diff options
| author | Gregor Kleen <gkleen@yggdrasil.li> | 2022-03-26 16:27:43 +0100 |
|---|---|---|
| committer | Gregor Kleen <gkleen@yggdrasil.li> | 2022-03-26 16:27:43 +0100 |
| commit | ec7b0f75b5abad46a0d3653741f3da113b665f02 (patch) | |
| tree | a7ae38dbcb9d6f5a06f6ad2dc26709db2f0091f7 | |
| parent | 2cf55a9d3feedec5e59e0ff955cf21990af21ed4 (diff) | |
| download | nixos-ec7b0f75b5abad46a0d3653741f3da113b665f02.tar nixos-ec7b0f75b5abad46a0d3653741f3da113b665f02.tar.gz nixos-ec7b0f75b5abad46a0d3653741f3da113b665f02.tar.bz2 nixos-ec7b0f75b5abad46a0d3653741f3da113b665f02.tar.xz nixos-ec7b0f75b5abad46a0d3653741f3da113b665f02.zip | |
certspotter
| -rw-r--r-- | hosts/surtr/tls/default.nix | 5 | ||||
| -rw-r--r-- | modules/certspotter.nix | 47 |
2 files changed, 52 insertions, 0 deletions
diff --git a/hosts/surtr/tls/default.nix b/hosts/surtr/tls/default.nix index 6fbab9bd..d204a51d 100644 --- a/hosts/surtr/tls/default.nix +++ b/hosts/surtr/tls/default.nix | |||
| @@ -108,5 +108,10 @@ in { | |||
| 108 | }; | 108 | }; |
| 109 | }; | 109 | }; |
| 110 | in mapAttrs' (domain: nameValuePair "acme-${domain}") (genAttrs (attrNames config.security.acme.certs) serviceAttrset); | 110 | in mapAttrs' (domain: nameValuePair "acme-${domain}") (genAttrs (attrNames config.security.acme.certs) serviceAttrset); |
| 111 | |||
| 112 | services.certspotter = { | ||
| 113 | watchList = map (domain: ".${domain}") (attrNames cfg.domains); | ||
| 114 | logs = "https://www.gstatic.com/ct/log_list/v2/all_logs_list.json"; | ||
| 115 | }; | ||
| 111 | }; | 116 | }; |
| 112 | } | 117 | } |
diff --git a/modules/certspotter.nix b/modules/certspotter.nix new file mode 100644 index 00000000..f82b004f --- /dev/null +++ b/modules/certspotter.nix | |||
| @@ -0,0 +1,47 @@ | |||
| 1 | { config, pkgs, lib, ... }: | ||
| 2 | |||
| 3 | with lib; | ||
| 4 | |||
| 5 | let | ||
| 6 | cfg = config.services.certspotter; | ||
| 7 | |||
| 8 | startOptions = extraOptions | ||
| 9 | ++ optionals (cfg.logs != null) ["-logs" cfg.logs] | ||
| 10 | ++ ["-watchlist" (pkgs.writeText "watchlist" (concatStringsSep "\n" cfg.watchList)) | ||
| 11 | ]; | ||
| 12 | in { | ||
| 13 | options = { | ||
| 14 | services.certspotter = { | ||
| 15 | watchList = mkOption { | ||
| 16 | type = types.listOf types.str; | ||
| 17 | default = []; | ||
| 18 | }; | ||
| 19 | |||
| 20 | logs = mkOption { | ||
| 21 | type = types.nullOr types.str; | ||
| 22 | default = null; | ||
| 23 | }; | ||
| 24 | |||
| 25 | extraOptions = mkOption { | ||
| 26 | type = types.listOf types.str; | ||
| 27 | default = [ "-verbose" ]; | ||
| 28 | }; | ||
| 29 | |||
| 30 | package = mkPackageOption pkgs "certspotter" {}; | ||
| 31 | }; | ||
| 32 | }; | ||
| 33 | |||
| 34 | config = mkIf (cfg.watchList != []) { | ||
| 35 | systemd.services.certspotter = { | ||
| 36 | serviceConfig = { | ||
| 37 | Type = "oneshot"; | ||
| 38 | ExecStartPre = "${pkgs.coreutils}/bin/rm $STATE_DIRECTORY/lock"; | ||
| 39 | ExecStart = "${cfg.package}/bin/certspotter -state_dir $STATE_DIRECTORY ${escapeShellArgs startOptions}"; | ||
| 40 | StateDirectory = "certspotter"; | ||
| 41 | LogsDirectory = "certspotter"; | ||
| 42 | StandardOutput = "append:$LOGS_DIRECTORY/certspotter.log"; | ||
| 43 | DynamicUser = true; | ||
| 44 | }; | ||
| 45 | }; | ||
| 46 | }; | ||
| 47 | } | ||