1 files changed, 54 insertions, 0 deletions
diff --git a/hosts/surtr/tls.nix b/hosts/surtr/tls.nix
new file mode 100644
index 00000000..e78aa298
--- /dev/null
+++ b/hosts/surtr/tls.nix
@@ -0,0 +1,54 @@
+{ pkgs, ... }:
+let
+  knotDNSCredentials = zone: pkgs.writeTextFile "lego-credentials" ''
+    EXEC_PATH=${knotDNSExec zone}/bin/update-dns.sh
+  '';
+  knotDNSExec = zone: pkgs.writeScriptBin "update-dns.sh" ''
+    #!${pkgs.zsh}/bin/zsh -xe
+    mode=$1
+    fqdn=$2
+    challenge=$3
+    owner=''${fqdn%"${zone}."}
+    knotc zone-begin "${zone}"
+    case "''${mode}" in
+      present)
+        knotc zone-set ${zone} "''${owner}" 300 TXT "''${challenge}"
+        ;;
+      cleanup)
+        knotc zone-unset ${zone} "''${owner}" TXT "''${challenge}"
+        ;;
+      *)
+        exit 2
+        ;;
+    esac
+    knotc zone-commit "${zone}"
+  '';
+in {
+  config = {
+    fileSystems."/var/lib/acme" =
+      { device = "surtr/safe/var-lib-acme";
+        fsType = "zfs";
+      };
+    security.acme = {
+      server = "https://acme-staging-v02.api.letsencrypt.org/directory";
+      
+      acceptTerms = true;
+      preliminarySelfsigned = false;
+      email = "phikeebaogobaegh@141.li";
+      certs = {
+        "rheperire.org" = {
+          domain = "rheperire.org";
+          extraDomainNames = "*.rheperire.org";
+          dnsProvider = "exec";
+          credentialsFile = knotDNSCredentials "rheperire.org";
+        };
+      };
+    };
+  };
+}

diff --git a/hosts/surtr/tls.nix b/hosts/surtr/tls.nix new file mode 100644 index 00000000..e78aa298 --- /dev/null +++ b/hosts/surtr/tls.nix
@@ -0,0 +1,54 @@
	1	{ pkgs, ... }:
	2	let
	3	knotDNSCredentials = zone: pkgs.writeTextFile "lego-credentials" ''
	4	EXEC_PATH=${knotDNSExec zone}/bin/update-dns.sh
	5	'';
	6	knotDNSExec = zone: pkgs.writeScriptBin "update-dns.sh" ''
	7	#!${pkgs.zsh}/bin/zsh -xe
	8
	9	mode=$1
	10	fqdn=$2
	11	challenge=$3
	12
	13	owner=''${fqdn%"${zone}."}
	14
	15	knotc zone-begin "${zone}"
	16
	17	case "''${mode}" in
	18	present)
	19	knotc zone-set ${zone} "''${owner}" 300 TXT "''${challenge}"
	20	;;
	21	cleanup)
	22	knotc zone-unset ${zone} "''${owner}" TXT "''${challenge}"
	23	;;
	24	*)
	25	exit 2
	26	;;
	27	esac
	28
	29	knotc zone-commit "${zone}"
	30	'';
	31	in {
	32	config = {
	33	fileSystems."/var/lib/acme" =
	34	{ device = "surtr/safe/var-lib-acme";
	35	fsType = "zfs";
	36	};
	37
	38	security.acme = {
	39	server = "https://acme-staging-v02.api.letsencrypt.org/directory";
	40
	41	acceptTerms = true;
	42	preliminarySelfsigned = false;
	43	email = "phikeebaogobaegh@141.li";
	44	certs = {
	45	"rheperire.org" = {
	46	domain = "rheperire.org";
	47	extraDomainNames = "*.rheperire.org";
	48	dnsProvider = "exec";
	49	credentialsFile = knotDNSCredentials "rheperire.org";
	50	};
	51	};
	52	};
	53	};
	54	}