Switch ACME to DNS-01 challenge with auto-configured certificates

Changed certificate generation from HTTP-01 to DNS-01 challenge to support services behind Tailscale/CGNAT IPs. HTTP-01 challenges fail because Let's Encrypt cannot reach private Tailscale IPs (100.x.x.x) that Cloudflare DNS points to. Changes: - Pre-configure certificates in security.acme.certs using DNS-01 via Cloudflare - Auto-generate certificate configs from shared/services.nix - Alexandria: filters services with host == "alexandria" - Trantor: filters services with host == "trantor" - Updated mkNginxVHosts to use useACMEHost instead of enableACME - Each domain gets its own certificate configured with DNS-01 challenge This ensures all services get valid Let's Encrypt certificates even when accessible only through Tailscale or private networks. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-08 22:53:18 -03:00 · 2025-11-08 22:53:18 -03:00 · 58fec03579
commit 58fec03579
parent 952a55f03d
3 changed files with 30 additions and 8 deletions
--- a/utils.nix
+++ b/utils.nix
@ -185,13 +185,15 @@ in
  mkNginxVHosts =
    { domains }:
    let
-      commonVHostConfig = {
-        enableACME = true;
-        forceSSL = true;
-        kTLS = true;
-      };
+      # Extract domain name and apply it as useACMEHost
+      mkVHostConfig = domain: config:
+        lib.recursiveUpdate {
+          useACMEHost = domain;
+          forceSSL = true;
+          kTLS = true;
+        } config;
    in
-    lib.mapAttrs (_: lib.recursiveUpdate commonVHostConfig) domains;
+    lib.mapAttrs mkVHostConfig domains;

  # Split DNS utilities for unbound
  # Generates unbound view config from a list of DNS entries