2 files changed, 52 insertions, 0 deletions

diff --git a/hosts/surtr/tls/default.nix b/hosts/surtr/tls/default.nix
index 6fbab9bd..d204a51d 100644
--- a/hosts/surtr/tls/default.nix
+++ b/hosts/surtr/tls/default.nix
@@ -108,5 +108,10 @@ in {
           };
         };
       in mapAttrs' (domain: nameValuePair "acme-${domain}") (genAttrs (attrNames config.security.acme.certs) serviceAttrset);
+
+    services.certspotter = {
+      watchList = map (domain: ".${domain}") (attrNames cfg.domains);
+      logs = "https://www.gstatic.com/ct/log_list/v2/all_logs_list.json";
+    };
   };
 }
diff --git a/modules/certspotter.nix b/modules/certspotter.nix
new file mode 100644
index 00000000..f82b004f
--- /dev/null
+++ b/modules/certspotter.nix
@@ -0,0 +1,47 @@
+{ config, pkgs, lib, ... }:
+
+with lib;
+
+let
+  cfg = config.services.certspotter;
+
+  startOptions = extraOptions
+                 ++ optionals (cfg.logs != null) ["-logs" cfg.logs]
+                 ++ ["-watchlist" (pkgs.writeText "watchlist" (concatStringsSep "\n" cfg.watchList))
+                    ];
+in {
+  options = {
+    services.certspotter = {
+      watchList = mkOption {
+        type = types.listOf types.str;
+        default = [];
+      };
+
+      logs = mkOption {
+        type = types.nullOr types.str;
+        default = null;
+      };
+
+      extraOptions = mkOption {
+        type = types.listOf types.str;
+        default = [ "-verbose" ];
+      };
+
+      package = mkPackageOption pkgs "certspotter" {};
+    };
+  };
+
+  config = mkIf (cfg.watchList != []) {
+    systemd.services.certspotter = {
+      serviceConfig = {
+        Type = "oneshot";
+        ExecStartPre = "${pkgs.coreutils}/bin/rm $STATE_DIRECTORY/lock";
+        ExecStart = "${cfg.package}/bin/certspotter -state_dir $STATE_DIRECTORY ${escapeShellArgs startOptions}";
+        StateDirectory = "certspotter";
+        LogsDirectory = "certspotter";
+        StandardOutput = "append:$LOGS_DIRECTORY/certspotter.log";
+        DynamicUser = true;
+      };
+    };
+  };
+}