From ec7b0f75b5abad46a0d3653741f3da113b665f02 Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Sat, 26 Mar 2022 16:27:43 +0100
Subject: certspotter

---
 hosts/surtr/tls/default.nix | 5 +++++
 modules/certspotter.nix | 47 +++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 52 insertions(+)
 create mode 100644 modules/certspotter.nix

diff --git a/hosts/surtr/tls/default.nix b/hosts/surtr/tls/default.nix
index 6fbab9bd..d204a51d 100644
--- a/hosts/surtr/tls/default.nix
+++ b/hosts/surtr/tls/default.nix
@@ -108,5 +108,10 @@ in {
 };
 };
 in mapAttrs' (domain: nameValuePair "acme-${domain}") (genAttrs (attrNames config.security.acme.certs) serviceAttrset);
+
+ services.certspotter = {
+ watchList = map (domain: ".${domain}") (attrNames cfg.domains);
+ logs = "https://www.gstatic.com/ct/log_list/v2/all_logs_list.json";
+ };
 };
 }
diff --git a/modules/certspotter.nix b/modules/certspotter.nix
new file mode 100644
index 00000000..f82b004f
--- /dev/null
+++ b/modules/certspotter.nix
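Review bot: The leading dot prepended to each domain in `watchList` carries meaning for certspotter (a `.example.com` entry covers the domain and all of its subdomains, whereas a bare `example.com` entry matches only that exact name), and nothing in the hunk says so; a comment such as `# leading dot: certspotter matches the domain and all its subdomains` on the `watchList` line would help. The list is built from `cfg.domains` while the `in mapAttrs'` line just above derives the ACME services from `config.security.acme.certs`; if those two sets are meant to coincide this is fine, but if they can diverge the CT monitoring would silently not cover some issued certificates, so it is worth stating which set is authoritative. The enclosing attribute set and the `cfg` binding start outside the hunk.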
@@ -0,0 +1,47 @@
+{ config, pkgs, lib, ... }:
+
+with lib;
+
+let
+ cfg = config.services.certspotter;
+
+ startOptions = extraOptions
+ ++ optionals (cfg.logs != null) ["-logs" cfg.logs]
+ ++ ["-watchlist" (pkgs.writeText "watchlist" (concatStringsSep "\n" cfg.watchList))
+ ];
+in {
+ options = {
+ services.certspotter = {
+ watchList = mkOption {
+ type = types.listOf types.str;
+ default = [];
+ };
+
+ logs = mkOption {
+ type = types.nullOr types.str;
+ default = null;
+ };
+
+ extraOptions = mkOption {
+ type = types.listOf types.str;
+ default = [ "-verbose" ];
+ };
+
+ package = mkPackageOption pkgs "certspotter" {};
+ };
+ };
+
+ config = mkIf (cfg.watchList != []) {
+ systemd.services.certspotter = {
+ serviceConfig = {
+ Type = "oneshot";
+ ExecStartPre = "${pkgs.coreutils}/bin/rm $STATE_DIRECTORY/lock";
+ ExecStart = "${cfg.package}/bin/certspotter -state_dir $STATE_DIRECTORY ${escapeShellArgs startOptions}";
+ StateDirectory = "certspotter";
+ LogsDirectory = "certspotter";
+ StandardOutput = "append:$LOGS_DIRECTORY/certspotter.log";
+ DynamicUser = true;
+ };
+ };
+ };
+}
-- cgit v1.2.3
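Review bot: `startOptions` reads `extraOptions` as a bare name, but the option is declared as `services.certspotter.extraOptions`, so the intended reference is `cfg.extraOptions`; under `with lib;` the bare name resolves only if `lib` happens to export such an attribute and otherwise evaluation fails as soon as `watchList` is non-empty, which the `hosts/surtr/tls/default.nix` hunk makes the case. Two smaller points in `serviceConfig`: `ExecStartPre` runs `rm` without `-f`, so on the first start (no lock file yet) the pre-command fails and the unit never reaches `ExecStart` — `ExecStartPre = "${pkgs.coreutils}/bin/rm -f $STATE_DIRECTORY/lock";` is enough; and `StandardOutput=` gets systemd specifier expansion but, as far as I can tell, not the `$VAR` environment expansion that `Exec*=` lines get, so `$LOGS_DIRECTORY` in `append:$LOGS_DIRECTORY/certspotter.log` would stay literal, whereas `StandardOutput = "append:%L/certspotter/certspotter.log";` (matching `LogsDirectory = "certspotter"`) is expanded. Clearing the lock unconditionally also disables certspotter's own guard against concurrent instances; that is acceptable only because systemd serialises starts of a oneshot unit, and a comment on the `ExecStartPre` line saying so, e.g. `# clear a lock left behind by an unclean exit; safe because systemd runs at most one instance of this unit`, would stop a reader from treating it as a bug. The four options also lack `description` attributes, so they show up undocumented in the generated option listing.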