From 151104d696df71377687995768cc52429e2d95e0 Mon Sep 17 00:00:00 2001
From: cnst
Date: Thu, 17 Jul 2025 17:11:23 +0200
Subject: [PATCH] derp 4

---
 modules/nixos/services/agenix/default.nix |  1 +
 modules/server/caddy/default.nix          | 33 +++++++++-------------
 modules/server/vaultwarden/default.nix    |  2 +-
 secrets/cloudflareDnsApiToken.age         | Bin 0 -> 605 bytes
 secrets/secrets.nix                       |  1 +
 5 files changed, 17 insertions(+), 20 deletions(-)
 create mode 100644 secrets/cloudflareDnsApiToken.age

diff --git a/modules/nixos/services/agenix/default.nix b/modules/nixos/services/agenix/default.nix
index d7f9207d..50fa65c2 100644
--- a/modules/nixos/services/agenix/default.nix
+++ b/modules/nixos/services/agenix/default.nix
@@ -58,6 +58,7 @@ in {
     (mkIf cfg.sobotka.enable {
       secrets = {
         cloudflareFirewallApiKey.file = "${self}/secrets/cloudflareFirewallApiKey.age";
+        cloudflareDnsApiToken.file = "${self}/secrets/cloudflareDnsApiToken.age";
         vaultwardenCloudflared.file = "${self}/secrets/vaultwardenCloudflared.age";
         vaultwarden-env.file = "${self}/secrets/vaultwarden-env.age";
       };
diff --git a/modules/server/caddy/default.nix b/modules/server/caddy/default.nix
index 91a1accb..831df77c 100644
--- a/modules/server/caddy/default.nix
+++ b/modules/server/caddy/default.nix
@@ -12,11 +12,6 @@ in {
     server.caddy.enable = mkEnableOption "Enables caddy";
   };
   config = mkIf cfg.enable {
-    age.secrets.cloudflare-env = {
-      file = "${self}/secrets/cloudflare-env.age";
-      owner = "caddy";
-      mode = "400";
-    };
     networking.firewall = let
       ports = [80 443];
     in {
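Review bot: The new `cloudflareDnsApiToken` secret is declared only inside the `(mkIf cfg.sobotka.enable { ... })` block, while the second caddy hunk in modules/server/caddy/default.nix (`@@ -24,20 +19,20 @@`) reads `config.age.secrets.cloudflareDnsApiToken.path` unconditionally whenever `server.caddy.enable` is set. On a host that enables caddy without `sobotka.enable`, evaluation fails with a missing attribute, and the error will most likely point at the caddy module rather than here. The first caddy hunk removes exactly the co-located declaration that used to rule this out (`age.secrets.cloudflare-env = { ... }` inside `config = mkIf cfg.enable`), so the least surprising fix is to declare the secret next to its consumer again, e.g. `age.secrets.cloudflareDnsApiToken.file = "${self}/secrets/cloudflareDnsApiToken.age";` in the caddy module (`self` is already in scope there), or to state the dependency through an assertion. The `secrets = { ... }` attrset is complete in the hunk, but the enclosing module body starts before it.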
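Review bot: The removed `age.secrets.cloudflare-env` block pinned `owner = "caddy"` and `mode = "400"`, and the replacement declaration in modules/nixos/services/agenix/default.nix sets only `.file`, so the token file now falls back to agenix's defaults (root-owned, mode 0400 unless overridden). That is probably the right outcome — the token is consumed by the ACME renewal service through `environmentFile`, which the NixOS ACME module hands to systemd as `EnvironmentFile` and which, as far as I recall, the service manager reads before dropping privileges, so caddy itself never needs read access — but it is a silent change of intent and deserves a comment at the new reference, e.g. `# read by the acme-<cert>.service unit via EnvironmentFile; keep agenix defaults (root:root 0400), caddy never reads it`. Separately, nothing in this diff retires `secrets/cloudflare-env.age`: the diffstat shows `secrets/secrets.nix` only gaining a line, so if the old env file is now unreferenced it should be deleted and the token it held rotated, since it presumably remains decryptable by every recipient key listed in secrets.nix. The `config = mkIf cfg.enable { ... }` body continues past the hunk.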
@@ -24,20 +19,20 @@ in {
       allowedUDPPorts = ports;
     };
 
-    # security.acme = {
-    #   acceptTerms = true;
-    #   defaults.email = config.server.email;
-    #   certs.${config.server.domain} = {
-    #     reloadServices = ["caddy.service"];
-    #     domain = "${config.server.domain}";
-    #     extraDomainNames = ["*.${config.server.domain}"];
-    #     dnsProvider = "cloudflare";
-    #     dnsResolver = "1.1.1.1:53";
-    #     dnsPropagationCheck = true;
-    #     group = config.services.caddy.group;
-    #     environmentFile = config.age.secrets.cloudflare-env.path;
-    #   };
-    # };
+    security.acme = {
+      acceptTerms = true;
+      defaults.email = config.server.email;
+      certs.${config.server.domain} = {
+        reloadServices = ["caddy.service"];
+        domain = "${config.server.domain}";
+        extraDomainNames = ["*.${config.server.domain}"];
+        dnsProvider = "cloudflare";
+        dnsResolver = "1.1.1.1:53";
+        dnsPropagationCheck = true;
+        group = config.services.caddy.group;
+        environmentFile = config.age.secrets.cloudflareDnsApiToken.path;
+      };
+    };
 
     services.caddy = {
       enable = true;
diff --git a/modules/server/vaultwarden/default.nix b/modules/server/vaultwarden/default.nix
index 6d8856ec..903337af 100644
--- a/modules/server/vaultwarden/default.nix
+++ b/modules/server/vaultwarden/default.nix
@@ -15,7 +15,7 @@ in {
     enable = mkEnableOption "Enables vaultwarden";
     url = lib.mkOption {
       type = lib.types.str;
-      default = "vault.${cfg.domain}";
+      default = "${cfg.domain}";
     };
     cloudflared = {
       credentialsFile = lib.mkOption {
diff --git a/secrets/cloudflareDnsApiToken.age b/secrets/cloudflareDnsApiToken.age
new file mode 100644
index 0000000000000000000000000000000000000000..78eb006f280031d33357252490d602e343a3884d
GIT binary patch
literal 605
zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCSHvCQ;$O;@lm4lfJ0
zv`9BJHZBXuF7YwaFH4HBaLaS?2&-~3sPK;p$qdv^N%YFe3FIoVD99~zE>HE3%6H5U
z4=Suoip(-M^YSwH@-;T~^~kL#vh)f{3UJKM_C&YMJ2cYQ%~2sNDmmZLG%d)*sU#x5
z$i&kuJG?lcG|01}D6>4>Ks!9$J2bI8Io~{~(tyjr&?MP2pfW5k)YH=4s3b5o+|(?@
z-6pQ!LGGq>W>
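Review bot: `domain = "${config.server.domain}";` interpolates a string that already is the value; `domain = config.server.domain;` says the same thing without the quoting. More substantively, nothing in this hunk ties the issued certificate to Caddy: `security.acme` writes the files to the cert's directory (`config.security.acme.certs.<name>.directory`, by default under `/var/lib/acme/<name>`) and `group = config.services.caddy.group` makes them readable, but unless the `services.caddy` block that begins at the bottom of the hunk and continues outside it points its `tls` directive at those files, Caddy will by default keep obtaining its own certificate through its built-in ACME flow and the wildcard issued here goes unused. A short comment next to `group`/`reloadServices` naming the consumer would make the intent checkable, e.g. `# used by services.caddy: tls /var/lib/acme/${config.server.domain}/fullchain.pem and key.pem; reloadServices keeps the loaded cert current`.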
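Review bot: `default = "${cfg.domain}";` wraps a plain string in an interpolation to no effect; `default = cfg.domain;` is the equivalent, clearer form (the removed line needed the interpolation only for the `vault.` prefix). The behavioural change — the Vaultwarden `url` option now defaulting to the apex instead of `vault.<domain>` — is not mirrored anywhere else in the diff, so if a cloudflared tunnel ingress rule, a DNS record or the Caddy site for the new wildcard certificate still expects the `vault.` host, the option value and the actual route diverge; the other sides of that mapping are outside this diff and worth confirming. If this option ends up in Vaultwarden's `DOMAIN` setting, note that it expects a full origin including the scheme, which a bare domain is not; a one-line comment on the option stating whether a scheme is expected would settle that for the next reader.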