitxero = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHAVxN0eFU4VyBIQB8/Z5oiAW119xfaCfxl5K7AdfoZ7";
+  geemili = [ geemili_aitxero ];
+
+  samsehu = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIRkyyUcmLsnX0oo1QzGeyPEqIc/i4ExcZClVoERggl9";
+in
+{
+  "samsehu_NFSN_API_KEY.age".publicKeys = geemili ++ [ samsehu ];
+  "samsehu_NFSN_LOGIN.age".publicKeys = geemili ++ [ samsehu ];
+}