caddy: wildcard TLS via DNS-01 challenge + ddns-updater for Njalla

Build Caddy with the caddy-dns/njalla plugin to enable DNS-01 ACME challenges. This issues a single wildcard certificate for *.sigkill.computer instead of per-subdomain certificates, reducing Let's Encrypt API calls and certificate management overhead. Add ddns-updater service (nixpkgs services.ddns-updater) configured with Njalla provider to automatically update DNS records when the server's public IP changes.
2026-04-09 19:46:40 -04:00
parent e9ce1ce0a2
commit ce1c335230
6 changed files with 45 additions and 2 deletions
--- a/configuration.nix
+++ b/configuration.nix
@@ -71,6 +71,8 @@
    ./services/mollysocket.nix
    ./services/harmonia.nix
    ./services/ddns-updater.nix
  ];
  # Hosts entries for CI/CD deploy targets
--- a/modules/age-secrets.nix
+++ b/modules/age-secrets.nix
@@ -46,6 +46,20 @@
      group = "caddy";
    };
    # Njalla API token (NJALLA_API_TOKEN=...) for Caddy DNS-01 challenge
    njalla-api-token-env = {
      file = ../secrets/njalla-api-token-env.age;
      mode = "0400";
      owner = "caddy";
      group = "caddy";
    };
    # ddns-updater config.json with Njalla provider credentials
    ddns-updater-config = {
      file = ../secrets/ddns-updater-config.age;
      mode = "0400";
    };
    jellyfin-api-key = {
      file = ../secrets/jellyfin-api-key.age;
      mode = "0400";
--- a/secrets/ddns-updater-config.age
+++ b/secrets/ddns-updater-config.age
--- a/secrets/njalla-api-token-env.age
+++ b/secrets/njalla-api-token-env.age
--- a/services/caddy/caddy.nix
+++ b/services/caddy/caddy.nix
@@ -56,9 +56,19 @@ in
    enable = true;
    email = "titaniumtown@proton.me";
-    # Enable on-demand TLS for old domain redirects
+    # Build with Njalla DNS provider for DNS-01 ACME challenges (wildcard certs)
-    # Certs are issued dynamically when subdomains are accessed
+    package = pkgs.caddy.withPlugins {
      plugins = [ "github.com/caddy-dns/njalla@v0.0.0-20250823094507-f709141f1fe6" ];
      hash = "sha256-rrOAR6noTDpV/I/hZXxhz0OXVJKu0mFQRq87RUrpmzw=";
    };
    globalConfig = ''
      # Wildcard cert for *.${newDomain} via DNS-01 challenge
      acme_dns njalla {
        api_token {env.NJALLA_API_TOKEN}
      }
      # On-demand TLS for old domain redirects
      on_demand_tls {
        ask http://localhost:9123/check
      }
@@ -106,6 +116,9 @@ in
    };
  };
  # Inject Njalla API token for DNS-01 challenge
  systemd.services.caddy.serviceConfig.EnvironmentFile = config.age.secrets.njalla-api-token-env.path;
  systemd.tmpfiles.rules = [
    "d ${config.services.caddy.dataDir} 700 ${config.services.caddy.user} ${config.services.caddy.group}"
  ];
--- a/services/ddns-updater.nix
+++ b/services/ddns-updater.nix
@@ -0,0 +1,14 @@
 {
  config,
  ...
 }:
 {
  services.ddns-updater = {
    enable = true;
    environment = {
      PERIOD = "5m";
      # ddns-updater reads config from this path at runtime
      CONFIG_FILEPATH = config.age.secrets.ddns-updater-config.path;
    };
  };
 }