hosts/surtr/tls/default.nix


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112

{ config, lib, customUtils, pkgs, ... }:

with lib;

let
  inherit (customUtils) mapFilterAttrs;

  tsigSecretName = domain: "${domain}_tsig-secret";

  cfg = config.security.acme;
  
  domainOptions = {
    options = {
      wildcard = mkOption {
        type = types.bool;
        default = false;
      };
      zone = mkOption {
        type = types.nullOr types.str;
        default = null;
      };
      certCfg = mkOption {
        type = types.attrs;
        default = {};
      };
    };
  };
in {
  options = {
    security.acme = {
      domains = mkOption {
        type = types.attrsOf (types.submodule domainOptions);
        default = {};
      };
    };
  };
  
  config = {
    security.acme.domains = genAttrs ["dirty-haskell.org" "141.li" "xmpp.li" "synapse.li" "yggdrasil.li" "praseodym.org" "rheperire.org" "kleen.li" "nights.email"] (domain: { wildcard = true; });
    
    fileSystems."/var/lib/acme" =
      { device = "surtr/safe/var-lib-acme";
        fsType = "zfs";
      };

    security.acme = {
      acceptTerms = true;
      preliminarySelfsigned = true; # DNS challenge is slow
      defaults = {
        email = "phikeebaogobaegh@141.li";
        keyType = "rsa4096"; # we don't like NIST curves
        extraLegoRenewFlags = [
          # "--preferred-chain" "ISRG Root X1"
          # "--always-deactivate-authorizations" "true"
        ];
        extraLegoRunFlags = config.security.acme.defaults.extraLegoRenewFlags;
      };
      certs =
        let
          domainAttrset = domain: let
            tsigPath = ./tsig_keys + "/${domain}";
            tsigSecret = config.sops.secrets.${tsigSecretName domain};
            isTsig = pathExists tsigPath;
            shared = {
              inherit domain;
              extraDomainNames = optional cfg.domains.${domain}.wildcard "*.${domain}";
              dnsResolver = "127.0.0.1:5353";
            };
            mkRFC2136 = let
              tsigInfo = readYaml tsigPath;
            in shared // {
              dnsProvider = "rfc2136";
              credentialsFile = pkgs.writeText "${domain}_credentials.env" ''
                RFC2136_NAMESERVER=127.0.0.1:53
                RFC2136_TSIG_ALGORITHM=hmac-sha256.
                RFC2136_TSIG_KEY=${domain}_acme_key
                RFC2136_TSIG_SECRET_FILE=${tsigSecret.path}
                RFC2136_TTL=0
                RFC2136_PROPAGATION_TIMEOUT=60
                RFC2136_POLLING_INTERVAL=2
                RFC2136_SEQUENCE_INTERVAL=1
              '';
            };
          in assert isTsig; mkRFC2136 // cfg.domains.${domain}.certCfg;
        in genAttrs (attrNames cfg.domains) domainAttrset;
    };

    sops.secrets = let
      toTSIGSecret = n: v:
        if v == "regular" || v == "symlink"
        then nameValuePair (tsigSecretName n) {
          format = "binary";
          owner = if config.security.acme.useRoot then "root" else "acme";
          group = "acme";
          sopsFile = ./tsig_keys + "/${n}";
        } else null;
    in mapFilterAttrs (_: v: v != null) toTSIGSecret (builtins.readDir ./tsig_keys);

    systemd.services =
      let
        serviceAttrset = domain: {
          after = [ "knot.service" ];
          bindsTo = [ "knot.service" ];
          serviceConfig = {
            ReadWritePaths = ["/run/knot/knot.sock"];
            SupplementaryGroups = ["knot"];
            RestrictAddressFamilies = ["AF_UNIX"];
          };
        };
      in mapAttrs' (domain: nameValuePair "acme-${domain}") (genAttrs (attrNames config.security.acme.certs) serviceAttrset);
  };
}