authorFranck Cuny <franck@fcuny.net>2025-11-20 10:35:18 -0800
committerFranck Cuny <franck@fcuny.net>2025-11-20 10:35:18 -0800
commit938db48a818a5c0629ee8111934b7d928f3a6900 (patch)
treeb67cfcc2956562b1d9487b0f19c7faea7e894ef1
parentconfigure backups correctly (diff)
downloadinfra-938db48a818a5c0629ee8111934b7d928f3a6900.tar.gz
move acme configurations to a profile
Clean up API keys for Cloudflare.
-rw-r--r--machines/nixos/x86_64-linux/do-rproxy.nix31
-rw-r--r--profiles/acme.nix13
-rw-r--r--secrets/cloudflare-env.agebin0 -> 526 bytes
-rw-r--r--secrets/cloudflare-nginx.age7
-rw-r--r--secrets/cloudflared_cert.agebin868 -> 0 bytes
-rw-r--r--secrets/cloudflared_cragmont.agebin502 -> 0 bytes
-rw-r--r--secrets/secrets.nix3
7 files changed, 17 insertions, 37 deletions
diff --git a/machines/nixos/x86_64-linux/do-rproxy.nix b/machines/nixos/x86_64-linux/do-rproxy.nix
index da606b6..70dd15e 100644
--- a/machines/nixos/x86_64-linux/do-rproxy.nix
+++ b/machines/nixos/x86_64-linux/do-rproxy.nix
@@ -1,6 +1,7 @@
{ config, adminUser, ... }:
{
imports = [
+ ../../../profiles/acme.nix
../../../profiles/cgroups.nix
../../../profiles/defaults.nix
../../../profiles/disk/basic-vm.nix
@@ -9,16 +10,7 @@
../../../profiles/server.nix
];
- age = {
- secrets = {
- cloudflare-nginx = {
- file = ../../../secrets/cloudflare-nginx.age;
- };
- wireguard = {
- file = ../../../secrets/do/wireguard.age;
- };
- };
- };
+ age.secrets.wireguard.file = ../../../secrets/do/wireguard.age;
disko.devices.disk.disk1.device = "/dev/vda";
@@ -57,25 +49,6 @@
443
];
- security.acme = {
- acceptTerms = true;
- defaults.email = "franck@fcuny.net";
- certs = {
- "code.fcuny.net" = {
- dnsProvider = "cloudflare";
- dnsResolver = "1.1.1.1";
- reloadServices = [ "nginx.service" ];
- credentialFiles.CF_DNS_API_TOKEN_FILE = config.age.secrets."cloudflare-nginx".path;
- };
- "fcuny.net" = {
- dnsProvider = "cloudflare";
- dnsResolver = "1.1.1.1";
- reloadServices = [ "nginx.service" ];
- credentialFiles.CF_DNS_API_TOKEN_FILE = config.age.secrets."cloudflare-nginx".path;
- };
- };
- };
-
services.nginx = {
enable = true;
recommendedProxySettings = true;
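Review bot: The deleted `certs` entries were the only visible place that requested certificates for `code.fcuny.net` and `fcuny.net` and set `reloadServices = [ "nginx.service" ]`; the new profile sets only `security.acme.defaults` and declares no certs, so after this change those certificates are issued only if the corresponding nginx `virtualHosts` set `enableACME = true` (which also wires the nginx reload) or `useACMEHost`. The `services.nginx` block that would show this continues outside the hunk, so this cannot be confirmed here. Worth checking the evaluated `config.security.acme.certs` attribute names for this host before deploying, so the renewal timers do not silently disappear along with the explicit entries.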
diff --git a/profiles/acme.nix b/profiles/acme.nix
new file mode 100644
index 0000000..4bdadad
--- /dev/null
+++ b/profiles/acme.nix
@@ -0,0 +1,13 @@
+{ config, ... }:
+{
+
+ age.secrets.cloudflare-env.file = ../secrets/cloudflare-env.age;
+
+ security.acme.acceptTerms = true;
+ security.acme.defaults = {
+ email = "franck@fcuny.net";
+ dnsResolver = "1.1.1.1:53";
+ dnsProvider = "cloudflare";
+ credentialsFile = config.age.secrets.cloudflare-env.path;
+ };
+}
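Review bot: `credentialsFile` is consumed as an environment file, so `cloudflare-env.age` must decrypt to `KEY=value` lines (e.g. `CF_DNS_API_TOKEN=…`) rather than the bare token that the old `credentialFiles.CF_DNS_API_TOKEN_FILE` path read, and nothing in the profile records that contract for whoever rotates the token next. A header comment would cover it, e.g. `# Shared ACME defaults: DNS-01 via Cloudflare. cloudflare-env.age is a lego env file (CF_DNS_API_TOKEN=<zone-scoped token>) decrypted on every host importing this profile.` The agenix secret is declared with default ownership (root-only), which works only if the renewal unit reads the file with root privileges (systemd `EnvironmentFile`) rather than as the `acme` user — I believe that is how the NixOS module handles `credentialsFile`, but confirm on the first renewal run. Since every host importing this profile decrypts the same token, also consider whether the token's zone scope should be narrowed per host.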
diff --git a/secrets/cloudflare-env.age b/secrets/cloudflare-env.age
new file mode 100644
index 0000000..be85fa3
--- /dev/null
+++ b/secrets/cloudflare-env.age
Binary files differ
diff --git a/secrets/cloudflare-nginx.age b/secrets/cloudflare-nginx.age
deleted file mode 100644
index 223f5a8..0000000
--- a/secrets/cloudflare-nginx.age
+++ /dev/null
@@ -1,7 +0,0 @@
-age-encryption.org/v1
--> ssh-ed25519 pFjJaA +DQXHEd8gCVRAxfFOyviaAQb77mlavC/gXpjLKmp4UY
-axtftBxKlDVAIshVpcgDfDf1GpwIb4P7KRn0pNwjrhY
--> ssh-ed25519 8Nmf6A LGX7dma79uy2cwKHid4ifHdDxf9GlYnK0kIVIzlhECw
-ouZigorzxEx+BbkbElk6RFlHCECrItejNqfMzjyr8MM
---- RhSuIz18cWaUImJoXGF6MbyGFBYN4CDqyLQptcIXNcY
-?v26b-9&!<\^fSzЖa9QD:x њ3%1_$֝E:|" \ No newline at end of file
diff --git a/secrets/cloudflared_cert.age b/secrets/cloudflared_cert.age
deleted file mode 100644
index cd411fe..0000000
--- a/secrets/cloudflared_cert.age
+++ /dev/null
Binary files differ
diff --git a/secrets/cloudflared_cragmont.age b/secrets/cloudflared_cragmont.age
deleted file mode 100644
index 94b82ab..0000000
--- a/secrets/cloudflared_cragmont.age
+++ /dev/null
Binary files differ
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 2b6022b..0204f4f 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -10,8 +10,9 @@ let
};
in
{
- "cloudflare-nginx.age".publicKeys = [
+ "cloudflare-env.age".publicKeys = [
users.fcuny
+ hosts.rivendell
hosts.do
];
"restic-pw.age".publicKeys = [
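Review bot: `cloudflare-env.age` is now decryptable by both `hosts.rivendell` and `hosts.do`, so one Cloudflare API token is shared by two machines and a compromise of either host yields DNS-edit rights for every zone that token covers. If the two hosts serve different names, a per-host secret (`cloudflare-env-do.age`, `cloudflare-env-rivendell.age`), each holding a token scoped to only that host's zone, keeps the blast radius to one machine. The removed `cloudflare-nginx.age` ciphertext also remains in git history; that only matters if a recipient key is ever compromised, but given the commit describes cleaning up API keys, make sure the previous token was revoked in Cloudflare and not just dropped from the repo.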