From ce1c3352301a439f2b7c09842eee49308da0e1ea Mon Sep 17 00:00:00 2001
From: Simon Gardling <titaniumtown@proton.me>
Date: Thu, 9 Apr 2026 19:46:40 -0400
Subject: [PATCH] caddy: wildcard TLS via DNS-01 challenge + ddns-updater for
 Njalla

Build Caddy with the caddy-dns/njalla plugin to enable DNS-01 ACME
challenges. This issues a single wildcard certificate for
*.sigkill.computer instead of per-subdomain certificates, reducing
Let's Encrypt API calls and certificate management overhead.

Add ddns-updater service (nixpkgs services.ddns-updater) configured
with Njalla provider to automatically update DNS records when the
server's public IP changes.
---
 configuration.nix                |   2 ++
 modules/age-secrets.nix          |  14 ++++++++++++++
 secrets/ddns-updater-config.age  | Bin 0 -> 417 bytes
 secrets/njalla-api-token-env.age | Bin 0 -> 292 bytes
 services/caddy/caddy.nix         |  17 +++++++++++++++--
 services/ddns-updater.nix        |  14 ++++++++++++++
 6 files changed, 45 insertions(+), 2 deletions(-)
 create mode 100644 secrets/ddns-updater-config.age
 create mode 100644 secrets/njalla-api-token-env.age
 create mode 100644 services/ddns-updater.nix

diff --git a/configuration.nix b/configuration.nix
index 6bcd45e..79f0159 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -71,6 +71,8 @@
     ./services/mollysocket.nix
 
     ./services/harmonia.nix
+
+    ./services/ddns-updater.nix
   ];
 
   # Hosts entries for CI/CD deploy targets
diff --git a/modules/age-secrets.nix b/modules/age-secrets.nix
index d3d8912..cd43825 100644
--- a/modules/age-secrets.nix
+++ b/modules/age-secrets.nix
@@ -46,6 +46,20 @@
       group = "caddy";
     };
 
+    # Njalla API token (NJALLA_API_TOKEN=...) for Caddy DNS-01 challenge
+    njalla-api-token-env = {
+      file = ../secrets/njalla-api-token-env.age;
+      mode = "0400";
+      owner = "caddy";
+      group = "caddy";
+    };
+
+    # ddns-updater config.json with Njalla provider credentials
+    ddns-updater-config = {
+      file = ../secrets/ddns-updater-config.age;
+      mode = "0400";
+    };
+
     jellyfin-api-key = {
       file = ../secrets/jellyfin-api-key.age;
       mode = "0400";
diff --git a/secrets/ddns-updater-config.age b/secrets/ddns-updater-config.age
new file mode 100644
index 0000000000000000000000000000000000000000..1fe9a46fac88ac96ac13ef29a8300fa3b85367bf
GIT binary patch
literal 417
zcmZQ@_Y83kiVO&0_^@J;nHxis;DsFLfA{CPJ~0sW*H!DeQMyjzhS8pj8=7yqsOar>
z3|y`vUu*H}VQpDaK=zNj`_6@LHaUCtko&6%c2SEY6ZiX-sf*wFZt{<F&&<6Cy56pt
znJzD&{#kFrUB3LZWsC|b+A^$1I?8A4Y<A2uwoCafl=OUhM#{D)YtxM;lq+%eSgUQV
zJSEoOFEu09XZxPi#-)Fz3f6mF31Us@?-#Vve!HyT=*E|`F5c%nwajPMn`H++%~tO%
z4r+gw$!RKbv~1O%kh|A*d?-wO*tDmBZ|$*w(&PJD4!ONB*gwys&e}BI^(0Ttf&%m1
zvb9gUr!1~ma@(U}Ztc?cQ{J)1bL@WVR?IJ*71((5`xC*E7nh9o2xV{Ea{Iu>sj{WK
zen%%|d^xjf=Q;h(YnjRX?7s6poeSx-USrVjF+alLUs9v1X&9&Cgq`Ahx=Q+8?&iOk
zkazLe_0@|PJXn<UNI1j)&AhB<p5O0yiOWjXhwxZf1?}0JXIDAJI@G&qrYfUT@Q1`d
eU&ET7_b<y1y}YFBVf4MAec9<o&bOj1R{;PM4bOrA

literal 0
HcmV?d00001

diff --git a/secrets/njalla-api-token-env.age b/secrets/njalla-api-token-env.age
new file mode 100644
index 0000000000000000000000000000000000000000..d491b1cf442ead8c256822c2142ee6ac47e53842
GIT binary patch
literal 292
zcmZQ@_Y83kiVO&0=+!oTcDK7W@KspZ#PA8<IbU5mpyt_e+VzcCc4~Kq7EjQ&gx5>`
zC&}@+{}xaAp|WA8?GKmoHM5>Z&AF8xCn&>R;$_l*e`=QZqP|Z|f0uc`W1aZ4#IQc8
zXA+ZBo=2tY>g<;mJAVAK&gk4L<i2D#hm5RF?`OH&3pZ%j@tk8;nc<=8C>&cF+5UXp
zGZxw1zm0e7SNf#BPbJ56_l;KjmX~IJm5OK0S24Y|IKE3@$5fBczm7gRX?&^unj9-f
z%`<`0_v>!WJ$dR-%fZc(@dBz#J1);P+{Sy_(|ui;_L(In-vzGwb!xxjzw6|5eC~?p
zz5hA1rhkk7`1+~#<D4s2fzS4wzwj#H!8-4C$7Y4@+PQgqEX&Gs37rNDPRluPo^}QR
D{Vb4k

literal 0
HcmV?d00001

diff --git a/services/caddy/caddy.nix b/services/caddy/caddy.nix
index f77644f..6481c8d 100644
--- a/services/caddy/caddy.nix
+++ b/services/caddy/caddy.nix
@@ -56,9 +56,19 @@ in
     enable = true;
     email = "titaniumtown@proton.me";
 
-    # Enable on-demand TLS for old domain redirects
-    # Certs are issued dynamically when subdomains are accessed
+    # Build with Njalla DNS provider for DNS-01 ACME challenges (wildcard certs)
+    package = pkgs.caddy.withPlugins {
+      plugins = [ "github.com/caddy-dns/njalla@v0.0.0-20250823094507-f709141f1fe6" ];
+      hash = "sha256-rrOAR6noTDpV/I/hZXxhz0OXVJKu0mFQRq87RUrpmzw=";
+    };
+
     globalConfig = ''
+      # Wildcard cert for *.${newDomain} via DNS-01 challenge
+      acme_dns njalla {
+        api_token {env.NJALLA_API_TOKEN}
+      }
+
+      # On-demand TLS for old domain redirects
       on_demand_tls {
         ask http://localhost:9123/check
       }
@@ -106,6 +116,9 @@ in
     };
   };
 
+  # Inject Njalla API token for DNS-01 challenge
+  systemd.services.caddy.serviceConfig.EnvironmentFile = config.age.secrets.njalla-api-token-env.path;
+
   systemd.tmpfiles.rules = [
     "d ${config.services.caddy.dataDir} 700 ${config.services.caddy.user} ${config.services.caddy.group}"
   ];
diff --git a/services/ddns-updater.nix b/services/ddns-updater.nix
new file mode 100644
index 0000000..9b145c9
--- /dev/null
+++ b/services/ddns-updater.nix
@@ -0,0 +1,14 @@
+{
+  config,
+  ...
+}:
+{
+  services.ddns-updater = {
+    enable = true;
+    environment = {
+      PERIOD = "5m";
+      # ddns-updater reads config from this path at runtime
+      CONFIG_FILEPATH = config.age.secrets.ddns-updater-config.path;
+    };
+  };
+}