1 files changed, 70 insertions, 0 deletions
diff --git a/hosts/surtr/tls.nix b/hosts/surtr/tls.nix
new file mode 100644
index 00000000..9581dd60
--- /dev/null
+++ b/hosts/surtr/tls.nix
@@ -0,0 +1,70 @@
+{ config, pkgs, ... }:
+let
+  knotCfg = config.services.knot;
+  
+  knotDNSCredentials = zone: pkgs.writeText "lego-credentials" ''
+    EXEC_PATH=${knotDNSExec zone}/bin/update-dns.sh
+    EXEC_PROPAGATION_TIMEOUT=300
+    EXEC_POLLING_INTERVAL=5
+  '';
+  knotDNSExec = zone: pkgs.writeScriptBin "update-dns.sh" ''
+    #!${pkgs.zsh}/bin/zsh -xe
+    mode=$1
+    fqdn=$2
+    challenge=$3
+    owner=''${fqdn%".${zone}."}
+    commited=
+    function abort() {
+      [[ -n "''${commited}" ]] || ${knotCfg.cliWrappers}/bin/knotc zone-abort "${zone}"
+    }
+    ${knotCfg.cliWrappers}/bin/knotc zone-begin "${zone}"
+    trap abort EXIT
+    case "''${mode}" in
+      present)
+        ${knotCfg.cliWrappers}/bin/knotc zone-unset ${zone} "''${owner}" TXT '""'
+        ${knotCfg.cliWrappers}/bin/knotc zone-set ${zone} "''${owner}" 30 TXT "''${challenge}"
+        ;;
+      cleanup)
+        ${knotCfg.cliWrappers}/bin/knotc zone-unset ${zone} "''${owner}" TXT "''${challenge}"
+        ${knotCfg.cliWrappers}/bin/knotc zone-set ${zone} "''${owner}" 30 TXT '""'
+        ;;
+      *)
+        exit 2
+        ;;
+    esac
+    ${knotCfg.cliWrappers}/bin/knotc zone-commit "${zone}"
+    commited=yes
+  '';
+in {
+  config = {
+    fileSystems."/var/lib/acme" =
+      { device = "surtr/safe/var-lib-acme";
+        fsType = "zfs";
+      };
+    security.acme = {
+      server = "https://acme-staging-v02.api.letsencrypt.org/directory";
+      
+      acceptTerms = true;
+      preliminarySelfsigned = false;
+      email = "phikeebaogobaegh@141.li";
+      certs = {
+        "rheperire.org" = {
+          domain = "rheperire.org";
+          extraDomainNames = [ "*.rheperire.org" ];
+          dnsProvider = "exec";
+          credentialsFile = knotDNSCredentials "rheperire.org";
+          dnsResolver = "1.1.1.1:53";
+        };
+      };
+    };
+    users.groups."knot".members = [ "acme" ];
+  };
+}

diff --git a/hosts/surtr/tls.nix b/hosts/surtr/tls.nix new file mode 100644 index 00000000..9581dd60 --- /dev/null +++ b/hosts/surtr/tls.nix
@@ -0,0 +1,70 @@
	1	{ config, pkgs, ... }:
	2	let
	3	knotCfg = config.services.knot;
	4
	5	knotDNSCredentials = zone: pkgs.writeText "lego-credentials" ''
	6	EXEC_PATH=${knotDNSExec zone}/bin/update-dns.sh
	7	EXEC_PROPAGATION_TIMEOUT=300
	8	EXEC_POLLING_INTERVAL=5
	9	'';
	10	knotDNSExec = zone: pkgs.writeScriptBin "update-dns.sh" ''
	11	#!${pkgs.zsh}/bin/zsh -xe
	12
	13	mode=$1
	14	fqdn=$2
	15	challenge=$3
	16
	17	owner=''${fqdn%".${zone}."}
	18
	19	commited=
	20	function abort() {
	21	[[ -n "''${commited}" ]] \|\| ${knotCfg.cliWrappers}/bin/knotc zone-abort "${zone}"
	22	}
	23
	24	${knotCfg.cliWrappers}/bin/knotc zone-begin "${zone}"
	25	trap abort EXIT
	26
	27	case "''${mode}" in
	28	present)
	29	${knotCfg.cliWrappers}/bin/knotc zone-unset ${zone} "''${owner}" TXT '""'
	30	${knotCfg.cliWrappers}/bin/knotc zone-set ${zone} "''${owner}" 30 TXT "''${challenge}"
	31	;;
	32	cleanup)
	33	${knotCfg.cliWrappers}/bin/knotc zone-unset ${zone} "''${owner}" TXT "''${challenge}"
	34	${knotCfg.cliWrappers}/bin/knotc zone-set ${zone} "''${owner}" 30 TXT '""'
	35	;;
	36	*)
	37	exit 2
	38	;;
	39	esac
	40
	41	${knotCfg.cliWrappers}/bin/knotc zone-commit "${zone}"
	42	commited=yes
	43	'';
	44	in {
	45	config = {
	46	fileSystems."/var/lib/acme" =
	47	{ device = "surtr/safe/var-lib-acme";
	48	fsType = "zfs";
	49	};
	50
	51	security.acme = {
	52	server = "https://acme-staging-v02.api.letsencrypt.org/directory";
	53
	54	acceptTerms = true;
	55	preliminarySelfsigned = false;
	56	email = "phikeebaogobaegh@141.li";
	57	certs = {
	58	"rheperire.org" = {
	59	domain = "rheperire.org";
	60	extraDomainNames = [ "*.rheperire.org" ];
	61	dnsProvider = "exec";
	62	credentialsFile = knotDNSCredentials "rheperire.org";
	63	dnsResolver = "1.1.1.1:53";
	64	};
	65	};
	66	};
	67
	68	users.groups."knot".members = [ "acme" ];
	69	};
	70	}