{ config, lib, customUtils, pkgs, ... }: with lib; let inherit (customUtils) mapFilterAttrs; tsigSecretName = domain: "${domain}_tsig-secret"; cfg = config.security.acme; knotCfg = config.services.knot; knotDNSCredentials = domain: let zone = if cfg.domains.${domain}.zone == null then domain else cfg.domains.${domain}.zone; in pkgs.writeText "lego-credentials" '' EXEC_PATH=${knotDNSExec zone}/bin/update-dns.sh EXEC_PROPAGATION_TIMEOUT=300 EXEC_POLLING_INTERVAL=5 ''; knotDNSExec = zone: pkgs.writeScriptBin "update-dns.sh" '' #!${pkgs.zsh}/bin/zsh -xe mode=$1 fqdn=$2 challenge=$3 owner=''${fqdn%".${zone}."} commited= function abort() { [[ -n "''${commited}" ]] || ${knotCfg.cliWrappers}/bin/knotc zone-abort "${zone}" } ${knotCfg.cliWrappers}/bin/knotc zone-begin "${zone}" trap abort EXIT case "''${mode}" in present) if ${knotCfg.cliWrappers}/bin/knotc zone-get ${zone} "''${owner}" TXT; then ${knotCfg.cliWrappers}/bin/knotc zone-unset ${zone} "''${owner}" TXT '""' fi ${knotCfg.cliWrappers}/bin/knotc zone-set ${zone} "''${owner}" 30 TXT "''${challenge}" ;; cleanup) ${knotCfg.cliWrappers}/bin/knotc zone-unset ${zone} "''${owner}" TXT "''${challenge}" ${knotCfg.cliWrappers}/bin/knotc zone-set ${zone} "''${owner}" 30 TXT '""' ;; *) exit 2 ;; esac ${knotCfg.cliWrappers}/bin/knotc zone-commit "${zone}" commited=yes ''; domainOptions = { options = { wildcard = mkOption { type = types.bool; default = false; }; zone = mkOption { type = types.nullOr types.str; default = null; }; certCfg = mkOption { type = types.attrs; default = {}; }; }; }; in { options = { security.acme = { domains = mkOption { type = types.attrsOf (types.submodule domainOptions); default = {}; }; }; }; config = { security.acme.domains = genAttrs ["dirty-haskell.org" "141.li" "xmpp.li" "yggdrasil.li" "praseodym.org" "rheperire.org" "kleen.li" "nights.email"] (domain: { wildcard = true; }); fileSystems."/var/lib/acme" = { device = "surtr/safe/var-lib-acme"; fsType = "zfs"; }; security.acme = { acceptTerms = true; preliminarySelfsigned = true; # DNS challenge is slow defaults = { email = "phikeebaogobaegh@141.li"; keyType = "rsa4096"; # we don't like NIST curves extraLegoRenewFlags = [ # "--preferred-chain" "ISRG Root X1" "--always-deactivate-authorizations" "true" ]; extraLegoRunFlags = config.security.acme.defaults.extraLegoRenewFlags; }; certs = let domainAttrset = domain: let tsigPath = ./tsig_keys + "/${domain}"; tsigSecret = config.sops.secrets.${tsigSecretName domain}; isTsig = pathExists tsigPath; shared = { inherit domain; extraDomainNames = optional cfg.domains.${domain}.wildcard "*.${domain}"; dnsResolver = "127.0.0.1:5353"; }; mkKnotc = shared // { dnsProvider = "exec"; credentialsFile = knotDNSCredentials domain; }; mkRFC2136 = let tsigInfo = readYaml tsigPath; in shared // { dnsProvider = "rfc2136"; credentialsFile = pkgs.writeText "${domain}_credentials.env" '' RFC2136_NAMESERVER=127.0.0.1:53 RFC2136_TSIG_ALGORITHM=hmac-sha256. RFC2136_TSIG_KEY=${domain}_acme_key RFC2136_TSIG_SECRET_FILE=${tsigSecret.path} RFC2136_PROPAGATION_TIMEOUT=300 RFC2136_POLLING_INTERVAL=5 RFC2136_TTL=300 ''; }; in (if isTsig then mkRFC2136 else mkKnotc) // cfg.domains.${domain}.certCfg; in genAttrs (attrNames cfg.domains) domainAttrset; }; sops.secrets = let toTSIGSecret = n: v: if v == "regular" || v == "symlink" then nameValuePair (tsigSecretName n) { format = "binary"; owner = if config.security.acme.useRoot then "root" else "acme"; group = "acme"; sopsFile = ./tsig_keys + "/${n}"; } else null; in mapFilterAttrs (_: v: v != null) toTSIGSecret (builtins.readDir ./tsig_keys); systemd.services = let serviceAttrset = domain: { after = [ "knot.service" ]; bindsTo = [ "knot.service" ]; serviceConfig = { ReadWritePaths = ["/run/knot/knot.sock"]; SupplementaryGroups = ["knot"]; RestrictAddressFamilies = ["AF_UNIX"]; }; }; in mapAttrs' (domain: nameValuePair "acme-${domain}") (genAttrs (attrNames config.security.acme.certs) serviceAttrset); }; }