From 25f354e8f2550f2eae4d0ba3b80c250332279caa Mon Sep 17 00:00:00 2001 From: Gregor Kleen Date: Sun, 30 May 2021 16:21:13 +0200 Subject: acme@surtr: rheperire.org test --- hosts/surtr/default.nix | 2 +- hosts/surtr/tls.nix | 54 +++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 55 insertions(+), 1 deletion(-) create mode 100644 hosts/surtr/tls.nix (limited to 'hosts/surtr') diff --git a/hosts/surtr/default.nix b/hosts/surtr/default.nix index 0ab67967..72ed81ae 100644 --- a/hosts/surtr/default.nix +++ b/hosts/surtr/default.nix @@ -1,7 +1,7 @@ { flake, pkgs, lib, ... }: { imports = with flake.nixosModules.systemProfiles; [ - qemu-guest openssh rebuild-machines ./zfs.nix ./dns + qemu-guest openssh rebuild-machines ./zfs.nix ./dns ./tls.nix ]; config = { diff --git a/hosts/surtr/tls.nix b/hosts/surtr/tls.nix new file mode 100644 index 00000000..e78aa298 --- /dev/null +++ b/hosts/surtr/tls.nix @@ -0,0 +1,54 @@ +{ pkgs, ... }: +let + knotDNSCredentials = zone: pkgs.writeTextFile "lego-credentials" '' + EXEC_PATH=${knotDNSExec zone}/bin/update-dns.sh + ''; + knotDNSExec = zone: pkgs.writeScriptBin "update-dns.sh" '' + #!${pkgs.zsh}/bin/zsh -xe + + mode=$1 + fqdn=$2 + challenge=$3 + + owner=''${fqdn%"${zone}."} + + knotc zone-begin "${zone}" + + case "''${mode}" in + present) + knotc zone-set ${zone} "''${owner}" 300 TXT "''${challenge}" + ;; + cleanup) + knotc zone-unset ${zone} "''${owner}" TXT "''${challenge}" + ;; + *) + exit 2 + ;; + esac + + knotc zone-commit "${zone}" + ''; +in { + config = { + fileSystems."/var/lib/acme" = + { device = "surtr/safe/var-lib-acme"; + fsType = "zfs"; + }; + + security.acme = { + server = "https://acme-staging-v02.api.letsencrypt.org/directory"; + + acceptTerms = true; + preliminarySelfsigned = false; + email = "phikeebaogobaegh@141.li"; + certs = { + "rheperire.org" = { + domain = "rheperire.org"; + extraDomainNames = "*.rheperire.org"; + dnsProvider = "exec"; + credentialsFile = knotDNSCredentials "rheperire.org"; + }; + }; + }; + }; +} -- cgit v1.2.3