diff options
-rw-r--r-- | hosts/surtr/default.nix | 2 | ||||
-rw-r--r-- | hosts/surtr/tls.nix | 54 |
2 files changed, 55 insertions, 1 deletions
diff --git a/hosts/surtr/default.nix b/hosts/surtr/default.nix index 0ab67967..72ed81ae 100644 --- a/hosts/surtr/default.nix +++ b/hosts/surtr/default.nix | |||
@@ -1,7 +1,7 @@ | |||
1 | { flake, pkgs, lib, ... }: | 1 | { flake, pkgs, lib, ... }: |
2 | { | 2 | { |
3 | imports = with flake.nixosModules.systemProfiles; [ | 3 | imports = with flake.nixosModules.systemProfiles; [ |
4 | qemu-guest openssh rebuild-machines ./zfs.nix ./dns | 4 | qemu-guest openssh rebuild-machines ./zfs.nix ./dns ./tls.nix |
5 | ]; | 5 | ]; |
6 | 6 | ||
7 | config = { | 7 | config = { |
diff --git a/hosts/surtr/tls.nix b/hosts/surtr/tls.nix new file mode 100644 index 00000000..e78aa298 --- /dev/null +++ b/hosts/surtr/tls.nix | |||
@@ -0,0 +1,54 @@ | |||
1 | { pkgs, ... }: | ||
2 | let | ||
3 | knotDNSCredentials = zone: pkgs.writeTextFile "lego-credentials" '' | ||
4 | EXEC_PATH=${knotDNSExec zone}/bin/update-dns.sh | ||
5 | ''; | ||
6 | knotDNSExec = zone: pkgs.writeScriptBin "update-dns.sh" '' | ||
7 | #!${pkgs.zsh}/bin/zsh -xe | ||
8 | |||
9 | mode=$1 | ||
10 | fqdn=$2 | ||
11 | challenge=$3 | ||
12 | |||
13 | owner=''${fqdn%"${zone}."} | ||
14 | |||
15 | knotc zone-begin "${zone}" | ||
16 | |||
17 | case "''${mode}" in | ||
18 | present) | ||
19 | knotc zone-set ${zone} "''${owner}" 300 TXT "''${challenge}" | ||
20 | ;; | ||
21 | cleanup) | ||
22 | knotc zone-unset ${zone} "''${owner}" TXT "''${challenge}" | ||
23 | ;; | ||
24 | *) | ||
25 | exit 2 | ||
26 | ;; | ||
27 | esac | ||
28 | |||
29 | knotc zone-commit "${zone}" | ||
30 | ''; | ||
31 | in { | ||
32 | config = { | ||
33 | fileSystems."/var/lib/acme" = | ||
34 | { device = "surtr/safe/var-lib-acme"; | ||
35 | fsType = "zfs"; | ||
36 | }; | ||
37 | |||
38 | security.acme = { | ||
39 | server = "https://acme-staging-v02.api.letsencrypt.org/directory"; | ||
40 | |||
41 | acceptTerms = true; | ||
42 | preliminarySelfsigned = false; | ||
43 | email = "phikeebaogobaegh@141.li"; | ||
44 | certs = { | ||
45 | "rheperire.org" = { | ||
46 | domain = "rheperire.org"; | ||
47 | extraDomainNames = "*.rheperire.org"; | ||
48 | dnsProvider = "exec"; | ||
49 | credentialsFile = knotDNSCredentials "rheperire.org"; | ||
50 | }; | ||
51 | }; | ||
52 | }; | ||
53 | }; | ||
54 | } | ||