diff options
Diffstat (limited to 'hosts/surtr/tls.nix')
| -rw-r--r-- | hosts/surtr/tls.nix | 27 |
1 files changed, 23 insertions, 4 deletions
diff --git a/hosts/surtr/tls.nix b/hosts/surtr/tls.nix index 6a1d6f84..704941e2 100644 --- a/hosts/surtr/tls.nix +++ b/hosts/surtr/tls.nix | |||
| @@ -3,6 +3,7 @@ | |||
| 3 | with lib; | 3 | with lib; |
| 4 | 4 | ||
| 5 | let | 5 | let |
| 6 | cfg = config.security.acme; | ||
| 6 | knotCfg = config.services.knot; | 7 | knotCfg = config.services.knot; |
| 7 | 8 | ||
| 8 | knotDNSCredentials = zone: pkgs.writeText "lego-credentials" '' | 9 | knotDNSCredentials = zone: pkgs.writeText "lego-credentials" '' |
| @@ -45,9 +46,27 @@ let | |||
| 45 | commited=yes | 46 | commited=yes |
| 46 | ''; | 47 | ''; |
| 47 | 48 | ||
| 48 | domains = ["dirty-haskell.org" "141.li" "xmpp.li" "yggdrasil.li" "praseodym.org" "rheperire.org" "kleen.li" "nights.email"]; | 49 | domainOptions = { |
| 50 | options = { | ||
| 51 | wildcard = mkOption { | ||
| 52 | type = types.bool; | ||
| 53 | default = false; | ||
| 54 | }; | ||
| 55 | }; | ||
| 56 | }; | ||
| 49 | in { | 57 | in { |
| 58 | options = { | ||
| 59 | security.acme = { | ||
| 60 | domains = mkOption { | ||
| 61 | type = types.attrsOf (types.submodule domainOptions); | ||
| 62 | default = {}; | ||
| 63 | }; | ||
| 64 | }; | ||
| 65 | }; | ||
| 66 | |||
| 50 | config = { | 67 | config = { |
| 68 | security.acme.domains = genAttrs ["dirty-haskell.org" "141.li" "xmpp.li" "yggdrasil.li" "praseodym.org" "rheperire.org" "kleen.li" "nights.email"] (domain: { wildcard = true; }); | ||
| 69 | |||
| 51 | fileSystems."/var/lib/acme" = | 70 | fileSystems."/var/lib/acme" = |
| 52 | { device = "surtr/safe/var-lib-acme"; | 71 | { device = "surtr/safe/var-lib-acme"; |
| 53 | fsType = "zfs"; | 72 | fsType = "zfs"; |
| @@ -61,13 +80,13 @@ in { | |||
| 61 | let | 80 | let |
| 62 | domainAttrset = domain: { | 81 | domainAttrset = domain: { |
| 63 | inherit domain; | 82 | inherit domain; |
| 64 | extraDomainNames = [ "*.${domain}" ]; | 83 | extraDomainNames = optional cfg.domains.${domain}.wildcard "*.${domain}"; |
| 65 | dnsProvider = "exec"; | 84 | dnsProvider = "exec"; |
| 66 | credentialsFile = knotDNSCredentials domain; | 85 | credentialsFile = knotDNSCredentials domain; |
| 67 | dnsResolver = "1.1.1.1:53"; | 86 | dnsResolver = "1.1.1.1:53"; |
| 68 | keyType = "rsa4096"; # we don't like NIST curves | 87 | keyType = "rsa4096"; # we don't like NIST curves |
| 69 | }; | 88 | }; |
| 70 | in genAttrs domains domainAttrset; | 89 | in genAttrs (attrNames cfg.domains) domainAttrset; |
| 71 | }; | 90 | }; |
| 72 | 91 | ||
| 73 | systemd.services = | 92 | systemd.services = |
| @@ -81,6 +100,6 @@ in { | |||
| 81 | RestrictAddressFamilies = ["AF_UNIX"]; | 100 | RestrictAddressFamilies = ["AF_UNIX"]; |
| 82 | }; | 101 | }; |
| 83 | }; | 102 | }; |
| 84 | in mapAttrs' (domain: nameValuePair "acme-${domain}") (genAttrs domains serviceAttrset); | 103 | in mapAttrs' (domain: nameValuePair "acme-${domain}") (genAttrs (attrNames config.security.acme.certs) serviceAttrset); |
| 85 | }; | 104 | }; |
| 86 | } | 105 | } |