-rw-r--r--hosts/surtr/default.nix2
-rw-r--r--hosts/surtr/tls.nix54
2 files changed, 55 insertions, 1 deletions
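--- a/hosts/surtr/default.nix
+++ b/hosts/surtr/default.nix
@@ -1,7 +1,7 @@
 { flake, pkgs, lib, ... }:
 {
 imports = with flake.nixosModules.systemProfiles; [
-qemu-guest openssh rebuild-machines ./zfs.nix ./dns
+qemu-guest openssh rebuild-machines ./zfs.nix ./dns ./tls.nix
 ];
 
 config = {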
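--- /dev/null
+++ b/hosts/surtr/tls.nix
@@ -0,0 +1,54 @@
+{ pkgs, ... }:
+let
+knotDNSCredentials = zone: pkgs.writeTextFile "lego-credentials" ''
+EXEC_PATH=${knotDNSExec zone}/bin/update-dns.sh
+'';
+knotDNSExec = zone: pkgs.writeScriptBin "update-dns.sh" ''
+#!${pkgs.zsh}/bin/zsh -xe
+
+mode=$1
+fqdn=$2
+challenge=$3
+
+owner=''${fqdn%"${zone}."}
+
+knotc zone-begin "${zone}"
+
+case "''${mode}" in
+present)
+knotc zone-set ${zone} "''${owner}" 300 TXT "''${challenge}"
+;;
+cleanup)
+knotc zone-unset ${zone} "''${owner}" TXT "''${challenge}"
+;;
+*)
+exit 2
+;;
+esac
+
+knotc zone-commit "${zone}"
+'';
+in {
+config = {
+fileSystems."/var/lib/acme" =
+{ device = "surtr/safe/var-lib-acme";
+fsType = "zfs";
+};
+
+security.acme = {
+server = "https://acme-staging-v02.api.letsencrypt.org/directory";
+
+acceptTerms = true;
+preliminarySelfsigned = false;
+email = "phikeebaogobaegh@141.li";
+certs = {
+"rheperire.org" = {
+domain = "rheperire.org";
+extraDomainNames = "*.rheperire.org";
+dnsProvider = "exec";
+credentialsFile = knotDNSCredentials "rheperire.org";
+};
+};
+};
+};
+}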
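Review bot: `extraDomainNames = "*.rheperire.org";` near the end of the new file passes a string where the NixOS `security.acme.certs.<name>.extraDomainNames` option takes a list, so evaluation should fail until it reads `extraDomainNames = [ "*.rheperire.org" ];`. In update-dns.sh, `knotc zone-begin` runs before the mode is checked, so an unrecognised mode exits 2 with the zone transaction still open and any later failure under `-e` leaves it open too; moving the `*) exit 2` check ahead of `zone-begin`, or adding `trap 'knotc zone-abort "${zone}"' ERR` after the shebang, would release it. The owner computed by `''${fqdn%"${zone}."}` keeps the trailing label separator (e.g. `_acme-challenge.`), which knotc may read as an absolute name rather than a name relative to the zone — worth confirming against what lego's exec provider passes as `$2`, and the unquoted `${zone}` in the zone-set/zone-unset lines is inconsistent with the quoted form used for zone-begin/zone-commit. `server` points at the Let's Encrypt staging endpoint, whose certificates are not trusted by clients; if that is intentional for a first run, a comment such as `# staging CA: switch to production once issuance works` would save the next reader a check.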