{ config, lib, customUtils, pkgs, ... }: with lib; let inherit (customUtils) mapFilterAttrs; tsigSecretName = domain: "${domain}_tsig-secret"; cfg = config.security.acme; domainOptions = { options = { wildcard = mkOption { type = types.bool; default = false; }; zone = mkOption { type = types.nullOr types.str; default = null; }; certCfg = mkOption { type = types.attrs; default = {}; }; }; }; in { options = { security.acme = { domains = mkOption { type = types.attrsOf (types.submodule domainOptions); default = {}; }; }; }; config = { security.acme.domains = genAttrs ["dirty-haskell.org" "141.li" "xmpp.li" "synapse.li" "yggdrasil.li" "praseodym.org" "rheperire.org" "kleen.li" "nights.email" "bouncy.email" "kleen.consulting"] (domain: { wildcard = true; }); fileSystems."/var/lib/acme" = { device = "surtr/safe/var-lib-acme"; fsType = "zfs"; }; security.acme = { acceptTerms = true; preliminarySelfsigned = true; # DNS challenge is slow defaults = { email = "phikeebaogobaegh@141.li"; keyType = "rsa4096"; # we don't like NIST curves extraLegoRenewFlags = [ # "--preferred-chain" "ISRG Root X1" # "--always-deactivate-authorizations" "true" ]; extraLegoRunFlags = config.security.acme.defaults.extraLegoRenewFlags; }; certs = let domainAttrset = domain: let tsigPath = ./tsig_keys + "/${domain}"; isTsig = pathExists tsigPath; shared = { inherit domain; extraDomainNames = optional cfg.domains.${domain}.wildcard "*.${domain}"; dnsResolver = "127.0.0.1:5353"; }; mkRFC2136 = shared // rec { dnsProvider = "rfc2136"; credentialsFile = pkgs.writeText "${domain}_credentials.env" '' RFC2136_NAMESERVER=127.0.0.1:53 RFC2136_TSIG_ALGORITHM=hmac-sha256. RFC2136_TSIG_KEY=${domain}_acme_key RFC2136_TSIG_SECRET_FILE=/run/credentials/acme-${domain}.service/tsig_secret RFC2136_TTL=0 RFC2136_PROPAGATION_TIMEOUT=60 RFC2136_POLLING_INTERVAL=2 RFC2136_SEQUENCE_INTERVAL=1 ''; dnsPropagationCheck = false; }; in assert isTsig; mkRFC2136 // cfg.domains.${domain}.certCfg; in genAttrs (attrNames cfg.domains) domainAttrset; }; sops.secrets = let toTSIGSecret = n: v: if v == "regular" || v == "symlink" then nameValuePair (tsigSecretName n) { format = "binary"; sopsFile = ./tsig_keys + "/${n}"; } else null; in mapFilterAttrs (_: v: v != null) toTSIGSecret (builtins.readDir ./tsig_keys); systemd.services = let serviceAttrset = domain: { after = [ "knot.service" ]; bindsTo = [ "knot.service" ]; serviceConfig = { LoadCredential = ["tsig_secret:${config.sops.secrets.${tsigSecretName domain}.path}"]; SystemCallFilter = mkForce [ "@system-service" "~@privileged" "@chown" ]; }; }; in mapAttrs' (domain: nameValuePair "acme-${domain}") (genAttrs (attrNames config.security.acme.certs) serviceAttrset); services.certspotter = { extraOptions = [ "-verbose" "-num_workers" "4" "-batch_size" "2000" ]; watchList = map (domain: ".${domain}") (attrNames cfg.domains); logs = "https://www.gstatic.com/ct/log_list/v2/all_logs_list.json"; }; }; }