surtr: tls/dns: rfc2136 for rheperire.org

1 files changed, 0 insertions, 120 deletions

diff --git a/hosts/surtr/tls.nix b/hosts/surtr/tls.nix
deleted file mode 100644
index 2ff26e35..00000000
--- a/hosts/surtr/tls.nix
+++ /dev/null
@@ -1,120 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-with lib;
-
-let
-  cfg = config.security.acme;
-  knotCfg = config.services.knot;
-  
-  knotDNSCredentials = domain: let
-    zone = if cfg.domains.${domain}.zone == null then domain else cfg.domains.${domain}.zone;
-  in pkgs.writeText "lego-credentials" ''
-    EXEC_PATH=${knotDNSExec zone}/bin/update-dns.sh
-    EXEC_PROPAGATION_TIMEOUT=300
-    EXEC_POLLING_INTERVAL=5
-  '';
-  knotDNSExec = zone: pkgs.writeScriptBin "update-dns.sh" ''
-    #!${pkgs.zsh}/bin/zsh -xe
-
-    mode=$1
-    fqdn=$2
-    challenge=$3
-
-    owner=''${fqdn%".${zone}."}
-
-    commited=
-    function abort() {
-      [[ -n "''${commited}" ]] || ${knotCfg.cliWrappers}/bin/knotc zone-abort "${zone}"
-    }
-
-    ${knotCfg.cliWrappers}/bin/knotc zone-begin "${zone}"
-    trap abort EXIT
-
-    case "''${mode}" in
-      present)
-        if ${knotCfg.cliWrappers}/bin/knotc zone-get ${zone} "''${owner}" TXT; then
-          ${knotCfg.cliWrappers}/bin/knotc zone-unset ${zone} "''${owner}" TXT '""'
-        fi
-        ${knotCfg.cliWrappers}/bin/knotc zone-set ${zone} "''${owner}" 30 TXT "''${challenge}"
-        ;;
-      cleanup)
-        ${knotCfg.cliWrappers}/bin/knotc zone-unset ${zone} "''${owner}" TXT "''${challenge}"
-        ${knotCfg.cliWrappers}/bin/knotc zone-set ${zone} "''${owner}" 30 TXT '""'
-        ;;
-      *)
-        exit 2
-        ;;
-    esac
-
-    ${knotCfg.cliWrappers}/bin/knotc zone-commit "${zone}"
-    commited=yes
-  '';
-  
-  domainOptions = {
-    options = {
-      wildcard = mkOption {
-        type = types.bool;
-        default = false;
-      };
-      zone = mkOption {
-        type = types.nullOr types.str;
-        default = null;
-      };
-      certCfg = mkOption {
-        type = types.attrs;
-        default = {};
-      };
-    };
-  };
-in {
-  options = {
-    security.acme = {
-      domains = mkOption {
-        type = types.attrsOf (types.submodule domainOptions);
-        default = {};
-      };
-    };
-  };
-  
-  config = {
-    security.acme.domains = genAttrs ["dirty-haskell.org" "141.li" "xmpp.li" "yggdrasil.li" "praseodym.org" "rheperire.org" "kleen.li" "nights.email"] (domain: { wildcard = true; });
-    
-    fileSystems."/var/lib/acme" =
-      { device = "surtr/safe/var-lib-acme";
-        fsType = "zfs";
-      };
-
-    security.acme = {
-      acceptTerms = true;
-      preliminarySelfsigned = true; # DNS challenge is slow
-      defaults = {
-        email = "phikeebaogobaegh@141.li";
-        keyType = "rsa4096"; # we don't like NIST curves
-        # extraLegoFlags = ["--preferred-chain" "ISRG Root X1"];
-      };
-      certs =
-        let
-          domainAttrset = domain: {
-            inherit domain;
-            extraDomainNames = optional cfg.domains.${domain}.wildcard "*.${domain}";
-            dnsProvider = "exec";
-            credentialsFile = knotDNSCredentials domain;
-            dnsResolver = "1.1.1.1:53";
-          } // cfg.domains.${domain}.certCfg;
-        in genAttrs (attrNames cfg.domains) domainAttrset;
-    };
-
-    systemd.services =
-      let
-        serviceAttrset = domain: {
-          after = [ "knot.service" ];
-          bindsTo = [ "knot.service" ];
-          serviceConfig = {
-            ReadWritePaths = ["/run/knot/knot.sock"];
-            SupplementaryGroups = ["knot"];
-            RestrictAddressFamilies = ["AF_UNIX"];
-          };
-        };
-      in mapAttrs' (domain: nameValuePair "acme-${domain}") (genAttrs (attrNames config.security.acme.certs) serviceAttrset);
-  };
-}