tools/acme: init

secrets/acme-dns-key.age

@@ -0,0 +1,11 @@
+age-encryption.org/v1
+-> ssh-ed25519 NO562A eDXO2rf1oCP7G9J7pB03shPO9BMIZ2pEhBqlaEiO+DI
+Nb6n+yZJ3+ZQQWefjUbV6xiem+4gpOdE0IoA5F9L4zs
+-> ssh-ed25519 5/zT0w I/KivuQEA2nwCF0qq4G81dKvwU/Zni2Fuz+xSraW52E
+osPx87gVzeEEIPBnhTn0APxBuA/IL8ySuMzzVrjYqEI
+-> ssh-ed25519 d3WGuA yrjBtwpNIgsCHG835akTfrwYdncm+yEHT1GnmWQvVnQ
+Myfat35n/tjZzsqeaLEZLpZGxwgBKo7lBVi1uMIzsRo
+-> 1.=T-grease )oe@8$5 _OQDI/o^ &l$G\
+aR164gwY7SDkig
+--- 32woYizDIa931hDX2PO8wLOYmnOhSscYaI38pvUmBLs
+ÿ2ã(<06>ì°cZÄBý„»¸o"Ê´¡±•¿%¡·W9
<01>ãd'ØikCà‹FƒÆž
ˈkPÃVÊNü>ö˜²×[Ý<>
»

secrets/secrets.nix

@@ -4,6 +4,7 @@ let
   systemKeys = x: x.ssh.id.publicKey or null;
 in with hosts;
 {
+  "acme-dns-key.age".publicKeys = max ++ map systemKeys [ VEGAS ];
   "coturn-static-auth.age".publicKeys = max ++ map systemKeys [ VEGAS ];
   "discourse-adminpass.age".publicKeys = max ++ map systemKeys [ VEGAS ];
   "discourse-dbpass.age".publicKeys = max ++ map systemKeys [ VEGAS ];

tools/acme.nix

@@ -0,0 +1,24 @@
+# internal interface
+{ toolsets }:
+# external interface
+{ config ? null, nameserver ? (toolsets.identity {}).dns.master.addr, ... }:
+let
+  tools = (self: {
+
+    dns01 = {
+      age.secrets.acme-dns-key = {
+        file = ../secrets/acme-dns-key.age;
+        owner = "acme";
+        group = "acme";
+        mode = "0400";
+      };
+      credentialsFile = builtins.toFile "acme-dns01-env" ''
+        RFC2136_NAMESERVER=${nameserver}
+        RFC2136_TSIG_KEY=acme-challenge.void
+        RFC2136_TSIG_ALGORITHM=hmac-sha256
+        RFC2136_TSIG_SECRET_FILE=${config.age.secrets.acme-dns-key.path}
+      '';
+    };
+
+  }) tools;
+in tools

tools/default.nix

@@ -1,6 +1,7 @@
 let toolsets = {
     meta = import ./meta.nix;
 
+    acme = import ./acme.nix { inherit toolsets; };
     identity = import ./identity.nix { inherit toolsets; };
     networks = import ./networks.nix { inherit toolsets; };
     nginx = import ./nginx.nix { inherit toolsets; };