blob: f1a515db46c96ba5d3122d3c7288f05644227056 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
|
{ config, lib, customUtils, pkgs, ... }:
with lib;
let
inherit (customUtils) mapFilterAttrs;
tsigSecretName = domain: "${domain}_tsig-secret";
cfg = config.security.acme;
domainOptions = {
options = {
wildcard = mkOption {
type = types.bool;
default = false;
};
zone = mkOption {
type = types.nullOr types.str;
default = null;
};
certCfg = mkOption {
type = types.attrs;
default = {};
};
};
};
in {
options = {
security.acme = {
domains = mkOption {
type = types.attrsOf (types.submodule domainOptions);
default = {};
};
};
};
config = {
security.acme.domains = genAttrs ["dirty-haskell.org" "141.li" "xmpp.li" "synapse.li" "yggdrasil.li" "praseodym.org" "rheperire.org" "kleen.li" "nights.email" "bouncy.email" "kleen.consulting"] (domain: { wildcard = true; });
fileSystems."/var/lib/acme" =
{ device = "surtr/safe/var-lib-acme";
fsType = "zfs";
};
security.acme = {
acceptTerms = true;
preliminarySelfsigned = true; # DNS challenge is slow
defaults = {
email = "phikeebaogobaegh@141.li";
keyType = "rsa4096"; # we don't like NIST curves
extraLegoRenewFlags = [
# "--preferred-chain" "ISRG Root X1"
# "--always-deactivate-authorizations" "true"
];
extraLegoRunFlags = config.security.acme.defaults.extraLegoRenewFlags;
};
certs =
let
domainAttrset = domain: let
tsigPath = ./tsig_keys + "/${domain}";
isTsig = pathExists tsigPath;
shared = {
inherit domain;
extraDomainNames = optional cfg.domains.${domain}.wildcard "*.${domain}";
dnsResolver = "127.0.0.1:5353";
};
mkRFC2136 = shared // rec {
dnsProvider = "rfc2136";
credentialsFile = pkgs.writeText "${domain}_credentials.env" ''
RFC2136_NAMESERVER=127.0.0.1:53
RFC2136_TSIG_ALGORITHM=hmac-sha256.
RFC2136_TSIG_KEY=${domain}_acme_key
RFC2136_TSIG_SECRET_FILE=/run/credentials/acme-${domain}.service/tsig_secret
RFC2136_TTL=0
RFC2136_PROPAGATION_TIMEOUT=60
RFC2136_POLLING_INTERVAL=2
RFC2136_SEQUENCE_INTERVAL=1
'';
dnsPropagationCheck = false;
};
in assert isTsig; mkRFC2136 // cfg.domains.${domain}.certCfg;
in genAttrs (attrNames cfg.domains) domainAttrset;
};
sops.secrets = let
toTSIGSecret = n: v:
if v == "regular" || v == "symlink"
then nameValuePair (tsigSecretName n) {
format = "binary";
sopsFile = ./tsig_keys + "/${n}";
} else null;
in mapFilterAttrs (_: v: v != null) toTSIGSecret (builtins.readDir ./tsig_keys);
systemd.services =
let
serviceAttrset = domain: {
after = [ "knot.service" ];
bindsTo = [ "knot.service" ];
serviceConfig = {
LoadCredential = ["tsig_secret:${config.sops.secrets.${tsigSecretName domain}.path}"];
SystemCallFilter = mkForce [ "@system-service" "~@privileged" "@chown" ];
};
};
in mapAttrs' (domain: nameValuePair "acme-${domain}") (genAttrs (attrNames config.security.acme.certs) serviceAttrset);
services.certspotter = {
extraOptions = [ "-verbose" "-num_workers" "4" "-batch_size" "2000" ];
watchList = map (domain: ".${domain}") (attrNames cfg.domains);
logs = "https://www.gstatic.com/ct/log_list/v2/all_logs_list.json";
};
};
}
|