Diffstat (limited to 'hosts/surtr/tls.nix')
-rw-r--r--hosts/surtr/tls.nix120
1 files changed, 0 insertions, 120 deletions
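--- a/hosts/surtr/tls.nix
+++ /dev/null
@@ -1,120 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-with lib;
-
-let
- cfg = config.security.acme;
- knotCfg = config.services.knot;
-
- knotDNSCredentials = domain: let
- zone = if cfg.domains.${domain}.zone == null then domain else cfg.domains.${domain}.zone;
- in pkgs.writeText "lego-credentials" ''
- EXEC_PATH=${knotDNSExec zone}/bin/update-dns.sh
- EXEC_PROPAGATION_TIMEOUT=300
- EXEC_POLLING_INTERVAL=5
- '';
- knotDNSExec = zone: pkgs.writeScriptBin "update-dns.sh" ''
- #!${pkgs.zsh}/bin/zsh -xe
-
- mode=$1
- fqdn=$2
- challenge=$3
-
- owner=''${fqdn%".${zone}."}
-
- commited=
- function abort() {
- [[ -n "''${commited}" ]] || ${knotCfg.cliWrappers}/bin/knotc zone-abort "${zone}"
- }
-
- ${knotCfg.cliWrappers}/bin/knotc zone-begin "${zone}"
- trap abort EXIT
-
- case "''${mode}" in
- present)
- if ${knotCfg.cliWrappers}/bin/knotc zone-get ${zone} "''${owner}" TXT; then
- ${knotCfg.cliWrappers}/bin/knotc zone-unset ${zone} "''${owner}" TXT '""'
- fi
- ${knotCfg.cliWrappers}/bin/knotc zone-set ${zone} "''${owner}" 30 TXT "''${challenge}"
- ;;
- cleanup)
- ${knotCfg.cliWrappers}/bin/knotc zone-unset ${zone} "''${owner}" TXT "''${challenge}"
- ${knotCfg.cliWrappers}/bin/knotc zone-set ${zone} "''${owner}" 30 TXT '""'
- ;;
- *)
- exit 2
- ;;
- esac
-
- ${knotCfg.cliWrappers}/bin/knotc zone-commit "${zone}"
- commited=yes
- '';
-
- domainOptions = {
- options = {
- wildcard = mkOption {
- type = types.bool;
- default = false;
- };
- zone = mkOption {
- type = types.nullOr types.str;
- default = null;
- };
- certCfg = mkOption {
- type = types.attrs;
- default = {};
- };
- };
- };
-in {
- options = {
- security.acme = {
- domains = mkOption {
- type = types.attrsOf (types.submodule domainOptions);
- default = {};
- };
- };
- };
-
- config = {
- security.acme.domains = genAttrs ["dirty-haskell.org" "141.li" "xmpp.li" "yggdrasil.li" "praseodym.org" "rheperire.org" "kleen.li" "nights.email"] (domain: { wildcard = true; });
-
- fileSystems."/var/lib/acme" =
- { device = "surtr/safe/var-lib-acme";
- fsType = "zfs";
- };
-
- security.acme = {
- acceptTerms = true;
- preliminarySelfsigned = true; # DNS challenge is slow
- defaults = {
- email = "phikeebaogobaegh@141.li";
- keyType = "rsa4096"; # we don't like NIST curves
- # extraLegoFlags = ["--preferred-chain" "ISRG Root X1"];
- };
- certs =
- let
- domainAttrset = domain: {
- inherit domain;
- extraDomainNames = optional cfg.domains.${domain}.wildcard "*.${domain}";
- dnsProvider = "exec";
- credentialsFile = knotDNSCredentials domain;
- dnsResolver = "1.1.1.1:53";
- } // cfg.domains.${domain}.certCfg;
- in genAttrs (attrNames cfg.domains) domainAttrset;
- };
-
- systemd.services =
- let
- serviceAttrset = domain: {
- after = [ "knot.service" ];
- bindsTo = [ "knot.service" ];
- serviceConfig = {
- ReadWritePaths = ["/run/knot/knot.sock"];
- SupplementaryGroups = ["knot"];
- RestrictAddressFamilies = ["AF_UNIX"];
- };
- };
- in mapAttrs' (domain: nameValuePair "acme-${domain}") (genAttrs (attrNames config.security.acme.certs) serviceAttrset);
- };
-}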