| author | Gregor Kleen <gkleen@yggdrasil.li> | 2021-05-30 16:21:13 +0200 |
|---|---|---|
| committer | Gregor Kleen <gkleen@yggdrasil.li> | 2021-05-30 16:21:13 +0200 |
| commit | 25f354e8f2550f2eae4d0ba3b80c250332279caa (patch) | |
| tree | 9a5f35d522d7268087b4ac589916e67d5342d161 /hosts | |
| parent | 58df7cfd5ef96b9cd18498d72aabbbfe30abadb6 (diff) | |
acme@surtr: rheperire.org test
Diffstat (limited to 'hosts')
| -rw-r--r-- | hosts/surtr/default.nix | 2 | ||||
| -rw-r--r-- | hosts/surtr/tls.nix | 54 |
2 files changed, 55 insertions, 1 deletions
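--- a/hosts/surtr/default.nix
+++ b/hosts/surtr/default.nix
@@ -1,7 +1,7 @@
 { flake, pkgs, lib, ... }:
 {
 imports = with flake.nixosModules.systemProfiles; [
-qemu-guest openssh rebuild-machines ./zfs.nix ./dns
+qemu-guest openssh rebuild-machines ./zfs.nix ./dns ./tls.nix
 ];
 
 config = {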
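--- /dev/null
+++ b/hosts/surtr/tls.nix
@@ -0,0 +1,54 @@
+{ pkgs, ... }:
+let
+knotDNSCredentials = zone: pkgs.writeTextFile "lego-credentials" ''
+EXEC_PATH=${knotDNSExec zone}/bin/update-dns.sh
+'';
+knotDNSExec = zone: pkgs.writeScriptBin "update-dns.sh" ''
+#!${pkgs.zsh}/bin/zsh -xe
+
+mode=$1
+fqdn=$2
+challenge=$3
+
+owner=''${fqdn%"${zone}."}
+
+knotc zone-begin "${zone}"
+
+case "''${mode}" in
+present)
+knotc zone-set ${zone} "''${owner}" 300 TXT "''${challenge}"
+;;
+cleanup)
+knotc zone-unset ${zone} "''${owner}" TXT "''${challenge}"
+;;
+*)
+exit 2
+;;
+esac
+
+knotc zone-commit "${zone}"
+'';
+in {
+config = {
+fileSystems."/var/lib/acme" =
+{ device = "surtr/safe/var-lib-acme";
+fsType = "zfs";
+};
+
+security.acme = {
+server = "https://acme-staging-v02.api.letsencrypt.org/directory";
+
+acceptTerms = true;
+preliminarySelfsigned = false;
+email = "phikeebaogobaegh@141.li";
+certs = {
+"rheperire.org" = {
+domain = "rheperire.org";
+extraDomainNames = "*.rheperire.org";
+dnsProvider = "exec";
+credentialsFile = knotDNSCredentials "rheperire.org";
+};
+};
+};
+};
+}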
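Review bot: `extraDomainNames = "*.rheperire.org";` (line 47 of tls.nix) passes a string where the NixOS option `security.acme.certs.<name>.extraDomainNames` takes a list of strings, so evaluation will fail at module type-checking; it should read `extraDomainNames = [ "*.rheperire.org" ];`. In update-dns.sh the `knotc zone-begin` on line 15 is never paired with a `zone-abort`: the `*) exit 2` branch and any `-e`-triggered failure of `zone-set`/`zone-unset` leave the transaction open on the zone, so add `trap 'knotc zone-abort "${zone}"' ERR` right after `zone-begin` (same Nix-level interpolation as the existing line) or an explicit abort before `exit 2`. `owner` on line 13 is derived by stripping `"${zone}."` from `$fqdn`; if lego hands the exec provider a trailing-dot FQDN, the remainder still ends in a dot, so confirm how knotc resolves that owner relative to the zone. `writeTextFile` places the credentials file in the world-readable Nix store, which is fine while it only carries `EXEC_PATH`, but no real secret should ever be added to it.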
