-rw-r--r-- | hosts/surtr/tls/default.nix | 5 | ||||
-rw-r--r-- | modules/certspotter.nix | 47 |
2 files changed, 52 insertions, 0 deletions
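--- a/hosts/surtr/tls/default.nix
+++ b/hosts/surtr/tls/default.nix
@@ -108,5 +108,10 @@ in {
 };
 };
 in mapAttrs' (domain: nameValuePair "acme-${domain}") (genAttrs (attrNames config.security.acme.certs) serviceAttrset);
+
+services.certspotter = {
+watchList = map (domain: ".${domain}") (attrNames cfg.domains);
+logs = "https://www.gstatic.com/ct/log_list/v2/all_logs_list.json";
+};
 };
 }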
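Review bot: The `.${domain}` prefix on each watchList entry does semantic work that the line does not explain; certspotter treats a leading dot as "this domain and all of its subdomains", and a reader of the host config cannot tell whether the dot is intentional. Add `# leading "." = the domain plus all of its subdomains (certspotter watchlist syntax)` above the watchList line. The enclosing attribute set starts outside the hunk, and the `services.certspotter` option itself comes from modules/certspotter.nix; nothing in this commit shows that module being imported, so presumably the modules directory is picked up elsewhere — worth confirming.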
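--- /dev/null
+++ b/modules/certspotter.nix
@@ -0,0 +1,47 @@
+{ config, pkgs, lib, ... }:
+
+with lib;
+
+let
+cfg = config.services.certspotter;
+
+startOptions = extraOptions
+++ optionals (cfg.logs != null) ["-logs" cfg.logs]
+++ ["-watchlist" (pkgs.writeText "watchlist" (concatStringsSep "\n" cfg.watchList))
+];
+in {
+options = {
+services.certspotter = {
+watchList = mkOption {
+type = types.listOf types.str;
+default = [];
+};
+
+logs = mkOption {
+type = types.nullOr types.str;
+default = null;
+};
+
+extraOptions = mkOption {
+type = types.listOf types.str;
+default = [ "-verbose" ];
+};
+
+package = mkPackageOption pkgs "certspotter" {};
+};
+};
+
+config = mkIf (cfg.watchList != []) {
+systemd.services.certspotter = {
+serviceConfig = {
+Type = "oneshot";
+ExecStartPre = "${pkgs.coreutils}/bin/rm $STATE_DIRECTORY/lock";
+ExecStart = "${cfg.package}/bin/certspotter -state_dir $STATE_DIRECTORY ${escapeShellArgs startOptions}";
+StateDirectory = "certspotter";
+LogsDirectory = "certspotter";
+StandardOutput = "append:$LOGS_DIRECTORY/certspotter.log";
+DynamicUser = true;
+};
+};
+};
+}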
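Review bot: `startOptions` on line 8 refers to an unbound `extraOptions`; the only binding of that name is the option `cfg.extraOptions`, so unless `lib` happens to export such a name, evaluating the module with a non-empty watchList fails with an undefined-variable error — it should read `startOptions = cfg.extraOptions`. The `ExecStartPre` on line 38 runs `rm` without `-f`, so on the first start, when no lock file exists yet, the pre-command exits non-zero and the unit never reaches ExecStart; `ExecStartPre = "-${pkgs.coreutils}/bin/rm -f $STATE_DIRECTORY/lock";` tolerates the absent file. `StandardOutput=` on line 42 is, as far as I know, subject to `%` specifier expansion but not to `$VAR` environment expansion, so `$LOGS_DIRECTORY` is likely taken literally; `StandardOutput = "append:%L/certspotter/certspotter.log";` uses the log-root specifier instead. None of the four options carries a `description`, which NixOS option documentation expects; one sentence each (what a watchlist entry matches, what `logs` points at, that `extraOptions` are passed verbatim, what `package` selects) would suffice. No timer or `wantedBy` is visible, so the oneshot unit presumably relies on a trigger defined elsewhere — worth confirming.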