caddy: wildcard TLS via DNS-01 challenge + ddns-updater for Njalla

Build Caddy with the caddy-dns/njalla plugin to enable DNS-01 ACME challenges. This issues a single wildcard certificate for *.sigkill.computer instead of per-subdomain certificates, reducing Let's Encrypt API calls and certificate management overhead. Add ddns-updater service (nixpkgs services.ddns-updater) configured with Njalla provider to automatically update DNS records when the server's public IP changes.
2026-04-09 19:46:40 -04:00
parent e9ce1ce0a2
commit ce1c335230
6 changed files with 45 additions and 2 deletions
--- a/configuration.nix
+++ b/configuration.nix
@@ -71,6 +71,8 @@
    ./services/mollysocket.nix

    ./services/harmonia.nix
+
+    ./services/ddns-updater.nix
  ];

  # Hosts entries for CI/CD deploy targets
--- a/modules/age-secrets.nix
+++ b/modules/age-secrets.nix
@@ -46,6 +46,20 @@
      group = "caddy";
    };

+    # Njalla API token (NJALLA_API_TOKEN=...) for Caddy DNS-01 challenge
+    njalla-api-token-env = {
+      file = ../secrets/njalla-api-token-env.age;
+      mode = "0400";
+      owner = "caddy";
+      group = "caddy";
+    };
+
+    # ddns-updater config.json with Njalla provider credentials
+    ddns-updater-config = {
+      file = ../secrets/ddns-updater-config.age;
+      mode = "0400";
+    };
+
    jellyfin-api-key = {
      file = ../secrets/jellyfin-api-key.age;
      mode = "0400";
--- a/secrets/ddns-updater-config.age
+++ b/secrets/ddns-updater-config.age
--- a/secrets/njalla-api-token-env.age
+++ b/secrets/njalla-api-token-env.age
--- a/services/caddy/caddy.nix
+++ b/services/caddy/caddy.nix
@@ -56,9 +56,19 @@ in
    enable = true;
    email = "titaniumtown@proton.me";

-    # Enable on-demand TLS for old domain redirects
-    # Certs are issued dynamically when subdomains are accessed
+    # Build with Njalla DNS provider for DNS-01 ACME challenges (wildcard certs)
+    package = pkgs.caddy.withPlugins {
+      plugins = [ "github.com/caddy-dns/njalla@v0.0.0-20250823094507-f709141f1fe6" ];
+      hash = "sha256-rrOAR6noTDpV/I/hZXxhz0OXVJKu0mFQRq87RUrpmzw=";
+    };
+
    globalConfig = ''
+      # Wildcard cert for *.${newDomain} via DNS-01 challenge
+      acme_dns njalla {
+        api_token {env.NJALLA_API_TOKEN}
+      }
+
+      # On-demand TLS for old domain redirects
      on_demand_tls {
        ask http://localhost:9123/check
      }
@@ -106,6 +116,9 @@ in
    };
  };

+  # Inject Njalla API token for DNS-01 challenge
+  systemd.services.caddy.serviceConfig.EnvironmentFile = config.age.secrets.njalla-api-token-env.path;
+
  systemd.tmpfiles.rules = [
    "d ${config.services.caddy.dataDir} 700 ${config.services.caddy.user} ${config.services.caddy.group}"
  ];
--- a/services/ddns-updater.nix
+++ b/services/ddns-updater.nix
@@ -0,0 +1,14 @@
+{
+  config,
+  ...
+}:
+{
+  services.ddns-updater = {
+    enable = true;
+    environment = {
+      PERIOD = "5m";
+      # ddns-updater reads config from this path at runtime
+      CONFIG_FILEPATH = config.age.secrets.ddns-updater-config.path;
+    };
+  };
+}