authorGregor Kleen <gkleen@yggdrasil.li>2022-08-09 11:23:00 +0300
committerGregor Kleen <gkleen@yggdrasil.li>2022-08-09 11:23:00 +0300
commitc1f62e9827efe7c8e303e3cfa70dac8f544312b1 (patch)
treed20ff0f367804bc87996c6312cebe2fa57b5bd4c /hosts/surtr/tls
parentde66ba821b2851cb23bcc7b064e84de3dd848e26 (diff)
...
Diffstat (limited to 'hosts/surtr/tls')
-rw-r--r--hosts/surtr/tls/default.nix15
1 files changed, 3 insertions, 12 deletions
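--- a/hosts/surtr/tls/default.nix
+++ b/hosts/surtr/tls/default.nix
@@ -59,22 +59,19 @@ in {
 let
 domainAttrset = domain: let
 tsigPath = ./tsig_keys + "/${domain}";
-tsigSecret = config.sops.secrets.${tsigSecretName domain};
 isTsig = pathExists tsigPath;
 shared = {
 inherit domain;
 extraDomainNames = optional cfg.domains.${domain}.wildcard "*.${domain}";
 dnsResolver = "127.0.0.1:5353";
 };
-mkRFC2136 = let
-tsigInfo = readYaml tsigPath;
-in shared // {
+mkRFC2136 = shared // {
 dnsProvider = "rfc2136";
 credentialsFile = pkgs.writeText "${domain}_credentials.env" ''
 RFC2136_NAMESERVER=127.0.0.1:53
 RFC2136_TSIG_ALGORITHM=hmac-sha256.
 RFC2136_TSIG_KEY=${domain}_acme_key
-RFC2136_TSIG_SECRET_FILE=${tsigSecret.path}
+RFC2136_TSIG_SECRET_FILE=/run/credentials/acme-${domain}.service/tsig_secret
 RFC2136_TTL=0
 RFC2136_PROPAGATION_TIMEOUT=60
 RFC2136_POLLING_INTERVAL=2
@@ -90,8 +87,6 @@ in {
 if v == "regular" || v == "symlink"
 then nameValuePair (tsigSecretName n) {
 format = "binary";
-owner = if config.security.acme.useRoot then "root" else "acme";
-group = "acme";
 sopsFile = ./tsig_keys + "/${n}";
 } else null;
 in mapFilterAttrs (_: v: v != null) toTSIGSecret (builtins.readDir ./tsig_keys);
@@ -101,11 +96,7 @@ in {
 serviceAttrset = domain: {
 after = [ "knot.service" ];
 bindsTo = [ "knot.service" ];
-serviceConfig = {
-ReadWritePaths = ["/run/knot/knot.sock"];
-SupplementaryGroups = ["knot"];
-RestrictAddressFamilies = ["AF_UNIX"];
-};
+serviceConfig.LoadCredential = ["tsig_secret:${config.sops.secrets.${tsigSecretName domain}.path}"];
 };
 in mapAttrs' (domain: nameValuePair "acme-${domain}") (genAttrs (attrNames config.security.acme.certs) serviceAttrset);
 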
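Review bot: The new `serviceConfig.LoadCredential = [...]` line (new line 99, third hunk) replaces the whole former `serviceConfig` set, so `ReadWritePaths = ["/run/knot/knot.sock"]`, `SupplementaryGroups = ["knot"]` and `RestrictAddressFamilies = ["AF_UNIX"]` disappear without any comment recording that the unit no longer needs the knot control socket. That reads as intentional, since the credentials file (context line 71) sends RFC 2136 updates to `127.0.0.1:53` rather than over a socket, but it changes the unit's group membership and, unless the acme module's own defaults already cover it, its address-family sandbox, so one line of rationale would help, e.g. `# updates go to 127.0.0.1:53; no knot control-socket access needed`. The hardcoded path `/run/credentials/acme-${domain}.service/tsig_secret` on new line 74 duplicates the `acme-${domain}` unit name that `mapAttrs'` derives on new line 101, presumably because the credentials file is consumed as an EnvironmentFile and cannot expand `$CREDENTIALS_DIRECTORY`; a comment such as `# must match the "acme-${domain}" unit name and the LoadCredential id "tsig_secret" in serviceAttrset` would keep the two from drifting apart. Dropping `owner`/`group` in the second hunk is consistent with this design: the sops secret stays with its default root-only ownership on disk and reaches the service only through systemd's credential mechanism, so it should not be reintroduced later to "fix" a permissions error.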