From 5366c48991c9059883dae4adcd4e6ed6a399f3ca Mon Sep 17 00:00:00 2001
From: andromeda
Date: Fri, 2 Jan 2026 20:21:46 +0100
Subject: [PATCH] use nginx for acme

---
 machines/109-199-104-83/configuration.nix | 68 +++-------------------
 1 file changed, 9 insertions(+), 59 deletions(-)

diff --git a/machines/109-199-104-83/configuration.nix b/machines/109-199-104-83/configuration.nix
index 7e170ee..1ec2aa7 100644
--- a/machines/109-199-104-83/configuration.nix
+++ b/machines/109-199-104-83/configuration.nix
@@ -2,86 +2,36 @@
 config,
 modulesPath,
 machine,
- pkgs,
 ...
-}: {
+}: rec {
 # mailserver config
 mailserver = {
 enable = true;
 stateVersion = 3;
- fqdn = "mail.galaxious.de";
- domains = ["galaxious.de"];
+ fqdn = "mail.${networking.domain}";
+ domains = ["${networking.domain}"];
 x509.useACMEHost = config.mailserver.fqdn;
 loginAccounts = {
- "test@galaxious.de" = {
+ "test@${networking.domain}" = {
 hashedPasswordFile = builtins.toString config.age.secrets.secret3.path;
 };
 };
 };
 # cert config
- # systemctl start galaxious.de.service & journalctl -fu acme-galaxious.de.service
 security.acme = {
 acceptTerms = true;
 defaults.email = "mtgmonket@gmail.com";
- certs."mail.galaxious.de" = {
- domain = "mail.galaxious.de";
- dnsProvider = "rfc2136";
- environmentFile = "/var/lib/secrets/certs.secret";
- dnsPropagationCheck = false;
- };
 };
- services.bind = {
+ services.nginx = {
 enable = true;
- extraConfig = ''
- include "/var/lib/secrets/dnskeys.conf";
- '';
- zones = [
- rec {
- name = "galaxious.de";
- file = "/var/db/bind/${name}";
- master = true;
- extraConfig = "allow-update { key rfc2136key.galaxious.de; };";
- }
- ];
- };
- systemd.services.dns-rfc2136-conf = {
- requiredBy = [
- "acme-galaxious.de.service"
- "bind.service"
- ];
- before = [
- "acme-galaxious.de.service"
- "bind.service"
- ];
- unitConfig = {
- ConditionPathExists = "!/var/lib/secrets/dnskeys.conf";
+ virtualHosts."mail.${networking.domain}" = {
+ forceSSL = true;
+ enableACME = true;
 };
- serviceConfig = {
- Type = "oneshot";
- UMask = 77;
- };
- path = [pkgs.bind];
- script = ''
- mkdir -p /var/lib/secrets
- chmod 755 /var/lib/secrets
- tsig-keygen rfc2136key.galaxious.de > /var/lib/secrets/dnskeys.conf
- chown named:root /var/lib/secrets/dnskeys.conf
- chmod 400 /var/lib/secrets/dnskeys.conf
-
- # extract secret value from the dnskeys.conf
- while read x y; do if [ "$x" = "secret" ]; then secret="''${y:1:''${#y}-3}"; fi; done < /var/lib/secrets/dnskeys.conf
-
- cat > /var/lib/secrets/certs.secret << EOF
- RFC2136_NAMESERVER='127.0.0.1:53'
- RFC2136_TSIG_ALGORITHM='hmac-sha256.'
- RFC2136_TSIG_KEY='rfc2136key.galaxious.de'
- RFC2136_TSIG_SECRET='$secret'
- EOF
- chmod 400 /var/lib/secrets/certs.secret
- '';
 };
+ # system config
 system.stateVersion = "25.11";
 nix.settings.experimental-features = ["flakes" "nix-command"];
 imports = [(modulesPath + "/profiles/qemu-guest.nix")];