From e72a6620e2a38480d03cdb893879520feccaad7b Mon Sep 17 00:00:00 2001
From: John Bargman
Date: Sat, 21 Feb 2026 23:36:19 +0000
Subject: fixup
---
services/acme_server.nix | 23 +++++++++++++++++++++++
1 file changed, 23 insertions(+)
create mode 100644 services/acme_server.nix
(limited to 'services/acme_server.nix')
diff --git a/services/acme_server.nix b/services/acme_server.nix
new file mode 100644
index 0000000..bd6961b
--- /dev/null
+++ b/services/acme_server.nix
@@ -0,0 +1,23 @@
+{ fqdn }: { pkgs, config, lib, ... }:
+let
+ inherit fqdn;
+in
+{
+ users.groups.acme = { };
+
+ /* trigger the actual certificate generation for additional hostname */
+ security.acme.certs."${fqdn}" = {
+ extraDomainNames = [ "mail.crashoverburn.com"];
+ };
+
+ secrix.system.secrets.dns01.encrypted.file = ../secrets/gandi_dns01_token;
+ # Configure ACME appropriately
+ security.acme.acceptTerms = true;
+ security.acme.defaults = {
+ dnsProvider = "gandiv5";
+ group = "acme";
+ environmentFile = config.secrix.system.secrets.dns01.decrypted.path;
+ # We don't need to wait for propagation since this is a local DNS server
+ dnsPropagationCheck = false;
+ };
+}
--
cgit v1.2.3
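Review bot: The comment above `dnsPropagationCheck = false;` says the zone is on a local DNS server, but `dnsProvider = "gandiv5"` publishes the DNS-01 TXT record through Gandi's hosted API, so the stated reason for skipping the check does not match the configured provider. With the check off, the client can ask the CA to validate before the record is visible on the authoritative servers, and repeated failed validations can leave `mail.crashoverburn.com` on an expired certificate. Unless the authoritative servers for this zone really are local (not visible in this file), drop the line so the default propagation check applies, or correct the comment to state the actual reason. Separately, `group = "acme"` in `security.acme.defaults` makes every issued private key readable by members of that group, so a short comment such as `# key material is group-readable: add only TLS-terminating services to "acme"` would help.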