From c980cd0207b2bd94b1e444f399a8381d53a61994 Mon Sep 17 00:00:00 2001 From: Kat Inskip Date: Wed, 26 Apr 2023 18:11:18 -0700 Subject: [PATCH] [NGINX] Fix ACME --- nixos/roles/matrix-homeserver/nginx.nix | 1 + nixos/roles/vaultwarden-server/nginx.nix | 3 +++ nixos/roles/vaultwarden-server/vaultwarden.nix | 6 ------ nixos/roles/web-server/acme.nix | 3 +-- nixos/roles/web-server/scalpel.nix | 2 +- nixos/roles/web-server/secrets.nix | 2 +- nixos/roles/web-server/secrets.yaml | 6 +++--- 7 files changed, 10 insertions(+), 13 deletions(-) diff --git a/nixos/roles/matrix-homeserver/nginx.nix b/nixos/roles/matrix-homeserver/nginx.nix index 6baa3b61..6702a4e8 100644 --- a/nixos/roles/matrix-homeserver/nginx.nix +++ b/nixos/roles/matrix-homeserver/nginx.nix @@ -16,6 +16,7 @@ in { "kittywit.ch" = { enableACME = true; forceSSL = true; + acmeRoot = null; locations."= /.well-known/matrix/server".extraConfig = mkWellKnown serverConfig; locations."= /.well-known/matrix/client".extraConfig = mkWellKnown clientConfig; }; diff --git a/nixos/roles/vaultwarden-server/nginx.nix b/nixos/roles/vaultwarden-server/nginx.nix index 9f155a93..acbba117 100644 --- a/nixos/roles/vaultwarden-server/nginx.nix +++ b/nixos/roles/vaultwarden-server/nginx.nix @@ -1,5 +1,8 @@ _: { services.nginx.virtualHosts."vault.kittywit.ch" = { + enableACME = true; + forceSSL = true; + acmeRoot = null; locations = { "/" = { proxyPass = "http://localhost:4000"; diff --git a/nixos/roles/vaultwarden-server/vaultwarden.nix b/nixos/roles/vaultwarden-server/vaultwarden.nix index a7e544c3..1486d3db 100644 --- a/nixos/roles/vaultwarden-server/vaultwarden.nix +++ b/nixos/roles/vaultwarden-server/vaultwarden.nix @@ -5,12 +5,6 @@ ... }: with lib; { - secrets.variables = mapListToAttrs (field: - nameValuePair "vaultwarden-${field}" { - path = "secrets/vaultwarden"; - inherit field; - }) ["password" "smtp"]; - users.users.vaultwarden.name = "bitwarden_rs"; users.groups.vaultwarden.name = "bitwarden_rs"; 
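Review bot: `acmeRoot = null;` on the kittywit.ch virtualHost changes how the certificate is obtained without saying so — with a null acmeRoot the nginx module adds no HTTP-01 challenge location for this host, so issuance only works because security.acme is set up for DNS validation elsewhere (the acme.nix hunk in this commit points that way, but nothing at this site records it). A one-line comment would save the next reader a trip through web-server/acme.nix: `acmeRoot = null; # no HTTP-01 webroot here; cert comes via DNS validation configured in web-server/acme.nix`. The same comment belongs on the identical line added to vault.kittywit.ch in vaultwarden-server/nginx.nix, which this commit also switches to enableACME/forceSSL. The enclosing virtualHosts attrset starts before the hunk.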
diff --git a/nixos/roles/web-server/acme.nix b/nixos/roles/web-server/acme.nix index e23b31ed..d3e8984a 100644 --- a/nixos/roles/web-server/acme.nix +++ b/nixos/roles/web-server/acme.nix @@ -1,8 +1,7 @@ _: { environment.etc."ssl/credentials_template".text = '' CF_API_EMAIL=!!CLOUDFLARE_EMAIL!! - CF_DNS_API_TOKEN=!!CLOUDFLARE_TOKEN!! - CF_ZONE_API_TOKEN=!!CLOUDFLARE_TOKEN!! + CLOUDFLARE_API_KEY=!!CLOUDFLARE_API_KEY!! ''; security.acme = { diff --git a/nixos/roles/web-server/scalpel.nix b/nixos/roles/web-server/scalpel.nix index 7d59d0ba..e30f961d 100644 --- a/nixos/roles/web-server/scalpel.nix +++ b/nixos/roles/web-server/scalpel.nix @@ -2,7 +2,7 @@ scalpel.trafos."credentials_file" = { source = "/etc/ssl/credentials_template"; matchers."CLOUDFLARE_EMAIL".secret = config.sops.secrets.cloudflare_email.path; - matchers."CLOUDFLARE_TOKEN".secret = config.sops.secrets.cloudflare_token.path; + matchers."CLOUDFLARE_API_KEY".secret = config.sops.secrets.cloudflare_api_key.path; owner = "acme"; group = "acme"; mode = "0440"; diff --git a/nixos/roles/web-server/secrets.nix b/nixos/roles/web-server/secrets.nix index cb35bea8..18f9e765 100644 --- a/nixos/roles/web-server/secrets.nix +++ b/nixos/roles/web-server/secrets.nix @@ -5,7 +5,7 @@ _: let }; in { sops.secrets.cloudflare_email = secretConfig; - sops.secrets.cloudflare_token = secretConfig; + sops.secrets.cloudflare_api_key = secretConfig; scalpels = [ ./scalpel.nix diff --git a/nixos/roles/web-server/secrets.yaml b/nixos/roles/web-server/secrets.yaml index d48fb6e7..d9be183a 100644 --- a/nixos/roles/web-server/secrets.yaml +++ b/nixos/roles/web-server/secrets.yaml 
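Review bot: The credentials template now hands lego `CLOUDFLARE_API_KEY`, the account-wide global API key, in place of the zone-scopable `CF_DNS_API_TOKEN`/`CF_ZONE_API_TOKEN` it removes, so exposure of the rendered credentials file (readable by the acme user, mode 0440 per scalpel.nix) would mean the whole Cloudflare account rather than DNS-edit rights on one zone. If the token path failed for lack of permissions, a token granted Zone:Read plus DNS:Edit on the zone is the least-privilege fix; if the global key has to stay, record the trade-off at the line: `# CLOUDFLARE_API_KEY is the account-wide global key; lego also accepts a zone-scoped CF_DNS_API_TOKEN, which is preferred`. Pairing the `CF_API_EMAIL` alias with the `CLOUDFLARE_API_KEY` name is accepted by lego but reads inconsistently; `CLOUDFLARE_EMAIL` would match. The security.acme attrset the hunk ends on continues outside it.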
@@ -1,5 +1,5 @@ cloudflare_email: ENC[AES256_GCM,data:fwcHkWRqH3hEPDbFmA==,iv:He6yJHpD9oXrZSHPJKL7mnkRWm621HRj2cS6qLSn6aI=,tag:lON1D+55zSiJQljTox2JKQ==,type:str] -cloudflare_token: ENC[AES256_GCM,data:gEiJNdzrQhHMRFLHZ5ZMe2T6VyZgMnXfufbu6LbtiVyQST53TBo7pQ==,iv:a/J6bUZbHQIQBRy8DV7MJe4TffElFBlDRAm3/j5E9hQ=,tag:n/07dZNyBWNpFKQCctkuBw==,type:str] +cloudflare_api_key: ENC[AES256_GCM,data:kCDaXb1BPWoNVFVRjfOw4577BlIbMtsaouRT8dwNiL/JGNWH9w==,iv:rKSpeSfjIiQNFu58qjNnUtdBPIfXhIa6u7G7wqBohSg=,tag:7wnoB1MBj55okWzNISKftA==,type:str] sops: shamir_threshold: 1 kms: [] @@ -16,8 +16,8 @@ sops: VDM0QUcyeVBmRzdyUHNrTUVablcyY2cK4WD0mB/EvZNmagFMq1kZz8y5M9mdHxwB o44D7JYE31czIpM/CJTfjsxG4NlQn//H48W60edSZPFHwIDNzjnbLA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-04-25T23:06:23Z" - mac: ENC[AES256_GCM,data:w+3/oRHEdhUG7jUlRfMDtjY1W1ybyIlINopzuxLxvLWj6yTVA8/D8mp99V3kg7MvKBWW43hA0mQ+MkH8EtPfEDIXZKaMvmY89mKygc2FMGrFcgHVV9zg3qqxk84Zp1lg8+G4gwsgRuNAumFHrlvgCsZUVqEZGjy+cf+R4Dpmw2s=,iv:ax1E/PcwQ0ZcXlsdwY0hQvRp6b38o4qfEhNQASuxQoM=,tag:zEthuo4DoG/1DX28aogntw==,type:str] + lastmodified: "2023-04-27T01:10:09Z" + mac: ENC[AES256_GCM,data:tsvbspqI3jrwWQ/728g+urvhbDTvYJ70rcW1F3w5hC0YR6n7M4oED+QXOoH437Q85A9168OvfNqoIIIq3zEq7OWhk1dtInW2EWh2j5nHz1aFkiYg7VonfktJN9ylyamuZVKkmarMc87thzZrU+Ntb2VOdYsYd0AdWtlfY1CT++4=,iv:TI7tUjAUNc6DxpPRrrEdrsWxiJP6F+BZLGaOzTyo+3I=,tag:2zbq3/rMWFNjkRoBnYgfEA==,type:str] pgp: - created_at: "2023-04-25T23:00:27Z" enc: |