profiles/homeserver/acme.nix


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16

{ config, lib, ... }: with lib; {
  security.acme = {
    acceptTerms = true;
    defaults = {
      extraLegoFlags = [ "--dns.disable-cp" ];
      extraLegoRunFlags = ["--preferred-chain" "ISRG Root X1"];
      email = ivi.email;
      dnsProvider = "porkbun";
      environmentFile = config.secrets.porkbun.path;
    };
    certs."${ivi.domain}" = {
      # NOTE(ivi): use dns wildcard certs for local services
      domain = "*.${ivi.domain}";
    };
  };
}