path: root/hosts/surtr/tls.nix
Diffstat (limited to 'hosts/surtr/tls.nix')
-rw-r--r--hosts/surtr/tls.nix27
1 files changed, 23 insertions, 4 deletions
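--- a/hosts/surtr/tls.nix
+++ b/hosts/surtr/tls.nix
@@ -3,6 +3,7 @@
 with lib;
 
 let
+  cfg = config.security.acme;
   knotCfg = config.services.knot;
 
   knotDNSCredentials = zone: pkgs.writeText "lego-credentials" ''
@@ -45,9 +46,27 @@ let
     commited=yes
   '';
 
-  domains = ["dirty-haskell.org" "141.li" "xmpp.li" "yggdrasil.li" "praseodym.org" "rheperire.org" "kleen.li" "nights.email"];
+  domainOptions = {
+    options = {
+      wildcard = mkOption {
+        type = types.bool;
+        default = false;
+      };
+    };
+  };
 in {
+  options = {
+    security.acme = {
+      domains = mkOption {
+        type = types.attrsOf (types.submodule domainOptions);
+        default = {};
+      };
+    };
+  };
+
   config = {
+    security.acme.domains = genAttrs ["dirty-haskell.org" "141.li" "xmpp.li" "yggdrasil.li" "praseodym.org" "rheperire.org" "kleen.li" "nights.email"] (domain: { wildcard = true; });
+
     fileSystems."/var/lib/acme" =
       { device = "surtr/safe/var-lib-acme";
         fsType = "zfs";
@@ -61,13 +80,13 @@ in {
       let
         domainAttrset = domain: {
           inherit domain;
-          extraDomainNames = [ "*.${domain}" ];
+          extraDomainNames = optional cfg.domains.${domain}.wildcard "*.${domain}";
           dnsProvider = "exec";
           credentialsFile = knotDNSCredentials domain;
           dnsResolver = "1.1.1.1:53";
           keyType = "rsa4096"; # we don't like NIST curves
         };
-      in genAttrs domains domainAttrset;
+      in genAttrs (attrNames cfg.domains) domainAttrset;
     };
 
   systemd.services =
@@ -81,6 +100,6 @@ in {
           RestrictAddressFamilies = ["AF_UNIX"];
         };
       };
-    in mapAttrs' (domain: nameValuePair "acme-${domain}") (genAttrs domains serviceAttrset);
+    in mapAttrs' (domain: nameValuePair "acme-${domain}") (genAttrs (attrNames config.security.acme.certs) serviceAttrset);
   };
 }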
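Review bot: The service loop on new line 103 now keys on `attrNames config.security.acme.certs`, while the cert declarations on new line 89 key on `attrNames cfg.domains`; the two sets are no longer guaranteed to coincide, so any cert declared elsewhere in the configuration also receives `serviceAttrset`, which from the visible lines appears to restrict the unit to `AF_UNIX` even though that cert may not use the exec/knot flow these units were hardened for. If the wider scope is intended, a short comment saying so would help the next reader; otherwise `genAttrs (attrNames cfg.domains) serviceAttrset` keeps both loops in step, and in either case `cfg.certs` would match the `cfg` binding introduced on new line 6 instead of spelling out `config.security.acme` again. The new `mkOption` declarations on new lines 51 and 60 carry no `description`; something like `description = "Whether to additionally request the wildcard name *.<domain>.";` for `wildcard` and `description = "Domains to obtain ACME certificates for, keyed by domain name.";` for `domains` would document the contract. The `serviceAttrset` body and the enclosing `systemd.services` expression begin outside the hunk.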